Serhii Yevseiev,Oleksandr Milov,Ivan Opirskyy,Olha Dunaievska,Oleksandr Huk,Volodymyr Pogorelov,Kyrylo Bondarenko,Nataliia Zviertseva,Yevgen Melenti,Bogdan Tomashevsky

DOI: https://doi.org/10.15587/1729-4061.2022.263416

2022-08-31

Eastern-European Journal of Enterprise Technologies

Abstract:The development of the IT industry and computing resources allows the formation of cyberphysical social systems (CPSS), which are the integration of wireless mobile and Internet technologies and the combination of the Internet of things with the technologies of cyberphysical systems. To build protection systems, while minimizing both computing and economic costs, various sets of security profiles are used, ensuring the continuity of critical business processes. To assess/compare the level of CPSS security, various assessment methods based on a set of metrics are generally used. Security metrics are tools for providing up-to-date information about the state of the security level, cost characteristics/parameters from both the defense and attack sides. However, the choice of such sets is not always the same/understandable to the average person. This, firstly, leads to the absence of a generally accepted and unambiguous definition, which means that one system is more secure than another. Secondly, it does not take into account the signs of synergy and hybridity of modern targeted attacks. Without this knowledge, it is impossible to show that the metric measures the security level objectively. Thirdly, there is no universal formal model for all metrics that could be used for rigorous analysis. The paper explores the possibility of defining a basic formal model (classifier) for analyzing security metrics. The proposed security assessment model takes into account not only the level of secrecy of information resources, the level of provision of security services, but also allows, based on the requirements put forward, forming the necessary set of security assessment metrics, taking into account the requirements for the continuity of business processes. The average value of the provision of security services to CPSS information resources is 0.99, with an average value of the security level of information resources of 0.8

Bilgin Metin,Fatma Gül Özhan,Martin Wynn

DOI: https://doi.org/10.3390/electronics13214226

IF: 2.9

2024-10-29

Electronics

Abstract:As businesses increasingly adopt digital processes and solutions to enhance efficiency and productivity, they face heightened cybersecurity threats. Through a systematic literature review and concept development, this article examines the intersection of digitalisation and cybersecurity. It identifies the methodologies and tools used for cybersecurity assessments, factors influencing the adoption of cybersecurity measures, and the critical success factors for implementing these measures. The article also puts forward the concept of cybersecurity governance process categories, which are used to classify the factors uncovered in the research. Findings suggest that current information security standards tend to be too broad and not adequately tailored to the specific needs of small and medium-sized enterprises (SMEs) when implementing emerging technologies, like Internet of Things (IoT), blockchain, and artificial intelligence (AI). Additionally, these standards often employ a top-down approach, which makes it challenging for SMEs to effectively implement them, as they require more scalable solutions tailored to their specific risks and limited resources. The study thus proposes a new framework based on the Plan-Do-Check model, built around the cybersecurity governance process categories and the three core pillars of governance, culture and standards. This is essentially a bottom-up approach that complements current top-down methods, and will be of value to both information technology (IT) professionals as an operational guide, and to researchers as a basis for future research in this field.

engineering, electrical & electronic,computer science, information systems,physics, applied

Serhii Lysenko,Andrii Liubchenko,Volodymyr Коzakov,Yurii Demianchuk,Yurii Krutik

DOI: https://doi.org/10.31893/multirev.2024spe021

2024-06-11

Multidisciplinary Reviews

Abstract:The growing dependence of modern society on digital technologies leads to an increase in cyber threats, which makes the issue of cyber security particularly relevant. The problem of the research is to determine the effective mechanisms of protection of information systems in the conditions of globalization and growing geopolitical challenges. The purpose of the article is to analyze the development of international data privacy standards, the role of the latest technologies in cyberspace protection, and the formation of an effective global network strategy. Special attention is paid to the directions of international cooperation in the development of technological innovations and the training of qualified personnel. The article examines the legal, technological and educational aspects of data security policy, analyzes the experience and practices of different countries, which allows determining effective directions for improving the effectiveness of protection against cyber threats. Based on the conducted research, the main challenges and prospects for the development of the global defense system were determined, including the need to integrate efforts at the international level and integrate into the rapidly changing conditions of cyberspace. The results emphasize the importance of creating a unified global network protection system that ensures the protection of relevant information resources and the privacy of personal data in the digital world. Outlined recommendations for the effective integration of countermeasures into national and international strategies can serve as a factor in ensuring a secure digital future and building an appropriate infrastructure. The results of the article highlight the critical role of global cyber security in ensuring stability and security in today’s digital world, emphasizing the need for a comprehensive approach to its implementation.

Nan Sun,Chang-Tsun Li,Hin Chan,Md Zahidul Islam,Md Rafiqul Islam,Warren Armstrong

DOI: https://doi.org/10.1109/ACCESS.2022.3187211

2022-03-05

Abstract:Cyber assurance, which is the ability to operate under the onslaught of cyber attacks and other unexpected events, is essential for organizations facing inundating security threats on a daily basis. Organizations usually employ multiple strategies to conduct risk management to achieve cyber assurance. Utilizing cybersecurity standards and certifications can provide guidance for vendors to design and manufacture secure Information and Communication Technology (ICT) products as well as provide a level of assurance of the security functionality of the products for consumers. Hence, employing security standards and certifications is an effective strategy for risk management and cyber assurance. In this work, we begin with investigating the adoption of cybersecurity standards and certifications by surveying 258 participants from organizations across various countries and sectors. Specifically, we identify adoption barriers of the Common Criteria through the designed questionnaire. Taking into account the seven identified adoption barriers, we show the recommendations for promoting cybersecurity standards and certifications. Moreover, beyond cybersecurity standards and certifications, we shed light on other risk management strategies devised by our participants, which provides directions on cybersecurity approaches for enhancing cyber assurance in organizations.

Cryptography and Security

Sara Ramezanian,Valtteri Niemi

DOI: https://doi.org/10.1109/access.2024.3392970

IF: 3.9

2024-05-07

IEEE Access

Abstract:The widespread deployment of digital technologies has made the globe an interconnected world. Among other necessities of the digitalized world, cybersecurity is a crucial component. Therefore, education and proper training of the cybersecurity workforce are essential for building a strong national and global community. However, a significant shortage of proficient cybersecurity experts is reported worldwide. In this study, we present a comprehensive guideline for university-level cybersecurity curriculum development with respect to workforce training. Our curriculum guideline is based on consulting various globally well-known documents, reports, and frameworks that are specifically designed for cybersecurity. Namely, to conduct our research we utilize Cybersecurity Curricula 2017 (CSEC2017) by the Joint Task Force on Cybersecurity Education, National Initiative for Cybersecurity Education (NICE) cybersecurity workforce framework by the National Institute of Standards and Technology (NIST), and the Development Needs in Cybersecurity Education: Final report of the project by Lehto et al. at the University of Jyväskylä in Finland. The significance of our work also relies on the fact that the previous efforts to establish a link between the NICE workforce framework and the CSEC2017 curriculum have fallen short, and to the best of our knowledge, this work is the first successful attempt on the matter. In particular, we map every knowledge requirement in each work role to one or several knowledge areas of CSEC2017 curriculum. We define a measurement system to assign a numeric value to each knowledge area. Our goal is to determine the significance of a cybersecurity knowledge area in workforce training. Moreover, we identify the shortcomings of the Cybersecurity Curricula, i.e., we recognize the knowledge areas that are missing from the curriculum. We also discuss about the shortcomings of NICE framework in terms of defining the proper required knowledge in the work roles. Based on our findings, we present a comprehensive guideline for cybersecurity curriculum development for higher educational institutions. Finally, we propose a curriculum roadmap to the job categories.

computer science, information systems,telecommunications,engineering, electrical & electronic

С.Г. Вдовенко,Є.О. Живило,О.О. Черноног,В.М. Докіль,S.G. Vdovenko,,E.A. Zhivilo,A.A. Chernonog,V.N. Dokil,,,

DOI: https://doi.org/10.17721/2519-481x/2022/74-06

2022-01-01

Collection of scientific works of the Military Institute of Kyiv National Taras Shevchenko University

Abstract:The urgency of this work is due to one of the priorities of the national security system of Ukraine to perform the functions and tasks of the defense forces of Ukraine in conditions of destructive activity on the cybersecurity environment of the state. Modern development of information and cyber technologies and global informatization in the world have led to the fact that the information and cybersphere have become the object of various destructive influences on all spheres of society through cyberspace, which complemented existing ones, namely land, sea, air, space and became a sphere conflicts and possible hostilities. States, depending on the degree of their development, build different systems (models) of protection of their information, telecommunications infrastructures, determine the use of technological processes circulating in these systems and protect critical infrastructure from cyber threats, determine the functions, directions and ways of action in cyberspace. Today, more than 60 countries in the world are openly and / or covertly working to improve the functionality of national cybersecurity and cyber defense systems. National and coalition cyber forces are being created, their functions and tasks are being determined, the content and procedure of activity, composition, algorithms for training units, military and civilian specialists are being formed, strategies are being developed, regulatory framework, hardware and software complexes, and special cyber defense software are being improved. and tactics of their application. In general, the development and widespread implementation of communication systems and systems using innovative information and telecommunications technologies in military systems is in accordance with international rules for cyberwarfare, such as the Geneva Convention. At the same time, the main principles of formation of cybersecurity and cyber defense systems of the leading countries of the world are scientifically substantiated legislative, normative-legal, definition-terminological support. Under these conditions, the transformation of the regulatory framework takes into account the constant militarization of national segments of cyberspace, taking into account the criteria (indicators) of threats in cybersecurity and cyber defense of leading countries, the level of system readiness and acquisition of capabilities, etc. To address the issues of regulation and implementation of norms and rules of international organizations in the field of cybersecurity and cyber defense, it is proposed to analyze the current provisions (axiomatics) of the existing legislative, state and departmental regulatory framework, as well as the regulatory framework of international organizations. ITU) on cybersecurity.

English Else

P. S. Klimushyn,V. Ye. Roh,T. P. Kolisnyk

DOI: https://doi.org/10.32631/pb.2023.3.17

2023-09-28

Law and Safety

Abstract:IoT technologies provide smart things with the ability to make decisions in the management of physical objects using intelligence and consensus. To support the Internet of Things, technologies such as built-in devices, cloud and fog computing, big data processing, machine learning, and artificial intelligence are used to produce intelligent physical objects. A review of existing security infrastructures for IoT-based intelligent environments shows that every connected device can be a potential entry point for an attack. An overview of the key aspects of security standards for smart environments based on the Internet of Things has been provided in the following areas: potential solutions, intelligent environments, limits of security assessment, open issues and challenges. Additional research on the development of methodological and technological standardisation measures in the field of interoperability of heterogeneous IoT devices is an urgent task in order to start further discussions on the development of new security standards and certification infrastructure for smart environments based on the IoT. Based on the analysis of the existing problems of implementing the Internet of Things, the methodological and technological features of legal regulation of intellectual environments have been studied. The structures of standardisation of networks and services of the IoT environments at the regional, European and global international levels have been considered. The architecture of the Internet of Things environments has been defined as a multi-level, heterogeneous system with a complex topology and the use of innovative technologies. The single phenomenon of IoT security has been identified as a complex concept that includes functional security and information security with their interconnection, contradictions, challenges and risks. The functional security of the Internet of Things has been studied in terms of the security function, security completeness and resilience, which are subject to regulation in the technical requirements for the product being designed. An aspect model of IoT interoperability has been presented and examples of its application in terms of interrelated components (transport, syntactic, semantic, behavioural, and policy aspects) have been given. An assessment of generally accepted practices and risks of creating regulatory documents (standards, instructions, methodological materials) in the field of functional security of the Internet of Things has been carried out. Recommendations for the introduction of a scientifically based approach to national standardisation of IoT security and measures to address the problem of interoperability of heterogeneous IoT devices have been provided.

Oleh Tarasenko,Dmytro Mirkovets,Artem Shevchyshen,Oleksandr Nahorniuk-Danyliuk,Yurii Yermakov

DOI: https://doi.org/10.46398/cuestpol.4073.33

2022-07-29

Cuestiones Políticas

Abstract:The goal of the article is to identify cybersecurity issues as a component of national security and suggest ways to solve them. The topic of the research is the cyber security of Ukraine. In the course of the research, the following methods were used: dialectical method, formal and legal method, comparative-legal method and scientific abstraction method. As a result, the legal acts governing cybersecurity in Ukraine are analyzed, the cyber security actors are determined and their functions are defined. Practical implementation. There is a need to establish and implement an annual plan for the implementation of the Cyber Security Strategy, which should detail the actions to ensure cyber security, identify specific measures, deadlines and responsible actors. It is concluded that, ways to improve the cybersecurity system (as part of national security), which will update the legal mechanisms of cybersecurity, create cybersecurity infrastructure at the global level, establish effective interaction between cybersecurity actors regardless of their departmental affiliation and / or form of ownership, including with the owners of critical infrastructure and non-state owned information), are in their primary phase.

Shah Khalid Khan,Nirajan Shiwakoti,Peter Stasinopoulos,Matthew Warren

DOI: https://doi.org/10.1016/j.aap.2023.107054

Abstract:Technological advancements in Connected and Automated Vehicles (CAVs), particularly the integration of diverse stakeholder groups (communication service providers, road operators, automakers, repairers, CAV consumers, and the general public) and the pursuit of new economic opportunities, have resulted in the emergence of new technical, legal, and social challenges. The most pressing challenge is deterring criminal behaviour in both the physical and cyber realms through the adoption of CAV cybersecurity protocols and regulations. However, the literature lacks a systematic decision tool to analyze the impact of the potential cybersecurity regulations for dynamically interacting stakeholders, and to identify the leverage points to minimise the cyber-risks. To address this knowledge gap, this study uses systems theory to develop a dynamic modelling tool to analyze the indirect consequences of potential CAVs cybersecurity regulations in the medium to long term. It is hypothesized that CAVs Cybersecurity Regulatory Framework (CRF) is the property of the entire ITS stakeholders. The CRF is modelled using the System Dynamic based Stock-and-Flow-Model (SFM) technique. The SFM is founded on five critical pillars: the Cybersecurity Policy Stack, the Hacker's Capability, Logfiles, CAV Adopters, and intelligence-assisted traffic police. It is found that decision-makers should focus on three major leverage points: establishing a CRF grounded on automakers' innovation; sharing risks in eliminating negative externalities associated with underinvestment and knowledge asymmetries in cybersecurity; and capitalising on massive CAV-generated data in CAV operations. The formal integration of intelligence analysts and computer crime investigators to strengthen traffic police capabilities is pivotal. Recommendations for automakers include data-profiteering in CAV design, production, sales, marketing, safety enhancements and enabling consumer data transparency.Furthermore, CAVs-CRF necessitate a balanced approach to the trade-off between: i) data accessibility constraints on CAV automakers and ITS service providers; ii) regulator command and control thresholds; iii) automakers' business investment protection; and iv) consumers' data privacy guard.

Сергій Толюпа,Лада Сліпачук,Serhii Toliupa,,Lada Slipachuk,

DOI: https://doi.org/10.17721/ists.2023.1.37-42

2023-01-01

Information systems and technologies security

Abstract:This The article is devoted to the disclosure and elucidation of the envisaged composition, structure of measures and tools that will be part of a comprehensive system of protection of industry-integrated MIS in the national cybersecurity sector. The article also describes the specifics and strategic value of the involved resources, which will be operated by the established system of cybersecurity. It is noted that the industry-integrated cyber defense MIS envisages the use of a set of interconnected means and measures, the implementation of which is necessary and sufficient for the full protection of industry-integrated MIS to counter external unauthorized access, etc. Emphasis is placed on the compliance of the envisaged cybersecurity system with international criteria and standards of protection of such control systems for NATO countries, in particular, the US Department of Defense cybersecurity standard (TCSEC also known as "Orange Book"); with international criteria and standards for the protection of similar control systems for other leading countries, in particular, the international technical standard ISO/IEC 15408 "General criteria for assessing IT security", which has been ratified by most leading countries; with guidelines and recommendations of the International Organization NCSS (National Cyber Security Strategies) for NATO Partner countries, as set out in the National Cyber Security Strategy and developed by international national cybersecurity experts, scholars and European international cybersecurity advisers in the context of NATO's "Science for Peace and Security (SPS) Programme"; with national technical standards of Ukraine. The article also presents in detail the full range of mandatory resources and tools for the cybersecurity of designed industry-integrated MIS in the national cybersecurity sector, which include five levels of cybersecurity (organization, software, hardware, engineering, additional physical level).

Adam Janovsky,Jan Jancar,Petr Svenda,Łukasz Chmielewski,Jiri Michalik,Vashek Matyas

DOI: https://doi.org/10.1016/j.cose.2024.103895

2024-07-02

Abstract:Products certified under security certification frameworks such as Common Criteria undergo significant scrutiny during the costly certification process. Yet, critical vulnerabilities, including private key recovery (ROCA, Minerva, TPM-Fail...), get discovered in certified products with high assurance levels. Furthermore, assessing which certified products are impacted by such vulnerabilities is complicated due to the large amount of unstructured certification-related data and unclear relationships between the certified products. To address these problems, we conducted a large-scale automated analysis of Common Criteria certificates. We trained unsupervised models to learn which vulnerabilities from NIST's National Vulnerability Database impact existing certified products and how certified products reference each other. Our tooling automates the analysis of tens of thousands of certification-related documents, extracting machine-readable features where manual analysis is unattainable. Further, we identify the security requirements that are associated with products being affected by fewer and less severe vulnerabilities. This indicates which aspects of certification correlate with higher security. We demonstrate how our tool can be used for better vulnerability mitigation on four case studies of known, high-profile vulnerabilities. All tools and continuously updated results are available at <a class="link-external link-https" href="https://seccerts.org" rel="external noopener nofollow">this https URL</a>

Cryptography and Security

Marco Alfano,Viviana Bastidas,Paul Heynen,Markus Helfert

DOI: https://doi.org/10.48550/arXiv.2302.05166

2023-02-10

Cryptography and Security

Abstract:Governments around the world are required to strengthen their national cybersecurity capabilities to respond effectively to the growing, changing, and sophisticated cyber threats and attacks, thus protecting society and the way of life as a whole. Responsible government institutions need to revise, evaluate, and bolster their national cybersecurity capabilities to fulfill the new requirements, for example regarding new trends affecting cybersecurity, key supporting laws and regulations, and implementations risk and challenges. This report presents a comprehensive assessment instrument for cybersecurity at the national level in order to help countries to ensure optimum response capability and more effective use of critical resources of each state. More precisely, the report - builds a common understanding of the critical cybersecurity capabilities and competence to be assessed at the national level, - adds value to national strategic planning and implementation which impact the development and adaptation of national cybersecurity strategies, - provides an overview of the assessment approaches at the national level, including capabilities, frameworks, and controls, - introduces a comprehensive cybersecurity instrument for countries to determine areas of improvement and develop enduring national capabilities, - describes how to apply the proposed national cybersecurity assessment framework in a real-world case, and - presents the results and lessons learned of the application of the assessment framework at the national level to assist governments in further building cybersecurity capabilities.

Alan Raveling,Yanzhen Qu

DOI: https://doi.org/10.24018/ejece.2023.7.4.546

2023-07-12

European Journal of Electrical Engineering and Computer Science

Abstract:This paper has examined the application of the Common Vulnerability Scoring System applied to operational technology or industrial control system-based cybersecurity controls and demonstrated that the unique considerations and aspects of these environments are more accurately captured when compared against a traditional IT based evaluation. Multiple business drivers are compelling consumer goods manufacturers to augment and connect their manufacturing systems bringing with it increases in potential for experiencing a cybersecurity incident [1]. While other business verticals are able to utilize cybersecurity standards and control documents tailored for their industry, manufacturers do not have a set of materials that directly correlate to the operational technology environments in which their systems reside [2]. Cybersecurity practitioners face additional challenges in developing an understanding of the severity of the risks within these environments due to the lack of current quantifiable methods of evaluating the risks. The findings from this research provide cybersecurity practitioners with a repeatable and extensible method to derive the operational risk present to an organization due to the technologies and business strategies employed in the pursuit of business objectives.

Yevhen Zhyvylo

DOI: https://doi.org/10.26565/1684-8489-2023-2-08

2023-12-30

2

Abstract:This paper validates the relevance of contemporary electronic communication systems, networks, and hardware and software suites and tools being particularly susceptible to cyber influences. The goal of the article is to concisely summarize international experience in modern human resource competencies within the cybersecurity domain and to identify their components according to specific directions. The paper examines current international trends regarding the formation of a minimal necessary package for creating, implementing, technical support, and enhancing an information security and cyber defense management system. This necessitates the development of a digitally aware society by the state, a crucial area of its internal policy. It emphasizes the undeniable fact that the demand for cybersecurity professionals will continually grow as high-technology society advances. In the context of the state’s total defense, the role of unified training for defense force personnel and the civilian sector in cybersecurity is beyond doubt. It is concluded that the main focus in forming Cybercom of partner countries is adequate funding, careful selection of personnel, quality professional training, and ensuring full interoperability of diverse structural units of subjects ensuring information protection and cybersecurity at the state level. The share of cyber threats is increasing, and this trend will intensify over the next decade as the internet technology sphere is developing rapidly, and digital solutions are being used in combination (e.g., artificial intelligence and blockchain). For instance, current Russia is one of the main threats to national and international cybersecurity, actively implementing the concept of information confrontation based on a combination of destructive actions in cyberspace. An increase in conflicts between states and the intensity of intelligence and subversive activities in cyberspace is expected. The number of states seeking to form their own cyber-intelligence, master the latest methods of destructive influence in cyberspace, and strengthen state control over the state segment of the Internet is growing. The technical level of cyber threats is increasing, and new tools and mechanisms for cyber attacks are constantly being improved and developed

Jan Vykopal,Valdemar Švábenský,Michael Tuscano Lopez II,Pavel Čeleda

DOI: https://doi.org/10.1145/3641554.3701976

2024-11-14

Abstract:Improving cybersecurity education has become a priority for many countries and organizations worldwide. Computing societies and professional associations have recognized cybersecurity as a distinctive computing discipline and created specialized cybersecurity curricular guidelines. Higher education institutions are introducing new cybersecurity programs, attracting students to this expanding field. In this paper, we examined 101 study programs across 24 countries. Based on their analysis, we argue that top-ranked universities have not yet fully implemented the guidelines and offer programs that have "cyber" in their name but lack some essential elements of a cybersecurity program. In particular, most programs do not sufficiently cover non-technical components, such as law, policies, or risk management. Also, most programs teach knowledge and skills but do not expose students to experiential learning outside the traditional classroom (such as internships) to develop their competencies. As a result, graduates of these programs may not meet employer expectations and may require additional training. To help program directors and educators improve their programs and courses, this paper offers examples of effective practices from cybersecurity programs around the world and our teaching practice.

Cryptography and Security,Computers and Society

Viktoriia Shevchenko

DOI: https://doi.org/10.30977/bul.2219-5548.2022.98.0.161

2022-11-29

Bulletin of Kharkov National Automobile and Highway University

Abstract:Problem. Cybersecurity today is one of the main tasks, whose solution is mandatory not only for digital business. Recently, much attention has been paid to cybersecurity in the field of road transport. Already today, modern cars need high-quality and reliable protection of all electronics, communication systems, user personal data and software. Therefore, the issue of training a qualified specialist in automotive cybersecurity is quite relevant. Goal. The goal is to analyze the modern market of educational services both in Ukraine and other European countries in the field of training bachelors in cybersecurity. Methodology. Methods of analysis, synthesis, scaling and mathematical statistics were used to process the research results. Results. Comparative analysis of educational services of domestic and foreign universities showed that we have the greatest discrepancy between the educational services of domestic and foreign universities in the field of teaching programming technologies. Based on the results of the analysis, it was suggested that improving the quality of training specialists in cybersecurity is possible by increasing the volume and quality of educational services in programming technologies. Originality. A comparison was made of the quality of educational services of Ukrainian and European universities, in which the measure of the quality of disciplines taught is the number of credits allocated for the discipline. Practical value. The conducted study revealed a possible reason for the insufficient quality of training bachelors in cybersecurity in domestic universities. Eliminating the identified shortcoming will not only improve the quality of bachelor's training, but will also have a positive impact on the further employment of university graduates in their specialty.

Tania Wallis,Paul Dorey

DOI: https://doi.org/10.3390/en16041868

IF: 3.2

2023-02-16

Energies

Abstract:This study describes the implementation of an energy sector community to examine the practice of cybersecurity for operational technology environments and their supply chains. Evaluating cybersecurity from the perspectives of different actors participating in the energy sector, the progress and challenges of operators and suppliers in delivering cybersecurity for the sector are explored. While regulatory frameworks incentivize individual organizations to improve their cybersecurity, operational services contain contributions from many organizations, and this supply chain of activity needs to be influenced and managed to achieve desired security and resilience outcomes. Through collaborations and systems engineering approaches, a reference model is created to facilitate improvements in managing the cybersecurity of supply chains for different actors, including service operators, maintainers, manufacturers, and systems integrators. This study provides an illustration of implementing a common vision of cybersecurity improvement across a community of actors. It utilizes a collaborative framework that has facilitated the co-production of cybersecurity guidance for energy sector participants.

energy & fuels

Anton Didenko

DOI: https://doi.org/10.2139/ssrn.3533664

2020-01-01

SSRN Electronic Journal

Abstract:Over the past several years, the cybersecurity regulatory landscape has undergone unprecedented change. Bespoke cybersecurity laws and regulations have replaced pre-existing general risk management and business continuity rules in a number of jurisdictions, including the European Union, Hong Kong, Russia, the USA and Singapore. Cybersecurity has also become the focus of international rules and recommendations adopted by numerous international organisations. The financial sector lies at the centre of the new regulatory initiatives – which, in the absence of an agreed international approach, vary substantially across jurisdictions. This article analyses these emerging legal frameworks by (i) conducting a comparative study of the novel cybersecurity regulations in finance, (ii) identifying the common features of such frameworks and (iii) assessing the prospect of their harmonisation at an international level. It argues that international harmonisation in this area is necessary to overcome the underlying regulatory challenges and outlines the scope of rules amenable, first, to initial (de minimis) and, second, subsequent (more expansive) harmonisation. The article concludes with a list of main upcoming challenges in designing and harmonising cybersecurity regulations in finance and practical recommendations for overcoming them.

Konrad Trzonkowski,Olena Khalina,Paulina Kolisnichenko,Nataliia Rozumovych,Oleksandr Zhyhulin

DOI: https://doi.org/10.34069/ai/2023.69.09.28

2023-09-30

Revista Amazonia Investiga

Abstract:The aim of the article was to study the characteristics of the formation of an information system to implement the administrative and legal mechanism to ensure financial and economic security under the influence of cyber threats. The research methodology involved the use of hierarchical and pairwise comparison analysis, as well as the method of expert analysis, with the help of academic documentary sources. As a result of the study, the main cyber threats in the information system of the administrative and legal mechanism for ensuring financial and economic security were identified and ordered according to their level of influence. This order will allow the management apparatus to understand, at least in theory, the hierarchy of importance of existing threats and subsequently use the latter to build information systems. Everything allows to conclude that, by analyzing the obtained results, a methodical approach to the assessment of cyber threats to financial and economic security was formed. However, the study has its limitations, as for the formation of the above-mentioned information systems, a small number of cyber threats were adopted, which are also characteristic for a particular country like Ukraine.

Kaspar Rosager Ludvigsen,Shishir Nagaraja

DOI: https://doi.org/10.48550/arXiv.2205.13196

2022-05-26

Abstract:Safety is becoming cybersecurity under most circumstances. This should be reflected in the Cybersecurity Resilience Act when it is proposed and agreed upon in the European Union. In this paper, we define a range of principles which this future Act should build upon, a structure and argue why it should be as broad as possible. It is based on what the cybersecurity research community for long have asked for, and on what constitutes clear hard legal rules instead of soft. Important areas such as cybersecurity should be taken seriously, by regulating it in the same way we see other types of critical infrastructure and physical structures, and be uncompromising and logical, to encompass the risks and potential for chaos which its ubiquitous nature entails. We find that principles which regulate cybersecurity systems' life-cycles in detail are needed, as is clearly stating what technology is being used, due to Kirkhoffs principle, and dismissing the idea of technosolutionism. Furthermore, carefully analysing risks is always necessary, but so is understanding when and how the systems manufacturers may fail or almost fail. We do this through the following principles: Ex ante and Ex post assessment, Safety and Security by Design, Denial of Obscurity, Dismissal of Infallibility, Systems Acknowledgement, Full Transparency, Movement towards a Zero-trust Security Model, Cybersecurity Resilience, Enforced Circular Risk Management, Dependability, Hazard Analysis and mitigation or limitation, liability, A Clear Reporting Regime, Enforcement of Certification and Standards, Mandated Verification of Security and Continuous Servicing. To this, we suggest that the Act employs similar authorities and mechanisms as the GDPR and create strong national authorities to coordinate inspection and enforcement in each Member State, with ENISA being the top and coordinating organ.

Computers and Society,Cryptography and Security