Carlos Bendicho

DOI: https://doi.org/10.1007/978-3-030-80119-9_28

2021-06-19

Abstract:The present paper shows a proposal of the characteristics Cloud Risk Assessment Models should have and presents the review of the literature considering those characteristics in order to identify current gaps. This work shows a ranking of Cloud RA models and their degree of compliance with the theoretical reference Cloud Risk Assessment model. The review of literature shows that RA approaches leveraging CSA (Cloud Security Alliance) STAR Registry that have into account organizations security requirements present higher degree of compliance, but they still lack risk economic quantification. The myriad of conceptual models, methodologies and frameworks although based on current NIST SP 800:30, ISO 27001, ISO 27005, ISO 30001, ENISA standards could be enhanced by the use of techno-economic models like UTEM, created by the author, in order to conceive more simplified models for effective Risk Assessment and Mitigation closer to the theoretical reference model for Cloud Risk Assessment, available for all cloud models (IaaS, PaaS, SaaS) and easy to use for all stakeholders.

Networking and Internet Architecture,Cryptography and Security

Jason R. C. Nurse,Sadie Creese,David De Roure

DOI: https://doi.org/10.48550/arXiv.1811.03290

2018-11-08

Cryptography and Security

Abstract:Information security risk assessment methods have served us well over the past two decades. They have provided a tool for organizations and governments to use in protecting themselves against pertinent risks. As the complexity, pervasiveness, and automation of technology systems increases and cyberspace matures, particularly with the Internet of Things (IoT), there is a strong argument that we will need new approaches to assess risk and build trust. The challenge with simply extending existing assessment methodologies to IoT systems is that we could be blind to new risks arising in such ecosystems. These risks could be related to the high degrees of connectivity present or the coupling of digital, cyber-physical, and social systems. This article makes the case for new methodologies to assess risk in this context that consider the dynamics and uniqueness of the IoT while maintaining the rigor of best practice in risk assessment.

Beatrice Cassottana,Muhammad M Roomi,Daisuke Mashima,Giovanni Sansavini

DOI: https://doi.org/10.1111/risa.14089

Abstract:Cyber-physical systems (CPSs) are monitored and controlled by a computing and communicating core. This cyber layer enables better management of the controlled subsystem, but it also introduces threats to the security and protection of CPSs, as demonstrated by recent cyberattacks. The resulting governance and policy emphasis on cybersecurity is reflected in the academia by a vast body of literature. In this article, we systematize existing knowledge on CPS analysis. Specifically, we focus on the quantitative assessment of CPSs before and after the occurrence of a disruption. Through the systematic analysis of the models and methods adopted in the literature, we develop a CPS resilience assessment framework consisting of three steps, namely, (1) CPS description, (2) disruption scenario identification, and (3) resilience strategy selection. For each step of the framework, we suggest established methods for CPS analysis and suggest four criteria for method selection. The framework proposes a standardized workflow to assess the resilience of CPSs before and after the occurrence of a disruption. The application of the proposed framework is exemplified with reference to a power substation and associated communication network.The case study shows that the proposed framework supports resilience decision making by quantifying the effects of the implementation of resilience strategies.

Ashraf S. Mashaleh,Noor Farizah Binti Ibrahim,Mohammad Alauthman,Mohammad Almseidin,Amjad Gawanmeh

DOI: https://doi.org/10.32604/cmc.2023.047323

2024-01-01

Abstract:Increasing Internet of Things (IoT) device connectivity makes botnet attacks more dangerous, carrying catastrophic hazards. As IoT botnets evolve, their dynamic and multifaceted nature hampers conventional detection methods. This paper proposes a risk assessment framework based on fuzzy logic and Particle Swarm Optimization (PSO) to address the risks associated with IoT botnets. Fuzzy logic addresses IoT threat uncertainties and ambiguities methodically. Fuzzy component settings are optimized using PSO to improve accuracy. The methodology allows for more complex thinking by transitioning from binary to continuous assessment. Instead of expert inputs, PSO data-driven tunes rules and membership functions. This study presents a complete IoT botnet risk assessment system. The methodology helps security teams allocate resources by categorizing threats as high, medium, or low severity. This study shows how CICIoT2023 can assess cyber risks. Our research has implications beyond detection, as it provides a proactive approach to risk management and promotes the development of more secure IoT environments.

computer science, information systems,materials science, multidisciplinary

Petar Radanliev,David De Roure,Max Van Kleek,Uchenna Ani,Pete Burnap,Eirini Anthi,Jason R. C. Nurse,Omar Santos,Rafael Mantilla Montalvo,LaTreall Maddox

DOI: https://doi.org/10.1007/s10669-020-09792-x

2020-11-24

Abstract:The Internet of Things (IoT) triggers new types of cyber risks. Therefore, the integration of new IoT devices and services requires a self-assessment of IoT cyber security posture. By security posture this article refers to the cybersecurity strength of an organisation to predict, prevent and respond to cyberthreats. At present, there is a gap in the state of the art, because there are no self-assessment methods for quantifying IoT cyber risk posture. To address this gap, an empirical analysis is performed of 12 cyber risk assessment approaches. The results and the main findings from the analysis is presented as the current and a target risk state for IoT systems, followed by conclusions and recommendations on a transformation roadmap, describing how IoT systems can achieve the target state with a new goal-oriented dependency model. By target state, we refer to the cyber security target that matches the generic security requirements of an organisation. The research paper studies and adapts four alternatives for IoT risk assessment and identifies the goal-oriented dependency modelling as a dominant approach among the risk assessment models studied. The new goal-oriented dependency model in this article enables the assessment of uncontrollable risk states in complex IoT systems and can be used for a quantitative self-assessment of IoT cyber risk posture.

Cryptography and Security,Computers and Society

Ahmed E. Youssef

DOI: https://doi.org/10.48550/arXiv.2001.08993

2020-01-13

Cryptography and Security

Abstract:Security is considered one of the top ranked risks of Cloud Computing (CC) due to the outsourcing of sensitive data onto a third party. In addition, the complexity of the cloud model results in a large number of heterogeneous security controls that must be consistently managed. Hence, no matter how strongly the cloud model is secured, organizations continue suffering from lack of trust on CC and remain uncertain about its security risk consequences. Traditional risk management frameworks do not consider the impact of CC security risks on the business objectives of the organizations. In this paper, we propose a novel Cloud Security Risk Management Framework (CSRMF) that helps organizations adopting CC identify, analyze, evaluate, and mitigate security risks in their Cloud platforms. Unlike traditional risk management frameworks, CSRMF is driven by the business objectives of the organizations. It allows any organization adopting CC to be aware of cloud security risks and align their low-level management decisions according to high-level business objectives. In essence, it is designed to address impacts of cloud-specific security risks into business objectives in a given organization. Consequently, organizations are able to conduct a cost-value analysis regarding the adoption of CC technology and gain an adequate level of confidence in Cloud technology. On the other hand, Cloud Service Providers (CSP) are able to improve productivity and profitability by managing cloud-related risks. The proposed framework has been validated and evaluated through a use-case scenario.

Asila AlHarmali,Saqib Ali,Waqas Aman,Omar Hussain

DOI: https://doi.org/10.5121/csit.2024.141608

2024-09-15

Abstract:Cyber-Physical Systems (CPS) integrate physical and embedded systems with information and communication technology systems, monitoring and controlling physical processes with minimal human intervention. The connection to information and communication technology exposes CPS to cyber risks. It is crucial to assess these risks to manage them effectively. This paper reviews scholarly contributions to cyber risk assessment for CPS, analyzing how the assessment approaches were evaluated and investigating to what extent they meet the requirements of effective risk assessment. We identify gaps limiting the effectiveness of the assessment and recommend real-time learning from cybersecurity incidents. Our review covers twenty-eight papers published between 2014 and 2023, selected based on a three-step search. Our findings show that the reviewed cyber risk assessment methodologies revealed limited effectiveness due to multiple factors. These findings provide a foundation for further research to explore and address other factors impacting the quality of cyber risk assessment in CPS.

Cryptography and Security

Xinwen Fu

DOI: https://doi.org/10.48550/arXiv.2209.13793

2022-09-28

Abstract:The concepts of Internet of Things (IoT) and Cyber Physical Systems (CPS) are closely related to each other. IoT is often used to refer to small interconnected devices like those in smart home while CPS often refers to large interconnected devices like industry machines and smart cars. In this paper, we present a unified view of IoT and CPS: from the perspective of network architecture, IoT and CPS are similar. In both IoT and CPS, networking/communication modules are attached to original dumb things so that those dumb things become smart and can be integrated into cyber space. If needed, actuators can also be integrated with a thing so as to control the thing. With this unified view, we can perform risk assessment of an IoT/CPS system from six factors, hardware, networking, operating system (OS), software, data and human. To illustrate the use of such risk analysis framework, we analyze an air quality monitoring network, smart home using smart plugs and building automation system (BAS). We also discuss challenges such as cost and secure OS in IoT security.

Cryptography and Security

In Lee

DOI: https://doi.org/10.3390/fi12090157

2020-09-18

Future Internet

Abstract:Along with the growing threat of cyberattacks, cybersecurity has become one of the most important areas of the Internet of Things (IoT). The purpose of IoT cybersecurity is to reduce cybersecurity risk for organizations and users through the protection of IoT assets and privacy. New cybersecurity technologies and tools provide potential for better IoT security management. However, there is a lack of effective IoT cyber risk management frameworks for managers. This paper reviews IoT cybersecurity technologies and cyber risk management frameworks. Then, this paper presents a four-layer IoT cyber risk management framework. This paper also applies a linear programming method for the allocation of financial resources to multiple IoT cybersecurity projects. An illustration is provided as a proof of concept.

Petar Radanliev,David De Roure,Carsten Maple,Jason R.C. Nurse,Razvan Nicolescu,Uchenna Ani

2024-10-12

Abstract:We present a dependency model tailored to the context of current challenges in data strategies and make recommendations for the cybersecurity community. The model can be used for cyber risk estimation and assessment and generic risk impact assessment.

Cryptography and Security,Artificial Intelligence,Software Engineering

Halima Ibrahim Kure,Shareeful Islam,Mustansar Ghazanfar,Asad Raza,Maruf Pasha

DOI: https://doi.org/10.1007/s00521-021-06400-0

2021-08-11

Neural Computing and Applications

Abstract:Risk management plays a vital role in tackling cyber threats within the cyber-physical system (CPS). It enables identifying critical assets, vulnerabilities and threats and determining suitable proactive control measures for the risk mitigation. However, due to the increased complexity of the CPS, cyber-attacks nowadays are more sophisticated and less predictable, which makes risk management task more challenging. This paper aims for an effective cybersecurity risk management (CSRM) practice using assets criticality, predication of risk types and evaluating the effectiveness of existing controls. We follow a number of techniques for the proposed unified approach including fuzzy set theory for the asset criticality, machine learning classifiers for the risk predication and comprehensive assessment model (CAM) for evaluating the effectiveness of the existing controls. The proposed approach considers relevant CSRM concepts such as asset, threat actor, attack pattern, tactic, technique and procedure (TTP), and controls and maps these concepts with the VERIS community dataset (VCDB) features for the risk predication. The experimental results reveal that using the fuzzy set theory in assessing assets criticality supports stakeholder for an effective risk management practice. Furthermore, the results have demonstrated the machine learning classifiers exemplary performance to predict different risk types including denial of service, cyber espionage and crimeware. An accurate prediction of risk can help organisations to determine the suitable controls in proactive manner to manage the risk.

computer science, artificial intelligence

Alexander Kott,Curtis Arnold

DOI: https://doi.org/10.48550/arXiv.1512.07937

2015-12-25

Abstract:We review the current status and research challenges in the area of cyber security often called continuous monitoring and risk scoring (CMRS). We focus on two most salient aspects of CMRS. First, continuous collection of data through automated feeds; hence the term continuous monitoring. Typical data collected for continuous monitoring purposes include network traffic information as well as host information from host-based agents. Second, analysis of the collected data in order to assess the risks - the risk scoring. This assessment may include flagging especially egregious vulnerabilities and exposures, or computing metrics that provide an overall characterization of the network's risk level. Currently used risk metrics are often simple sums or counts of vulnerabilities and missing patches. The research challenges pertaining to CMRS fall mainly into two categories. The first centers on the problem of integrating and fusing highly heterogeneous information. The second group of challenges is the lack of rigorous approaches to computing risk. Existing risk scoring algorithms remain limited to ad hoc heuristics such as simple sums of vulnerability scores or counts of things like missing patches or open ports, etc. Weaknesses and potentially misleading nature of such metrics are well recognized. For example, the individual vulnerability scores are dangerously reliant on subjective, human, qualitative input, potentially inaccurate and expensive to obtain. Further, the total number of vulnerabilities may matters far less than how vulnerabilities are distributed over hosts, or over time. Similarly, neither topology of the network nor the roles and dynamics of inter-host interactions are considered by simple sums of vulnerabilities or missing patches.

Cryptography and Security

Petar Radanliev,David C. De Roure,Jason R. C. Nurse,Rafael Mantilla Montalvo,Stacy Cannady,Omar Santos,La’Treall Maddox,Peter Burnap,Carsten Maple

DOI: https://doi.org/10.1007/s42452-019-1931-0

2020-01-08

SN Applied Sciences

Abstract:Abstract In this research article, we explore the use of a design process for adapting existing cyber risk assessment standards to allow the calculation of economic impact from IoT cyber risk. The paper presents a new model that includes a design process with new risk assessment vectors, specific for IoT cyber risk. To design new risk assessment vectors for IoT, the study applied a range of methodologies, including literature review, empirical study and comparative study, followed by theoretical analysis and grounded theory. An epistemological framework emerges from applying the constructivist grounded theory methodology to draw on knowledge from existing cyber risk frameworks, models and methodologies. This framework presents the current gaps in cyber risk standards and policies, and defines the design principles of future cyber risk impact assessment. The core contribution of the article therefore, being the presentation of a new model for impact assessment of IoT cyber risk.

English Else

Paul Griffioen,Bruno Sinopoli

DOI: https://doi.org/10.48550/arXiv.2110.07771

2021-10-14

Cryptography and Security

Abstract:Threat modeling and risk assessments are common ways to identify, estimate, and prioritize risk to national, organizational, and individual operations and assets. Several threat modeling and risk assessment approaches have been proposed prior to the advent of the Internet of Things (IoT) that focus on threats and risks in information technology (IT). Due to shortcomings in these approaches and the fact that there are significant differences between the IoT and IT, we synthesize and adapt these approaches to provide a threat modeling framework that focuses on threats and risks in the IoT. In doing so, we develop an IoT attack taxonomy that describes the adversarial assets, adversarial actions, exploitable vulnerabilities, and compromised properties that are components of any IoT attack. We use this IoT attack taxonomy as the foundation for designing a joint risk assessment and maturity assessment framework that is implemented as an interactive online tool. The assessment framework this tool encodes provides organizations with specific recommendations about where resources should be devoted to mitigate risk. The usefulness of this IoT framework is highlighted by case study implementations in the context of multiple industrial manufacturing companies, and the interactive implementation of this framework is available at http://iotrisk.andrew.cmu.edu.

Behrouz Zolfaghari,Abbas Yazdinejad,Ali Dehghantanha,Jacob Krzciok,Khodakhast Bibak

DOI: https://doi.org/10.48550/arXiv.2207.01590

2022-10-25

Abstract:In recent years, the existence of a significant cross-impact between Cloud computing and Internet of Things (IoT) has lead to a dichotomy that gives raise to Cloud-Assisted IoT (CAIoT) and IoT-Based Cloud (IoTBC). Although it is pertinent to study both technologies, this paper focuses on CAIoT, and especially its security issues, which are inherited from both Cloud computing and IoT. This study starts with reviewing existing relevant surveys, noting their shortcomings, which motivate a comprehensive survey in this area. We proceed to highlight existing approaches towards the design of Secure CAIoT (SCAIoT) along with related security challenges and controls. We develop a layered architecture for SCAIoT. Furthermore, we take a look at what the future may hold for SCAIoT with a focus on the role of Artificial Intelligence(AI).

Cryptography and Security

Najat Tissir,Said El Kafhali,Noureddine Aboutabit

DOI: https://doi.org/10.1007/s40860-020-00115-0

2020-10-19

Journal of Reliable Intelligent Environments

Abstract:Cloud Computing is an emerging paradigm that is based on the concept of distributed computing. Its definition is related to the use of computer resources which are offered as a service. As with any novel technology, Cloud Computing is subject to security threats, vulnerabilities, and attacks. Recently, the studies on security impact include the interaction of software, people and services on the Internet and that is called cyber-security or cyberspace security. In spite of various studies, we still fail to define the needs of cybersecurity management in Cloud Computing. This paper principally focuses on a comprehensive study of Cloud Computing concerns, security, cybersecurity differences, ISO, and NIST standards. It aims at identifying the policies and the guidelines included in these standards as well as it provides a comprehensive Framework proposal to manage and prevent cyber risks in Cloud Computing taking into consideration the ISO 27,032, ISO 27,001, ISO 27,017 and NIST cybersecurity Framework CSF. In addition to that, our study pinpoints at the criteria that concern measuring the maturity of organizations that implement the framework. Our objective is to provide guidance to organizations on how to establish their proper approach of cybersecurity risk management in Cloud Computing or to complement their ‘already have’ processes.

Jason R.C. Nurse,Petar Radanliev,Sadie Creese,David De Roure

DOI: https://doi.org/10.1049/cp.2018.0001

2018-06-28

Abstract:Security risk assessment methods have served us well over the last two decades. As the complexity, pervasiveness and automation of technology systems increases, particularly with the Internet of Things (IoT), there is a convincing argument that we will need new approaches to assess risk and build system trust. In this article, we report on a series of scoping workshops and interviews with industry professionals (experts in enterprise systems, IoT and risk) conducted to investigate the validity of this argument. Additionally, our research aims to consult with these professionals to understand two crucial aspects. Firstly, we seek to identify the wider concerns in adopting IoT systems into a corporate environment, be it a smart manufacturing shop floor or a smart office. Secondly, we investigate the key challenges for approaches in industry that attempt to effectively and efficiently assess cyber-risk in the IoT.

Cryptography and Security,Computers and Society,Networking and Internet Architecture

Xuan Zhang,Nattapong Wuwong,Hao Li,Xuejie Zhang

DOI: https://doi.org/10.1109/cit.2010.501

2010-06-01

Abstract:The security risks associated with each cloud delivery model vary and are dependent on a wide range of factors including the sensitivity of information assets, cloud architectures and security controls involved in a particular cloud environment [7]. Over time, organizations tend to relax their security posture. To combat a relaxation of security, the cloud provider should perform regular security assessments [3]. Risk management framework is one of security assessment tool to reduction of threats and vulnerabilities and mitigates security risks. The goal of this paper is to present information risk management framework for better understanding critical areas of focus in cloud computing environment, to identifying a threat and identifying vulnerability. This framework is covering all of cloud service models and cloud deployment models. Cloud provider can be applied this framework to organizations to do risk mitigation.

Urvashi Sangwan

DOI: https://doi.org/10.52783/jes.3233

2024-05-02

Abstract:Through the network's infrastructure, the IoT can impart perception, recognition, and remote control to inanimate objects. Due to IoT's characteristics, it's possible to integrate the real world into a digital system, which improves precision, productivity, and bottom line. While traditional internet infrastructure comprises of highly capable computers and servers, IoT gadgets have limited processing power and storage space. The authentication and key agreement system SecureAuthKey is very lightweight. The suggested technique is meant to solve the security and privacy problems that plague modern constraint-based CPS programmes. A lightweight approach for authenticating cyber-physical objects is one of the expected outcomes. Adaptation and autonomy in cyber-physical systems need not be compromised by a lack of trust or security in users' data or the devices themselves, according to a new type of security algorithm. To provide flexibility and scalability, a new middleware module has been developed on the Raspberry platform to facilitate communication between CPS-based devices and services. Secure Internet of Things (IoT) evaluation methodology that may be used in a variety of contexts and is user-focused. With the suggested system, the two CPS units will be able to authenticate one another. When a network grows larger, the possibility of an attack rises. Therefore, the IoT network is much more susceptible to attacks than conventional networks. As the number of connected devices grows, so do the number of potential threats to their security. To protect the IoT ecosystem from current threats, cutting-edge technology is essential. The proposed approach must be very efficient and have low computational overheads. It creates random session keys to protect wireless transmissions. The system is protected from a variety of cyber threats. The current constraint-based CPS system requires a new lightweight security solution.

Michele De Donno,Juxhino Kavaja,Nicola Dragoni,Antonio Bucchiarone,Manuel Mazzara

DOI: https://doi.org/10.48550/arXiv.1902.10071

2019-01-29

Abstract:The Internet of Things (IoT) is rapidly changing our society to a world where every "thing" is connected to the Internet, making computing pervasive like never before. This tsunami of connectivity and data collection relies more and more on the Cloud, where data analytics and intelligence actually reside. Cloud computing has indeed revolutionized the way computational resources and services can be used and accessed, implementing the concept of utility computing whose advantages are undeniable for every business. However, despite the benefits in terms of flexibility, economic savings, and support of new services, its widespread adoption is hindered by the security issues arising with its usage. From a security perspective, the technological revolution introduced by IoT and Cloud computing can represent a disaster, as each object might become inherently remotely hackable and, as a consequence, controllable by malicious actors. While the literature mostly focuses on security of IoT and Cloud computing as separate entities, in this article we provide an up-to-date and well-structured survey of the security issues of Cloud computing in the IoT era. We give a clear picture of where security issues occur and what their potential impact is. As a result, we claim that it is not enough to secure IoT devices, as cyber-storms come from Clouds.

Signal Processing