Michael Stoltz

DOI: https://doi.org/10.48550/arxiv.2405.07094

2024-05-11

Cryptography and Security

Abstract:This informative report provides a comprehensive analysis of how executive federal report agencies implement the National Institute of Standards and Technology's (NIST) Risk Management Framework (RMF) to achieve cybersecurity compliance. By exploring the concept and evolution of the RMF, the report delves into the framework's importance for enhancing cybersecurity measures within federal agencies, addressing the challenges these agencies face in the digital landscape. Through a methodical literature review, the report examines theoretical foundations, implementation strategies, and the critical role of continuous monitoring and automation in RMF processes, drawing from key sources like Ross (2014), Lubell (2020), Barrett et al. (2021), and Pillitteri et al. (2021, 2022), among others. Employing a detailed methodology for data collection and analysis, the report presents findings on the successes and challenges of RMF implementation, highlighting the impact of automation and continuous monitoring in bolstering cybersecurity postures. Case studies offer in-depth insights into the experiences of specific agencies, providing lessons learned and best practices. The report concludes with strategic recommendations for overcoming implementation challenges and suggests future directions for enhancing RMF research and practice. This investigation underscores the RMF's critical role in establishing robust cybersecurity compliance across executive federal agencies, offering valuable recommendations for policymakers, cybersecurity professionals, and governmental bodies.

J. Initiative

DOI: https://doi.org/10.6028/nist.sp.800-37r2

2018-12-01

Abstract:This publication provides guidelines for applying the Risk Management Framework (RMF) to information systems and organizations. The RMF includes a disciplined, structured, and flexible process for organizational asset valuation; control selection, implementation, and assessment; system and common control authorizations; and continuous monitoring. It also includes activities to help prepare organizations to execute the RMF at the information system level. The RMF promotes the concept of near real-time risk management and ongoing system and common control authorization through the implementation of continuous monitoring processes; provides senior leaders and executives with the necessary information to make efficient, cost-effective, risk management decisions about the systems supporting their missions and business functions; and integrates security and privacy into the system development life cycle. Executing the RMF tasks enterprise-wide helps to link essential risk management processes at the system level to risk management processes at the organization level. In addition, it establishes responsibility and accountability for the controls implemented in organizational information systems and inherited by those systems. The RMF incorporates concepts from the Framework for Improving Critical Infrastructure Cybersecurity that complement the well-established risk management processes mandated by the Office of Management and Budget and the Federal Information Security Modernization Act.

Computer Science,Business

Alexander A. Ganin,Phuoc Quach,Mahesh Panwar,Zachary A. Collier,Jeffrey M. Keisler,Dayton Marchese,Igor Linkov

DOI: https://doi.org/10.1111/risa.12891

2017-09-05

Risk Analysis

Abstract:Risk assessors and managers face many difficult challenges related to novel cyber systems. Among these challenges are the constantly changing nature of cyber systems caused by technical advances, their distribution across the physical, information, and sociocognitive domains, and the complex network structures often including thousands of nodes. Here, we review probabilistic and risk-based decision-making techniques applied to cyber systems and conclude that existing approaches typically do not address all components of the risk assessment triplet (threat, vulnerability, consequence) and lack the ability to integrate across multiple domains of cyber systems to provide guidance for enhancing cybersecurity. We present a decision-analysis-based approach that quantifies threat, vulnerability, and consequences through a set of criteria designed to assess the overall utility of cybersecurity management alternatives. The proposed framework bridges the gap between risk assessment and risk management, allowing an analyst to ensure a structured and transparent process of selecting risk management alternatives. The use of this technique is illustrated for a hypothetical, but realistic, case study exemplifying the process of evaluating and ranking five cybersecurity enhancement strategies. The approach presented does not necessarily eliminate biases and subjectivity necessary for selecting countermeasures, but provides justifiable methods for selecting risk management actions consistent with stakeholder and decisionmaker values and technical data.

public, environmental & occupational health,mathematics, interdisciplinary applications,social sciences, mathematical methods

Michel Dacorogna,Marie Kratz

2023-02-05

Abstract:Not a day goes by without news about a cyber attack. Fear spreads out and lots of wrong ideas circulate. This survey aims at showing how all these uncertainties about cyber can be transformed into manageable risk. After reviewing the main characteristics of cyber risk, we consider the three layers of cyber space: hardware, software and psycho-cognitive layer. We ask ourselves how is this risk different from others, how modelling has been tackled and needs to evolve, and what are the multi-facetted aspects of cyber risk management. This wide exploration pictures a science in the making and points out the questions to be solved for building a resilient society.

Cryptography and Security

Nicole M. Radziwill,Morgan C. Benton

DOI: https://doi.org/10.48550/arXiv.1707.02653

2017-07-09

Cryptography and Security

Abstract:There is no standard yet for measuring and controlling the costs associated with implementing cybersecurity programs. To advance research and practice towards this end, we develop a mapping using the well-known concept of quality costs and the Framework Core within the Cybersecurity Framework produced by the National Institute of Standards and Technology (NIST) in response to the Cybersecurity Enhancement Act of 2014. This mapping can be easily adopted by organizations that are already using the NIST CSF for cybersecurity risk management to plan, manage, and continually improve cybersecurity operations. If an organization is not using the NIST CSF, this mapping may still be useful for linking elements in accounting systems that are associated with cybersecurity operations and risk management to a quality cost model.

Wing Fung Chong,Runhuan Feng,Hins Hu,Linfeng Zhang

2023-10-23

Abstract:Cyber risk is an omnipresent risk in the increasingly digitized world that is known to be difficult to manage. This paper proposes a two-pillar cyber risk management framework to address such difficulty. The first pillar, cyber risk assessment, blends the frequency-severity model in insurance with the cascade model in cybersecurity, to capture the unique feature of cyber risk. The second pillar, cyber capital management, provides informative decision-making on a balanced cyber risk management strategy, which includes cybersecurity investments, insurance coverage, and reserves. This framework is demonstrated by a case study based on a historical cyber incident dataset, which shows that a comprehensive cost-benefit analysis is necessary for a budget-constrained company with competing objectives for cyber risk management. Sensitivity analysis also illustrates that the best strategy depends on various factors, such as the amount of cybersecurity investments and the effectiveness of cybersecurity controls.

Risk Management,Cryptography and Security,Optimization and Control

Ejiofor Oluomachi,Akinsola Ahmed,Wahab Ahmed,Edozie Samson

DOI: https://doi.org/10.29322/IJSRP.14.02.2023.p14610

2024-04-17

Abstract:This article assesses the effectiveness of current cybersecurity regulations and policies in the United States amidst the escalating frequency and sophistication of cyber threats. The focus is on the comprehensive framework established by the U.S. government, with a spotlight on the National Institute of Standards and Technology (NIST) Cybersecurity Framework and key regulations such as HIPAA, GLBA, FISMA, CISA, CCPA, and the DOD Cybersecurity Maturity Model Certification. The study evaluates the impact of these regulations on different sectors and analyzes trends in cybercrime data from 2000 to 2022. The findings highlight the challenges, successes, and the need for continuous adaptation in the face of evolving cyber threats

Cryptography and Security,Computers and Society

Jiehua Zhong,Xi Wang,Tao Zhang

DOI: https://doi.org/10.53759/7669/jmc202404015

2024-01-05

Journal of Machine and Computing

Abstract:Cybersecurity is a big issue for major multinational corporations in today's lightning-fast digital world. Risk management and Network Security Governance (NSG) are complex, and this paper discusses the challenges and strategies needed to protect digital assets in a more vulnerable cyber environment. Cyber threats are constantly changing, technological integration is complex, and regulatory compliance is severe, all of which make it more challenging to maintain robust network security. NSG requires strong security rules and standards, which this conversation must address. The ever-changing threat environment demands that these regulations be open, accurate, and flexible. Risk management identifying, assessing, and mitigating threats—is essential to regulatory compliance and organizational reputation, according to the article. Risk mitigation methods like proactive, investigative, and remedial approaches are examined, along with cybersecurity advancements like Artificial Intelligence (AI) and Machine Learning (ML). In solving network security issues, the text emphasizes continuous learning, collaboration, and information sharing. Network Security Governance and Risk Management (NSGRM) is complex and dynamic, and this study covers its challenges and strategies.

Scott Paquette,Paul T. Jaeger,Susan C. Wilson

DOI: https://doi.org/10.1016/j.giq.2010.01.002

IF: 8.49

2010-07-01

Government Information Quarterly

Abstract:Cloud computing, which refers to an emerging computing model where machines in large data centers can be used to deliver services in a scalable manner, has become popular for corporations in need of inexpensive, large scale computing. Recently, the United States government has begun to utilize cloud computing architectures, platforms, and applications to deliver services and meet the needs of their constituents. Surrounding the use of cloud computing are many risks that can have major impacts on the information and services supported by this technology. This paper discusses the current use of cloud computing in government, and the risks–tangible and intangible–associated with its use. Examining specific cases of government cloud computing, this paper explores the level of understanding of the risks by the departments and agencies that implement this technology. This paper argues that a defined risk management program focused on cloud computing is an essential part of the government IT environment.

information science & library science

DOI: https://doi.org/10.33140/aurdp.01.01.02

2024-02-27

Abstract:Background: Cyber Security is to protect online data and software from cyber threats. These cyberattacks are typically intended to gain access to, change, or delete sensitive information; extort money from users; or disrupt regular corporate activities. It is difficult to keep up a regular follow up with new technologies, so it is necessary to keep the important data safe from cyber threats. There are many types of cyber threats, malware, ransomware, social engineering, phishing etc. To prevent cyber-attacks one can, use password manager tools like LastPass and others. People also use two factor authentication for double security on their accounts. Methods: Boards such as the National Institute of Standards and Technology (NIST) are developing frameworks to assist firms in understanding their security risks, improving cybersecurity procedures, and preventing cyber assaults. The fight against cybercrimes and attack, organizations needed a strong base there are 5 types of cyber securities: Critical Infrastructure Security, application security, network security, cloud security and (IoT) Security. In the modern time the US is highly based on computers and on different software, so it is really important for the US to be more conscious about the security as they get many threats almost every day for hacking their data and accounts. Results and Conclusion: Nowadays, even small businesses rarely recover their loss from the cyber-attacks and many back-off from continuing their businesses after being target of hackers. The first cybercrime attack was recorded in 1988 by a graduate student. Now that large companies and even small businesses are aware of cyber-attacks, they try their best to take every precaution to prevent hacking with double security and password manager tools.

Gregor Svindland,Alexander Voß

2024-10-25

Abstract:We introduce a decision-making framework tailored for the management of systemic risk in networks. This framework is constructed upon three fundamental components: (1) a set of acceptable network configurations, (2) a set of interventions aimed at risk mitigation, and (3) a cost function quantifying the expenses associated with these interventions. While our discussion primarily revolves around the management of systemic cyber risks in digital networks, we concurrently draw parallels to risk management of other complex systems where analogous approaches may be adequate.

Risk Management,Cryptography and Security,Discrete Mathematics,Networking and Internet Architecture,Systems and Control

Najat Tissir,Said El Kafhali,Noureddine Aboutabit

DOI: https://doi.org/10.1007/s40860-020-00115-0

2020-10-19

Journal of Reliable Intelligent Environments

Abstract:Cloud Computing is an emerging paradigm that is based on the concept of distributed computing. Its definition is related to the use of computer resources which are offered as a service. As with any novel technology, Cloud Computing is subject to security threats, vulnerabilities, and attacks. Recently, the studies on security impact include the interaction of software, people and services on the Internet and that is called cyber-security or cyberspace security. In spite of various studies, we still fail to define the needs of cybersecurity management in Cloud Computing. This paper principally focuses on a comprehensive study of Cloud Computing concerns, security, cybersecurity differences, ISO, and NIST standards. It aims at identifying the policies and the guidelines included in these standards as well as it provides a comprehensive Framework proposal to manage and prevent cyber risks in Cloud Computing taking into consideration the ISO 27,032, ISO 27,001, ISO 27,017 and NIST cybersecurity Framework CSF. In addition to that, our study pinpoints at the criteria that concern measuring the maturity of organizations that implement the framework. Our objective is to provide guidance to organizations on how to establish their proper approach of cybersecurity risk management in Cloud Computing or to complement their ‘already have’ processes.

Xuan Zhang,Nattapong Wuwong,Hao Li,Xuejie Zhang

DOI: https://doi.org/10.1109/cit.2010.501

2010-06-01

Abstract:The security risks associated with each cloud delivery model vary and are dependent on a wide range of factors including the sensitivity of information assets, cloud architectures and security controls involved in a particular cloud environment [7]. Over time, organizations tend to relax their security posture. To combat a relaxation of security, the cloud provider should perform regular security assessments [3]. Risk management framework is one of security assessment tool to reduction of threats and vulnerabilities and mitigates security risks. The goal of this paper is to present information risk management framework for better understanding critical areas of focus in cloud computing environment, to identifying a threat and identifying vulnerability. This framework is covering all of cloud service models and cloud deployment models. Cloud provider can be applied this framework to organizations to do risk mitigation.

Jonathan Whitaker,Shital Thekdi

DOI: https://doi.org/10.1111/risa.17644

2024-09-07

Abstract:Cybersecurity events can cause business disruptions, health and safety repercussions, financial costs, and negative publicity for large firms, and executives rank cybersecurity as a top operational concern. Although cybersecurity may be the most publicized information systems (IS) risk, large firms face a range of IS risks. Over the past three decades, researchers developed frameworks to categorize and evaluate IS risks. However, there have been few updates to these frameworks despite numerous technological advances, and we are not aware of any research that uses empirical data to map actual IS risks cited by large firms to these frameworks. To address this gap, we coded and analyzed text data from Item 1A (Risk Factors) of the fiscal year 2020 Securities and Exchange Commission Forms 10-K for all Fortune 1000 firms. We build on prior research to develop a framework that places 25 IS risks into four quadrants and 10 categories, and we record the number and type of IS risks cited by each firm. The risk of cyberattack is cited by virtually all Fortune 1000 firms, and the risk of software/hardware failure is cited by 90% of Fortune 1000 firms. Risks associated with data privacy law compliance are cited by 70% of Fortune 1000 firms, and risks associated with internet/telecommunications/power outage, human error, and natural disasters/terrorism are cited by 60% of Fortune 1000 firms. We perform additional analysis to identify differences in risk citation based on industry and financial measures.

Sean P. Gorman,Rajendra G. Kulkarni,Laurie A. Schintler,Roger R. Stough

DOI: https://doi.org/10.48550/arXiv.cond-mat/0306002

2003-05-30

Disordered Systems and Neural Networks

Abstract:Cybersecurity is an issue of increasing concern since the events of September 11th. Many questions have been raised concerning the security of the Internet and the rest of the US's information infrastructure. This paper begins to examine the issue by analyzing the Internet's autonomous system (AS) map. Using the AS map, malicious infections are simulated and different defense strategies are considered in a cost benefit framework. The results show that protecting the most connected nodes provides significant gains in security and that after the small minority of most connected nodes are protected there are diminishing returns for further protection. Although if parts of the small minority are not protected, such as non-US networks, protection levels are significantly decreased.

Gregory Falco,Eric Rosenbach

DOI: https://doi.org/10.1093/oso/9780197526545.003.0004

2021-11-18

Abstract:The question “What do I need to know about cyber frameworks, standards, and laws?” distills the complex landscape of cyber risk laws, requirements, and standards. The chapter begins with a case study on Nielsen Holdings’ legal and business trouble with the European General Data Protection Regulation (GDPR). It distinguishes compliance from security—explaining how readers can achieve both—and clarifies the dynamic, complex legal landscape in a world of ever-evolving cyber risk. It reviews legislation relating to cyber risk including the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GBLA), the Federal Information Security Management Act (FISMA), and GDPR. The chapter describes the importance of adopting the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework, creating a cyber policy/act/law/regulation “watch list” and purchasing cyber insurance. At the chapter’s end Falco shares Embedded Endurance strategy insight from his experience leading a team developing a cyber standard of care.

Viktor Sarancha,Viktoriia Shabunina,Oksana Tur

DOI: https://doi.org/10.32461/2409-9805.3.2023.290991

2023-11-15

Abstract:The purpose of the article is a comprehensive analysis of the American concept of threats to information security and determination of priority areas of the US’s activity in creating a secure national cyberspace. The methodological basis of the study is general scientific and special methods of cognition, in particular, systemic approach, analysis, synthesis, and logical method. Methods of content analysis, comparative and analytical monitoring of Internet resources of US government bodies responsible for information security are also used. The scientific novelty of the study consists in the expansion of ideas about theoretical aspects in the field of information security and the systematic analysis of instrumental, conceptual foundations and practical aspects of information security in the United States. Conclusions. The globalisation of information systems has created a completely new situation in the security field. In cyberspace the main threat to the US national security comes from states and intermediaries acting in their interests. They have the necessary skills and technologies to carry out destructive cyberattacks for military and political purposes, and also effectively use cyberespionage methods, which not only entails economic losses, but also causes great damage to strategically important industries for the US. The American concept covers such three key levels of cyber security as the state, private business and individual users. There are such defence priorities for the United States as ensuring the protection of critical infrastructure, information networks and systems; quality control of used IT equipment; formation of effective mechanisms of interlevel communication and raising awareness at all levels. An important component of the US National Cyber Strategy is international cooperation on information security issues. In this regard, at the international level the United States seeks to implement such opportunities as to encourage countries to increase responsibility for ensuring the security of information systems and networks at the national and global level; to create the legal regime necessary to ensure cross-border access to information; to form a regime of collective cyber defence within the framework of NATO and other bilateral and multilateral agreements with strategic partners; to preserve the maximum possible freedom of action in cyberspace in order to conduct all types of information operations both during military conflicts and in peacetime. Keywords: cyberspace, information threat, information war, information security, information management, informatisation, ICT.

Feras A. Batarseh

DOI: https://doi.org/10.48550/arXiv.2206.09465

2022-07-21

Abstract:Cybersecurity threats affect all aspects of society; critical infrastructures (such as networks, corporate systems, water supply systems, and intelligent transportation systems) are especially prone to attacks and can have tangible negative consequences on society. However, these critical cyber systems are generally governed by multiple jurisdictions, for instance the Metro in the Washington, D.C. area is managed by the states of Virginia and Maryland, as well as the District of Columbia (DC) through Washington Metropolitan Area Transit Authority (WMATA). Additionally, the water treatment infrastructure managed by DC Water consists of waste water input from Fairfax and Arlington counties, and the district (i.e. DC). Additionally, cyber attacks usually launch from unknown sources, through unknown switches and servers, and end up at the destination without much knowledge on their source or path. Certain infrastructures are shared amongst multiple countries, another idiosyncrasy that exacerbates the issue of governance. This law paper however, is not concerned with the general governance of these infrastructures, rather with the ambiguity in the relevant laws or doctrines about which authority would prevail in the context of a cyber threat or a cyber-attack, with a focus on federal vs. state issues, international law involvement, federal preemption, technical aspects that could affect lawmaking, and conflicting responsibilities in cases of cyber crime. A legal analysis of previous cases is presented, as well as an extended discussion addressing different sides of the argument.

Social and Information Networks,Cryptography and Security

Halima Ibrahim Kure,Shareeful Islam,Mustansar Ghazanfar,Asad Raza,Maruf Pasha

DOI: https://doi.org/10.1007/s00521-021-06400-0

2021-08-11

Neural Computing and Applications

Abstract:Risk management plays a vital role in tackling cyber threats within the cyber-physical system (CPS). It enables identifying critical assets, vulnerabilities and threats and determining suitable proactive control measures for the risk mitigation. However, due to the increased complexity of the CPS, cyber-attacks nowadays are more sophisticated and less predictable, which makes risk management task more challenging. This paper aims for an effective cybersecurity risk management (CSRM) practice using assets criticality, predication of risk types and evaluating the effectiveness of existing controls. We follow a number of techniques for the proposed unified approach including fuzzy set theory for the asset criticality, machine learning classifiers for the risk predication and comprehensive assessment model (CAM) for evaluating the effectiveness of the existing controls. The proposed approach considers relevant CSRM concepts such as asset, threat actor, attack pattern, tactic, technique and procedure (TTP), and controls and maps these concepts with the VERIS community dataset (VCDB) features for the risk predication. The experimental results reveal that using the fuzzy set theory in assessing assets criticality supports stakeholder for an effective risk management practice. Furthermore, the results have demonstrated the machine learning classifiers exemplary performance to predict different risk types including denial of service, cyber espionage and crimeware. An accurate prediction of risk can help organisations to determine the suitable controls in proactive manner to manage the risk.

computer science, artificial intelligence

DOI: https://doi.org/10.47191/jefms/v5-i9-03

2022-09-03

Abstract:All public and private sector organizations are vulnerable to internal and external integrity risks, such as fraud and corruption and others. In the absence of mechanisms to identify, analyze and manage these risks, they can have negative consequences such as economic losses, security applications and reputational applications. In turn, these impacts can erode citizens' trust in public services and trust in government. In order to preserve the integrity of public sector organizations, effective risk management systems are essential, especially in high-risk areas, such as financial management, information technology, fraud and corruption among others. in a context characterized by an uncertain organizational environment. By adopting a risk-based approach, public sector organizations can apply laudable controls that strengthen oversight, without unduly burdening the organization or impairing efficiency. At the same time, it can reduce the perception of excessive control burden among staff and thus reinforce their full commitment to integrity. The objective of our article is to define new concepts relating to the study of risk and risk management in the public sector.