Development of a concept for cybersecurity metrics classification
Creators
- 1. National Technical University "Kharkiv Polytechnic Institute"
- 2. Lviv Polytechnic National University
- 3. National Defence University of Ukraine named after Ivan Cherniakhovskyi
- 4. National Aviation University
- 5. Simon Kuznets Kharkiv National University of Economics
- 6. Juridical Personnel Training Institute for the Security Service of Ukraine Yaroslav Mudryi National Law University
- 7. Ternopil Ivan Puluj National Technical University
Description
The development of the IT industry and computing resources enables the formation of cyber-physical social systems (CPSS), which integrate wireless mobile and Internet technologies and combine the Internet of Things with cyber-physical system technologies. To build protection systems while minimizing both computing and economic costs, various sets of security profiles are used to ensure the continuity of critical business processes. To assess and compare the level of CPSS security, assessment methods based on a set of metrics are generally used. Security metrics are tools for providing up-to-date information about the state of the security level and the cost characteristics/parameters of both the defense and attack sides. However, the choice of such sets is not always consistent or understandable to the average person. This, firstly, leads to the absence of a generally accepted and unambiguous definition of what it means for one system to be more secure than another. Secondly, it does not take into account the synergistic and hybrid nature of modern targeted attacks. Without this knowledge, it is impossible to show that a metric measures the security level objectively. Thirdly, there is no universal formal model for all metrics that could be used for rigorous analysis. The paper explores the possibility of defining a basic formal model (classifier) for analyzing security metrics. The proposed security assessment model takes into account not only the level of secrecy of information resources and the level of provision of security services, but also allows, based on the requirements put forward, forming the necessary set of security assessment metrics while taking into account the requirements for the continuity of business processes. The average value of the provision of security services to CPSS information resources is 0.99, with an average value of the security level of information resources of 0.8.
Files
Name | Size | Checksum |
---|---|---|
Development of a concept for cybersecurity metrics classification.pdf | 791.4 kB | md5:b9b9379c8423214effdedd4b82700e68 |