19 research outputs found

    Can maturity models support cyber security?

    © 2016 IEEE. We are living in a cyber space with an unprecedented rapid expansion of the space and its elements. All interactive information is processed and exchanged via this space. Clearly, well-built cyber security is vital to ensure the security of the cyber space. However, the definitions and scopes of both cyber space and cyber security are still not well defined, and this makes it difficult to establish sound security models and mechanisms for protecting this space. Out of existing models, maturity models offer a manageable approach for assessing the security level of a system or organization. The paper first provides a review of various definitions of cyber space and cyber security in order to ascertain a common understanding of the space and its security. The paper investigates existing security maturity models, focusing on their defining characteristics and identifying their strengths and weaknesses. Finally, the paper discusses and suggests measures for a sound and applicable cyber security model.

    Current cybersecurity maturity models: How effective in healthcare cloud?

    This research investigates the effective assessment of healthcare cyber security maturity models for healthcare organizations actively using cloud computing. Healthcare cyber security maturity models designate a collection of capabilities expected in a healthcare organization and facilitate its ability to identify where its practices are weak or absent and where they are truly embedded. However, these assessment practices are sometimes considered not effective because sole compliance to standards does not produce objective assessment outputs, and the performance measurements of individual IS components do not depict the overall security posture of a healthcare organization. They also do not consider the effect of the characteristics of cloud computing in healthcare. This paper presents a literature review of maturity models for cloud security assessment in healthcare and argues the need for a cloud security maturity model for healthcare organizations. This review seeks to articulate the present lack of research in this area and present relevant healthcare cloud-specific security concerns.

    Capability maturity model and metrics framework for cyber cloud security

    © 2017 SCPE. Cyber space is affecting all areas of our life. Cloud computing is the cutting-edge technology of this cyber space and has established itself as one of the most important resource-sharing technologies for future on-demand services and infrastructures that support Internet of Things (IOTs), big data platforms and software-defined systems/services. More than ever, security is vital for the cloud environment. There exist several cloud security models and standards dealing with emerging cloud security threats. However, these models are mostly reactive rather than proactive, and they do not provide adequate measures to assess the overall security status of a cloud system. Out of existing models, capability maturity models, which have been used by many organizations, offer a realistic approach to address these problems using management by security domains and security assessment on maturity levels. The aim of the paper is twofold: first, it provides a review of capability maturity models and security metrics; second, it proposes a cloud security capability maturity model (CSCMM) that extends existing cyber security models with a security metric framework.

    A Novel Capability Maturity Model with Quantitative Metrics for Securing Cloud Computing

    University of Technology Sydney. Faculty of Engineering and Information Technology.

    Cloud computing is a cutting-edge technology for building resource-sharing, on-demand infrastructures that support Internet of Things (IOTs), big data analytics, and software-defined systems/services. However, cloud infrastructures and their interconnections are increasingly exposed to attackers while accommodating a massive number of IOT devices and provisioning numerous sophisticated emerging applications. There exist several cloud security models and standards dealing with emerging cloud security threats. They provide simplistic and brute-force approaches to addressing the cloud security problems: preventing security breaches by cautiously avoiding possible causes or fixing them through trial-and-error attempts. Two major issues have been identified with the current approach to cloud security. First, it lacks quantitative measures in assessing the security level of security domains within a cloud space. Second, it lacks a model that can depict the overall security status of the cloud system. In the light of the above, the aim of this dissertation is to investigate relevant quantitative security metrics and propose a novel Capability Maturity Model with Quantitative Security Metrics for Securing Cloud Computing. First, we propose a new security metric named Mean Security Remediation Cost to assess the cost attributed to cloud stakeholders when a security attack has occurred. Moreover, we propose three different novel quantitative models for quantifying the probability of a cloud threat materialising into an attack. Second, a new Cloud Security Capability Maturity Model (CSCMM) for the cloud will be proposed. The model includes cloud-specific security domains and the quantitative assessment of the overall security of the cloud under consideration. To support the measuring of security maturity levels, a security metric framework is introduced.
    The CSCMM Model will be quantitatively validated by the proposed security metrics. We evaluate the model in a cloud computing environment and compare the consequences by simulating different parameters of the proposed quantitative security metric. The thesis contributes to the theoretical body of knowledge in cloud security. The thesis proposes for the first time a Capability Maturity Model for cloud security. Additionally, the novel model will be used in practice by managers, security experts and practitioners for both assessing the overall security status of the organisation/system and taking new quantitative measures to mitigate weaknesses of any specific aspects of the system as identified by the assessment. The major research outcomes from the thesis have been delivered in academic papers published in international peer-reviewed journals and conferences in cyber security and cloud computing.

    When should an organisation start vulnerability management?

    Starting vulnerability management can be a major challenge for many organisations, but these organisations are required to perform vulnerability management, for example through standards, regulations or business relationships. The aim of the study was to produce easily understandable documentation on cyber security that helps organisations begin vulnerability management. To support cyber security as a basis for starting vulnerability management, a comparison of different cyber security frameworks, cyber security maturity models and vulnerability management implementation processes was needed. The study began by searching for suitable research subjects among cyber security frameworks, cyber security maturity models and vulnerability management implementation processes. The research subjects found were studied and their characteristics compared analytically. The comparison revealed the strengths, weaknesses and distinctive features of the research subjects. The conclusion of the study was that no definitive cyber security framework, cyber security maturity model or vulnerability management implementation process suitable for all organisations was found. It can nevertheless be stated that the study produced sufficient documentation for building organisations' cyber security and for starting vulnerability management.

    Organisations may find vulnerability management very difficult to start conducting, but they are obligated to perform vulnerability management due to various requirements which may come from standards, regulations or business relationships. The objective of the research was to compile an easy-to-understand document about a cyber security program for an organisation which allows them to begin vulnerability management.
    To support this cyber security program as a strong base for vulnerability management, cyber security frameworks and cyber security maturity models needed to be compared and presented. The research started by searching for good research subjects among cyber security frameworks, cyber security maturity models and vulnerability management implementation processes. These research subjects were then studied and their features compared analytically. The comparison results and analysis found some strengths and weaknesses of the research subjects. As the conclusion of the research, there was no definite answer for all organisations about cyber security frameworks, cyber security maturity models or vulnerability management models. The research should provide decent support for organisations to build a strong basis for their cyber security program and begin vulnerability management.

    A Holistic Cybersecurity Maturity Assessment Framework for Higher Education Institutions in the United Kingdom

    As organisations are vulnerable to cyber attacks, their protection becomes a significant issue. Capability Maturity Models can enable organisations to benchmark current maturity levels against best practices. Although many maturity models have already been proposed in the literature, a need for models that integrate several regulations exists. This article presents a light web-based model that can be used as a cyber security assessment tool for Higher Education Institutes (HEIs) of the United Kingdom. The novel Holistic Cybersecurity Maturity Assessment Framework incorporates all security and privacy regulations and best practices that HEIs must be compliant with, and can be used as a self-assessment or a cybersecurity audit tool.

    A Holistic Cybersecurity Maturity Assessment Framework for Higher Education Institutions in the United Kingdom

    As organisations are vulnerable to cyberattacks, their protection becomes a significant issue. Capability Maturity Models can enable organisations to benchmark current maturity levels against best practices. Although many maturity models have already been proposed in the literature, a need for models that integrate several regulations exists. This article presents a light, web-based model that can be used as a cybersecurity assessment tool for Higher Education Institutes (HEIs) of the United Kingdom. The novel Holistic Cybersecurity Maturity Assessment Framework incorporates all security regulations, privacy regulations, and best practices that HEIs must be compliant with, and can be used as a self-assessment or a cybersecurity audit tool.

    The global cyber security model: counteracting cyber attacks through a resilient partnership arrangement

    In this paper, insights are provided into how senior managers can establish a global cyber security model that raises cyber security awareness among staff in a partnership arrangement and ensures that cyber attacks are anticipated and dealt with in real time. We deployed a qualitative research strategy that involved a group interview with cyber security and intelligence experts. The coding approach was used to identify the themes in the data and, in addition, a number of categories and subcategories were identified. The mind map approach was utilized to identify the thought processes of senior managers in relation to ensuring that the cyber security management process is effective. The global cyber security model can be used by senior managers to establish a framework for dealing with a range of cyber security attacks, as well as to upgrade the cyber security skill and knowledge base of individuals. In order for a cyber security mentality to be established, senior managers need to ensure that staff are focused on organizational vulnerability and resilience, that there is an open and transparent communication process in place, and that staff are committed to sharing cyber security knowledge. By placing cyber security within the context of a partnership arrangement, senior managers can adopt a collectivist approach to cyber security and benefit from the knowledge of external experts.