3 research outputs found

My problem or our problem? Exploring the use of information sharing as a component of a holistic approach to e-security in response to the growth of ‘malicious targeted attacks’

There is now a growing recognition amongst e-security specialists that the e-security environment faced by organisations is changing rapidly. In this environment, maliciously targeted attacks are conducted by ‘guns for hire’ (hackers) and/or criminal organisations (Illett 2005; Keiser 2005). As a consequence, conventional organisational approaches to e-security are becoming increasingly problematic and inadequate. There is a need to raise awareness of these issues amongst organisations and to contribute to the generation of effective integrated solutions that address this emerging e-security environment without sacrificing user privacy and/or breaching user trust. This paper considers the potential role of e-security information sharing between organisations as a key element in the development of the integrated responses advocated. Examining information sharing in other areas of business shows that there are mechanisms that can facilitate these behaviours and generate benefits for organisations. Despite this growing evidence, however, most organisations remain reluctant to engage in e-security related information sharing (Gross 2005). In examining these issues, this paper considers mechanisms for generating stronger evidence on the role and effectiveness of e-security information sharing and ways of overcoming organisational reluctance to implement them.

Feature models to boost the vulnerability management process

Vulnerability management is a critical and very challenging process that allows organisations to design a procedure to identify potential vulnerabilities, assess the level of risk, and define remediation mechanisms to address threats. However, the large number of configuration options in systems makes it extremely difficult to identify which configurations are affected by vulnerabilities, and even to assess how systems may be affected. There are several repositories that store information on systems, software vulnerabilities, and exploits. However, they are largely scattered, offer different formats and information, and their use has limitations, which complicates the automation of vulnerability management. For this reason, we introduce a discussion concerning modelling in vulnerability management and propose feature models as a means to capture the variability of software and system configurations in order to facilitate the vulnerability management process. This paper presents AMADEUS-Exploit, a feature model-based solution that provides query and reasoning mechanisms that make the process easier for vulnerability management experts. The power of AMADEUS-Exploit is shown and evaluated in three different ways: first, the solution is compared with other vulnerability management tools; second, the solution is compared with another solution in a complex scenario with 4,000 vulnerabilities and 700 exploits; and finally, our solution was used in a real project, demonstrating the usability of reasoning operations to determine potential vulnerabilities.

Funding: Junta de Andalucía COPERNICA (P20-01224); Junta de Andalucía METAMORFOSIS (US-1381375); Ministerio de Ciencia e Innovación AETHER-US PID2020-112540RB-C4

Quantifying Impact of Cyber Actions on Missions or Business Processes: A Multilayer Propagative Approach

Ensuring the security of cyberspace is one of the most significant challenges of the modern world because of its complexity. As the cyber environment becomes more integrated with the real world, cybersecurity problems increasingly have a direct impact on actual business. Therefore, operational and strategic decision makers in particular need to understand the cyber environment and its potential impact on business. Cyber risk has become a top agenda item for businesses all over the world and is listed as one of the most serious global risks, with significant financial implications for businesses. Risk analysis is one of the primary tools used in this endeavor. Impact assessment, as an integral part of risk analysis, tries to estimate the possible damage of a cyber threat to business. It provides the main insight into risk prioritization, as it incorporates business requirements into risk analysis for a better balance of security and usability. Moreover, impact assessment constitutes the main body of information flow between technical people and business leaders. Therefore, it requires an effective synergy of the technological and business aspects of cybersecurity for protection against cyber threats. The purpose of this research is to develop a methodology to quantify the impact of cybersecurity events, incidents, and threats. The developed method addresses the issue of impact quantification from an interdependent system-of-systems point of view. The objectives of this research are (1) developing a quantitative model to determine the impact propagation within a layer of an enterprise (i.e., the asset, service, or business process layer); (2) developing a quantitative model to determine the impact propagation among different layers within an enterprise; and (3) developing an approach to estimate the economic cost of a cyber incident or event.

Although there are various studies in cybersecurity risk quantification, only a few focus on impact assessment at the business process layer by considering ripple effects at both the horizontal and vertical layers. This research develops an approach that quantifies the economic impact of cyber incidents, events, and threats on business processes by considering the horizontal and vertical interdependencies and impact propagation within and among layers.