    Comprehensive Security Research to Contribute to Critical Infrastructure Protection Contributions to Security Governance in Disaster Risk Reduction

    Critical infrastructure protection (CIP) has become a major issue in civil security, emergency management and natural hazard management. The all-hazard approach has gained ground on the international scale, and the “comprehensive approach” in security policies and security research has been advanced in order to meet current and future threats on the basis of better integrated information, assessment, policies and capabilities. This paper aims to showcase this “comprehensive approach”, highlighting its character and its cross-links to CI, natural hazard and disaster management. The paper also contributes to a broader perspective on CIP by addressing current European political concepts and socio-cultural conditions, as well as possible future EU roles. A focus is put on international critical infrastructure (CI) risks, and results from an Integrated Risk Taxonomy are presented. The paper concludes by proposing socio-cultural aspects as future research topics related to CI risks and security governance.

    Vulnerability modelling and mitigation strategies for hybrid networks

    Hybrid networks nowadays consist of traditional IT components, Internet of Things (IoT) nodes and industrial control system (ICS) nodes with varying characteristics, making them genuinely heterogeneous in nature. Having evolved historically from traditional internet-enabled IT servers, hybrid networks allow organisations to strengthen cybersecurity, increase flexibility, improve efficiency, enhance reliability, boost remote connectivity and simplify management. Though hybrid networks offer significant benefits from business and operational perspectives, this integration has increased the complexity and the security challenges for all connected nodes. The IT servers of these hybrid networks are high-budget devices with tremendous processing power and significant storage capacity. In contrast, IoT nodes are low-cost devices with limited processing power and capacity. In addition, the ICS nodes are programmed for dedicated functions with the least possible interference. The available cybersecurity solutions for hybrid networks are either designed for specific node types or address particular weaknesses. Because of these distinct characteristics, such solutions may leave other nodes in vulnerable positions. This study addresses this gap by proposing a comprehensive vulnerability modelling and mitigation strategy. The proposed solution applies equally to each node type of a hybrid network while considering their unique characteristics. For this purpose, the industry-wide adopted Common Vulnerability Scoring System (CVSS) has been extended to embed the distinct characteristics of each node type in a hybrid network. To embed IoT features, the ‘attack vector’ and ‘attack complexity’ metrics are modified and another metric, the “human safety index”, is integrated into the ‘Base metric group’ of CVSS. In addition, the ICS-related characteristics are included in the ‘Environmental metric group’ of CVSS. This metric group is further enhanced to reflect node resilience capabilities when evaluating the vulnerability score. The resilience of a node is evaluated by analysing the complex relationship between numerous contributing cyber security factors and practices. The evolved CVSSR-IoT-ICS framework proposed in the thesis measures the given vulnerabilities by adopting the unique dynamics of each node. These vulnerability scores are then mapped onto the attack tree to reveal the critical nodes and the shortest path to the target node. The mitigation strategy framework suggests the most efficient mitigation strategy to counter vulnerabilities by examining the node’s functionality, locality, centrality, criticality, cascading impacts, available resources and performance thresholds. Various case studies were conducted to analyse and evaluate the proposed vulnerability modelling and mitigation strategies on realistic supply chain systems. These analyses and evaluations confirm that the proposed solutions are highly effective for modelling the vulnerabilities, while the mitigation strategies reduce the risks in dynamic and resource-constrained environments. The unified vulnerability modelling of hybrid networks minimises ambiguities, reduces complexities and identifies hidden deficiencies. It also improves the system reliability and performance of heterogeneous networks while at the same time gaining acceptance for a universal vulnerability modelling framework across the cyber industry. The contributions have been published in reputable journals and conferences.
    Doctor of Philosoph

    Framework for Security Transparency in Cloud Computing

    The migration of sensitive data and applications from the on-premise data centre to a cloud environment increases cyber risks to users, mainly because the cloud environment is managed and maintained by a third party. In particular, the partial surrender of sensitive data and applications to a cloud environment creates numerous concerns that are related to a lack of security transparency. Security transparency involves the disclosure of information by cloud service providers about the security measures being put in place to protect assets and meet the expectations of customers. It establishes trust in the service relationship between cloud service providers and customers; without evidence of continuous transparency, trust and confidence are affected and are likely to hinder extensive usage of cloud services. Also, insufficient security transparency is considered an added level of risk: it increases the difficulty of demonstrating conformance to customer requirements and of ensuring that cloud service providers adequately implement their security obligations. The research community has acknowledged the pressing need to address security transparency concerns, and although technical aspects of ensuring security and privacy have been researched widely, the focus on security transparency is still scarce. The relatively few existing studies mostly approach the issue of security transparency from the cloud providers’ perspective, while other works have contributed feasible techniques for the comparison and selection of cloud service providers using metrics such as transparency and trustworthiness. However, there is still a shortage of research that focuses on improving security transparency from the cloud users’ point of view. In particular, there is still a gap in the literature that (i) dissects security transparency from the lens of conceptual knowledge up to implementation from organizational and technical perspectives and (ii) supports continuous transparency by enabling the vetting and probing of cloud service providers’ conformity to specific customer requirements. The significant growth in moving business to the cloud, due to its scalability and perceived effectiveness, underlines the dire need for research in this area. This thesis presents a framework that comprises the core conceptual elements that constitute security transparency in cloud computing. It contributes to the knowledge domain of security transparency in cloud computing by proposing the following. Firstly, the research analyses the basics of cloud security transparency by exploring the notion and foundational concepts that constitute security transparency. Secondly, it proposes a framework which integrates various concepts from the requirements engineering domain, together with an accompanying process that can be followed to implement the framework. The framework and its process provide an essential set of conceptual ideas, activities and steps that can be followed at an organizational level to attain security transparency, based on the principles of industry standards and best practices. Thirdly, to ensure continuous transparency, the thesis proposes an essential tool that supports the collection and assessment of evidence from cloud providers, including the establishment of remedial actions for redressing deficiencies in cloud provider practices. The tool serves as a supplementary component of the proposed framework that enables continuous inspection of how predefined customer requirements are being satisfied. The thesis also validates the proposed security transparency framework and tool in terms of validity, applicability, adaptability and acceptability using two different case studies. Feedback is collected from stakeholders and analysed using essential criteria such as ease of use, relevance and usability. The result of the analysis illustrates the validity and acceptability of both the framework and the tool in enhancing security transparency in a real-world environment.

    The future of Cybersecurity in Italy: Strategic focus area

    This volume has been created as a continuation of the previous one, with the aim of outlining a set of focus areas and actions that the Italian national research community considers essential. The book touches many aspects of cyber security, ranging from the definition of the infrastructure and controls needed to organize cyber defence to the actions and technologies to be developed in order to be better protected, and from the identification of the main technologies to be defended to the proposal of a set of horizontal actions for training, awareness raising and risk management.

    Governance of the world food system and crisis prevention

    The present study offers a framework rooted in Disaster Studies. The next few sections first discuss the analytical toolbox, which we have largely drawn from Disaster Studies. Thereafter the food regime is examined in the quantitative sense (food security, Section 3.1) and the qualitative sense (food safety, Section 3.2), and the actors, rules and regulations for international food aid are discussed. It will become clear that the private sector has a key role to play in both categories. Chapter 4 calls attention to the increasing complexities and uncertainties in the global food system that complicate food governance. To get anything done at all, a simplification seems necessary, such as declaring a food problem a safety issue.

    The future of European communication and transportation research: a research agenda

    Our mobility system is changing rapidly. We are at the crossroads of major changes in the way we travel and deliver goods. Research agendas are adapting to this changed environment with new challenges and opportunities. This paper presents a research agenda for the future of transportation research structured along eight cluster topics of the Network on European Communication and Transport Activities Research (NECTAR). The research agenda firstly highlights the growing complexity of transportation research and the need for multi- and interdisciplinary approaches. Secondly, sustainability needs to be addressed in transportation research in its full meaning, including the relationships between policy-making investigations and environmental and equity effects. Thirdly, ICTs and digitalisation, the development of (shared) autonomous vehicles and shared mobility will have profound impacts on economies and spatial interactions all around the world, as will the availability of high-resolution spatial and transportation data. Digitalisation generates many new research opportunities but also gives rise to new concerns about privacy, safety, equity and public health.

    Complexity and Criticality in financial markets: systemic risk across frequencies and cross sections

    Extreme market events and systemic collapses attract most of the popular attention to finance and financial markets. Extreme phenomena and the dynamics of connected/interacting systems have been the subject of financial modeling since early derivatives modeling, exposure risk modeling and portfolio construction. In the present work we discuss how traditional methods have for the most part failed to properly model the interconnected global financial and economic system. This led to systemic risk events and to simplistic regulation which does not properly account for its implications. Analogously, we discuss how, from as early as Mandelbrot’s works on financial prices and fat tails, academics, practitioners and regulators alike were warned of fat tails in financial modeling and in particular in market making and derivatives pricing. The improper modeling or dismissal of these lies at the centre of financial downturns ranging from LTCM’s collapse to the quant downturn of August 2007. The solution I promote in this thesis is that of complexity and criticality. In line with this we propose two lines of work. The former analyses markets as complex networks and their structure, through to practical takeaways including a proof of concept for portfolio construction. The latter instead focuses on extreme events in high-frequency markets, with results for both tail modeling and systemic events and practical insights drawn from them. Recent events have shown how retail investors and their savings are now heavily involved in financial markets. We hope that our contribution of methods of practical use for proper risk modeling will encourage their adoption by practitioners and regulators, with the outcome of a more stable and efficient financial system.

    Supply Networks as Complex Systems: A Network-Science-Based Characterization

    Outsourcing, internationalization and complexity characterize today's aerospace supply chains, making aircraft manufacturers structurally dependent on each other. Despite several complexity-related supply chain issues reported in the literature, aerospace supply chain structure has not been studied, owing to a lack of empirical data and of suitable analytical toolsets for studying system structure. In this paper, we assemble a large-scale empirical data set on the supply network of Airbus and apply the new science of networks to analyze how the industry is structured. Our results show that the system under study is a network formed by communities connected through hub firms. Hub firms also tend to connect to each other, providing cohesiveness yet making the network vulnerable to disruptions affecting them. We also show how network science can be used to identify firms that are operationally critical and that are key to disseminating information.