
    Quantifying Impact of Cyber Actions on Missions or Business Processes: A Multilayer Propagative Approach

    Ensuring the security of cyberspace is one of the most significant challenges of the modern world because of its complexity. As the cyber environment becomes more integrated with the real world, cybersecurity problems increasingly have a direct impact on actual business. Therefore, operational and strategic decision makers in particular need to understand the cyber environment and its potential impact on business. Cyber risk has become a top agenda item for businesses all over the world and is listed as one of the most serious global risks, with significant financial implications for businesses. Risk analysis is one of the primary tools used in this endeavor. Impact assessment, as an integral part of risk analysis, tries to estimate the possible damage of a cyber threat to business. It provides the main insight into risk prioritization, as it incorporates business requirements into risk analysis for a better balance of security and usability. Moreover, impact assessment constitutes the main body of information flow between technical people and business leaders. It therefore requires an effective synergy of the technological and business aspects of cybersecurity for protection against cyber threats. The purpose of this research is to develop a methodology to quantify the impact of cybersecurity events, incidents, and threats. The developed method addresses impact quantification from an interdependent system-of-systems point of view. The objectives of this research are (1) developing a quantitative model to determine the impact propagation within a layer of an enterprise (i.e., the asset, service or business process layer); (2) developing a quantitative model to determine the impact propagation among different layers within an enterprise; (3) developing an approach to estimate the economic cost of a cyber incident or event.
    Although there are various studies in cybersecurity risk quantification, only a few focus on impact assessment at the business process layer while considering ripple effects across both the horizontal and vertical layers. This research develops an approach that quantifies the economic impact of cyber incidents, events and threats on business processes by considering the horizontal and vertical interdependencies and the impact propagation within and among layers.
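The abstract names three objectives (within-layer propagation, cross-layer propagation, economic cost) but does not give the paper's equations. The following is an added illustration, not the paper's model or code: a small three-layer dependency graph (assets, services, business processes) with assumed dependency weights, a simple fixed-point propagation rule that handles horizontal and vertical edges uniformly, and a cost estimate from assumed hourly process values. All node names, weights and monetary figures are constructed for the example.

```python
from collections import defaultdict

# Constructed three-layer dependency graph. Each edge (upstream, downstream, w)
# means: if `upstream` is fully unavailable, `downstream` loses fraction `w` of
# its capacity. Names and weights are assumptions for illustration only.
EDGES = [
    ("db-primary", "db-replica", 0.5),        # horizontal: within the asset layer
    ("db-primary", "orders-api", 0.9),        # vertical: asset -> service
    ("web-frontend", "orders-api", 0.4),
    ("db-replica", "reporting", 0.8),
    ("orders-api", "order-fulfilment", 1.0),  # vertical: service -> business process
    ("reporting", "monthly-close", 0.6),
]

# Assumed value each business process generates per hour (constructed figures).
HOURLY_VALUE = {"order-fulfilment": 12_000.0, "monthly-close": 1_500.0}


def propagate(edges, initial, tol=1e-9, max_rounds=100):
    """Fixed-point impact propagation over the whole graph.

    impact[v] = max(initial impact on v, min(1, sum over incoming edges of w * impact[u]))

    Impacts are availability losses in [0, 1]; min(1, .) caps saturation when
    several upstream failures hit the same node. Updates are monotone and
    bounded, so the loop converges even if the graph contains cycles.
    """
    impact = defaultdict(float, initial)
    incoming = defaultdict(list)
    for u, v, w in edges:
        incoming[v].append((u, w))
    for _ in range(max_rounds):
        changed = False
        for v, ins in incoming.items():
            new = max(initial.get(v, 0.0), min(1.0, sum(w * impact[u] for u, w in ins)))
            if abs(new - impact[v]) > tol:
                impact[v] = new
                changed = True
        if not changed:
            break
    return dict(impact)


def economic_cost(impact, hourly_value, outage_hours):
    """Cost = sum over business processes of (availability loss * hourly value * duration)."""
    return sum(impact.get(p, 0.0) * v * outage_hours for p, v in hourly_value.items())


if __name__ == "__main__":
    scenario = {"db-primary": 1.0}  # constructed incident: the primary database is down
    result = propagate(EDGES, scenario)
    for node, loss in sorted(result.items()):
        print(f"{node:18s} availability loss = {loss:.2f}")
    print(f"estimated cost of a 4 h outage: {economic_cost(result, HOURLY_VALUE, 4):.0f}")
```

In the constructed scenario the loss of the primary database propagates horizontally to the replica (0.5), vertically to the services (orders-api 0.9, reporting 0.4) and on to the processes (order-fulfilment 0.9, monthly-close 0.24); the four-hour cost follows directly from those process-level losses. The additive, capped rule is one common choice; a max-based or probabilistic rule plugs into the same loop.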

    From the National Cyber Maturity to the Cyber Resilience: The Lessons Learnt from the Efforts of Turkey

    In this paper, the details of the critical infrastructure protection program of the United States of America are shared, taking cyber resilience into account. Academic and institutional studies on the concepts of cyber maturity, critical infrastructure protection programs and cyber resilience are explained in detail. Based on these studies and on national efforts, the relations among these concepts are proposed. The key components of a cyber security strategy and action plan for a cyber resilient society are proposed by taking these three concepts into account. As the final step, the recent cyber security efforts of Turkey are shared with the reader and assessed against the identified key components.

    Strategies to Counter Cyber Attacks: Cyber Threats and Critical Infrastructure Protection

    Today, cyber threats have the potential to harm critical infrastructures, which may result in the interruption of life-sustaining services, catastrophic economic damage or severe degradation of national security. The diversity and complexity of cyber threats that exploit the vulnerabilities of critical infrastructures increase every day. In order to lessen the potential harm of cyber threats, countermeasures have to be applied and their effectiveness has to be monitored continuously. In this study, a brief definition and history of critical infrastructures are introduced. Cyber threats are examined in four fundamental categories. Vulnerabilities of critical infrastructures are categorized and examined. Finally, countermeasures that may play a key role in critical infrastructure protection programs are categorized.

    Digital Forensics Analysis of Spectral Estimation Methods

    Steganography is the art and science of writing hidden messages in such a way that no one apart from the intended recipient knows of the existence of the message. Today it is widely used to conceal information. Since digital forensics aims to detect, recover and examine digital evidence, and steganography is a method for hiding digital evidence, detecting steganography is an important step in the digital forensics process. In this paper, the traditional spectral estimation methods are introduced. The performance of each method is examined by comparing all of the spectral estimation methods against one another. Finally, drawing on those performance analyses, the pros and cons of the spectral estimation methods are briefly given. We also give a steganography demo by hiding information in a sound signal and recovering the information (i.e., the true frequency of the information signal) from the sound by means of the spectral estimation methods.
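The demo the abstract describes (a tone hidden in a sound signal, its frequency recovered by a spectral estimator) is not reproduced on the page. The following is an added example, not the paper's code: it constructs a short audio segment from two audible carrier tones, one faint hidden tone and Gaussian noise, estimates the spectrum with the classical periodogram (computed by a direct DFT so that no numerical library is needed), and reports any spectral peak that does not belong to a known carrier. The sample rate, tone frequencies, amplitudes and noise level are assumptions chosen for the example; the frequencies are deliberately placed on DFT bin centres so that leakage from the loud carriers does not mask the faint tone.

```python
import cmath
import math
import random

FS = 8000   # assumed sample rate in Hz
N = 512     # analysis length; one DFT bin = FS / N = 15.625 Hz


def make_stego_audio(carriers, hidden_freq, hidden_amp=0.05, noise_sigma=0.02, seed=1):
    """Constructed sample: loud carrier tones plus a faint hidden tone and white noise."""
    rng = random.Random(seed)
    samples = []
    for n in range(N):
        t = n / FS
        x = sum(math.sin(2 * math.pi * f * t) for f in carriers)
        x += hidden_amp * math.sin(2 * math.pi * hidden_freq * t)
        x += rng.gauss(0.0, noise_sigma)
        samples.append(x)
    return samples


def periodogram(x):
    """Classical periodogram P[k] = |X[k]|^2 / N for k = 0 .. N/2, via a direct DFT.

    A rectangular window is used; tones that fall between bins would leak into
    neighbouring bins, which is why real steganalysis uses a tapered window
    (e.g. Hann) or a higher-resolution estimator.
    """
    n = len(x)
    twiddle = [cmath.exp(-2j * math.pi * m / n) for m in range(n)]
    power = []
    for k in range(n // 2 + 1):
        acc = sum(v * twiddle[(k * i) % n] for i, v in enumerate(x))
        power.append(abs(acc) ** 2 / n)
    return power


def peak_frequencies(x, fs=FS, ratio=50.0):
    """Frequencies (Hz) of local maxima that rise `ratio` times above the median bin power.

    The median is a robust estimate of the noise floor because the few tone bins
    barely move it; `ratio` is a detection threshold chosen for this example.
    """
    p = periodogram(x)
    floor = sorted(p)[len(p) // 2]
    peaks = []
    for k in range(1, len(p) - 1):
        if p[k] > ratio * floor and p[k] > p[k - 1] and p[k] > p[k + 1]:
            peaks.append(k * fs / len(x))
    return peaks


def find_hidden_tones(x, known_carriers, fs=FS):
    """Steganalysis step: any peak that is not an expected carrier is a candidate hidden signal."""
    return [f for f in peak_frequencies(x, fs) if f not in known_carriers]


if __name__ == "__main__":
    carriers = [437.5, 656.25]          # bins 28 and 42 (constructed)
    audio = make_stego_audio(carriers, hidden_freq=1250.0)   # bin 80, 26 dB below the carriers
    print("all spectral peaks:", peak_frequencies(audio))
    print("candidate hidden tone(s):", find_hidden_tones(audio, carriers))
```

The hidden tone is 20 times weaker in amplitude (400 times in power) than each carrier, yet sits hundreds of times above the noise floor in the periodogram, so a simple threshold on the median recovers its true frequency. Off-bin tones, shorter segments or lower signal-to-noise ratios are where the method comparison in the paper matters: the periodogram's variance does not fall with more data unless segments are averaged (Welch), and closely spaced tones need parametric estimators to be resolved.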

    An Hierarchical Asset Valuation Method for Information Security Risk Analysis

    The widespread use of information technology transforms businesses continuously and rapidly. Information technology introduces new threats to organizations as well. Risk analysis is an important tool for making correct decisions and dealing with cyber threats. Identification and valuation of assets is a crucial process that must be performed in risk analyses. Without properly identified and valued assets, the results of risk analyses lead to wrong decisions. Wrong decisions on information security may directly affect the corresponding business processes. There are established and applied methods in the literature for asset identification and valuation; however, these methods are complicated and not suitable for practical information security management projects. In this paper, a hierarchy-based asset valuation method is proposed. Our method is intended to minimize the common mistakes made during information security management projects. The method has not yet been applied in practice; however, it is expected to ease the process and reduce the number of errors.

    An Assessment Model to Improve National Cyber Security Governance

    Today, cyber space has been embraced by individuals, organizations and nations as an indispensable instrument of daily life. Accordingly, the impact of cyber threats has been increasing continuously. Critical infrastructure protection and the fight against cyber threats are crucial elements of the national security agendas of governments. In this regard, governments need to assess the roles and responsibilities of public and private organizations in order to address the problems of their current cyber protection postures and to respond by reorganizing and reauthorizing those postures. A risk management approach is critical to placing these efforts in an ongoing lifecycle process. In this paper, a model is proposed for use in national cyber security risk management processes. We argue that this model simplifies and streamlines national risk management processes. For this purpose, a matrix is created to partition the problem space. Cyber threat detection and response activities constitute one dimension of the matrix. The second dimension divides the timeline of cyber incidents into three phases: before, during and after incidents. The resulting matrix is then populated with the responsible bodies that need to address each case. As a result, a national cyber security responsibility model is proposed for policy/decision makers and academics. We believe that the proposed model would be useful for governments in analyzing their national responsibility distribution to address gaps and conflicts in their current cyber security postures, and for academics in analyzing national cyber security systems and in comparative studies.

    Cyber Third-Party Risk Management: A Comparison of Non-Intrusive Risk Scoring Reports

    Cybersecurity is a concern for organizations in this era. However, strengthening the security of an organization's internal network may not be sufficient, since modern organizations depend on third parties, and these dependencies may open new attack paths to cybercriminals. Cyber Third-Party Risk Management (C-TPRM) is a relatively new concept in the business world. Every vendor or partner is a potential source of vulnerability and threat. Even if an organization has the best cybersecurity practice, its data, customers, and reputation may be at risk because of a third party. Organizations seek effective and efficient methods to assess their partners' cybersecurity risks. In addition to intrusive methods of assessing an organization's cybersecurity risks, such as penetration testing, non-intrusive methods are emerging that conduct C-TPRM more easily by synthesizing publicly available information without requiring any involvement of the subject organization. In this study, the existing C-TPRM methods built by different companies are presented and compared to discover the commonly used indicators and criteria for the assessments. Additionally, the results of different methods assessing the cybersecurity risks of one specific organization were compared to examine their reliability and consistency. The results showed that, although the results are similar, the provided security scores do not entirely converge.

    A Comparative Analysis of the National Cyber Security Strategies of Leading Nations

    The rapid pace of technological development in information and communications technologies has made nations and peoples more reliant on cyber infrastructure to survive. Besides opportunities, the widespread use of information technology introduces new threats as well. Risks related to cyber security have started to threaten critical infrastructures, which are defined as assets that are essential for the functioning of a society and its economy. Cyber security has become one of the most serious national security concerns. In 2003 the United States was the first nation to prepare and publish a national cyber security strategy. In the last ten years, 35 other nations have subsequently published their national cyber security strategy documents. National cyber security strategies cover several aspects. According to Luiijf and Healey (2012), there are five mandates of national cyber security: 1) Military cyber operations, 2) Counter cybercrime, 3) Intelligence/Counter intelligence, 4) Cyber security crisis management and critical infrastructure protection and 5) Internet governance and cyber diplomacy. In this study, the national cyber security strategies of France, Germany, The Netherlands, the United Kingdom, the United States and Turkey are examined and compared. Correlations between specific properties of a nation (economic power, political situation, etc.) and the focus and content of its cyber strategy were examined. The results of the study will provide guidance for nations that plan to prepare or update a national cyber security strategy.

    Cybersecurity and information assurance in Information Science curricula

    As a newly emerging and one of the fastest growing fields of study, cybersecurity/information assurance has plenty to offer in terms of teaching and research. If Library and Information Science (LIS) schools are to take advantage of this fast growth by expanding their program and/or course offerings, thereby increasing their enrollments, and indeed give their students the opportunity to benefit from the demand for skilled manpower in cybersecurity/information assurance, it is imperative for them to approach the inclusion of courses and/or programs in their curricula systematically. A component of this systematic approach is a closer examination of the programs, concentrations, and courses in cybersecurity/information assurance currently offered at similar or peer LIS schools in order to identify best practices and gaps. The study reported here is a small but important part of this effort.