
2018 | Original Paper | Book chapter

Evaluation of Cybersecurity Management Controls and Metrics of Critical Infrastructures: A Literature Review Considering the NIST Cybersecurity Framework

Authors: Barbara Krumay, Edward W. N. Bernroider, Roman Walser

Published in: Secure IT Systems

Publisher: Springer International Publishing


Abstract

In recent years, cybersecurity management has gained considerable attention due to the rising number and increasing severity of cyberattacks, particularly those targeting the critical infrastructures of countries. Rapid digitization in particular introduces many vulnerabilities that can be easily exploited if they are not managed appropriately. Consequently, the European Union (EU) has enacted its first directive on cybersecurity. It is based on the Cybersecurity Framework of the US National Institute of Standards and Technology (NIST) and requires critical infrastructure organizations to regularly monitor and report their cybersecurity efforts. We investigated whether the academic body of knowledge in the area of cybersecurity metrics and controls covers the constituent NIST functions, and also whether NIST shows any noticeable gaps in relation to the literature. Our analysis revealed interesting results in both directions, pointing to imbalances in the academic discourse and to underrepresented areas in the NIST framework. In terms of the former, we argue that future research should engage more with detecting, responding to and recovering from incidents. Regarding the latter, NIST could benefit from extending into a number of identified topic areas, for example natural disasters, monetary aspects, and organizational climate.


Metadata
Copyright year: 2018
DOI: https://doi.org/10.1007/978-3-030-03638-6_23