TOP 5: Cybersecurity Framework Articles/Reviews
Some modern approaches to operational and support cyber constructs
Alvarenga, A., & Tanev, G. (2017). A cybersecurity risk assessment framework that integrates value-sensitive design. Technology Innovation Management Review, 7(4), 32-43.
Alvarenga and Tanev (2017) conduct a literature review of the current challenges facing medical devices and the application of cybersecurity controls to a myriad of such devices. Their main objective is to present security efforts as not just an obligation of medical device manufacturers, but a value-added component.
The authors suggest a value-sensitive framework where multiple stakeholders contribute to the overall security of the device. This includes manufacturers, end users, suppliers, etc., who provide a relativistic score that is used to drive risk management. They suggest scores such as “like,” “dislike,” “recommend,” and “do not recommend” in order to derive a focused application of controls through metaphor generation. This could include, for example, wireless enabling that may result in unnecessary device battery drain. Based upon aggregated corporate responses, the control is either applied or not (Alvarenga & Tanev, 2017). The article offers a suggested risk management framework for better tailoring security controls.
A weakness appears to be the over-democratization of risk management; with so many participants, with varying degrees of technical skills and interest, it appears cumbersome.
Hu, Z., Gnatyuk, V., Sydorenko, V., Odarchenko, R., & Gnatyuk, S. (2017). Method for cyberincidents network-centric monitoring in critical information infrastructure. International Journal of Computer Network and Information Security, 9(6), 30.
The authors suggest a method for network-centric monitoring of cyber incidents. Their approach looks at how to mathematically determine network components’ values and their need for protection.
They accomplish this by using an eight-phase approach that includes: 1) cyberattack classification, 2) attack type, 3) cyber incident categorization, 4) rules based upon the incident, 5) a device’s need for protection, 6) the impacts, 7) the most critical components requiring protection, and 8) the ranking of the cyber incidents’ danger at the component level.
This article is for the advanced mathematics and statistics expert. They offer their probabilistic equations and formulas, and framework as a rule-based solution to monitoring network attacks (Hu, Gnatyuk, V., Sydorenko, Odarchenko, and Gnatyuk, S., 2017).
The weakness of this article is that it is only designed to detect and not respond to a threat. (This suggests that data science and more proactive response approaches offer a new avenue of needed academic research.)
Katzan, H. (2012). Cybersecurity service model. Journal of Service Science (Online), 5(2), 71.
Katzan (2012) offers a new view of cybersecurity from a service model perspective. He discusses the complementary nature of the service provider to service client. The article is written for the beginner cybersecurity specialist seeking to understand how service model theory may be applied to cybersecurity protection challenges. He begins with a description of service collectivism as a mathematical relationship between the provider and client—(S: P -> C). He discusses collaboration among system components with respect to security controls. He continues with a description of distributed security where all components across the network are mutually supporting in thwarting potential security threats—a defense-in-depth consideration. He concludes with an introduction of a Monroe Doctrine for Cybersecurity. Essentially, if you intrude into a network, you may be subject to a response of some level (Katzan, 2012).
An apparent weakness is in his call for a Monroe Doctrine consideration. While there are diverse positions about “hack-back” activities by businesses and agencies, it is likely that escalation may be far more damaging long-term for both parties if pursued.
Oltramari, A., & Kott, A. (2018). Towards a reconceptualisation of cyber risk: An empirical and ontological study. Journal of Information Warfare, 17(1), 49-73.
Oltramari and Kott (2018) attempt an empirical review of the disconnect within the cybersecurity community with regard to cyber risk. This academic article is written for beginner through advanced cyber-defenders interested in better understanding the problems with current cyber risk methods.
They suggest that there is a lack of understanding of the basic cyber risk terminologies (ontology). Then, how good are cyber-defensive security measures? The authors suggest that the current defender-centric model only identifies a small portion of the actual risk. They further identify that cyber risk quantification is no better than ad hoc and is “dangerously” reliant on qualitative human evaluation vice a true quantification approach (Oltramari & Kott, 2018, p. 55). They recommend a need for continuous evaluation of the adaptability of attacker versus defender—essentially, a constant “wargaming” is needed to provide a more proactive response versus the classic reactive mode (Oltramari & Kott, 2018).
A strength of this article is its idea of continual wargaming, which may make sense as a way to respond to cyber-threats more proactively.
Watkins, L. A., & Hurley, J. S. (2015). Cyber maturity as measured by scientific-based risk metrics. Journal of Information Warfare, 14(3), 57-65.
Watkins and Hurley (2015) identify the issue that cybersecurity protections are too network-centric. They suggest a need for a greater focus on quantifiable cyber threats and vulnerabilities. The article is written for the beginner to advanced student interested in the efforts to better quantify risk scoring in the field of cybersecurity.
They propose a Five Step Maturity Model that enhances trust between what they call “The Triad” of “citizens, defense, and intelligence” (Watkins & Hurley, 2015, p. 58). They further explore the application of associated risk scoring methods that include the efforts of Microsoft and Google. These works assign qualitative ratings, for example, high or low, and then assign a numerical factor of 1 or ½. The authors conclude that their model will provide scoring that can be used to predict future patterns of behavior and threat trends (Watkins & Hurley, 2015).
While the framework does not appear to be “predictive” as described, it certainly offers a foundation to prioritize personnel, funding, and other resources to reduce the risk of an IT environment.
Ms. Columbus has worked in the Intelligence Community (IC) for over 20 years. She retired from the US Air Force in 2014 after working as a Senior Advisor providing authoritative advice on all aspects of Cyberspace operations, force structure and organizational concepts. She oversaw strategic support activities to enable the right mix of cyber capabilities for future operations.