Cyber Security and Risk Management

Asked: Feb 5th, 2019
$10

Question Description

Cyber Security and Risk Management

Read Four (4) academically reviewed articles on Cyber Security and Risk Management and complete the following activities:

(Wikipedia articles will not be accepted. Professor may check originality of all posts. Avoid copy-and-paste.)

1. Summarize all four (4) articles in 300 words or more. Please use your own words. No copy-and-paste.

2. Based on your article review and the assigned reading, discuss the relationship between cyber security and risk management.

3. As an IT manager, discuss how you will use the concepts discussed in the four articles in the management of IT risks within your company.

Please use APA throughout.

Unformatted Attachment Preview

Applied Sciences (Article)

An Integrated Cyber Security Risk Management Approach for a Cyber-Physical System

Halima Ibrahim Kure 1,*, Shareeful Islam 1,* and Mohammad Abdur Razzaque 2

1 School of Architecture, Computing and Engineering, University of East London, London E16 2RD, UK
2 School of Computing, Media and Arts, Teesside University, Middlesbrough TS1 3BX, UK; m.razzaque@tees.ac.uk
* Correspondence: h.kure@uel.ac.uk (H.I.K.); shareeful@uel.ac.uk (S.I.); Tel.: +44-208-223-7273 (H.I.K. & S.I.)

Received: 30 March 2018; Accepted: 16 May 2018; Published: 30 May 2018

Abstract: A cyber-physical system (CPS) is a combination of physical system components with cyber capabilities that have very tight interconnectivity. CPS is a widely used technology in many applications, including electric power systems, communications, transportation, and healthcare systems. These are critical national infrastructures. Cybersecurity attacks are one of the major threats to a CPS for many reasons, including the complexity of and interdependencies among the various system components and the integration of communication, computing, and control technology. Cybersecurity attacks may lead to various risks affecting the business continuity of critical infrastructure, including degradation of production and performance, unavailability of critical services, and violation of regulation. Managing cybersecurity risks is very important to protect a CPS. However, risk management is challenging due to the inherently complex and evolving nature of the CPS and recent attack trends. This paper presents an integrated cybersecurity risk management framework to assess and manage the risks in a proactive manner. Our work follows existing risk management practice and standards and considers risks from the stakeholder model and from the cyber and physical system components, along with their dependencies.
The approach enables identification of critical CPS assets and assesses the impact of vulnerabilities that affect the assets. It also presents a cybersecurity attack scenario that incorporates a cascading effect of threats and vulnerabilities on the assets. The attack model helps to determine the appropriate risk levels and their corresponding mitigation process. We present a power grid system to illustrate the applicability of our work. The result suggests that risk in a CPS of a critical infrastructure depends mainly on cyber-physical attack scenarios and the context of the organization. The risks involved in the studied context come from both the technical and nontechnical aspects of the CPS.

Keywords: cybersecurity; risk management; cyber-physical systems; cybersecurity attack scenario; supervisory control and data acquisition (SCADA) systems; cascading effect

Appl. Sci. 2018, 8, 898; doi:10.3390/app8060898; www.mdpi.com/journal/applsci

1. Introduction

Generally, cyber-physical systems are real-time and robust independent systems with high performance requirements [1]. They are used in many application domains, including critical infrastructures such as the national power grid, transportation, medical, and defense. These applications require the attainment of stability, performance, reliability, efficiency, and robustness, which requires tight integration of computing, communication, and control technological systems [2]. CPSs of critical infrastructures have always been the target of criminals and are affected by security threats [3] because of their complexity and cyber-physical connectivity. These CPSs face security breaches when people, processes, technology, or other components are attacked, or when risk management systems are missing, inadequate, or fail in any way. The attackers target confidential data, such as customer information or other valuable records [4].
It is likely that the threats to CPSs will only increase in the future as the use of these systems becomes widespread. However, there are sensible safety measures that organizations can consider to minimize losses from their destruction. It is possible to control damages and recover from an attack and its consequences with the appropriate insight through research and a domain expert's assistance [5]. Managing CPS security risk is not about eliminating all risks; it is about determining and understanding the risk rating of events and putting the right processes or controls in place to manage them in accordance with the organization's risk tolerance level. Risk management is a continuous process, not a one-time event [3]. In response to an event (or events), there is an urgent need for organizations to truly understand their cyber-physical security status and take the necessary corrective actions to rectify weaknesses [6]. Risk can be defined as an uncertain event that may occur due to a system malfunction or failure, that could harm assets such as human beings or the environment, and that could also influence the organization's achievement of strategic, operational, and financial objectives [7]. Risk management is a key discipline for making effective decisions and communicating the results within organizations. It proactively identifies potential managerial and technical problems so that appropriate actions can be taken to reduce or eliminate the probability and/or impact of these problems [8]. There are many existing risk management methods for CPSs [9–12]. However, risk management in CPSs is challenging because of the increased complexity of the systems, the evolution of risk levels, and human-factor threats comprising unintentional breaches of security, the unsuspecting use of infected information media that gives away sensitive information, lack of awareness, and human error [13].
In addition, cascading failures occur because of interdependencies among components and infrastructures. Importantly, threats affecting one part of a CPS can propagate to other parts through the network that interconnects the different parts of the CPS. As security threats grow, the organization needs a comprehensive cybersecurity risk management system to identify unique cybersecurity threats and their trends. The authors of a previous paper [14] discussed the challenges of securing a CPS and analyzed security mechanisms for prevention, detection and recovery, resilience, and deterrence of attacks. A previous work [15] proposed a layered approach for evaluating risk based on security to prevent, mitigate, and tolerate attacks on both physical power applications and cyber infrastructures. That paper identifies the importance of combining both power application security and supporting infrastructure security in the risk assessment process and provides a methodology for impact evaluation. Another paper [11] provides an overview of a number of important real-life issues of cybersecurity and risk assessment for supervisory control and data acquisition (SCADA) and distributed control systems (DCS). It discusses the various compromise graphs and augmented vulnerability trees that quantitatively determine the probability of an attack, the impact of the attack, and the reduction in risk as a result of a particular countermeasure. All these works, and more, which are presented in the related work section, emphasize the importance of cybersecurity risk management for CPSs. However, comprehensive and integrated risk management practice is not sufficiently addressed in these works.
The novel contributions of this paper are: (i) a comprehensive integrated cybersecurity risk management framework that explicitly considers risk from a holistic perspective of the stakeholder model, cross-functional risks, and existing risk management frameworks; (ii) the integration of the cascading effect from interdependent CPS components, considering vulnerability, threats, and risks to an asset; and (iii) an evaluation of the proposed integrated risk management approach on a real cyber-physical system. The result from this case study outlines the applicability of the proposed approach. We also compared the identified results with existing results to demonstrate the impact of integrated risk management as an approach to the CPS.

The remainder of the paper is structured as follows. Section 2 outlines state-of-the-art cybersecurity risk management practices for the cyber-physical system and existing frameworks and standards. Section 3 provides the rationale for the integrated risk management approach. Section 4 presents the proposed cybersecurity risk management framework, including the concepts and algorithms. Section 5 demonstrates the evaluation results of the implementation of the proposed approach on a real smart grid system; this section also discusses the various parts of the approach and compares it with other works. Section 6 discusses the validity of the study, and finally Section 7 concludes the work and presents a few directions for future work.

2. Related Work

Cybersecurity risk management in CPSs is a very active research area, and a significant number of research works have been published in this area. We divided these works into three categories: (1) security risk management methods for CPS; (2) cybersecurity in the smart grid; and (3) security risk management frameworks/standards/guidelines, and present a summary in the following.

2.1. Security Risk Management for Cyber-Physical Systems

A Risk Breakdown Structure (RBS) approach was proposed for managing the risks of CPS as previously described [16]. Countermeasures were proposed on the basis of the risk matrix method and classified. Risk values were introduced into an information security management system (ISMS) and a quantitative evaluation was conducted for detailed risk assessment. The quantitative evaluation showed that the proposed countermeasures could reduce risk to some extent; investigation into the cost-effectiveness of the proposed countermeasures remains an important future work. Cherdantseva et al. [9] reviewed the state-of-the-art practices in cybersecurity risk assessment of SCADA systems in terms of aim, application domain, stages of risk management, risk management concepts, impact measurement, sources of probabilistic data, evaluation, and tool support. Despite the large number of risk assessment methods for SCADA systems, a comprehensive method that covers all stages of the risk management process is still missing. The authors of a previous paper [10] proposed a new approach for assessing an organization's vulnerability to information-security breaches using a threat-impact index and cyber-vulnerability indexes based on vulnerability trees. This helps managers determine the current level of security and select security mechanisms. However, adding a probability to each damage category would help to further quantify the risk associated with information systems. Hahn et al. [11] provided an overview of smart grid security, including the set of controls, communication, and physical system components required to provide an accurate cyber-physical environment. Several attack-impact evaluations, such as availability and integrity attacks, were performed on the system.
Other works [12] focus on detecting computer attacks that change the behavior of the targeted control systems, by understanding the consequences of the attack for risk assessment. Wu et al. [1] proposed a quantitative risk assessment model that focuses on the CPS running conditions and calculates risk in real time using users' responses to risk at certain times. It provides users with attack information such as the type of attack, frequency, target host ID, and source host ID. Ten et al. [17] proposed a cybersecurity framework for the SCADA system as a critical infrastructure, using real-time monitoring, anomaly detection, impact analysis with an attack-tree-based methodology, and mitigation strategies.

2.2. Cyber Security in Smart Grid

Other works focus on the security of the smart grid. For instance, Gai et al. [18] proposed an attack strategy approach using spoofing and jamming in order to interfere with the maximum number of signal channels. The approach used distributed power usage on both spoofing and jamming attacks by applying dynamic programming and was evaluated by subsequent experiments. However, this approach is most applicable to the power grid infrastructure. The authors of Ref. [19] proposed a dynamic energy-aware cloudlet-based mobile cloud computing model (DECM) that focuses on solving additional energy consumption during wireless communication in a power grid environment. The approach contributed to solving energy wastage problems within a dynamic networking environment; however, the applicability of the model needs to be tested in multiple industries with other service requirements. A fully homomorphic encryption for blend operations (FHE-BO) model was proposed in Ref. [20], which focuses on calculating encrypted real numbers. The encryption-decryption approach successfully acquired correct outputs from decrypting the cipher-results of blend operations.
The authors of Refs. [19,21] discussed different unified approaches for security risk management in the context of the smart power grid. The risk assessment methodologies proposed included threat and vulnerability modeling schemes that help in identifying and categorizing threats, analyzing their impacts, and prioritizing them. A previous work [22] surveys the risk assessment methods, major challenges, and controls for various aspects of the smart grid, such as SCADA systems and communication networks, in order to address the challenges facing smart grid technologies. However, smart grids, as a provider, require a comprehensive cybersecurity solution that supports stakeholders, assesses vulnerabilities and cyber threats, and integrates systems to provide guidelines for effective risk management. The authors of Ref. [23] discussed the risk of cyber-attack on smart metering systems by applying methods and concepts from cyber-attack scenarios in a smart grid system.

2.3. Frameworks/Standards/Guidelines

There are widely accepted risk management standards, such as ISO 31000, that provide guidelines for risk management activities and consider risk management an integral part of the overall organizational processes, including strategic planning and management processes [24]. IEC 31010 is another recognized risk management method and technique [25]. The NIST framework focuses on managing cybersecurity risk, and the NERC CIP standards focus on the identification and protection of critical cyber assets that support the reliable operation of the electric power grid. The NIST framework [26] is a risk-based approach for managing cybersecurity risk. It is applied to deliver a complete platform that identifies relevant paths, providing guidance that ranges from requirements to implementation.
Critical infrastructure organizations can use the NIST framework alongside their existing frameworks to systematically identify, manage, and assess cybersecurity risk. It can serve as the basis for a new cybersecurity program or as a mechanism for improving existing programs. The outcome of the framework serves as the basis for the ongoing operation of the system, which includes reassessment to verify that the cybersecurity requirements are fulfilled [27]. A particular goal-driven risk management approach [28,29] emphasizes the identification of goals as objectives specific to the organization's mission. Risks are considered obstructions to the goals, so that identified risks are assessed based on which goals they oppose. The approach has been applied in various domains, such as software development projects and cloud computing.

Several observations were made from reviewing the existing works:

• Cherdantseva et al. [9] reviewed existing cybersecurity risk assessment works and concluded that it is necessary to have a comprehensive risk management method which covers all stages of the risk management process.
• Different risk management approaches for the smart grid were also discussed in a previous work [21]. However, risk management from a holistic perspective that incorporates all aspects of a smart grid and their interdependencies is needed.
• Most of the risk management approaches emphasize assessing vulnerabilities and identifying threats but lack emphasis on the cascading effect of vulnerabilities and threats on the asset.
• The existing works make limited efforts to consider the estimation of an accurate risk level for the organization.

Our work intends to fill these gaps by proposing an integrated cybersecurity risk management approach. The novelty of this work is a comprehensive cybersecurity risk management framework that considers all phases of the risk management process.
We follow the existing risk management standard and framework with a holistic view of the risks and propose our approach. In particular, the proposed work is initiated by an understanding of the business context and the current risk management status of the organization. The approach considers cascading vulnerabilities and threats to generate a cyber-attack scenario, and the impact of the risks is considered from the CPS organization's key performance indicators (KPIs) to generate accurate risk levels.

3. The Rationale for an Integrated Risk Management Approach

An integrated risk management approach includes a combination of various components of a CPS which are interdependent and necessary for successful risk management. It needs to be a part of an organization's strategy in order to address the organization's risk management principles. Critical infrastructure organizations (e.g., health, financial, telecommunications, transportation, energy, and water) are always targets for attackers and face different types of risks [30]. An integrated risk management scheme enforces a constant assessment of potential risks at every level in an organization and gathers the results at the corporate level to enable priority setting and minimize risk. The identification, assessment, and management of risks throughout the organization help to avoid greater risks and foster improvement of the organization. Traditional security risk assessment methods only address IT security risk or compliance risk. The integrated risk management framework builds a holistic solution considering the technical and nontechnical aspects of the organization. Figure 1 shows several areas that are incorporated into an integrated risk management approach.
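To make the cascading effect described above concrete, here is an added toy example in Python. It is not the paper's own algorithm (the paper's Section 4, where its algorithms live, is not part of this preview): it builds a constructed asset dependency graph for a small SCADA-style grid segment, rates each asset with a simple 5x5 risk matrix, and then propagates an upstream component's compromise likelihood to the components that depend on it, so that an asset's risk level can rise even when its own vulnerabilities are unchanged. The asset names, scores, attenuation factor and risk-matrix thresholds are all assumptions made for the illustration.

```python
"""Toy cascading-risk assessment over an asset dependency graph.

Added illustration of the cascading effect a CPS risk assessment has to
account for: a threat to one component propagating to the components that
depend on it and changing their risk level. This is NOT the paper's own
algorithm; every asset, score, scale, attenuation factor and threshold
below is constructed for the example.
"""

# Constructed asset model for a small SCADA-style grid segment.
# likelihood: likelihood of a direct compromise of the asset (1-5), from
#             its own vulnerabilities
# impact:     business/KPI impact if the asset is compromised (1-5)
# feeds:      downstream assets that depend on this one
ASSETS = {
    "hmi":              {"likelihood": 4, "impact": 2, "feeds": ["scada_server"]},
    "scada_server":     {"likelihood": 2, "impact": 4,
                         "feeds": ["rtu_substation_a", "rtu_substation_b"]},
    "rtu_substation_a": {"likelihood": 1, "impact": 5, "feeds": []},
    "rtu_substation_b": {"likelihood": 1, "impact": 5, "feeds": []},
    "historian":        {"likelihood": 3, "impact": 2, "feeds": []},
}


def risk_level(likelihood, impact):
    """Risk-matrix rating: likelihood x impact bucketed into four levels.

    The thresholds are a constructed 5x5 matrix, not any standard's values.
    """
    score = likelihood * impact
    if score >= 15:
        return "critical"
    if score >= 10:
        return "high"
    if score >= 5:
        return "medium"
    return "low"


def cascade_likelihood(assets, attenuation=0.75):
    """Propagate compromise likelihood downstream along dependencies.

    An asset's effective likelihood is the maximum of its own likelihood and
    the attenuated effective likelihood of every upstream asset that feeds
    it. Relaxation to a fixed point also terminates on cyclic graphs: values
    are bounded by 5 and only ever increase.
    """
    effective = {name: float(a["likelihood"]) for name, a in assets.items()}
    changed = True
    while changed:
        changed = False
        for name, a in assets.items():
            for downstream in a["feeds"]:
                propagated = effective[name] * attenuation
                if propagated > effective[downstream] + 1e-9:
                    effective[downstream] = propagated
                    changed = True
    return effective


def assess(assets, attenuation=0.75):
    """Per-asset risk level with and without the cascading effect."""
    effective = cascade_likelihood(assets, attenuation)
    report = {}
    for name, a in assets.items():
        report[name] = {
            "direct": risk_level(a["likelihood"], a["impact"]),
            "cascaded": risk_level(effective[name], a["impact"]),
            "effective_likelihood": round(effective[name], 2),
        }
    return report


def elevated_by_cascade(assets, attenuation=0.75):
    """Assets whose risk level rises once upstream dependencies are counted."""
    report = assess(assets, attenuation)
    return sorted(name for name, r in report.items()
                  if r["direct"] != r["cascaded"])


if __name__ == "__main__":
    for name, r in assess(ASSETS).items():
        print(f"{name:18s} direct={r['direct']:8s} cascaded={r['cascaded']:8s} "
              f"effective_likelihood={r['effective_likelihood']}")
    print("elevated by cascade:", elevated_by_cascade(ASSETS))
```

Run stand-alone, the script prints each asset's direct and cascaded level. In the constructed data every asset rates "medium" on its own, but once the exposed HMI's likelihood is propagated, the SCADA server and both substation RTUs rise to "high", which is exactly the shift that a per-asset assessment ignoring dependencies would miss.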
The main components of the integrated risk management framework are:

• Integration of the stakeholder model: The integration of the stakeholder model into risk management is a means of achieving greater inclusivity in an organization, and it is important for an organization to understand its own security risk management practices. This approach shows the importance of security in each and every area of the business enterprise of a critical infrastructure organization by making it clear to managers and subsequently enhancing employee commitment. In a traditional security risk assessment with just one stakeholder, who could be the compliance manager or security director, the value of the security risk assessment process is limited. An integrated risk management approach seeks to relate vulnerability findings and IT control gaps to how such findings may affect attackers, users, government, shareholders, regulatory authorities, and numerous individuals or groups across an organization. It also deals with the human issues of risk management.
• Measurement of cross-functional risks from organizational context: An ef ...

Tutor Answer

School: UCLA


Running head: CYBER SECURITY


Cyber Security and Risk Management
Name of Student:
Institute of Affiliation:



Cyber Security and Risk Management
The growing advancements in technology have not only resulted in massive developments in various fields but also contributed greatly to various problems (Kure, Islam & Razzaque, 2018). Technology has been integrated almost in every field, with such areas as medicine, communication, transport, business and banking witnessing tremendous growth as a result of the various technological advancements (Quigley & Roy, 2012). However, these advancements have come with their own risks and problems which pose a major challenge not only to individuals and organizations but also to various countries across the globe. The topic of cybersecurity is a rather wide one since it cuts across almost every field.

Cybersecurity can be viewed as all the processes and measures which have been taken up by individuals, organizations as well as governments in protecting all the systems connected via the internet; the systems include both the software and hardware as well as the data and information obtained and transmitted through these systems (Quigley & Roy, 2012). Risk management encompasses all the measures put in place in order to either prevent the occurrence and effects of certain risks or minimize the occurrences of these risks (Quigley & Roy, 2012). Thus, cyber security and risk management can be thought of as the processes and measures put in place to prevent or minimize all the risks associated with the use of all the internet-connected systems in an organization, a country as well as throughout the world (Kure, Islam & Razzaque, 2018).
Articles on Cyber Security and Risk Management
The journal article by Fazlida & Said (2015) talks about info...


Thanks, good work
