Yet another cybersecurity risk assessment framework-Reference-Cited by-同舟云学术

Yet another cybersecurity risk assessment framework

Published:2023-07-14 Issue:6 Volume:22 Page:1713-1729
ISSN:1615-5262
Container-title:International Journal of Information Security
language:en
Short-container-title:Int. J. Inf. Secur.

Author:

Ekstedt Mathias,Afzal Zeeshan,Mukherjee Preetam,Hacks Simon,Lagerström Robert

Abstract

AbstractIT systems pervade our society more and more, and we become heavily dependent on them. At the same time, these systems are increasingly targeted in cyberattacks, making us vulnerable. Enterprise and cybersecurity responsibles face the problem of defining techniques that raise the level of security. They need to decide which mechanism provides the most efficient defense with limited resources. Basically, the risks need to be assessed to determine the best cost-to-benefit ratio. One way to achieve this is through threat modeling; however, threat modeling is not commonly used in the enterprise IT risk domain. Furthermore, the existing threat modeling methods have shortcomings. This paper introduces a metamodel-based approach named Yet Another Cybersecurity Risk Assessment Framework (Yacraf). Yacraf aims to enable comprehensive risk assessment for organizations with more decision support. The paper includes a risk calculation formalization and also an example showing how an organization can use and benefit from Yacraf.

Funder

Royal Institute of Technology

Publisher

Springer Science and Business Media LLC

Subject

Computer Networks and Communications,Safety, Risk, Reliability and Quality,Information Systems,Software

Link

https://link.springer.com/content/pdf/10.1007/s10207-023-00713-y.pdf

Reference46 articles.

1. Alam, M., Breu, R., Hafner, M.: Model-driven security engineering for trust management in secret. J. Softw. 2(1), 47–59 (2007)

2. Almorsy, M., Grundy, J.: Secdsvl: A domain-specific visual language to support enterprise security modelling. In: 23rd Australian Software Engineering Conference (ASWEC), pp. 152–161 (2014)

3. Basin, D., Doser, J., Lodderstedt, T.: Model driven security: from uml models to access control infrastructures. ACM Trans. Softw. Eng. Methodol. (TOSEM) 15(1), 39–91 (2006)

4. Basin, D., Clavel, M., Egea, M.: A decade of model-driven security. In: Proceedings of the 16th ACM Symposium on Access Control Models and Technologies, pp. 1–10 (2011)

5. Beckers, K., Heisel, M., Solhaug, B., Stølen, K.: ISMS-CORAS: A structured method for establishing an ISO 27001 compliant information security management system. In: Heisel, M., Joosen, W., López, J., Martinelli, F. (eds) Engineering Secure Future Internet Services and Systems-Current Research. Lecture Notes in Computer Science, vol. 8431, pp. 315–344. Springer (2014)

Cited by 2 articles. 订阅此论文施引文献订阅此论文施引文献，注册后可以免费订阅5篇论文的施引文献，订阅后可以查看论文全部施引文献

1. How do Gender and Age Similarities with a Potential Social Engineer Influence One's Trust and Willingness to Take Security Risks?;2024-05-15

2. IT Risk Management: Towards a System for Enhancing Objectivity in Asset Valuation That Engenders a Security Culture;Information;2024-01-17