
Evaluation of Cybersecurity Management Controls and Metrics of Critical Infrastructures: A Literature Review Considering the NIST Cybersecurity Framework

  • Conference paper

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 11252)

Abstract

In recent years, cybersecurity management has gained considerable attention due to the rising number and increasing severity of cyberattacks, in particular those targeted at the critical infrastructures of countries. Rapid digitization in particular introduces many vulnerabilities that can be easily exploited if not managed appropriately. Consequently, the European Union (EU) has enacted its first directive on cybersecurity. It is based on the Cybersecurity Framework by the US National Institute of Standards and Technology (NIST) and requires critical infrastructure organizations to regularly monitor and report their cybersecurity efforts. We investigated whether the academic body of knowledge in the area of cybersecurity metrics and controls has covered the constituent NIST functions, and also whether NIST shows any noticeable gaps in relation to the literature. Our analysis revealed interesting results in both directions, pointing to imbalances in the academic discourse and underrepresented areas in the NIST framework. In terms of the former, we argue that future research should engage more in detecting, responding to and recovering from incidents. Regarding the latter, NIST could also benefit from extending into a number of identified topic areas, for example, natural disasters, monetary aspects, and organizational climate.



Acknowledgements

This study was funded by the KIRAS Security Program of the National Austrian Research Promotion Agency (FFG) as part of the project CRISCROSS (No. 10652570).

Corresponding author

Correspondence to Barbara Krumay.


Copyright information

© 2018 Springer Nature Switzerland AG

About this paper


Cite this paper

Krumay, B., Bernroider, E.W.N., Walser, R. (2018). Evaluation of Cybersecurity Management Controls and Metrics of Critical Infrastructures: A Literature Review Considering the NIST Cybersecurity Framework. In: Gruschka, N. (ed.) Secure IT Systems. NordSec 2018. Lecture Notes in Computer Science, vol. 11252. Springer, Cham. https://doi.org/10.1007/978-3-030-03638-6_23


  • DOI: https://doi.org/10.1007/978-3-030-03638-6_23


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-03637-9

  • Online ISBN: 978-3-030-03638-6
