Abstract
The objective of this research is to lay the foundations for the development of a scientific theory that determines (all and only) the possible insecure and secure configurations of any abstract system to be used for the risk assessment of systems. We claim that cybersecurity weaknesses (i.e. errors) are at the beginning of the causality chain that leads to cybersecurity attacks. We formulate a hypothesis that we use to predict the weaknesses in the architectural design of a system. Our hypothesis allows for the definition of a mathematical formula which describes the cybersecurity of a system. We implemented a prototype cybersecurity risk assessment tool that, based on our hypothesis, predicts the weaknesses in a UML model of a (cyber-physical) system.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Similar content being viewed by others
Notes
- 1.
Einstein to Popper: “[...] and I think (like you, by the way) that theory cannot be fabricated out of the results of observation, but that it can only be invented.” [15].
- 2.
In the remainder of this paper, we will use the word hypothesis to refer to “scientific hypothesis” as a proposed scientific theory that has not gone through an extensive series of tests. We use “logical theory” to refer to a set of formal logical axioms.
- 3.
Intuitively, as we will see later, assertions correspond to an exchange of information between agents, beliefs to internal information considered true by the agent, and facts to requirements.
- 4.
Nothing prevents us from introducing additional constraints to the channel as storing assertions that are transferred over the channel, or filter out some input-assertions.
- 5.
In other words, \(\sigma \) returns 1 if and only if a configuration is satisfiable with the respect to the axioms of the RCC.
References
Blank, R.M., Gallagher, P.D.: NIST special publication 800-53 revision 4 - security and privacy controls for federal information systems and organizations. National Institute of Standards and Technology Special Publication, April 2013
Common attack pattern enumeration and classification. https://capec.mitre.org/
CWE view: Research concepts. https://cwe.mitre.org/data/definitions/1000.html
FAQ - what is the difference between a software vulnerability and software weakness? https://cwe.mitre.org/about/faq.html#A.2
de Gramatica, M., Labunets, K., Massacci, F., Paci, F., Tedeschi, A.: The role of catalogues of threats and security controls in security risk assessment: an empirical study with ATM professionals. In: Fricker, S.A., Schneider, K. (eds.) REFSQ 2015. LNCS, vol. 9013, pp. 98–114. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-16101-3_7
Grütter, R., Scharrenbach, T., Bauer-Messmer, B.: Improving an RCC-derived geospatial approximation by OWL axioms. In: Sheth, A., et al. (eds.) ISWC 2008. LNCS, vol. 5318, pp. 293–306. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-88564-1_19
Herley, C.: Unfalsifiability of security claims. Proc. Natl. Acad. Sci. (PNAS) 113(23), 6415–6420 (2016)
Wikipedia Foundation Inc., Exploit (computer security), 18 March 2022. https://en.wikipedia.org/wiki/Exploit_(computer_security)
Lin, T.Y., Liu, Q., Yao, Y.Y.: Logics systems for approximate reasoning: approximation via rough sets and topological spaces. In: International Symposium on Methodologies for Intelligent Systems (1994)
Lund, M.S., Solhaug, B., Stølen, K.: Model-Driven Risk Analysis: The CORAS Approach. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-12323-8
Mell, P., Scarfone, K., Romanosky, S.: A complete guide to the common vulnerability scoring system version 2.0. In: FIRST-Forum of Incident Response and Security Teams, vol. 1, p. 23 (2007)
MITRE. Att &ck. https://attack.mitre.org/
MITRE. Common vulnerabilities and exposures (CVE). https://cve.mitre.org/
Committee on National Security Systems (CNSS). Glossary no 4009. National Information Assurance (IA) Glossary, 06 April 2015. https://rmf.org/wp-content/uploads/2017/10/CNSSI-4009.pdf
Popper, K.R.: The Logic of Scientific Discovery. New York, London (1959)
Rachavelpula, S.: The category of mereotopology and its ontological consequences. In: Neaton, M., Peter, P. (eds.) University of Chicago Mathematics Research Program (2017)
Samonas, S., Coss, D.: The CIA strikes back: redefining confidentiality, integrity and availability in security. J. Inf. Syst. Secur. 10(3) (2014)
Santacà, K., Cristani, M., Rocchetto, M., Viganò, L.: A topological categorization of agents for the definition of attack states in multi-agent systems. In: Proceedings of the European Conference on Multi-Agent Systems and Agreement Technologies (EUMAS), pp. 261–276 (2016)
Smith, B.: Mereotopology: a theory of parts and boundaries. Data Knowl. Eng. 20(3), 287–303 (1996). Modeling Parts and Wholes
Stallman, R.: The hacker community and ethics: an interview with Richard M. Stallman (2002). https://www.gnu.org/philosophy/rms-hack.html
National Institute of Standards and Technologies (NIST). National vulnerability database. https://nvd.nist.gov/
Threatmodeler. Threatmodeler. https://threatmodeler.com/
V-Research. V-research cybersecurity repository. https://github.com/v-research/cybersecurity
Varzi, A.C.: On the boundary between mereology and topology. In: Proceedings of the International Wittgenstein Symposium, pp. 261–276 (1994)
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Appendices
A A Class Diagram for \(\mathcal {A}\mathcal {B}\mathcal {F}\)-Framework
The Class Diagram for the Engineering of the \(\mathcal {A}\mathcal {B}\mathcal {F}\)-framework is reported in Fig. 6. A specification of a CPS is viewed as an aggregation of architectures which can describe the functional or physical requirements. The physical components of the architecture are input/output ports and channels (aggregations of pairs of ports) while functional blocks are the only constituents of the functional architecture. All of the classes are abstract except input/output ports and functional blocks. Therefore, agents (which represents sub-systems or components) are composed by ports and functional blocks, as an aggregation of architectures.
B B Overview of the Results of the Tool
In Fig. 5 we show a screenshot of the results reported by our tool.
Partial View of the results in the spreadsheet file
\(\mathcal {A}\mathcal {B}\mathcal {F}\)-framework for CPS design – Class Diagram
Rights and permissions
Copyright information
© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this paper
Cite this paper
Ambrosi, M., Beltramini, F., De Meo, F., Nardi, O., Pacchin, M., Rocchetto, M. (2022). The Etiology of Cybersecurity. In: Zhou, J., et al. Applied Cryptography and Network Security Workshops. ACNS 2022. Lecture Notes in Computer Science, vol 13285. Springer, Cham. https://doi.org/10.1007/978-3-031-16815-4_17
Download citation
DOI: https://doi.org/10.1007/978-3-031-16815-4_17
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-16814-7
Online ISBN: 978-3-031-16815-4
eBook Packages: Computer ScienceComputer Science (R0)