Abstract
Critical National Information Infrastructure (CNII) that supports modern society faces constantly evolving threats due to inherent vulnerabilities and a complex web of interdependencies. Traditional approaches to protecting critical infrastructure therefore no longer suffice. Successful cyberattacks against CNII may have a debilitating impact on a nation due to cascading or common-cause effects. To ensure the continuous availability of CNII, the infrastructure must be prepared to be resilient to cyberattacks. Consequently, CNII organisations need to understand their cybersecurity maturity status and identify the gaps to aid improvement. Current approaches to gauging infrastructural resilience are qualitative and cannot quantify the degree of maturity. This article therefore presents a Cybersecurity Resilience Measurement Model (CRMM) for quantitative assessment of CNII resilience maturity. Considering the effects of pre-event, during-event and post-event factors, the concept of the CNII Resilience Quadrant (CNIIRQ) was developed for the comparative analysis of organisations. The CRMM was evaluated using data collected from 20 CNII organisations and it accurately gave the CNII Resilience Index (CNIIRI). Grouping the CNIIRI of the organisations in the CNIIRQ showed that 35% of them fall in Q4, a level of optimised resilience, while 10% are in Q1, depicting an initial and weak resilience. Analysis of the Resilience Temporal Dimensions (RTDs) and Resilient Functions (RFs) revealed that while most of the organisations are prepared to resist attacks (pre-event), there is weak preparedness to respond to or recover from successful cyberattacks. The implication is that these organisations have gaps in during-event and post-event capabilities that need to be addressed.
This article is part of the Cybersecurity and Critical National Infrastructure (CNI) research project which is supported by TETFund National Research Fund (NRF) research grant TETF/DR&D/CE/NRF/UNI/KEFFI/VOL.1/B5 to Nasarawa State University, Keffi, Nigeria.
This article is part of the topical collection “Cyber Security and Privacy in Communication Networks” guest edited by Rajiv Misra, RK Shyamsunder, Alexiei Dingli, Natalie Denk, Omer Rana, Alexander Pfeiffer, Ashok Patel and Nishtha Kesswani.
Cite this article
Kulugh, V.E., Mbanaso, U.M. & Chukwudebe, G. Cybersecurity Resilience Maturity Assessment Model for Critical National Information Infrastructure. SN COMPUT. SCI. 3, 217 (2022). https://doi.org/10.1007/s42979-022-01108-x