Cybersecurity Resilience Maturity Assessment Model for Critical National Information Infrastructure

  • Original Research
  • SN Computer Science

Abstract

Critical National Information Infrastructure (CNII) that supports modern society faces constantly evolving threats due to inherent vulnerabilities and a complex web of interdependencies. Thus, traditional approaches to protecting critical infrastructure no longer suffice. Successful cyberattacks against CNII may have a debilitating impact on a nation due to cascading or common-cause effects. Therefore, to ensure the continuous availability of CNII, the infrastructure must be prepared to be resilient to cyberattacks. Consequently, CNII organisations need to understand their cybersecurity maturity status and identify the gaps to aid improvement. Current approaches to gauging infrastructural resilience are qualitative and cannot quantify the degree of maturity. Thus, this article presents a Cybersecurity Resilience Measurement Model (CRMM) for quantitative assessment of CNII resilience maturity. Considering the effects of pre-event, during-event and post-event factors, the concept of the CNII Resilience Quadrant (CNIIRQ) was developed for the comparative analysis of organisations. The CRMM was evaluated using data collected from 20 CNII organisations, and it accurately gave the CNII Resilience Index (CNIIRI). Grouping the organisations' CNIIRI values in the CNIIRQ showed that 35% of them fall in Q4, a level of optimised resilience, while 10% are in Q1, depicting initial and weak resilience. Analysis of the Resilience Temporal Dimensions (RTDs) and Resilient Functions (RFs) revealed that while most of the organisations are prepared to resist attacks (pre-event), there is weak preparedness to respond to or recover from successful cyberattacks. The implication is that these organisations have gaps in during-event and post-event capabilities that need to be addressed.

Figs. 1–14. Source notes: Fig. 1, Author; Figs. 3–7, Author, based on [35].

References

  1. Harašta J. Legally critical: defining critical infrastructure in an interconnected world. IJCIP. 2018;000:1–10.

  2. Sharma M. Securing critical information infrastructure global perspectives and practices, First. New Delhi: Institute for Defence Studies and Analyses; 2017.

  3. Pursiainen C, Rød B, Baker G, Honfi D, Lange D. Critical infrastructure resilience index. In: 26th European Safety and Reliability conference, ESREL, 2017, pp. 2183–2189.

  4. Australian Government, Critical infrastructure resilience strategy, no. September 2001; 2010.

  5. Thompson MA, Ryan MJ, Slay J, Mclucas AC. A new resilience taxonomy. Incose Int Symp. 2016;26(1):1318–30.

  6. Petersen L, et al. Resilience for whom? The general public’s tolerance levels as CI resilience criteria. Int J Crit Infrastruct Protect. 2020;28:100340.

  7. Petit F, Bassett G, Buehring WA, Whitfield RG. Resilience measurement index: an indicator of critical infrastructure resilience. no. April, p. 70; 2013.

  8. Rehak D, Senovsky P, Hromada M, Lovecek T. Complex approach to assessing resilience of critical infrastructure elements. Int J Crit Infrastruct Prot. 2019;25:125–38.

  9. Becker J, Knackstedt R, Pöppelbuß J. Developing maturity models for it management – a procedure model and its application. Entwicklung von Reifegradmodellen für das IT-Management – Vor. und Prakt. Anwendung. WIRTSCHAFTSINFORMATIK., p. Ralf Knackstedt; 2009.

  10. Aliyu A, et al. A holistic cybersecurity maturity assessment framework for higher education institutions in the United Kingdom. Appl Sci MDPI. 2020;10(10):3660.

  11. Bruneau M, et al. A framework to quantitatively assess and enhance the seismic resilience of communities. Earthq Spectra. 2003;19(4):733–52.

  12. USA Patriot Act. USA PATRIOT act additional reauthorizing amendments Act of 2006 (S. 2271). vol. 2005, pp. 1–6; 2001.

  13. F. Draft. Republic of Ghana Ministry of Communications Ghana National Cyber Security Policy & Strategy Final Draft; 2015.

  14. F. Republic. National cybersecurity policy and strategy, no. February; 2021.

  15. ITU-T. Risk and resilience report 9 measuring critical infrastructure resilience: possible indicators. ETH, Zurich; 2014.

  16. ENISA. Methodologies for the identification of Critical Information Infrastructure assets and services, no. December; 2014.

  17. Klaver M, Luiijf E. Analyzing the cyber risk in critical infrastructures. In: Issues on risk analysis for critical infrastructure protection, IntechOpen; 2021.

  18. Luiijf HAM, Nieuwenhuijs AH, Klaver MHA, Van Eeten MJG, Cruz E. Empirical findings on European critical infrastructure dependencies. Int J Syst Syst Eng. 2010;2(1):3–18.

  19. Iturriza M, Labaka L, Sarriegi JM, Hernantes J. Modelling methodologies for analysing critical infrastructures. J Simul. 2018;7778:1–16.

  20. Mbanaso UM, Kulugh VE. Empirical findings of assessment of critical infrastructure degree of dependency on ICT. In: International Conference on Cybersecurity in Emerging Digital Era, 2021, no. Ci.

  21. Mbanaso UM, Kulugh VE. Empirical findings of assessment of critical infrastructure degree of dependency on ICT. no. Cii.

  22. Tatar U, Gokce Y, Gheorghe A. Strategic cyber defense: a multidisciplinary perspective. In: NATO Advanced Research Workshop on A Framework for a Military Cyber Defense Strategy; 2017.

  23. Levesque M. Understanding cybersecurity maturity models within the context of energy regulations. Europe and Eurasia; 2020.

  24. Hernantes J, Maraña P, Gimenez R, Sarriegi JM, Labaka L. Towards resilient cities: a maturity model for operationalizing resilience. Cities. 2019;84:96–103.

  25. Pereira R, Serrano J. A review of methods used on IT maturity models development: a systematic literature review and a critical analysis. J Inf Technol. 2020;00:1–18.

  26. Mettler T. Maturity assessment models: a design science research approach. Int J Soc Syst Sci. 2011;3:81.

  27. Caralli R, Knight M, Montgomery A. Maturity models 101: a primer for applying maturity models to smart grid security, resilience, and interoperability. CERT/Software Eng. Inst., no. November; 2012.

  28. Baumgartner J, Hood J, Korcher T, Steinberg B, Lagraffe D. Cybersecurity capability maturity model (C2M2) Version 2.0; 2019.

  29. Rod B, Babaradi A, Gudmestad OT. Characteristics of arctic infrastructure resilience: application of expert judgement. In: Twenty-sixth (2016) International Ocean and Polar Engineering Conference; 2016, pp. 1226–1233.

  30. Tim P, Jonas H. Measuring resilience: benefits and limitations of resilience indices, no. March, p. 26; 2012.

  31. Manyena B, O’Brien G, O’Keefe P, Rose J. Disaster resilience: a bounce back or bounce forward ability? Int J Justice Sustain. 2011;16(5):417–24.

  32. Kerner D, Thomas JS. Resilience attributes of social-ecological systems: framing metrics for management. Resources. 2014;3:672–702.

  33. Fletcher D, Sarkar M. Psychological resilience: a review and critique of definitions, concepts, and theory. Eur Psychol. 2013;18(1):12–23.

  34. Carlson JL, et al. Resilience: theory and application. Argonne Natl Lab. 2012. https://doi.org/10.2172/1044521.

  35. NIST. Framework for improving critical infrastructure cybersecurity, Version 1.1; 2018.

  36. USA Department of Defense (DoD). Cybersecurity maturity model certification (CMMC); 2020.

  37. Mbanaso UM, Abrahams L, Apene Z. Conceptual design of a cybersecurity resilience maturity measurement (CRMM) framework. Afr J Inf Commun. 2019;23:1–26.

  38. Rød B, Pursiainen C, Reitan NK, Storesund K, Lange D, Da Silva MM. Evaluation of resilience assessment methodologies. In Cepin M, Bris R, editors, safety and reliability—theory and applications. In: 27th European Safety and Reliability Conference, ESREL; 2018, pp. 1039–1051.

  39. Creswell JW. Research design: qualitative, quantitative and mixed methods approaches. 4th ed. California: SAGE Publications Inc; 2014.

  40. Oates BJ. Researching information systems and computing. SAGE Publications Ltd; 2006.

  41. Hevner AR, March ST, Park J, Ram S. Design science in information systems research. MIS Q Manag Inf Syst. 2004;28(1):75–105.

  42. Centre for Internet Security (CIS). CIS Critical Security Controls; 2021.

  43. ITU. Global cybersecurity index: measuring commitment to cybersecurity, Geneva, Switzerland; 2020.

  44. Walker G, Sommerville I. Socio-technical systems: from design method to systems engineering. Interact Comput. 2010;23(2011):4–17.

  45. Mbanaso UM. An investigation of cybersecurity vulnerability landscape. Int Conf Emerg Appl Technol Indust. 2020;4:110–23.

  46. Smith A, Stirling A. Social-ecological resilience and sociotechnical transitions: critical issues for sustainability governance: STEPS Working Paper 8, Brighton: STEPS Centre, 2008.

  47. Mbanaso UM, Abrahams L, Apene OZ. Conceptual design of a cybersecurity resilience maturity measurement (CRMM) framework. Afr J Inf Commun. 2019;23(23):1–26.

  48. Ross R, Pilliteri V, Graudbart R, Bodeau D, Mcquaid R. Developing cyber resilient systems: a systems security approach. NIST, 2019.

  49. Framework for improving critical infrastructure cybersecurity; 2018.

  50. Uher J. Quantitative data from rating scales: An epistemological and methodological enquiry. Front. Psychol. 2018;9(2599).

  51. C Information, S Manager, IS Control, S Tools, R Meadows. COBIT® 5 Implementation—supplemental tools and materials table of contents, pp. 2–4; 2013.

  52. Mbanaso U, Kulugh V, Musa H, Aimufua G, Conceptual Framework for the Assessment of the Degree of Dependency of Critical National Infrastructure on ICT in Nigeria, vol. 1, no. Icecco; 2019.

Author information

Corresponding author

Correspondence to Victor Emmanuel Kulugh.

Ethics declarations

Conflict of Interest

This article is part of the Cybersecurity and Critical National Infrastructure (CNI) research project which is supported by TETFund National Research Fund (NRF) research grant TETF/DR&D/CE/NRF/UNI/KEFFI/VOL.1/B5 to Nasarawa State University, Keffi, Nigeria.

Additional information

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

This article is part of the topical collection “Cyber Security and Privacy in Communication Networks” guest edited by Rajiv Misra, RK Shyamsunder, Alexiei Dingli, Natalie Denk, Omer Rana, Alexander Pfeiffer, Ashok Patel and Nishtha Kesswani.

About this article

Cite this article

Kulugh, V.E., Mbanaso, U.M. & Chukwudebe, G. Cybersecurity Resilience Maturity Assessment Model for Critical National Information Infrastructure. SN COMPUT. SCI. 3, 217 (2022). https://doi.org/10.1007/s42979-022-01108-x

  • DOI: https://doi.org/10.1007/s42979-022-01108-x
