
Asset criticality and risk prediction for an effective cybersecurity risk management of cyber-physical system

  • Original Article
  • Neural Computing and Applications

Abstract

Risk management plays a vital role in tackling cyber threats within the cyber-physical system (CPS). It enables identifying critical assets, vulnerabilities and threats and determining suitable proactive control measures for risk mitigation. However, due to the increased complexity of the CPS, cyber-attacks nowadays are more sophisticated and less predictable, which makes the risk management task more challenging. This paper aims for an effective cybersecurity risk management (CSRM) practice using asset criticality, prediction of risk types and evaluation of the effectiveness of existing controls. We follow a number of techniques for the proposed unified approach, including fuzzy set theory for the asset criticality, machine learning classifiers for the risk prediction and the comprehensive assessment model (CAM) for evaluating the effectiveness of the existing controls. The proposed approach considers relevant CSRM concepts such as asset, threat actor, attack pattern, tactic, technique and procedure (TTP), and controls, and maps these concepts to the VERIS community dataset (VCDB) features for the risk prediction. The experimental results reveal that using fuzzy set theory in assessing asset criticality supports stakeholders in an effective risk management practice. Furthermore, the results demonstrate the machine learning classifiers' exemplary performance in predicting different risk types, including denial of service, cyber espionage and crimeware. An accurate prediction of risk can help organisations determine suitable controls in a proactive manner to manage the risk.



Acknowledgements

This work has received funding from the Nigerian Petroleum Development Trust Fund (PTDF).

Author information


Corresponding author

Correspondence to Maruf Pasha.

Ethics declarations

Conflict of interest

The authors declare there is no conflict of interest.


About this article


Cite this article

Kure, H.I., Islam, S., Ghazanfar, M. et al. Asset criticality and risk prediction for an effective cybersecurity risk management of cyber-physical system. Neural Comput & Applic 34, 493–514 (2022). https://doi.org/10.1007/s00521-021-06400-0


  • DOI: https://doi.org/10.1007/s00521-021-06400-0
