AVARCIBER: a framework for assessing cybersecurity risks

Published in: Cluster Computing

Abstract

The identification and assessment of risks is a fundamental part of cybersecurity. Determining which elements participate in this field is difficult because there is no single, agreed approach to cybersecurity. This paper proposes a framework for identifying and assessing cybersecurity risks. To build it, a systematic review of studies on cybersecurity risk taxonomies was carried out, and the main elements of the proposed conceptual model and framework were determined by applying the snowball technique. To validate the framework, a case study was carried out at the Ecuadorian Social Security Institute. The first task was to consolidate the available information into a baseline; once the baseline was obtained, the framework was applied to it. As a result, using the proposed framework, the assessment process improved decision-making regarding the importance and criticality of the identified risks and of the countermeasures that must be applied.



Correspondence to Jezreel Mejía.


Cite this article

Rea-Guaman, A.M., Mejía, J., San Feliu, T. et al. AVARCIBER: a framework for assessing cybersecurity risks. Cluster Comput 23, 1827–1843 (2020). https://doi.org/10.1007/s10586-019-03034-9
