Development of a concept for cybersecurity metrics classification
DOI: https://doi.org/10.15587/1729-4061.2022.263416
Keywords: security metrics, security assessment model, security metrics classifier, threat synergy
Abstract
The development of the IT industry and computing resources allows the formation of cyberphysical social systems (CPSS), which integrate wireless mobile and Internet technologies and combine the Internet of things with the technologies of cyberphysical systems. To build protection systems while minimizing both computing and economic costs, various sets of security profiles are used to ensure the continuity of critical business processes. To assess or compare the level of CPSS security, various assessment methods based on a set of metrics are generally used. Security metrics are tools for providing up-to-date information about the state of the security level and about cost characteristics and parameters from both the defense and attack sides. However, the choice of such sets is not always consistent or understandable to the average person. Firstly, this leads to the absence of a generally accepted and unambiguous definition of what it means for one system to be more secure than another. Secondly, it does not take into account the signs of synergy and hybridity of modern targeted attacks. Without this knowledge, it is impossible to show that a metric measures the security level objectively. Thirdly, there is no universal formal model for all metrics that could be used for rigorous analysis. The paper explores the possibility of defining a basic formal model (classifier) for analyzing security metrics. The proposed security assessment model takes into account not only the level of secrecy of information resources and the level of provision of security services, but also allows the necessary set of security assessment metrics to be formed from the requirements put forward, taking into account the requirements for the continuity of business processes. The average value of the provision of security services to CPSS information resources is 0.99, with an average value of the security level of information resources of 0.8.
License
Copyright (c) 2022 Serhii Yevseiev, Oleksandr Milov, Ivan Opirskyy, Olha Dunaievska, Oleksandr Huk, Volodymyr Pogorelov, Kyrylo Bondarenko, Nataliia Zviertseva, Yevgen Melenti, Bogdan Tomashevsky
This work is licensed under a Creative Commons Attribution 4.0 International License.