Advanced approach to information security management system utilizing maturity models in critical infrastructure

  • You, Youngin (Institute of Cyber Security & Privacy (ICSP), Korea University) ;
  • Oh, Junhyoung (Institute of Cyber Security & Privacy (ICSP), Korea University) ;
  • Kim, Sooheon (Data Marketing Korea Research Lab) ;
  • Lee, Kyungho (Institute of Cyber Security & Privacy (ICSP), Korea University)
  • Received : 2018.02.27
  • Accepted : 2018.05.15
  • Published : 2018.10.31

Abstract

As the area covered by cyber-physical systems (CPS) grows wider, organizations such as public institutions and critical infrastructure operators are collectively measuring and evaluating their information security capabilities. The measurement methods in use today follow the concrete recommendations of the related standards. However, the security controls used in these methods lack interconnection, which causes a silo effect. To address this problem, the information security management system has been studied in terms of maturity. However, to the best of our knowledge, no research has considered the specific definitions of each level that measures organizational security maturity, or specific methods and criteria for constructing such levels. This study developed an information security maturity model that can measure and manage the information security capability of critical infrastructure, based on information provided by an expert group on critical infrastructure information protection. The proposed model is simulated on the thermal power sector of the critical infrastructure of the Republic of Korea to confirm that it can be applied in the field and to derive the core security processes and goals that constitute infrastructure security maturity. The findings will be useful for future research on, or practical application of, infrastructure ISMSs.

Cited by

  1. Digital Tourism Security System for Nepal vol.14, pp.11, 2020, https://doi.org/10.3837/tiis.2020.11.005