Advanced approach to information security management system utilizing maturity models in critical infrastructure

Youngin You (Institute of Cyber Security & Privacy (ICSP), Korea University), Junhyoung Oh (Institute of Cyber Security & Privacy (ICSP), Korea University), Sooheon Kim (Data Marketing Korea Research Lab), Kyungho Lee (Institute of Cyber Security & Privacy (ICSP), Korea University)

References
[1] S. Amin, G. A. Schwartz, and A. Hussain, "In Quest of Benchmarking Security Risks to Cyber-Physical Systems," IEEE Network, vol. 27, no. 1, pp. 19-24, Feb. 2013.
[2] R. Bojanc and B. Jerman-Blazic, "A Quantitative Model for Information-Security Risk Management," Eng. Manag. J., vol. 25, no. 2, pp. 25-37, 2013.
[3] W. Knowles, J. M. Such, A. Gouglidis, G. Misra, and A. Rashid, "Assurance Techniques for Industrial Control Systems (ICS)," in Proc. of the First ACM Workshop on Cyber-Physical Systems Security, pp. 101-112, 2015.
[4] T. C. C. Tan, A. B. Ruighaver, and A. Ahmad, "Information Security Governance: When Compliance Becomes More Important than Security," in Proc. of IFIP, pp. 55-67, 2010.
[5] Y. You, I. Cho, and K. Lee, "An advanced approach to security measurement system," J. Supercomput., vol. 72, no. 9, pp. 3443-3454, 2016.
[6] K. L. Thomson and R. von Solms, "Towards an Information Security Competence Maturity Model," Comput. Fraud Secur., vol. 2006, no. 5, pp. 11-15, 2006.
[7] T. De Bruin, R. Freeze, U. Kulkarni, and M. Rosemann, "Understanding the Main Phases of Developing a Maturity Assessment Model," in Proc. of Australas. Conf. Inf. Syst. (ACIS), pp. 8-19, Nov. 29 - Dec. 2, 2005.
[8] B. Karabacak, S. O. Yildirim, and N. Baykal, "A vulnerability-driven cyber security maturity model for measuring national critical infrastructure protection preparedness," Int. J. Crit. Infrastruct. Prot., vol. 15, pp. 47-59, 2016.
[9] ISA99 committee, Security for Industrial Automation and Control Systems: Establishing an Industrial Automation and Control Systems Security Program, ISA, Jan. 2009.
[10] M. M. Lessing, "Best practices show the way to Information Security Maturity," in Proc. of 6th Natl. Conf. Process Establ. Assess. Improv. Inf. Technol., pp. 1-9, Sep. 17-19, 2008.
[11] J. Becker, R. Knackstedt, and J. Pöppelbuß, "Developing Maturity Models for IT Management," Bus. Inf. Syst. Eng., vol. 1, no. 3, pp. 213-222, 2009.
[12] CMMI Product Team, CMMI for Development, Version 1.2, Software Engineering Institute, Pittsburgh, Aug. 2006.
[13] H. A. Linstone and M. Turoff, The Delphi Method: Techniques and Applications, Addison-Wesley, 1975.
[14] S. Yulianto, C. Lim, and B. Soewito, "Information security maturity model: A best practice driven approach to PCI DSS compliance," in Proc. of 2016 IEEE Region 10 Symposium (TENSYMP), pp. 65-70, May 9-10, 2016.
[15] G. A. Francia, D. Thornton, and J. Dawson, "Security Best Practices and Risk Assessment of SCADA and Industrial Control Systems," in Proc. of Int. Conf. on Security and Management, pp. 1-7, Jul. 16-19, 2012.
[16] Y. Cherdantseva, P. Burnap, A. Blyth, P. Eden, K. Jones, and H. Soulsby, "A review of cyber security risk assessment methods for SCADA systems," Comput. Secur., vol. 56, pp. 1-27, 2016.
[17] J. D. Herbsleb, D. R. Goldenson, D. Zubrow, W. Hayes, and M. Paulk, "Software quality and the Capability Maturity Model," Commun. ACM, vol. 40, no. 6, pp. 30-40, 1997.
[18] T. Takemura and A. Komatsu, "Who Sometimes Violates the Rule of the Organizations?: Empirical Study on Information Security Behaviors and Awareness," in Proc. of WEIS, pp. 1-21, 2012.
[19] ISA99 committee, "Security for Industrial Automation and Control Systems, Part 1: Terminology, Concepts, and Models," ISA, Oct. 2007.
[20] ISA99 committee, "Security for Industrial Automation and Control Systems, Part 3-3: System Security Requirements and Security Levels," ISA, Aug. 2013.
[21] G. Dimic, N. D. Sidiropoulos, and R. Zhang, "Medium access control-physical cross-layer design," IEEE Signal Process. Mag., vol. 21, no. 5, pp. 40-50, 2004.
[22] ISM3 Consortium, ISM3 Handbook, 2007.
[23] E. Amankwa, M. Loock, and E. Kritzinger, "A conceptual analysis of information security education, information security training and information security awareness definitions," in Proc. of 9th Int. Conf. Internet Technol. Secur. Trans. (ICITST), pp. 248-252, Dec. 8-10, 2014.
[24] P. Ifinedo, "Understanding information systems security policy compliance: An integration of the theory of planned behavior and the protection motivation theory," Comput. Secur., vol. 31, no. 1, pp. 83-95, 2012.
[25] H. A. Kruger and W. D. Kearney, "A prototype for assessing information security awareness," Comput. Secur., vol. 25, no. 4, pp. 289-296, 2006.
[26] M. F. Saleh, "Information Security Maturity Model," Int. J. Comput. Sci. Secur., vol. 5, no. 3, pp. 316-337, 2011.
[27] G. Karokola and L. Yngström, "Discussing E-Government Maturity Models for the Developing World - Security View," in Proc. of ISSA 2009, pp. 81-98, Aug. 2009.
[28] T. Yamada, "A politically feasible social security reform with a two-tier structure," J. Jpn. Int. Econ., vol. 25, no. 3, pp. 199-224, 2011.
[29] D. L. Moody, "The Method Evaluation Model: A Theoretical Model for Validating Information Systems Design Methods," in Proc. of ECIS 2003, paper 79, 2003.
[30] ISO/IEC JTC 1, Information technology - Security techniques - Information security management systems - Requirements, International Standard, 2nd ed., ISO/IEC, 2013.
[31] NIST SP 800 Joint Task Force, "Security and Privacy Controls for Federal Information Systems and Organizations," Revision 4, NIST, 2014.
[32] A. Segev, J. Porra, and M. Roldan, "Internet Security and the Case of Bank of America," Commun. ACM, vol. 41, no. 10, pp. 81-87, 1998.
[33] Q. Shafi, "Cyber Physical Systems Security: A Brief Survey," in Proc. of 2012 12th Int. Conf. Comput. Sci. Its Appl. (ICCSA), pp. 146-150, 2012.
[34] K. Stouffer, V. Pillitteri, S. Lightman, M. Abrams, and A. Hahn, "Guide to Industrial Control Systems (ICS) Security," NIST Special Publication 800-82, Revision 2, NIST, 2015.