Browse > Article
http://dx.doi.org/10.3837/tiis.2018.10.020

Advanced approach to information security management system utilizing maturity models in critical infrastructure  

You, Youngin (Institute of Cyber Security & Privacy (ICSP), Korea University)
Oh, Junhyoung (Institute of Cyber Security & Privacy (ICSP), Korea University)
Kim, Sooheon (Data Marketing Korea Research Lab)
Lee, Kyungho (Institute of Cyber Security & Privacy (ICSP), Korea University)
Publication Information
KSII Transactions on Internet and Information Systems (TIIS) / v.12, no.10, 2018 , pp. 4995-5014 More about this Journal
Abstract
As the area covered by the CPS grows wider, agencies such as public institutions and critical infrastructure are collectively measuring and evaluating information security capabilities. Currently, these methods of measuring information security are a concrete method of recommendation in related standards. However, the security controls used in these methods are lacking in connectivity, causing silo effect. In order to solve this problem, there has been an attempt to study the information security management system in terms of maturity. However, to the best of our knowledge, no research has considered the specific definitions of each level that measures organizational security maturity or specific methods and criteria for constructing such levels. This study developed an information security maturity model that can measure and manage the information security capability of critical infrastructure based on information provided by an expert critical infrastructure information protection group. The proposed model is simulated using the thermal power sector in critical infrastructure of the Republic of Korea to confirm the possibility of its application to the field and derive core security processes and goals that constitute infrastructure security maturity. The findings will be useful for future research or practical application of infrastructure ISMSs.
Keywords
Critical infrastructure; Information Security Management System; Maturity model; Security evaluation;
Citations & Related Records
연도 인용수 순위
  • Reference
1 S. Amin, G. A. Schwartz, and A. Hussain, "In Quest of Benchmarking Security Risks to Cyber-Physical Systems," IEEE Network, vol. 27, no. 1, pp. 19-24, February, 2013.   DOI
2 R. Bojanc and B. Jerman-Blazic, "A Quantitative Model for Information-Security Risk Management," Eng. Manag. J., vol. 25, no. 2, pp. 25-37, 2013.   DOI
3 W. Knowles, J. M. Such, A. Gouglidis, G. Misra, and A. Rashid, "Assurance Techniques for Industrial Control Systems (ICS)," in Proc. of First ACM Work. Cyber-Physical Syst. pp. 101-112, 2015.
4 T. C. C. Tan, A. B. Ruighaver, and A. Ahmad, "Information Security Governance : When Compliance Becomes More Important than Security," in Proc. of IFIP, pp. 55-67, 2010.
5 Y. You, I. Cho, and K. Lee, "An advanced approach to security measurement system," J. Supercomput, vol. 72, no. 9, pp. 3443-3454, 2016.   DOI
6 K. L. Thomson and R. von Solms, "Towards an Information Security Competence Maturity Model," Comput. Fraud Secur., vol. 2006, no. 5, pp. 11-15, 2006.   DOI
7 T. De Bruin, R. Freeze, U. Kaulkarni, and M. Rosemann, "Understanding the Main Phases of Developing a Maturity Assessment Model," in Proc. of Australas. Conf. Inf. Syst., pp. 8-19, November 29 - December 2, 2005.
8 B. Karabacak, S. O. Yildirim, and N. Baykal, "A vulnerability-driven cyber security maturity model for measuring national critical infrastructure protection preparedness," Int. J. Crit. Infrastruct. Prot., vol. 15, pp. 47-59, 2016.   DOI
9 ISA99 committee, Security for Industrial Automation and Control Systems: Establishing an Industrial Automation and Control Systems Security Program, ISA, January, 2009.
10 M. M. Lessing, "Best practices show the way to Information Security Maturity," in Proc. of 6th Natl. Conf. Process Establ. Assess. Improv. Inf. Technol., pp. 1-9, September 17-19, 2008.
11 J. Becker, R. Knackstedt, and J. Poppelbuss, "Developing Maturity Models for IT Management," Bus. Inf. Syst. Eng., vol. 1, no. 3, pp. 213-222, 2009.   DOI
12 CMMI Team, CMMI (R) for Development, Version 1 . 2, Software Engineering Institute, Pittsburgh, August, 2006.
13 H. Linstone, M. Turoff, The Delphi method: Techniques and applications. Addison-Wesley, 1975.
14 S. Yulianto, C. Lim, and B. Soewito, "Information security maturity model: A best practice driven approach to PCI DSS compliance," in Proc. of 2016 IEEE Reg. 10 Symp. TENSYMP 2016, pp. 65-70, May 9-10, 2016.
15 G. a Francia, D. Thornton, and J. Dawson, "Security Best Practices and Risk Assessment of SCADA and Industrial Control Systems," in Proc. of Int. Conf. on Security and Management. pp.1-7, July 16-19, 2012.
16 Y. Cherdantseva, P. Burnap, A. Blyth, P. Eden, K. Jones and H. Soulsby, "A review of cyber security risk assessment methods for SCADA systems," Comput. Secur., vol. 56, pp. 1-27, 2016.   DOI
17 J. D. Herbsleb, D. R. Goldensen, D. Zubrow, W. Hayes, and M. Paulk, "Software quality and the Capability Maturity Model," Commun. ACM, vol. 40, no. 6, pp. 30-40, 1997.   DOI
18 T. Takemura and A. Komatsu, "Who Sometimes Violates the Rule of the Organizations?: Empirical Study on Information Security Behaviors and Awareness," WEIS, pp. 1-21, 2012.
19 ISA99 committee, "Security for Industrial Automation and Control Systems Part 1 : Terminology, Concepts, and Models," ISA, October, 2007.
20 ISA99 committee, "Security for industrial automation and control systems. Part 3-3: System security requirements and security levels," ISA, Agust, 2013.
21 G. Dimic, N. D. Sidiropoulos, and R. Zhang, "Medium access control-physical cross-layer design," IEEE Signal Process. Mag., vol. 21, no. 5, pp. 40-50, 2004.
22 ISM3, ISM3 Handbook, ISM3 Consortium, 2007.
23 E. Amankwa, M. Loock, and E. Kritzinger, "A conceptual analysis of information security education, information security training and information security awareness definitions," in Proc. of 9th Int. Conf. Internet Technol. Secur. Trans., pp. 248-252, December 8-10, 2014.
24 P. Ifinedo, "Understanding information systems security policy compliance: An integration of the theory of planned behavior and the protection motivation theory," Comput. Secur., vol. 31, no. 1, pp. 83-95, 2012.   DOI
25 H. A. Kruger and W. D. Kearney, "A prototype for assessing information security awareness," Comput. Secur., vol. 25, no. 4, pp. 289-296, 2006.   DOI
26 M. F. Saleh, "Information Security Maturity Model," Int. J. Comput. Sci. Secur, vol. 5, no. 3, pp. 316-337, 2011.
27 G. Karokola and Y. Louise, "Discussing E-Government Maturity Models for the Developing World-Security View," in Proc. of SSA 2009, pp. 81-98, August, 2009.
28 T. Yamada, "A politically feasible social security reform with a two-tier structure," J. Jpn. Int. Econ, vol. 25, no. 3, pp. 199-224, 2011.   DOI
29 D. L. Moody, "The Method Evaluation Model : A Theoretical Model for Validating Information Systems Design Methods," in Proc. of ECIS 2003, no. 79, 2003.
30 ISO/IEC JTC, "INTERNATIONAL STANDARD ISO / IEC Information technology - Security techniques - Information security management systems - Requirements," 2nd Edition, ISO/IEC 2013.
31 NIST SP 800 JTF, "Security and Privacy Controls for Federal Information Systems and Organizations Security and Privacy Controls for Federal Information Systems and Organizations," Revision 4, NIST, 2014.
32 A. Segev, J. Porra, and M. Roldan, "Internet Security AND THE CASE OF BANK OF AMERICA," Commun. ACM, vol. 41, no. 10, pp. 81-87, 1998.
33 Q. Shafi, "Cyber Physical Systems Security: A Brief Survey," in Proc. of 2012 12th Int. Conf. Comput. Sci. Its Appl., pp. 146-150, 2012.
34 K. Stouffer, V. Pillitteri, S. Lightman, M. Abrams, and A. Hahn, "NIST Special Publication 800-82: Guide to Industrial Control Systems (ICS) Security," Revision 2, NIST, 2015.