DocumentCode :
3391234
Title :
Goal-based assessment for the cybersecurity of critical infrastructure
Author :
Merrell, Samuel A. ; Moore, Andrew P. ; Stevens, James F.
Author_Institution :
Software Eng. Inst., Pittsburgh, PA, USA
fYear :
2010
fDate :
8-10 Nov. 2010
Firstpage :
84
Lastpage :
88
Abstract :
Undertaking a comprehensive cybersecurity risk assessment of the networks and systems of a single infrastructure, or even a single organization of moderate size, requires significant resources. Efforts to simplify the assessment instrument usually obscure the ultimate goal of the assessment and the motivations for the assessment questions. This can make it difficult for assessors to justify the questions and can undermine the credibility of the assessment in the eyes of the organizations assessed. This paper describes the use of assurance cases to help address these problems. Viewing an assessment approach in terms of an assurance case clarifies the underlying motivation for the assessment and supports more rigorous analysis. The paper also shows how the assurance case method has been used to guide the development of an assessment approach called the Cyber Resilience Review (CRR), developed for the U.S. Department of Homeland Security.
Keywords :
computer crime; computer network security; mathematical programming; risk analysis; U.S. Department of Homeland Security; critical infrastructure; cyber resilience review; cybersecurity; goal-based assessment; motivation; risk assessment; Computer security; Context; Organizations; Resilience; Safety; Standards organizations; assurance cases; critical infrastructure; cyber resilience; cybersecurity; risk assessment;
fLanguage :
English
Publisher :
IEEE
Conference_Titel :
Technologies for Homeland Security (HST), 2010 IEEE International Conference on
Conference_Location :
Waltham, MA
Print_ISBN :
978-1-4244-6047-2
Type :
conf
DOI :
10.1109/THS.2010.5655090
Filename :
5655090