Journal of ICT, 16, No. 2 (Dec) 2017, pp: 192–222
MILITARY-BASED CYBER RISK ASSESSMENT FRAMEWORK FOR SUPPORTING CYBER WARFARE IN THAILAND
Aniwat Hemanidhi & Sanon Chimmanee Faculty of Information Technology Rangsit University, Thailand
[email protected]; [email protected]
ABSTRACT
Information Technology (IT) Risk Management is designed to confirm the sufficiency of information security. There are many risk management/assessment standards, e.g. IS0 27005:2011 and NIST SP 800-30rev1, which are mainly designed for general organizations such as governments or businesses. Cyber risk assessment focused on military strategy has been rarely studied. Hence, this paper presents an innovative cyber risk assessment conceptual framework named “Cyber Risk Assessment (CRA)” which is extended from previous work with Military Risk Evaluation (MRE). This proposed CRA is the collection and integration of both quantitative and qualitative data. The Vulnerability Detection (VD) tools in Network Risk Evaluation (the previous studies) were used for the quantitative data collection and the focus group in the MRE (the proposed method) was used to collect qualitative data, which enhance the general risk assessment standard to achieve the objective of the research. The complexity of cyberspace domains with a military perspective is thoughtfully contemplated into the cyber risk assessment for national cyber security. Results of the proposed framework enable the possibility of cyber risk evaluation into score for national cyber security planning.
Keywords: Cyber risk assessment, risk management, cyber security, cyber warfare, Network Centric Warfare.
Received: 2 December 2016 Accepted: 15 March 2017
192 Journal of ICT, 16, No. 2 (Dec) 2017, pp: 192–222
INTRODUCTION
Risk management is a substantial solution to deal with IT risks. It integrates entire organization processes together. In accordance with ISO 31000:2009 (ISO, 2009), risk assessment is the core process within risk management. There are 3 phases in risk assessment including risk identification, risk analysis and risk evaluation. Typically, organizations manage risks with risk assessment process in order to modify risk treatment as satisfied by the risk criteria. Numbers of IT and computer security standards have been developed and updated continuously to manage information security, e.g. ISO/IEC 27000 Series (ISO/IEC, 2014) and NIST SP 800-82rev2 (NIST, 2015). Generally, information security management system (ISMS) standards, such as ISO 27001:2013 (ISO, 2013), will explain the information security terminology and risk management process but leave methodology open for organizations to choose the most appropriate one for themselves. However, main concerns of these standards remain business continuity and disaster recovery. Risk management standards for some specific types of organization may be available. For example, ISO 27799:2016 (ISO, 2016) provides implementation guidance for the controls that could be effectively used for managing health information security. Unfortunately, risk management for extremely dangerous threats that could be part of Cyber Warfare (CW), for example, Advance Persistent Threat (APT)/Nation state, is not completely clarified by these famous standards and frameworks.
Cyberspace is the latest domain within a military battlefield. It is a logical domain which is very sophisticated and difficult to control. Also, there are many uncertain stakeholders in cyberspace. General users around the world could elevate themselves as anonymous cyber criminals, terrorists and warriors at any time. Attackers can penetrate targets via the World Wide Web (WWW) using reconditely technical skills and supported tools. Regular IT equipment could be converted into cyber weapons instantaneously. For threat to the nation state or corporate espionage to gain more military or economic advantage, it is much cheaper and more efficient to conduct cyber operations than use traditional spies. Many organizations and countries are developing plans and capabilities to use the WWW to cause or increase the impact of terrorism and even full-scale wars (Andress & Winterfeld, 2011). One demonstration was the cyberattacks on Estonia in April and May 2007 by digital activists from the Russian diaspora (Herzog, 2011). This resulted in preventing Estonia public services from conducting their functions for two weeks.
Other serious examples are cyber attacking of Iran nuclear power plan by the American-Israeli Stuxnet virus in 2010 (Karnouskos, 2011), cyber
193 Journal of ICT, 16, No. 2 (Dec) 2017, pp: 192–222 attacking of the computers of South Korean hydro and nuclear power operator suspected by North Korea in 2014, and hacking of Sony Picture Entertainment in November, 2014. In this century, threat spectrum becomes far more complicated and dangerous than ever. Modern military troops must be trained in both basic military operations and insidious cyber threats in multidimensional environments. Hence, this paper presents an innovative “Cyber Risk Assessment (CRA)” conceptual framework which intends to extend the previous Cyber Risk Evaluation (CRE) framework in order to fulfill risk assessment standards based on NIST SP 800-115 (NIST, 2008) and ISO 31000:2009 (ISO, 2009). Military Risk Evaluation (MRE) is presented based on Critical Security Metric (Sun, Jajodia, Li, Cheng, Tang, & Singhal, 2010) and Network Centric Warfare (NCW) (DOD, 2003). It is also extended to Risk Environment (RE) with additional likelihood of occurrence and magnitude of impact. In other words, the proposed CRA involves the collection and integration of both quantitative and qualitative data. The VD tools in Network Risk Evaluation (NRE) were used for the quantitative data collection, and the focus group in the MRE (the proposed method) was used to collect qualitative data. The outcome is Cyber Risk Assessment in military perspective, which is very useful for supporting cyber warfare.
LITERATURE REVIEW
Information and Asset Security have been developed continuously covering physical, communication, emission, computer, network, information and cyber security. No perfect solution could secure everything at the same time. The best security is perhaps to apply all of them together. Our research concentrates on the integration of network and information security that lead to cybersecurity in military concerns. Many concepts and research articles related to cybersecurity, cyber warfare, Network Centric Warfare (NCW), social network and SCADA were reviewed.
IT SECURITY AND RISK MANAGEMENT/ASSESSMENT STANDARDS
IT security relied on standards, protocols and procedures from numbers of vendors and related organizations. Many products from vendors are introduced to public companies and government agencies. Vulnerability Detection (VD) tools are prominent equipment used for scanning, detecting and analyzing vulnerabilities on each host. An important outcome is risk analysis for cyber
194 Journal of ICT, 16, No. 2 (Dec) 2017, pp: 192–222 defense purposes. Security metrics and related standards are background features that significantly influence the results of VD tools. In one ofour previous works (Chimmanee, Veeraprasit, Sriphrew, & Hemanidhi, 2012), we compared the scanning performance of two VD tools (NetClarity and Nessus). The result showed that each VD tool has unequal ability to detect hosts and vulnerabilities. Classification for the risk level of found vulnerabilities are also very diversified. The same vulnerability, as specified by the Common Vulnerabilities and Exposures list (The MITRE Corporation, 2017) from the U.S. National Vulnerability Database (NVD), detected from different VD tools, may be ranged at different risk levels. Thus, we proposed Network Risk Metric (NRM) to grade the different results from them (Hemanidhi, Chimmanee, & Sanguansat, 2012). In 2014, an additional open-source software-based VD tool, Retina, was applied. Unbiased Network Risk Evaluation (NRE) from NRM was presented (Hemanidhi, Chimmanee & Sanguansat, 2014). Later, with the original idea of “the same network infrastructure may have different IT risks depending on its attractive value”, the authors introduced the Risk Environment (RE) and the Cyber Risk Evaluation (CRE) framework based on military operation, which were compiled from the integration of NRM and RE (Hemanidhi, Chimmanee & Kimpan, 2015). This paper presented only an abstract idea of the framework. Lastly, isolating from any standard, the authors demonstrated two case studies of the CRE framework (Hemanidhi, Chimmanee, Sanguansat & Nuchampun, 2015). Summary of previous works and literature reviews about IT security, Vulnerability Analysis, Risk management/assessment standards, and related articles are briefed in Table 1.
Table 1
Summary of Previous Works and Literature Reviews about IT Security, Vulnerability Analysis, Risk Management/Assessment Standards, and Related Articles
Domains Topics References Contributions/Explanations Vulnerability ITU-T X.805 (Cho et al., 2005) Vulnerability analysis method for analysis developing security framework of NGN infrastructure and services.
Vulnerability CVSS Version 2.0 (Mell et al., 2007) A complete guide to the CVSS analysis (Supersedes CVSS Version 2.0, an open framework v1.0:2004) for communicating the characteristics and impacts of IT vulnerability. (continued)
195 Journal of ICT, 16, No. 2 (Dec) 2017, pp: 192–222
Domains Topics References Contributions/Explanations Risk Enterprise level IT (Aziz and Presents a framework that management risk management Hashim, 2008) organizes IT risks into five (Basis of enterprise categories: infrastructure risk assessment development and support, model) operations and maintenance of business process, office level support, software development, and outsourcing management.
IT security ISO/IEC (ISO/IEC, 2009) Information security management - 27004:2009 measurement
Risk ISO/IEC (ISO/IEC, 2009) Risk management - principles and management 31000:2009 guidelines
Vulnerability Fuzzy heuristic (Subramanian et Proves that appropriate metrics analysis design for diagnosis al., 2009) are needed to grade the various of web-based vulnerabilities from different vulnerabilities scanners.
IT security ISO/IEC (ISO/IEC, 2010) ISMS implementation guidance 27003:2010
IT security Automatic security (Sun et al., 2010) Security metric collection, analysis system management, and visualization for using security scalable and automatic security metrics analysis. Four critical metrics are described: service, location, role, and asset.
Vulnerability Fuzzy classification (Loh et al., 2010) Metrics for web application analysis metrics for scanner scanner assessment and assessment and vulnerability reporting. vulnerability reporting
Table 1
Summary of Previous Works and Literature Reviews about IT Security, Vulnerability Analysis, Risk Management/Assessment Standards, and Related Articles
Domains Topics References Contributions/Explanations IT security Security metrics: (Purboyo et al., Identifies many open A brief survey 2011) problems in security metrics area. (continued)
196 Journal of ICT, 16, No. 2 (Dec) 2017, pp: 192–222
Domains Topics References Contributions/Explanations IT security and ISO/IEC 27005:2011 (ISO/IEC, 2011) Information security risk risk management (Supersedes ISO/IEC management 27005:2008)
Vulnerability NetClarity auditor (Veeraprasit et al., Compares performance of analysis and Nessus 2012) hardware-based and software- comparison for based vulnerability detection vulnerability tools upon network of an detection on Rangsit educational institution. university network
Vulnerability A performance (Chimmanee et Compares performance of analysis comparison of VD al., 2012) two VD tools in 3 categories: between NetClarity searching ability, scanning auditor and open time and the ability of source Nessus detection.
IT security and COBIT 5 (ISACA, 2012) A business framework for the risk management governance and management of enterprise IT.
Risk management NIST SP 800-30rev1 (NIST, 2012) Guidance for conducting (Revision 1) risk assessment of federal information systems and organizations.
Risk management Risk evaluation by (Hemanidhi et al., Proposed unbiasedly Network VD tools for IT 2012) Risk Evaluation (NRE) to a Department of the military IT unit. Royal Thai Army
IT security ISO/IEC 27001:2013 (ISO/IEC, 2013) ISMS - Requirements (Supersedes ISO/IEC 27001:2005)
IT security ISO/IEC 27002:2013 (ISO/IEC, 2013) Code of practice for (Supersedes ISO information security 27002:2005) management
Risk management Network Risk (Hemanidhi et al., Introduced NRM for grading Evaluation from 2014) distinctive results of various security metric vulnerability detection tools. of vulnerability The outcome is an unbiased detection tools NRE for overall network.
Risk management Cyber Risk (Hemanidhi et al., Proposed new idea of risk Evaluation (CRE) 2015) evaluation under military framework based on operation environment. risk environment of Methodology concept is military operation loosely designed. (continued)
197 Journal of ICT, 16, No. 2 (Dec) 2017, pp: 192–222
Domains Topics References Contributions/Explanations IT security ISO/IEC (ISO/IEC, 2016) ISMS - Overview and 27000-Series vocabulary (ISO27k) (4th ed.) *The first standard of this (Supersedes ISO/IEC series is ISO/IEC 17799:2000 27000 (3rd ed.):2014)
IT security ISO 27799:2016 (ISO, 2016) Health informatics - (Supersedes ISO Information security 27799:2008) management in health using ISO/IEC 27002
NETWORK CENTRIC WARFARE (NCW), MILITARY OPERATION AND OTHER TOPICS RELATED TO CYBER WARFARE
It is not only the U.S. that is awake about the new form of war in cyberspace domain. After the cyberattack on Estonia in April 2007, the North Atlantic Treaty Organization (NATO) has become a conscious region started to prepare for the possibility of forthcoming cyberwar. The Science and Technology Committee (STC) of the NATO Parliamentary Assembly have continuously managed to conduct conferences on cyber security matter since 2009. On November 23, 2014, the STC stated that cyber security is a crucial international concern. The STC pointed out the wide divergence of cyber security capabilities among their members. Attacking on allies with weak cyber security capabilities can lead to severe effects on all nations. The NATO defense planning process is developing an integration of cyber defense capabilities among their members (Vitel, 2014). In fact, it is hard to demarcate the boundary of cyberwar, cyberterrorism, and cybercrime. Ophardt (2010) pointed out that cyberwar is challenging the traditional concepts of territory. Cyber aggression by non-state collective actors could turn into sociological cybercrime or cyberwar. The International Criminal Court (ICC) should be part of a solution to address these cyber threats and the new international legal framework must consider the power of sociological forces in cyberspace. Critical examples of cyber warfare are as follows.
Supervisory Control and Data Acquisition (SCADA)
Traditionally, SCADA is implemented to manage Power/Nuclear Plants. On December 22, 2014, the Wall Street Journal reported that computers at South Korea’s nuclear-plant operator of the Korea Hydro & Nuclear Power Co Ltd. (KHNP) had been hacked since December 15, 2014 (Kwaak, 2014). The
198 Journal of ICT, 16, No. 2 (Dec) 2017, pp: 192–222
U.S. not only accused North Korea for this cyber attack but also the previous hacking of the Sony Picture Entertainment earlier in November, 2014. Even if these circumstances remain unclear but main digital evidences pointed to North Korea, which admitted to forming a hacker team. The U.S. and South Korea need to observe North Korea’s cyberwarfare capabilities seriously since them. This is a clear example that cyber warfare incidents threaten the national security of a state.
Online Social Networks (OSNs)
In the last decade, Thailand was confronted with waves of political difficulties that led to tremendous political changes. Social networks have been utilized by various groups to gain both tangible and intangible power from human assets. The Royal Thai Ministry of Defense is a core executive of the Council of Ministers that needs to cooperate with the government to cease protestors’ intimidated activities. The Royal Thai Armed Forces found itself in a cumbersome status of how to manage the balance between the stability of the government and the liberty of the Thai citizens in a democracy. Notwithstanding, many websites and networks of the Royal Thai Armed Forces became cyber attacking targets (from various groups of protestors) via the Internet.
Thailand has 28 million Facebook users (the 9th position worldwide). Yet another 30 million LINE users rank Thailand as the 2nd LINE community in the world after Japan. From the Thailand Internet user profile 2015 (ETDA, 2015), 81.2% of Thai people access the Internet via smart phones 5.7 hours a day and 82.7% of smart phone use is for communication over famous social networks such as Facebook (92.1%) and LINE (85.1%). Sharing information through the social media in Thailand is extremely quick. Therefore, information operation and cyberwar via social network on mobile devices are critical in Thailand. According to Singer (2015), ISIS uses the social media as a weapon. Protestors in Thailand use OSNs to share information against the government. At any stage, it is possible that terrorists could impersonate themselves as members of protestors and mislead the group into their courses. Thus, OSNs gain implicit cyber power to menace the national security. The contribution of the proposed framework is displayed by its capabilities in assessing cyber risk from the cognitive and information domains of NCW. Summary of the literature review about NCW, Military Operation, and other topics related to cyber warfare are in Table 2.
199 Journal of ICT, 16, No. 2 (Dec) 2017, pp: 192–222
Table 2
Summary of the Literature Reviews about Network Centric Warfare (NCW), Military Operation, and Other Topics Related to Cyber Warfare
Domains Topics References Contributions/Explanations Military FM 34-130 (DOA, 1994) Intelligence preparation of the battlefield. The battlefield environment, effects and threat evaluation are defined.
Network centric Network Centric (DOD, 2003) Description of NCW and Warfare (NCW) its three domains: Physical, information and cognitive.
Cyber Cyber warfare (Ophardt, 2010) The need for individual and the crime of accountability on future aggression battlefields.
Military JP 3-0 (DOD, 2011) Guidelines for the Armed Forces (Joint operation) in joint operations across the range of military operation. 3 levels of war are described including strategic, operational and tactical level.
Cyber Cyber warfare (Andress & Techniques, tactics and tools for Winterfeld, 2011) security practitioners.
Cyber Revisiting the (Herzog et al., A summation of the cyberattacks Estonian cyber 2011) on Estonia in April and May attacks: Digital 2007 by digital activists. threats and multinational.
SCADA Stuxnet worm (Karnouskos, Investigation on the Stuxnet impact on industrial 2011) worm which could be used as a cyber-physical potential cyber weapon targeting system security to attack critical system infrastructures, e.g. SCADA.
Military ADRP 3-0 (DOA, 2012) Unified land operations. Description of the army operational concept and combat power.
(continued)
200 Journal of ICT, 16, No. 2 (Dec) 2017, pp: 192–222
Domains Topics References Contributions/Explanations Information FM 3-13 (DOA, 2013) Inform and influence activities. operation Information environment is described and categorized into 3 dimensions of NCW.
SCADA The real story of (Kushner, 2013) Cyber worm designed to modify Stuxnet [Online] the execution code in PLCs of the Siemens SCADA systems.
Cyber Cyber space and (Vitel, 2014) Informing concern of cyber Euro-Atlantic threats against all countries security that rely heavily on computer networks and systems.
Table 2
Summary of the Literature Reviews about Network Centric Warfare (NCW), Military Operation, and other Topics Related to Cyber Warfare
Domains Topics References Contributions/Explanations Cyber Joint publication 3-13 (DOD, 2014) Information operations: (Incorporating change 1) Cyberspace is identified as a global domain and recognized as a new military battlefield. SCADA South Korea Nuclear (Kwaak, 2014) Critical cyber attacking that Plant Operator Hacked threatens the national cyber [Online] security. Cyber Cyber risk evaluation Hemanidhi et. Introduced CRE that integrates (CRE) framework for al., 2015) risks from NRM and RE network centric warfare together. No risk management standards are applied. SCADA NIST SP 800-82rev2 (NIST, 2015) Guide to Industrial Control (Revision 2) Systems (ICS) security including SCADA Systems OSNs Terror on twitter: How (Singer et al., 2015) OSNs as potential weapons for ISIS is taking war to terrorist. social media and social media is fighting back SCADA A review of cyber (Cherdantseva et Twenty-four risk assessment security risk assessment al., 2016) methods developed for or methods for SCADA applied in the context of a systems SCADA system.
201 Journal of ICT, 16, No. 2 (Dec) 2017, pp: 192–222
PROPOSED FRAMEWORK
This paper presents a novel conceptual framework called “Cyber Risk Assessment (CRA)” which applied the mixed research method as explained by Creswell (2014). This framework was vertically divided into 2 major parts: Network Risk Evaluation (NRE) and Military Risk Evaluation (MRE). In the first part, quantitative data from NRE was analyzed from the vulnerability scanning of various VD tools using the testing and examination methodology. In the second part, qualitative data from MRE was gathered from discussions of military professionals and IT/Cyber specialists using the focus group methodology. Full details of this research methodology are described in the next section. This framework was designed with respect to the ISO 31000:2009 standard, therefore, both NRE and MRE were horizontally differentiated into 3 phases including cyber risk identification, cyber risk analysis, and cyber risk evaluation. The entire conceptual CRA framework is shown in Figure 1. Quantitative data from NRE is the upper part while qualitative data from MRE is the lower part.
Figure 1. Cyber risk assessment (CRA) conceptual framework.
202 Journal of ICT, 16, No. 2 (Dec) 2017, pp: 192–222
Figure 2. Network risk evaluation (NRE) concept.
PART 1: NETWORK RISK EVALUATION (NRE)
As mentioned above, each major part will be separated into 3 phases including cyber risk identification, analysis and evaluation. The general concept of NRE is shown in Figure 2.
NRE Phase 1: Cyber Risk Identification
Basically, risk identification is to identify risks from the sources, targets, events, causes and potential consequences. It would include identification of assets, threats, existing controls, vulnerabilities and consequences. There are several types of vulnerabilities, for instance, vulnerabilities from the strategic level (policy, plan, procedure, and so on), human vulnerability (training, awareness, responsibilities, and so on), vulnerabilities from techniques and physical vulnerabilities. In the first phase of NRE, we focused on technical vulnerability identification because it is the most prominent technique that many organizations choose to scan their networks and vulnerabilities of each host. It consists of two factors: location and tools as shown in Figure 2. Location represents the network where several VD tools are implemented. Tools are types of vulnerability detection, e.g. NetClarity, Nessus and Retina. The main purpose of this phase was to identify hosts and their vulnerabilities.
203 Journal of ICT, 16, No. 2 (Dec) 2017, pp: 192–222
NRE Phase 2: Cyber Risk Analysis
In this phase, scanning results from phase 1, including the number of found hosts and vulnerabilities of each host, were graded through a mathematical algorithm called “Network Risk Metric (NRM). NRM was proposed for non- biased network risk evaluation of the overall network from various VD tools. The outcomes of the NRM were inputs for NRE in the cyber risk evaluation phase. Note that, from our perspective, types of network equipment have different levels of attraction to attackers. In this article, only generic ideas and algorithms are addressed by the following Eq. (1-5). Full explanation and examples of NRM can be found in our previous article at IEEE ACDT 2015 publication (Hemanidhi et al., 2014).
Differentiate Server-Client Risk L n There were 5 steps in this phase. We differentiated computers off the networki s,c l 1 i,l (1) L n s,c is,c l1 iinto,l two groups: server (s) and client (c). More groups are possible dependingLHs ,c L fs,c L (1) LH n L LL is,c l1 ni,l i s,c s,lc1 i,l n nn f f s,c on classification i (is1 i,c)sof s, c, clthe1l l 1i1,networkli,il,l administrator.(1) The “Cut-off” value f to limit s,c fs,fcfs,c (1()(1 1 )) LHs,c LHs,c s,c where L is the number of risk level, { ( ), ( )}, and ni,l is number (value) of detected diffusion of data LHwasLHLHs, ccalculatess,c,c from Eq. (1). where L is the number of risk level, { ( ), ( )}, and n is number (value) of detected L i,l 𝑖𝑖 ∈ 𝑆𝑆𝑆𝑆𝑆𝑆𝑆𝑆𝑆𝑆𝑆𝑆 𝑠𝑠 𝐶𝐶𝐶𝐶𝐶𝐶𝐶𝐶𝐶𝐶𝐶𝐶 𝑐𝑐 i{s,c L l1(n)i,,l ( )} vulnerabilities in each risk level l. Four risk levels identified by NetClarity were applied including where L is the numberw ofhere risk L level,is the number { of ( risk ) , level, f ( )},i ands ,c ni,l nisi ,l number (value, and {) ofni,l detectedis( number )(, ) (( value)} ) of ( 1 (1)detected) wwherew herehere L fLLis s is ,cist he t𝑖𝑖thehe ∈number numbernumber𝑆𝑆𝑆𝑆𝑆𝑆𝑆𝑆𝑆𝑆𝑆𝑆l 1 of 𝑠𝑠 of ofrisk 𝐶𝐶𝐶𝐶 riskrisk𝐶𝐶𝐶𝐶 𝐶𝐶𝐶𝐶level, level,level,𝑐𝑐 {{ ( ),, (( ),) }(}and,1 , and)and n i,l nn i,lisi,l is isnumber numbernumber ( value ((valuevalue) )of) of ofdetected detecteddetected vulnerabilities in each risk level sl,.c Four riskLH levelss,c identified by NetClarity were applied including 𝑖𝑖 ∈ LH𝑆𝑆𝑆𝑆𝑆𝑆𝑆𝑆𝑆𝑆𝑆𝑆s,c 𝑠𝑠 𝐶𝐶𝐶𝐶𝐶𝐶𝐶𝐶𝐶𝐶𝐶𝐶 𝑐𝑐 vulnerabilities in𝑖𝑖 ∈each𝑆𝑆𝑆𝑆𝑆𝑆𝑆𝑆𝑆𝑆𝑆𝑆 risk 𝑠𝑠 level𝐶𝐶𝐶𝐶𝐶𝐶𝐶𝐶 𝐶𝐶𝐶𝐶l. Four𝑐𝑐 risk levels identified𝑖𝑖 by𝑖𝑖∈𝑖𝑖 ∈ ∈𝑆𝑆𝑆𝑆𝑆𝑆𝑆𝑆𝑆𝑆𝑆𝑆 NetClarity𝑆𝑆𝑆𝑆𝑆𝑆𝑆𝑆𝑆𝑆𝑆𝑆𝑆𝑆𝑆𝑆𝑆𝑆𝑆𝑆𝑆𝑆𝑆𝑆𝑠𝑠 𝑠𝑠𝑠𝑠𝐶𝐶𝐶𝐶 𝐶𝐶𝐶𝐶we𝐶𝐶𝐶𝐶𝐶𝐶𝐶𝐶low,𝐶𝐶𝐶𝐶𝐶𝐶𝐶𝐶re𝐶𝐶𝐶𝐶𝐶𝐶𝐶𝐶𝑐𝑐 applied𝑐𝑐 medium,𝑐𝑐 including high and serious/critical. Definition of each risk level can be found in the NACwall vulnerabilities in each risk level l. Four risk levelsvulnerabilitiesvulnerabilities identified in by ineach each NetClarity risk risk level level we l.re Fourl . appliedFour risk risk including levels levels identified identified by by NetClarity NetClarity we were re applied applied including including low, medium, high and seriousvulnerabilities/critical. Definition in each risk of level each l risk. Four level risk can levels be found identified in the by NACwall NetClarity were applied including wwherehere LL is is the the number number of of risk risk level, { ( ) ( ) , ( ) }, and ni,l isis number (value) of detected low, medium, high andw serioushere L/ criticalis the .number Definition of risk of eachlevel, risk level{ can be, foundappliances( ) } in, and the user nNACwalli,l isguide i,lnumber (NetClarity, (value) of2011 detected). Then we normalized all detected vulnerabilities of each risk low, medium, high and serious/critical. Definitionlow,low, medium,of medium, each risk high high level and and can serious serious be / foundcritical/critical in. Definition.the Definition NACwall of of each each risk risk level level can can be be found found in inthe the NACwall NACwall appliances user guide (NetClarity,numberlow, medium, (value) 2011) .high ofThen detected and we seriousnormalize vulnerabilities/criticald all. detectedDefinition in each vulnerabilitiesrisk of level each l. riskFour of level riskeach levels can risk be found in the NACwall vulnerabilities in each risk level l. 𝑖𝑖Four∈𝑖𝑖 𝑆𝑆𝑆𝑆𝑆𝑆𝑆𝑆𝑆𝑆𝑆𝑆∈ risk𝑆𝑆𝑆𝑆𝑆𝑆𝑆𝑆𝑆𝑆𝑆𝑆 levels𝑠𝑠 𝐶𝐶𝐶𝐶𝑠𝑠𝐶𝐶𝐶𝐶 𝐶𝐶𝐶𝐶 identified𝐶𝐶𝐶𝐶𝑐𝑐𝐶𝐶𝐶𝐶 𝑐𝑐 by NetClarity were applied including appliances user guide (NetClarity,vulnerabilitiesidentified 2011 by in)NetClarity. eachThen riskwe were normalize level applied l. Fourd includingall riskdetected levels low, vulnerabilities identifiedmedium,level by high by appropriate of NetClarityand each serious/ risk cut we-offre s. applied The new including “Cut-off Normalize Table” was then created from Eq. (2) as appliances user guide (NetClarity, 2011). Thenappliances weappliances normalize user userd guideall guide detected (NetClarity, (NetClarity, vulnerabilities 2011 2011). Then) .of Then each we we normalizerisk normalize d alld all detected detected vulnerabilities vulnerabilities of ofeach each risk risk level by appropriate cut-offcritical.appliancess. The Definition new user “Cut guide -offof (each NetClarity,Normalize risk level Table2011 can)” . beThenwas found then we in normalize createdthe NACwall fromd all Eqdetectedappliances. (2) as vulnerabilities of each risk level by appropriate cutlow,low,-offusers. medium, medium,guideThe new (NetClarity, high high“Cut and - andoff 2011). seriousNormalize serious Then/critical/critical Tablewe. normalizedDefinition.” Definitionwas then ofall created eachdetected offollows, each risk from vulnerabilities risk level Eq level. can (2) be canas found be found in the inNACwall the NACwall level by appropriate cut-offs. The new “Cut-offlevellevel levelNormalize by byby appropriate appropriateappropriate Table” cutwas cutcut-off -then-offoffs. s.s.The created TheThe new newnew from“ Cut ““CutCut -Eqoff--offoff. Normalize( 2 Normalize)Normalize as Table TableTable” ”was” waswas then thenthen created createdcreated from fromfrom Eq EqEq. (. .2 ()(2 2)as) as as follows, of each risk level by appropriate cut-offs. The new “Cut-off Normalize Table” follows, appliancesappliances user user guide guide (NetClarity, (NetClarity, 2011 2011). Then). Then we wenormalize normalized alld detected all detected vulnerabilities vulnerabilities of each of risk each risk follows, follows,wasfollows,follows, then created from Eq. (2) as follows, (2) levellevel byby appropriateappropriate cut cut-off-offs. s.The The new new “Cut “Cut-off- offNormalize Normalize Table Table” was” thenwas thencreated created from Eqfrom. (2 )Eq as. (2) as (2) (2) (s) (c) follows, (2) Then, n( 2i,l) and ni,l was weighted(2) by weighted value ( L ) in which L = {Serious(4), High(3), (s) (c) follows, ((22)) Then, ni,l and ni,l was weighted by weighted value (L ) in which L = {Serious(4), High(3), (s) (c) (s) (c) Then, n and n was weighted(s)(s(s)) by weighted(c)(c(c)) value ( ) in which L = {Serious(4), High(3), ( ) Then, ni,l and ni,l was weightedi,l by i weighted,l Then, value n (andL ) nin which was weightedL = {Serious L by weighted(4), High ( value3), Medium ( ) (in2) , whichLow(1 )L} . =The {Serious new weighted(4), High value(3), of vulnerability for each server host and client host Then,Then, in,lni,il,l andand in,lni,il,l waswas weightedweighted by by by weighted weighted weighted value value value ( ((LL)L )in) ininwhich whichwhich L =LL == {Serious{Serious((44)), , High High((33)), , , ( ) 𝑠𝑠 Medium(2), Low(1)}. The {Serious(4),n ew weighted High(3), value of vulnerabilityMedium(2), Low(1)}for each. serverThe newhost weighted, and client value host of (2) ( ) 𝑖𝑖 𝑙𝑙 ( ) ( ) 𝑠𝑠 ( ) (2) 𝑛𝑛́ Medium(2), Low(1)}. TheMedium new weighted(2), Low( value1)}. The of vulnerability nvulnerabilityew weighted for forvalue each each of server svulnerabilityerver host host for and each client server host host was,was and derivedderived client from fromhost Eq. (3) (as()) follows: MediumMediumMedium(2()(2,2 )Low), , LowLow(1()(1}1).)} }The. . TheThe n ew nnewew weighted weightedweighted , value valuevalue of of ofvulnerability vulnerabilityvulnerability, 𝑖𝑖 𝑙𝑙 for forfor each eacheach s erver sservererver host hosthost , and andand client clientclient host hosthost ( ) (s) (c) 𝑠𝑠 𝑐𝑐𝑛𝑛́ 𝑠𝑠 , , was derived from EqThen,. (3) asn follows: and n was weighted by weighted value ( ) in which L = {Serious𝑠𝑠 𝑠𝑠𝑠𝑠 (4), High(3), , Eq. (3)i ,asl(s) follows:i,l (c) 𝑖𝑖 𝑙𝑙 𝑖𝑖 𝑙𝑙 𝑖𝑖L𝑙𝑙 ( ) (𝑐𝑐 ) n and n 𝑛𝑛́ 𝑛𝑛́ 𝑛𝑛́ in 𝑖𝑖 𝑙𝑙𝑖𝑖𝑖𝑖𝑙𝑙𝑙𝑙 was derived from EqThen,(. )((3))) as follows:i,l i,l was weighted by weighted value ( L ) which L =𝑛𝑛́ 𝑛𝑛𝑛𝑛́{Seriouś (s,c) (4), High((s3,c), , was derived from Eq𝑖𝑖 𝑙𝑙, . (3) as follows: was derived from Eq. (3) as follows: n n (3) 𝑛𝑛́ 𝑐𝑐 , , , was was derived derived from from Eq Eq. .( (33)) as as follows: follows: i.l L i.l 𝑐𝑐 𝑐𝑐 (s,c) (s,c) ( ) 𝑖𝑖 𝑙𝑙 Medium 𝑐𝑐𝑐𝑐 n(2 ) , Low (1 )}. Then new weighted value of vulnerability for(3 )each (3) server host and client host 𝑖𝑖 𝑙𝑙 𝑛𝑛́ 𝑖𝑖 𝑙𝑙 i.l L i.l , ( ) 𝑛𝑛́ (s,c) 𝑛𝑛́ (𝑛𝑛𝑛𝑛ś 𝑖𝑖,́ c𝑖𝑖𝑙𝑙)𝑙𝑙 (s,c) (s,c) 𝑠𝑠 Mediumn(2 ), Low (1)}. nThe n ew weighted(s,(c(s)s,c,c)) value ( sof,(c(s)s, c,vulnerabilityc)) (3) for each server host , and client host ni.l L n i .l i .l L i. l n (3) n The outcome wa s the new𝑖𝑖 𝑙𝑙 weighted(3) value of vulnerability for each group. The new “Weighted ( ) in.lni.il.l LLLin.lni.il.l 𝑛𝑛́ ((3𝑠𝑠3)) The outcome was the new, was weighted derived value from of Eq vulnerability. (3) as follows: 204 for each group. The new “Weighted 𝑖𝑖 𝑙𝑙 (𝑐𝑐 ) 𝑛𝑛́ ( ) ( ) The outcome was theThe new outcome weighted wa values the of new , vulnerability was weighted derived value for from each of Eq vulnerability group. (3) .as The follows: new for each “Weighted group. NormalizedThe new “ Weighted Table” was then created. The normalized risk for server and client was 𝑛𝑛Thé 𝑖𝑖The𝑙𝑙The outcome outcome outcome wa wawas s thes the the new new new weighted weighted weighted value value value of of of vulnerability vulnerability vulnerability( ) for for for each each each( ) group group group. .The . TheThe new new new “ Weighted““WeightedWeighted Normalized Table” was then𝑐𝑐 created. The normalized ( risks,c) for server(s, c) and client was 𝑠𝑠 𝑐𝑐 n n (3) 𝑖𝑖 𝑖𝑖 𝑖𝑖 𝑙𝑙 ( ) i.l L i(.l) (𝑠𝑠 ) (𝑐𝑐 ) 𝑅𝑅 𝑅𝑅 Normalized Table” was𝑛𝑛́ then created. The normalized risk(s, c) for server (s,c) calculatedand client from Eq was. (4( )).( ()) ( )(( )) Normalized Table” was then created. The normalizedNormalized NormalizedNormalized risk Table Table Table for” ””was server waswas then then then created createdandncreated client. .The . TheThe normalized normalized normalizedn was𝑖𝑖 risk risk risk for for for server 𝑖𝑖 server server and andand client client client ( 3) was waswas 𝑠𝑠 i.l L 𝑐𝑐 i𝑅𝑅.l 𝑠𝑠 𝑅𝑅 𝑐𝑐 calculated from Eq. (4). 𝑠𝑠 𝑠𝑠𝑠𝑠 𝑐𝑐 𝑐𝑐𝑐𝑐 The outcome was the new weighted𝑖𝑖 value of𝑖𝑖 vulnerability𝑖𝑖 for each𝑖𝑖 group. The new “Weighted calculated from Eq. (4). 𝑅𝑅 𝑅𝑅 𝑅𝑅 𝑅𝑅 𝑅𝑅𝑖𝑖 𝑖𝑖𝑖𝑖 𝑅𝑅𝑖𝑖 𝑖𝑖𝑖𝑖 L n calculated from Eq. (4). calculatedcalculatedcalculated from from from Eq Eq Eq. (.4 .( )(4.4 )). . 𝑅𝑅𝑅𝑅 (s,c) 𝑅𝑅𝑅𝑅 l1 i.l The outcome wasL the new weighted value of vulnerability for each group . TheRi new “Weighted100 (4) (s,c) l1 ni.l ( ) ( ) L Normalized Table” was then created. The normalized risk for server and client wasl1l fi L Ri L 100 (4) n (s,c) Ll1 ni.l L LL 𝑠𝑠 𝑐𝑐 (s,c) l1 i.l l1l fi (s,c) ni.ln ( ) ( ) R 100Ri 100 ((ss,c,c)) (4)l 1ll11 ni.il.l (4) 𝑖𝑖 𝑖𝑖 i L Normalized Table L ” was thenR iRcreatedR . The normalized100100100The relative risk forrisk server for 𝑅𝑅 server group and(4()(4 4and) client) 𝑅𝑅 client group was ( Rs,c ) was estimated from Eq. (5). l calculated f from Eq.l (14l). fi ii L LL l1 i l llfiff 𝑠𝑠 𝑐𝑐 The relative risk for server group and client group ( Rs,c ) was estilmated1ll11 fromii Eq. (5). 𝑅𝑅𝑖𝑖 𝑅𝑅𝑖𝑖 R (s,c) The relative risk for serverThe relative group and risk client for server groupcalculated group ( Rs,c and)from was client Eqesti. mated (group4). from ( s,c Eq) was. (5 ).esti Lmated fromR Eq. (5). TheTheThe relative relative relative risk risk risk for for for server server server group group group( sand,c and )and client client clientl1 groupn i group.groupl ( ( (sR,Rcss,)c, cwas)) waswas esti estiestimatedmatedmated from from from Eq EqEq. (.5 .( ).(55 ).). is,c Ri (s,c ) Ri 100 (4R)s ,c (5) is,c R L i l L f Hc ( s , c ) Rs,c (s,c) l 1 in (5) R (s,c) (ls,(c1(s)s,c,c)i).l is,c Ri i sH,cc i R RRR 100 (4) R R s,c i i(5sii,)cs s,c,cLi i i These relative(5) risks were initial values to evaluate the mean of overall risk for each type of host. s,c The relative risk for H server group R sR ,Randc s,c client groupl f ( Rs ,c ) was esti mated from Eq . (5).( 5()(5 5)) Hc c s,c H l1 i These relative risks were initial values to evaluate the mean of overallHc Hriskcc for each type of host. These relative risks were initial values to evaluate the mean of overall risk for each type of host. These relative risks were initial values to evaluateTheseTheTheseThese the relative relativemean relative relative of riskrisks overall risks risks for we we we serverreriskre reinitial initial forinitial group each values values values type and to to oftoevaluate client evaluate evaluatehost(s,c. )group the the the mean mean mean( R sof,c of )ofoverall wasoverall overall esti risk risk riskmated for for for each each fromeach type type typeEq of .of of(host5 host ).host . .. is,c Ri Rs,c (5) H NRE Phase 3: Cyber Risk Evaluation c (s,c) NRE Phase 3: Cyber Risk Evaluation is,c Ri These relative risks we re initial values Rs,c to evaluate the mean of overall risk for each type of host(.5 ) NRE Phase 3: Cyber RiskNRE Evaluation Phase 3: Cyber RiskNRE Evaluation Phase 3: Cyber Risk Evaluation Hc NRENRE Phase Phase 3: 3: Cyber Cyber Risk Risk Evaluation Evaluation Finally, in the last phase of NRE, products from NRM were graded through Eq. (6-8). The neutral risk These relative risks were initial values to evaluate the mean of overall risk for each type of host. Finally, in the last phase of NRE, products from NRM were graded through Eq. (6-8). The neutral risk Finally, in the last phase of NRE, products from NRM were graded through Eq. evaluation(6-8). The neutralfrom various risk VD tools was invited. The first step of this phase was to find the “Probability Finally, in the last phase of NRE, products fromNREFinally, NRMFinally, Phase werein inthe 3: thegraded lastCyber last phase throughphase Risk of ofNREvaluation Eq NRE,. (E,products6- products8). The from neutral from NRM NRM risk were were graded graded through through Eq Eq. (6. -(86).-8 The). The neutral neutral risk risk evaluation from various VD Finally, tools wain thes invited. last phase The offirst NR stepE, products of this phase from waNRMs to werefind thegraded “Probability through Eq. (6-8). The neutral risk evaluation from variousevaluation VD tools fromwas invited.various TheVD toolsfirst step was of invited. this phase The wafirsts tostep find of thethis “ phaseProbability was to find the “Probability evaluationNREevaluationevaluation Phase from from from3: Cybervarious variousvarious RiskVD VDVD tools Evaluation toolstools wa wawas sinvited.s invited.invited. The TheThe first firstfirst step stepstep of of ofthis thisthis phase phasephase wa wawas stos to tofind findfind the thethe “ Probability ““ProbabilityProbability Finally, in the last phase of NRE, products from NRM were graded through Eq. (6-8). The neutral risk
evaluation from various VD tools was invited. The first step of this phase was to find the “Probability Finally, in the last phase of NRE, products from NRM were graded through Eq. (6-8). The neutral risk
evaluation from various VD tools was invited. The first step of this phase was to find the “Probability L is,c l1 ni,l L n fs,c L is,c l1 i,l (1) isLH,c l1 ni,l fs,c (1) L nL fs,c s,c LH (1) is,ics,cl1li1,lni,l LH s,c fs,cfs,c (1)(s ,1c) LHLHs,c s,c where L is the number of risk level, { ( ), ( )}, and ni,l is number (value) of detected where L is the number of risk level, { ( ), ( )}, and ni,l is number (value) of detected where L is the number of risk level, { ( ), ( )}, and ni,l is number (value) of detected ( ) 𝑖𝑖 ∈ 𝑆𝑆𝑆𝑆𝑆𝑆𝑆𝑆𝑆𝑆𝑆𝑆 𝑠𝑠 𝐶𝐶𝐶𝐶𝐶𝐶𝐶𝐶𝐶𝐶𝐶𝐶 𝑐𝑐 wherewhere L isL tishe t henumber number of ofrisk risk level, level, { {vulnerabilities(, ), ( in)(} , each)and}, and n riski,l nis i,llevel numberis number l. Four (value ( value risk) of levels) ofdetected detected identified by 𝑖𝑖 NetClarity∈ 𝑆𝑆𝑆𝑆𝑆𝑆𝑆𝑆𝑆𝑆𝑆𝑆 we𝑠𝑠 re𝐶𝐶𝐶𝐶 𝐶𝐶𝐶𝐶 applied𝐶𝐶𝐶𝐶 𝑐𝑐 including vulnerabilities𝑖𝑖 ∈ 𝑆𝑆𝑆𝑆𝑆𝑆𝑆𝑆𝑆𝑆𝑆𝑆 in each𝑠𝑠 risk𝐶𝐶𝐶𝐶𝐶𝐶𝐶𝐶 𝐶𝐶𝐶𝐶 level𝑐𝑐 l. Four risk levels identified by NetClarity were applied including 𝑖𝑖 ∈ 𝑆𝑆𝑆𝑆𝑆𝑆𝑆𝑆𝑆𝑆𝑆𝑆vulnerabilities𝑠𝑠 𝐶𝐶𝐶𝐶𝐶𝐶𝐶𝐶𝐶𝐶𝐶𝐶 𝑐𝑐 in each risk level l. Four risk levels identified by NetClarity were applied including vulnerabilitiesvulnerabilities in ineach each risk risk level level l. Fourl. Four 𝑖𝑖 risk∈ risk𝑆𝑆𝑆𝑆𝑆𝑆𝑆𝑆𝑆𝑆𝑆𝑆 levels levels 𝑠𝑠 identified 𝐶𝐶𝐶𝐶 identified𝐶𝐶𝐶𝐶𝐶𝐶𝐶𝐶 𝑐𝑐 by by NetClarity NetClarity we were re applied applied including including low, medium, high and seriouslow,/critical medium,. Definition high and of serious each / riskcritical level. Definition can be found of each in the risk NACwall level can be found in the NACwall low, medium, high and serious/critical. Definition of each risk level can be found in the NACwall low,low, medium, medium, high high and and serious serious/critical/critical. Definition. Definition of of each each risk risk level level can can be be found found in inthe the NACwall NACwall appliances user guide (NetClarity,appliances 2011 )user. Then guide we (normalizeNetClarity,d all2011 detected). Then vulnerabilities we normalize dof all each detected risk vulnerabilities of each risk appliances user guide (NetClarity, 2011). Then we normalized all detected vulnerabilities of each risk appliancesappliances user user guide guide (NetClarity, (NetClarity, 2011 2011). Then). Then we we normalize normalized alld alldetected detected vulnerabilities vulnerabilities of ofeach each risk risk level by appropriate cut-offs.level The bynew appropriate “Cut-off Normalizecut-offs. The Table new” was“Cut then-off Normalizecreated from Table Eq.” ( 2was) as then created from Eq. (2) as level by appropriate cut-offs. The new “Cut-off Normalize Table” was then created from Eq. (2) as levellevel by byappropriate appropriate cut cut-off-offs. Thes. The new new “Cut “Cut-off-off Normalize Normalize Table Table” was” was then then created created from from Eq Eq. (2. )( 2as) as follows, follows, follows, follows,follows,
(2) (2) (2) (s) (c) (2)( 2) Then, ni,l and ni,l was weighted ( bys) weighted(c) value (L ) in which L = {Serious(4), High(3), (s) (c) Then, ni,l and ni,l was weighted by weighted value (L ) in which L = {Serious(4), High(3), Then, ni,l and ni,l was weighted by weighted value (L ) in which L = {Serious(4), High(3), (s) (s) (c) (c) Then,Then, n i,l ni ,land and n i,l ni ,lwas was weighted weighted by by weighted weighted value value ( (L) Lin) inwhich which L =L {Serious= {Serious(4)(,4 High), High(3)(, 3), ( ) Medium(2), Low(1)}. The new weighted value of vulnerability for each server host and client host ( ) Medium(2), Low(1)}. The new weighted value of vulnerability(, ) for each server host and client host 𝑠𝑠 , Medium(2), Low(1)}. The new weighted value of vulnerability for each server host , and client host 𝑠𝑠 ( ) ( ) 𝑖𝑖 𝑙𝑙 Medium(2), Low(1)}. TheThe new n ewweighted value of( ) vulnerability for each server host and client host 𝑛𝑛́ 𝑠𝑠 𝑖𝑖 𝑙𝑙 Medium(2), Low(1)}. weighted value of vulnerability for each server( ) host , , and client host 𝑛𝑛́ , was derived from Eq. (3) as follows:𝑠𝑠 𝑖𝑖 𝑙𝑙 ( ) , was derived𝑠𝑠 from Eq. (3) as follows: 𝑛𝑛́ 𝑐𝑐 was derived from Eq. (3) as follows:𝑖𝑖 𝑙𝑙 𝑖𝑖 𝑙𝑙 ( ) ( ) , 𝑐𝑐 𝑛𝑛́ 𝑛𝑛́ 𝑛𝑛́ 𝑖𝑖 𝑐𝑐𝑙𝑙 , ,was was derived derived from from Eq Eq. (3.) ( as3) follows:as follows: 𝑛𝑛́ 𝑖𝑖 𝑙𝑙 (s,c) (s,c) 𝑐𝑐 𝑐𝑐 𝑛𝑛 ́ 𝑖𝑖 𝑙𝑙 ni.l L ni.l ( s,c) (s,c ) (3) (s,c ) (s,c) ni.l L ni.l (3) 𝑛𝑛́ 𝑖𝑖 𝑙𝑙𝑛𝑛́ 𝑖𝑖 𝑙𝑙 n Journal n of ICT, 16, No. 2 (Dec) 2017, pp: 192 –222 (3) (s,c()s,c) (s,c()s,c) i.l L i.l ni.lni.l LLni.lni.l (3)( 3) The outcome was the new The weighted outcome value wa ofs the vulnerability new weighted for each value group of vulnerability. The new “ forWeighted each group. The new “Weighted The outcome was the new weighted value of vulnerability for each group. The new “Weighted The outcome was the new weighted value of vulnerability for eachThe group outcome. The was new the “ Weightednew weighted value of vulnerability( ) for each group.( ) The The outcome was the new weighted valueNormalized of vulnerability Table” forwas each then groupcreated. The. The new normalized “Weighted risk for server and client was ( ) ( ) Normalized Table” was then created. The normalized( ) risk for( ) server and client was new “Weighted Normalized Table” was then created.𝑠𝑠 The normalized 𝑐𝑐risk for Normalized Table” was then created. The normalized risk for server and client was 𝑠𝑠 𝑐𝑐 ( ) ( ) ( ) ( ) 𝑖𝑖 𝑖𝑖 NormalizedNormalized Table Table” was” was then then created created. The. Thecalculated normalized normalized from risk Eq risk . for ( 4 for). server server and and and clientclient client waswas wascalculated from Eq. 𝑅𝑅(4).𝑠𝑠 𝑅𝑅 𝑐𝑐 𝑅𝑅𝑖𝑖 𝑅𝑅𝑖𝑖 calculated𝑠𝑠 from Eq. (4𝑐𝑐). 𝑖𝑖 𝑖𝑖 calculated from Eq. (4). 𝑠𝑠 𝑐𝑐 𝑅𝑅 𝑅𝑅 𝑅𝑅𝑖𝑖 𝑅𝑅𝑖𝑖 𝑅𝑅𝑖𝑖 𝑅𝑅𝑖𝑖 calculatedcalculated from from Eq Eq. (4. )(. 4). L ( s , c ) l1 ni.l L n (4) Ri L 100 (s ,c) l1 i.l (4) ( s , c ) L l 1 ni.l Ri 100 (4) L L R l1l fi 100 L (4) (s,c()s,c) l1 nli1.lni.l i L l1l fi Ri R 100100 (l41)(l 4) fi i L L l1Thel1lf irelativefi risk for serverThe group relative and clientrisk for group server ( R sgroup,c ) was and esti clientmated group from Eq( . (5)). was estimated The relative risk for server group and client group ( R s , c ) was estimated from Eq. (5). The relative risk for serverfrom group Eq. and (5). client group ( Rs,c ) was estimated from Eq. (5). The relative risk for server group and client group ( R R) was estimated from Eq. (5). The relative risk for server group and client group (s,c s,c ) was estimated from Eq. (5). (s,c) is,c Ri R(s,c) Rs,c (s,c) is, c i (5) is , c R i R (5) (5) ( s , c () s ,c) R Hc s,c H (5) is,icRs,ic Ri s,c c R R (H5)c( 5) s,c s,c H These relative risks were initial values to evaluate the mean of overall risk for each type of host. cHc These relative risks were initial values to evaluate the mean of overall risk for each type of host. These relative risks were initialThese values relative to risksevaluate were the initial mean values of overall to evaluate risk for the each mean type of ofoverall host. risk for TheseThese relative relative risks risks we were initialre initial values values to evaluateto evaluate the the mean mean of overallof overall risk risk for for each each type type of ofhost host. . each type of host.
NRE Phase 3: Cyber RiskNRE EvaluationNRE Phase Phase 3: 3:Cyber Cyber Risk Risk Evaluation Evaluation NRE Phase 3: Cyber Risk Evaluation NRENRE Phase Phase 3: Cyber3: Cyber Risk Risk Evaluation Evaluation of Trust”, Pi, j (T) , which isFinally, related into the ratiolast phase of the of detected NRE, products host’s type from. Its NRM simple were equation graded is throughshown of Trust” , P (T) , which is related to the ratio of the detected host’s type. Its simple equation is shown Finally, i, j in the last phase ofEq. NRFinally, (6-8).E, products in The the neutral fromlast phase NRM risk of evaluationwere NR E,graded products from through variousfrom Eq NRM. VD(6- 8 were). tools The graded wasneutral invited. through risk Eq. (6-8). The neutral risk of Trust”of, PTrust(T)”,, whichPi, j (T )is, whichrelated is to related the ratio to theof theratio detected of the detectedhost’s type host. Its’s typesimple. Its equation simple equation is shown is shown inFinally, Eqi, j. (6 ).in the last phase ofThe NR firstE, products step fromof this NRM phasewere graded was throughto find Eq the. (6 -“Probability8). ofThe Trust neutral”, ofPi , riskj Trust”,(T) ,, which is related to the ratio of the detected host’s type. Its simple equation is shown Finally,Finally, in thein the last last phase phase of NRof NRE, E,products products from from NRM NRM were were graded graded through through Eq Eq. (6. -(86).-8 The). The neutral neutral risk risk in Eq. (6evaluation). from various VDwhich evaluationtools is wa relateds invited. from to thevarious The ratio first VD of step thetools detectedof wathiss invited.phase host’s wa Thetype.s to first Itsfind simplestep the of“Probability equationthis phase is was to find the “Probability inevaluation Eq. (6). from various VD tools was invited. The firstH step of this phase was to find the “Probability in Eq. (6). shown in Eq. (6).P(T) i in( 6Eq) . (6). evaluationevaluation from from various various VD VD tools tools wa was invited.s invited. The The first first step step of ofthis this phase phase wa was tos findto find the the H“i,Probabilityj “Probability H P(T) i i, j i, j (6) i, j H iH, j iHi, j i (6) H P(T) P(T)i, j ( 6) (6) i i, j P(T)i, j (6) ; i {s,c} Hj {NetClarityi, j Hi, j , Nessus,Ratina} andi, j i, j i, j Hi, j ; i {s,c} and j {NetClarity, Nessus,Ratina} Then we offered the “Possibility; i {s,c}; ofandi Risk{ s,jc}”{ ,and NetClarityP( Rj)i, j{,NetClarity which, Nessus detected,Ratina, Nessus} those ,Ratina vulnerabilit} ies that might be ; i {s,c} and j {NetClarity, Nessus,Ratina} Then we offered the “Possibility of Risk”, P(R)i, j , which detected those vulnerabilities that might be Then weThen offered we theoffered “Possibility the “Possibility ofThen Risk ” we,of P Risk( offeredR) ”,, whichP ( theR) i, “Possibilityj detected, which detectedthose of vulnerabilit Risk”, those P(R)vulnerabilities, that which mighties detectedthat be might those be exploited. This was made by applying thei, j “Probability of trust” to the relativei,j risk ofThen the serverwe offered and the “Possibility of Risk”, P(R)i, j , which detected those vulnerabilities that might be exploited. This was made by applyingvulnerabilities the “Probability that mightof trust be” to exploited. the relative This risk was of the made server by applyingand the the client as shown in Eq. (“Probability7). of trust” to the relative risk of the server and the client as shown exploitedexploited. This was. This made was by made applying by applying the “Probability the “Probability of trust” ofto trustthe ”relative to the riskrelative of the risk server ofexploited the and server . This and was made by applying the “Probability of trust” to the relative risk of the server and the client as shown in Eq. (7). in Eq. (7). the clientthe as clientshown as in shown Eq. (7 in). Eq. (7). P(R)i, j Ri, j Pi, j (T) the(7 )client as shown in Eq. (7). P( R)i, j R i, j Pi, j ( T) (7) (7) P(R) PR(R)i, jP R(Ti,)j Pi, j (T) ( 7) (7) Finally, the “Total estimated risk”, fori, j eachi, jtypei, jof host, in percentage, was calculated by adding all P(R)i, j Ri, j Pi, j (T) (7) Finally, the “Total estimated risk”,Finally, for each the type “Total of host, estimated in percentage risk”, for, waseach calc typeulated of host, by addingin percentage, all was possibilities of risk together as shown in Eq. (8). Finally, theFinally, “Total the estimated “Total estimated risk”,calculated for risk each”, fortype by eachadding of host,type all inof possibilities percentagehost, in percentage of, was risk calc together, wasulated calc as by shownulated addingFinally, inby Eq.all adding the (8). “ Totalall estimated risk”, for each type of host, in percentage, was calculated by adding all possibilities of risk together as shown in Eq. (8). possibilitiespossibilities of risk together of risk togetheras shown as in shown Eq. (8 in). Eq. (8). (s,c) Total estimated risk (%) P( R)i, j 100 possibilities(8) (8) of risk together as shown in Eq. (8). (s,c) Total estimated risk (%) P(R)i, j 100 (8) (s,c) (s,c) (s,c) Total estimatedTotal estimated risk (%) risk (%) P(R) 100P(R ) i , j 100 ( 8) (8) i, j205 Total estimated risk (%) P(R)i, j 100 (8)
Journal of ICT, 16, No. 2 (Dec) 2017, pp: 192–222
The total estimated risk represents the final overall risk for each type of host from our proposed “Network Risk Metric (NRM)”. This is our “Network Risk Evaluation (NRE)” which is not biased to any vendor or standard institution.
PART 2: MILITARY RISK EVALUATION (MRE)
To evaluate risk in the military perspective, it is important to understand the basic background of military operation and its related topics. In the Cyberwar and the NCW concept (DOD, 2003), there were 5 war-fighting domains including land, sea (maritime), air, space and cyberspace. The first four domains could be considered as physical domains since military objects could be specified by location, direction, distance, weight, size, and so on. However, the fifth domain, cyberspace, is a global domain within the information environment comprising the interdependent network of information technology infrastructures, including the Internet, telecommunication networks, computer systems and embedded processors and controllers (Andress & Winterfeld, 2011). This domain is very extensive covering both physical and logical factors. Theories, strategies, doctrines and tactics that shape the domain and cyberwar are really needed. The general concept of MRE is shown in Figure 3.
Figure 3. Military risk evaluation (MRE) concept.
206 Journal of ICT, 16, No. 2 (Dec) 2017, pp: 192–222
MRE Phase 1: Cyber Risk Identification (Military Risk Factor: MRF)
In the first phase of MRE, Cyber Risk Identification, risk factors and their related consequences subjected to military operation must be identified. To obtain this information, in-depth interviewing with military professionals and information security specialists are motivated. The outcome is called “Military Risk Factors (MRF)” which could send significant affects to military cyber warfare. Contents of MRF are categorized and filled into an appropriate cell of the crossed table between NCW domains and criticality in security metric. Four criteria of criticality in security metric (Sun et al., 2010) including service, location, role and asset lie in rows. Three key domains of NCW (DOD, 2003), including physical, information and cognitive are in columns. The contents of MRF are shown in Table 3.
Table 3
Military Risk Factor (MRF) from Critical Security Metric and Network Centric Warfare (NCW) Integration
Physical Information Cognitive Service Government Protocol Intention, spirit, awareness, Private sector system health, concern, believe, Military Social media training, etc.
Location Land, maritime Network Goal, target, direction air, space, mobile Cyberspace surveillance, recon-naissance, etc.
Role Defensive Monitoring, Chain of command, Offensive collecting, creating, command and control, processing, storing, leadership, unity, sharing, exchanging process, defense, attack
Asset Personnel, Software Doctrine, tactics, knowledge, hardware, Intellectual properties experience, etc. network infrastructure
MRE Phase 2: Cyber Risk Analysis (Risk Environment: RE)
The second phase of MRE, from ISO 31000:2009 (ISO/IEC, 2009), each risk incident based on MRF from the first phase was scored based on their likelihood of occurrence and magnitude of impact. Firstly, the focus group, composed of military/NCW professionals and IT/Cyber specialists, was
207 Journal of ICT, 16, No. 2 (Dec) 2017, pp: 192–222 motivated. Secondly, each risk incident was rearranged into a 3x4 table called “Risk Environment” (RE) matrix as shown in Figure 4. Note that, the RE matrix has the same structure of the MRF table in which 4 criteria of criticality in security metric lie in rows while 3 domains of information environment in the NCW are in columns. Lastly, the focus group discussed each incident in details and quoted the score of each incident applied with the risk level in Table 5. For example, if we want to analyze risk environment of a military network affected by the public electric service infrastructure in a state of cyberwar, within the Location-Physical cell, the risk level would be analyzed from likelihood and impact if related the land location of electric plants is physically attacked. Risk Environment subjected to the MRF was considered under the likelihood of occurrence and the magnitude of impact. More explanations about RE Matrix and risk level are as follows.
Physical Information Cognitive Likelihood Likelihood Likelihood Likelihood
Intention, Spirit, Risk Service Government Protocol Awareness, Environment Private Sector System Health, Concern,
Impact Military Impact Social Media Impact Believe,
Impact (RE) Training, etc.
Likelihood Likelihood Likelihood
Goal, Target, Location Land, Maritime Network Direction Air, Space, Mobile Cyberspace Surveillance, Recon- Impact Impact Impact naissance, etc.
Likelihood Likelihood Likelihood Chain of Monitoring, Command, Collecting, Creating, Command and Role Defensive Processing, Storing, Control, Offensive
Impact Impact Sharing, Impact Leadership, Unity, Exchanging Process, Defense, Attack Likelihood Likelihood Likelihood
Personnel, Doctrine, Tactics, Software Asset Hardware, Knowledge, Intellectual Network Experience, etc.
Impact Impact Properties Impact Infrastructure
Figure 4. Risk environment (RE) matrix subjected to likelihood of occurrence and magnitude of impact.
For each incident, relevant vulnerabilities and their corresponding threats were considered. The appropriate row was identified by the risk environment impact while the column was identified by the likelihood of the threat incident. Table 4 is for mapping MRF with the likelihood of occurrence and the magnitude of impact against RE.
208 Journal of ICT, 16, No. 2 (Dec) 2017, pp: 192–222
Table 4
Likelihood and Impact on Risk Environment (RE)
Likelihood of incident Likelihood and Impact on Risk Environment Normal Low Medium High Very High (0) (1) (2) (3) (4) Normal (0) 0 1 2 3 4 Risk Low (1) 1 2 3 4 5 Environment Medium (2) 2 3 4 5 6 Impact High (3) 3 4 5 6 7 Very High (4) 4 5 6 7 8
Each risk result was measured on a scale of 0 to 8 that was evaluated against the risk acceptance criteria. It was mapped to the overall risk rating as described in Table 5.
Table 5
Risk Level of Risk Environment (RE) for Network Centric Warfare (NCW)
Risk Level Description Normal Less important impacted environment – no unusual activity exists beyond (0-1) the normal concern or no damage to the network centric domain, i.e. normal probing of the network, low risk viruses. Low Slightly more important than a low-level impacted environment. The potential (2) exists for malicious cyber activities. No significant impact has occurred. Medium Significant risk due to increased hacking, virus, or other malicious activity in (3-5) cyber environment which compromises systems or diminishes service. For example, important vulnerability that may be easy to exploit and allow an attacker to cause serious damage to the network. Significant impacts could happen within the cyber environment of NCW. High High risk of increased hacking, virus or other malicious cyber activity which (6) targets or compromises core infrastructure, causes multiple service outages, multiple system compromises or compromises critical infrastructure. High level of damage or disruption or potential for severe damage within the cyber environment of NCW Severe/ Severe risk of hacking, virus or other malicious activity resulting in wide- Critical spread outages and/or significantly destructive compromises to systems (7-8) with no known remedy or debilitates one or more critical infrastructure sectors. Severe level or wide spread level of damage or disruption of critical infrastructure assets. Severe impacts to the cyber environment of NCW.
209 Journal of ICT, 16, No. 2 (Dec) 2017, pp: 192–222
MRE Phase 3: Cyber Risk Evaluation
From the previous cyber risk analysis phase, scoring of risk incidents in RE Matrix was evaluated in 2 steps. The first one was to find the average of all available REs from each domain (column) of the NCW. Was possible that the scoring value of some cells in the RE matrix remain “NIL” rather than “Zero”. The second step was to find the mean of all three results from the first step. Let RE be an m x n matrix in which m represents 4 members of the critical security metrics and n represents 3 members of the NCW. Therefore, RE is a of RE matrix is ofdefined RE matrix with isEq defined. (39 ).x 4 withmatrix Eq by. ( 9nature.). The definition of RE matrix is defined with Eq. (9). ofof RERE matrixmatrix isis defineddefined withwith EqEq.. ((99).). (9) of RE matrix is defined with =Eq. (9)., = , (9) (9)
𝑖𝑖 𝑗𝑗 = 𝑖𝑖,𝑗𝑗 (9) 𝑅𝑅𝑅𝑅 (𝑟𝑟𝑟𝑟 )𝑚𝑚∗𝑅𝑅𝑅𝑅𝑛𝑛 =(𝑟𝑟𝑟𝑟 , )𝑚𝑚∗𝑛𝑛 (9) ; rei,j is the entry, ;the rei,j i -isth the row entry j-th, columnthe i-th ofrow the j- thRE column matrix of the RE matrix = 𝑖𝑖,𝑗𝑗 (9) 𝑅𝑅𝑅𝑅 (𝑟𝑟𝑟𝑟 𝑖𝑖 𝑗𝑗)𝑚𝑚∗𝑛𝑛 ; rei,j is the entry, the𝑅𝑅𝑅𝑅 i-th (row𝑟𝑟𝑟𝑟 j-)th𝑚𝑚 column∗𝑛𝑛 of the RE matrix = |{ , ; rei,j is the, entry,, the i-}th| =row j-th column of the RE matrix ; ; = |{ ,𝑅𝑅𝑅𝑅 (𝑟𝑟𝑟𝑟, 𝑖𝑖4𝑗𝑗 )𝑚𝑚,∗𝑛𝑛 }| = 4 ; rei,j is the entry, the i-th row j-th column of the RE matrix ; = |{ , , , }| = 4 ; 𝑚𝑚and =𝑆𝑆𝑆𝑆𝑆𝑆|{𝑆𝑆𝑆𝑆𝑆𝑆𝑆𝑆; 𝐿𝐿𝐿𝐿;𝑚𝑚and 𝐿𝐿𝐿𝐿𝐿𝐿,= 𝐿𝐿|𝐿𝐿𝐿𝐿={𝑆𝑆𝑆𝑆𝑆𝑆|{𝑅𝑅𝑆𝑆𝑆𝑆𝑆𝑆𝑅𝑅𝑅𝑅𝑅𝑅𝑆𝑆 𝐴𝐴𝐴𝐴𝐴𝐴,𝐿𝐿𝐿𝐿,𝐿𝐿𝐴𝐴𝐴𝐴𝐿𝐿𝐿𝐿, 𝐿𝐿𝐿𝐿𝐿𝐿 ,𝑅𝑅𝑅𝑅}𝑅𝑅𝑅𝑅| =,𝐴𝐴𝐴𝐴𝐴𝐴 3, 𝐴𝐴𝐴𝐴 }| = 4 }| = 3 ; = |{ , , , }| = 4 ; 𝑚𝑚and =𝑆𝑆𝑆𝑆𝑆𝑆|{𝑆𝑆𝑆𝑆𝑆𝑆𝑆𝑆 𝐿𝐿𝐿𝐿𝐿𝐿𝐿𝐿𝐿𝐿, 𝐿𝐿𝐿𝐿𝐿𝐿 𝑅𝑅𝑅𝑅𝑅𝑅𝑅𝑅 𝐴𝐴𝐴𝐴𝐴𝐴, 𝐴𝐴𝐴𝐴 }| = 3 𝑛𝑛 𝑝𝑝ℎ𝑦𝑦𝑦𝑦𝑦𝑦𝑦𝑦𝑦𝑦𝑦𝑦; 𝑚𝑚and𝑖𝑖𝑖𝑖 𝑖𝑖=𝑖𝑖𝑖𝑖𝑖𝑖𝑖𝑖𝑖𝑖𝑖𝑖𝑖𝑖𝑖𝑖𝑆𝑆𝑆𝑆𝑆𝑆|{𝑆𝑆𝑆𝑆𝑆𝑆𝑆𝑆 𝐿𝐿𝐿𝐿𝑐𝑐𝑐𝑐𝐿𝐿𝐿𝐿𝐿𝐿,𝑐𝑐𝑐𝑐𝑐𝑐𝑐𝑐𝑐𝑐𝑐𝑐𝑐𝑐𝐿𝐿𝐿𝐿𝐿𝐿 𝑅𝑅𝑅𝑅𝑅𝑅𝑅𝑅 𝐴𝐴𝐴𝐴𝐴𝐴, 𝐴𝐴𝐴𝐴 }| = 3 In the first stage,In t thehe average first stage, of ea thech average NCW domains of𝑛𝑛 each𝑝𝑝ℎ NCW(𝑦𝑦av𝑦𝑦𝑦𝑦𝑦𝑦𝑦𝑦𝑦𝑦j) was domains𝑖𝑖𝑖𝑖 𝑖𝑖calculated𝑖𝑖𝑖𝑖𝑖𝑖𝑖𝑖𝑖𝑖𝑖𝑖𝑖𝑖𝑖𝑖 (avj) fromwas𝑐𝑐𝑐𝑐𝑐𝑐 𝑐𝑐𝑐𝑐𝑐𝑐𝑐𝑐𝑐𝑐𝑐𝑐calculated Eq. (10). from Eq. (10). ; 𝑚𝑚and =𝑆𝑆𝑆𝑆𝑆𝑆|{𝑆𝑆𝑆𝑆𝑆𝑆𝑆𝑆 𝐿𝐿𝐿𝐿𝐿𝐿𝐿𝐿𝐿𝐿, 𝐿𝐿𝐿𝐿𝐿𝐿 𝑅𝑅𝑅𝑅𝑅𝑅𝑅𝑅 𝐴𝐴𝐴𝐴𝐴𝐴, 𝐴𝐴𝐴𝐴 }| = 3 In the first 𝑛𝑛stage, 𝑝𝑝theℎ𝑦𝑦 𝑦𝑦𝑦𝑦𝑦𝑦𝑦𝑦𝑦𝑦average𝑖𝑖𝑖𝑖𝑖𝑖 𝑖𝑖𝑖𝑖𝑖𝑖𝑖𝑖𝑖𝑖𝑖𝑖𝑖𝑖𝑖𝑖of each NCW𝑐𝑐𝑐𝑐𝑐𝑐 𝑐𝑐𝑐𝑐𝑐𝑐𝑐𝑐𝑐𝑐𝑐𝑐domains (avj) was calculated from InIn thethe firstfirst stage,stage, tthehe averageaverage ofof𝑛𝑛 eaeachch𝑝𝑝 ℎ NCWNCW𝑦𝑦𝑦𝑦𝑦𝑦𝑦𝑦𝑦𝑦𝑦𝑦 domainsdomains𝑖𝑖𝑖𝑖𝑖𝑖𝑖𝑖𝑖𝑖𝑖𝑖𝑖𝑖𝑖𝑖𝑖𝑖𝑖𝑖𝑖𝑖 ((avavj)) waswas𝑐𝑐𝑐𝑐𝑐𝑐 calculated𝑐𝑐𝑐𝑐𝑐𝑐𝑐𝑐𝑐𝑐𝑐𝑐calculated fromfrom EqEq.. ((1010).). = Eq. (10). j In the first stage, the average= of𝑛𝑛, ea wherech𝑝𝑝ℎ NCW𝑦𝑦 𝑦𝑦𝑦𝑦𝑦𝑦𝑦𝑦𝑦𝑦, domains𝑖𝑖𝑖𝑖, 𝑖𝑖 𝑖𝑖𝑖𝑖𝑖𝑖𝑖𝑖𝑖𝑖𝑖𝑖𝑖𝑖𝑖𝑖where (av j) , was𝑐𝑐𝑐𝑐𝑐𝑐 𝑐𝑐𝑐𝑐𝑐𝑐𝑐𝑐𝑐𝑐𝑐𝑐calculated (from10) Eq . (10). (10) 1 𝑚𝑚= 1 𝑚𝑚= = where (10) 𝑗𝑗 (𝑙𝑙) ∑ (𝑗𝑗 𝑖𝑖 𝑗𝑗) 𝑖𝑖 𝑗𝑗 𝑖𝑖,𝑗𝑗 𝑖𝑖,𝑗𝑗 𝑎𝑎𝑎𝑎 ∗ 𝑖𝑖𝑎𝑎𝑎𝑎1 𝑟𝑟𝑟𝑟=(𝑙𝑙1) ∗ ∑𝑟𝑟𝑟𝑟𝑚𝑚=1(𝑟𝑟𝑟𝑟 ≠ 𝑁𝑁𝑁𝑁,) where𝑁𝑁 𝑟𝑟𝑟𝑟 , ≠ 𝑁𝑁𝑁𝑁𝑁𝑁 (10)(10) 𝑖𝑖𝑚𝑚= ; l = | , | where; l = =|, ,1| where , where (10) 𝑗𝑗 ( ) ∑ ( 𝑖𝑖,𝑗𝑗) 𝑖𝑖,𝑗𝑗 𝑎𝑎𝑎𝑎 𝑗𝑗 (1𝑙𝑙 )∗ ∑𝑚𝑚𝑖𝑖=1 (𝑟𝑟𝑟𝑟 𝑖𝑖 𝑗𝑗) 𝑟𝑟𝑟𝑟 𝑖𝑖 𝑗𝑗≠ 𝑁𝑁𝑁𝑁𝑁𝑁 ;𝑎𝑎𝑎𝑎 l = | 𝑙𝑙 | where∗ 𝑖𝑖 1 𝑟𝑟𝑟𝑟 𝑟𝑟𝑟𝑟 ≠ 𝑁𝑁𝑁𝑁𝑁𝑁 𝑖𝑖 𝑗𝑗 ; l 𝑗𝑗=𝑖𝑖 𝑗𝑗| 𝑖𝑖,𝑗𝑗 | where 𝑖𝑖,𝑗𝑗𝑖𝑖 𝑗𝑗 𝑖𝑖 𝑗𝑗 MRE is the meanMRE of the is the three mean𝑟𝑟𝑟𝑟 NCW of thedomains 𝑎𝑎𝑎𝑎three𝑟𝑟𝑟𝑟 𝑟𝑟𝑟𝑟 NCWfrom≠(𝑙𝑙),𝑁𝑁𝑁𝑁∗ the𝑁𝑁 ∑domains 𝑖𝑖second1𝑟𝑟𝑟𝑟(𝑟𝑟𝑟𝑟, from≠ stage) 𝑁𝑁𝑁𝑁 the𝑁𝑁 as 𝑟𝑟𝑟𝑟 secondshown≠ 𝑁𝑁𝑁𝑁 stagein𝑁𝑁 Eq .as (11 shown). in Eq. (11). ; l = | 𝑖𝑖,𝑗𝑗| where 𝑖𝑖,𝑗𝑗 MRE is the mean of the three𝑟𝑟𝑟𝑟 𝑟𝑟𝑟𝑟NCW𝑖𝑖 𝑗𝑗 domains𝑟𝑟𝑟𝑟𝑟𝑟𝑟𝑟𝑖𝑖 𝑗𝑗from≠≠𝑁𝑁𝑁𝑁𝑁𝑁𝑁𝑁 the𝑁𝑁𝑁𝑁 second stage as shown in Eq. (11). MRE is the mean MREof the isthree the meanNCW𝑖𝑖 𝑗𝑗 ofdomains the three𝑖𝑖 𝑗𝑗 from NCW the domainssecond stage from as the shown second in stageEq. ( 11as). shown ( 𝑟𝑟𝑟𝑟) 𝑟𝑟𝑟𝑟 ≠ 𝑁𝑁𝑁𝑁𝑁𝑁 MRE is theMRE mean= ofin theEq. three MRE=(11). =NCW domains= ( from) the second stage as shown in Eq(11. )( 11). (11) 1 𝑛𝑛 1 𝑛𝑛 MRE1 = ( ) (11) (𝑛𝑛) ∑𝑘𝑘 MRE =𝑘𝑘 ( ) ∑𝑘𝑘=1 ( 𝑘𝑘 ) (11) ; { ∗ , 𝑎𝑎𝑎𝑎{ 𝑛𝑛1 ∗, , = 𝑎𝑎𝑎𝑎 } , } MRE; 1 𝑛𝑛 ( ) (11) = 𝑘𝑘𝑛𝑛=1 𝑘𝑘 (11) (𝑛𝑛) ∗ ∑ 1 𝑎𝑎𝑎𝑎 𝑘𝑘 ; { (1𝑛𝑛) ∗ ∑𝑛𝑛,𝑘𝑘 𝑎𝑎𝑎𝑎 , } 𝑘𝑘 ∈ 𝑝𝑝ℎ𝑦𝑦𝑦𝑦𝑦𝑦𝑦𝑦𝑦𝑦𝑦𝑦 𝑖𝑖𝑖𝑖;𝑘𝑘 𝑖𝑖∈𝑖𝑖𝑖𝑖𝑖𝑖𝑖𝑖𝑖𝑖𝑖𝑖𝑖𝑖𝑖𝑖{𝑝𝑝ℎ𝑦𝑦𝑦𝑦𝑦𝑦𝑦𝑦𝑦𝑦𝑦𝑦𝑐𝑐𝑐𝑐,𝑖𝑖𝑖𝑖𝑐𝑐1𝑐𝑐𝑐𝑐𝑐𝑐𝑐𝑐𝑐𝑐𝑐𝑐𝑖𝑖𝑖𝑖𝑖𝑖𝑖𝑖𝑖𝑖𝑖𝑖𝑖𝑖𝑖𝑖𝑖𝑖 ,𝑐𝑐𝑐𝑐𝑐𝑐𝑐𝑐𝑐𝑐𝑐𝑐𝑐𝑐𝑐𝑐𝑐𝑐 } (𝑛𝑛) ∑𝑘𝑘 𝑘𝑘 ; { ∗ , 𝑎𝑎𝑎𝑎 , } 𝑘𝑘 ∈ 𝑝𝑝ℎ𝑦𝑦𝑦𝑦𝑦𝑦𝑦𝑦𝑦𝑦𝑦𝑦 𝑖𝑖𝑖𝑖𝑖𝑖𝑖𝑖𝑖𝑖𝑖𝑖𝑖𝑖𝑖𝑖𝑖𝑖𝑖𝑖𝑖𝑖 𝑐𝑐𝑐𝑐𝑐𝑐𝑐𝑐𝑐𝑐𝑐𝑐𝑐𝑐𝑐𝑐𝑐𝑐 𝑘𝑘 ∈ 𝑝𝑝ℎ𝑦𝑦𝑦𝑦𝑦𝑦𝑦𝑦𝑦𝑦𝑦𝑦 𝑖𝑖𝑖𝑖𝑖𝑖𝑖𝑖𝑖𝑖𝑖𝑖𝑖𝑖𝑖𝑖𝑖𝑖𝑖𝑖𝑖𝑖 𝑐𝑐𝑐𝑐𝑐𝑐𝑐𝑐𝑐𝑐𝑐𝑐𝑐𝑐𝑐𝑐𝑐𝑐 𝑘𝑘 ∈ 𝑝𝑝ℎ𝑦𝑦𝑦𝑦𝑦𝑦𝑦𝑦𝑦𝑦𝑦𝑦 𝑖𝑖𝑖𝑖𝑖𝑖𝑖𝑖𝑖𝑖𝑖𝑖𝑖𝑖𝑖𝑖𝑖𝑖𝑖𝑖𝑖𝑖 𝑐𝑐𝑐𝑐𝑐𝑐𝑐𝑐𝑐𝑐𝑐𝑐𝑐𝑐𝑐𝑐𝑐𝑐 Finally, the Cyber Risk Evaluation (CRE) is the mean between the NRE and MRE. It should be noted that, although NRM and RE were evaluated separately, their outcomes were integrated in the CRE phase for the concluding result. NRM was evaluated by a mathematical equation called NRE. RE was evaluated from the average of risk levels from the likelihood of occurrence and magnitude of impact from the cyber risk analysis phase.
210 Journal of ICT, 16, No. 2 (Dec) 2017, pp: 192–222
METHODOLOGY
This research used the mixed-method approaches by procedures of the overall purposed framework. It is the integration of quantitative data using the Vulnerability Assessment (VA) from NRE (previous proposed study) and quantitative data using the focus group from MRE which is the proposed method in this article. Three methods were used to gather the outcome of each major step: (a) experiment, (b) in-depth interview, and (c) focus groups.
Quantitative Methodology: Experiment
In our previous work, NRE was collected from two former phases, identification and analysis. These was done by applying a real experiment to the target networks. In NIST SP 800-115 (NIST, 2008), there are three types of information security assessment methods including testing, examination and interviewing. In the identification phase, VD tools were connected to test all target networks for hosts and vulnerabilities scanning. In the analysis phase, testing outcome from the first phase was examined by NRM and a series of mathematical equations which were already notified in our previous work. In short, quantitative methodology from experimental designs (Creswell, 2014, P.41) were used to evaluate network risk by applying network testing and the examination approach (NIST, 2008).
Qualitative Methodology: Best Practice with In-Depth Interviewing and Focus Group
To evaluate military risk in cyber warfare, the qualitative method is more suitable for data inquiry. Two approaches of qualitative methodologies were selected.
Standard and Best Practice Review with In-Depth Interviewing
Many standards, best practices, and military publications related to information and cyber security were reviewed. The initial framework was designed with the integration of the NCW concept. Afterwards, in-depth interviewing with groups of military specialists who have knowledge in Information/Cyber System Security, NCW, and CW were employed. The interview session took place at the Royal Thai Army HQ, Bangkok, Thailand, in September 2014. It took three hours approximately. The moderator scoped topics to match the research objectives in NCW and CW. The participants quoted comments and discussed in detail openly. The summary of the knowledge from in-depth
211 Journal of ICT, 16, No. 2 (Dec) 2017, pp: 192–222 interviewing was used to update the major contents in the initial framework, as shown in Table 6. The proposed framework is the outcome of the review of the articles and the in-depth interview.
Table 6
Phases, Questions, Quoted Comments and Topics
Phases Questions Quoted comments Topics Military risk How could we From many factors that depended on Military risk identification identify cyber sources and events, e.g. Critical Security factors (MRF) (MRI) threats? Metrics, NCW, CW, military factors, etc.
What are the Any figure and action that could affect Lists of military risks in military operations in cyberspace (every military risks cyberspace? level: strategic, operational, and tactical). in cyberspace
Military risk How could we Concentrate on analyzing military risks Risk analysis integrate these in Network Centric Warfare (NCW) Environment complex data for domains that crossed with critical risk Matrix (RE analyzing? metrics. Matrix)
What should Some ideas of risk management standard Risk Level be the most would do. Here is ISO 31000:2009. Estimation appropriate way Likelihood/Impact for each military risk to analyze these in RE matrix will be scored by related contents? specialists and professionals.
Military risk How could we Total score of each cell in RE Matrix will MRE evaluation evaluate results be calculated mathematically with the Equations. from the analysis? proposed equations.
In the identification phase, threat sources and related environment, known as Military Risk Factors (MRF), were defined. Afterwards, they were rearranged and placed in the most appropriate cell of the RE matrix for analyzing. Significant contents on the corresponding risk acceptance criteria were initiated as shown in Table 3 of the proposed framework section. In the analysis phase, the likelihood of occurrence and the magnitude of impact for the corresponding contents in RE Metric were voted on a scale as explained in Figure 4. In this in-depth interviewing, the specialists agreed to measure the likelihood of occurrence and the magnitude of impact from 0 to 4 (normal to very high) as specified in Table 4. Then, the risk level was scaled from 0 to 8 as described in Table 5. Note that, the likelihood of occurrence, the magnitude of impact, and the risk level, could be defined as appropriate to the state of the
212 Journal of ICT, 16, No. 2 (Dec) 2017, pp: 192–222 cyber environment concerned. Finally, in the evaluation phase, each domain of the NCW (Physical, Information, and Cognitive), subsequent to the critical risk metrics, was calculated through Eq. (9-11). The outcome of the military evaluation phase the Military Risk Evaluation (MRE). Hence, MRE and NRE from the network risk evaluation can be merged together mathematically. The mean value between MRE and NRE is Cyber Risk Evaluation (CRE) as explained in the previous section.
Focus Group
To implement this framework, two case studies were demonstrated: (a) affected from social network in Thailand and (b) affected from SCADA attack (Electricity) in Thailand. Quantitative methodology the was applied to the target network for the NRE. Then qualitative methodology using the focus group was deployed for the MRE. Experimental results are explained in the next section.
PARTICIPATION AND SAMPLING
9 specialists from government and non-government organizations participated in this study as shown in Figure 5. All of them had good background in IT/ Cyber Security, and strong knowledge in specific areas related to the research objectives as listed in Table 7.
Table 7
Participations in Specific Domain for the Focus Group Study of Cyber Risk Assessment (CRA) Conceptual Framework
Participants*** Experience/Knowledge in Specific Domain* IT/Cyber Cyber Military/ SCADA Social security crime NCW network Year Skill** Year Skill** Year Skill** Year Skill** Year Skill** Military Officials P1 5 2 5 2 10 3 2 2 5 3 P2 5 2 5 3 10 4 3 3 5 4 P3 10 4 7 3 10 5 4 3 10 4 P4 5 3 5 2 7 3 2 2 7 4 P5 10 3 5 3 7 3 3 3 7 3 (continued)
213 Journal of ICT, 16, No. 2 (Dec) 2017, pp: 192–222
Participants*** Experience/Knowledge in Specific Domain* IT/Cyber Cyber Military/ SCADA Social security crime NCW network Year Skill** Year Skill** Year Skill** Year Skill** Year Skill** Police Officials P6 5 3 7 5 2 2 2 2 5 4 P7 3 3 5 5 2 2 2 2 5 4
Civilians P8 15 4 2 3 4 3 3 5 10 4 P9 20 4 10 2 2 2 20 5 10 3 Note. * In this paper, specific domains are SCADA and Social network. ** Skill: 5 = Excellent, 4 = Good, 3 = Median, 2 = Satisfactory, and 1 = Poor. *** P = Participant
Developing Questions
Well-known standards and best practices in information security and Enterprise Risk Management (ERM), e.g. ISO/IEC Series, NIST Series, COBIT 5 (ISACA, 2012), and COSO (Steinberg, Everson, Marten, & Nottingham, 2004), were seen to obtain questions for critical risk metrics. Military publications related to NCW and CW, e.g. Field Manual (FM) and Joint Publications (JP), were used to shape the general information security into military-based cyber security. The aims of developing questions were to guide and implicate the focus group with the research objective, and to stimulate discussion among them. Two significant outcomes from the questionnaire were then (a) to identify risks in cyberspace from multi dimensions and (b) to analyze cyber risks (likelihood and impact) and how they could affect national security in the military perspective. Examples of questions are shown in Table 8.
Table 8
Examples of Focus Group Session Questions (SCADA - Electricity)
Session Quote Comments Risks Risk Description Code** Questions (to target network*) What are the (Physical) Control Military’s IT unit Without public RS01 critical risks center of the SCADA cannot maintain its electricity, the power to the SCADA network cannot Data Center (DC) and supply of the DC could system, in terms maintain regular network service to the prolong just for system of service, that connection with its end- corresponding units. backup and shut down could affect points, i.e. PLC, IED, Likelihood: 4 safely. national security? RTU, etc. Impact: 4 (continued)
214 Journal of ICT, 16, No. 2 (Dec) 2017, pp: 192–222
Session Quote Comments Risks Risk Description Code** Questions (to target network*) What are the (Information) Military units in The military C4I RL02 critical risks Telecommunication coincidental areas system is not in full to the SCADA fraud. Endpoints of could not connect to control. Nevertheless, system, in terms some SCADA sites the military DC. the core system is still of location, that might be tapped from Likelihood: 3 functioning. Another could affect attackers and could not Impact: 3 communication network national security? communicate properly could compensate this with the Distributed risk in a level. Control Server (DCS).
What are the (Cognitive) Military network Command and control RR03 critical risks Significant effect could not support play important roles in to the SCADA on the on-going command and control supporting commanders system, in terms military operation, e.g. system functionally. for decision-making. of role, that could command and control Likelihood: 3 Unstable communication affect national system. Impact: 4 between the HQ and security? front-line base is a crucial damage. Note. * The Military Technology Center Network ** Code: RS = Risk of Service, RL = Risk of Location, RR = Risk of Role, RA = Risk of Assets
Moderating
The focus group session was held in Bangkok, Thailand, in October 2015. A short briefing about cyber/information security, Network Centric Warfare (NCW), and Cyber Warfare (CW) was introduced in the beginning, followed by the significance of risk analysis and the proposed CRA conceptual framework. Two case studies, including Social Network and SCADA, were raised for cyber risk assessment. Risk incidents from the Cyber Risk Identification phase were investigated and amended. All risk incidents were scored based on their likelihood of occurrence and the magnitude of impact. Military Risk Evaluation (MRE) of both case studies were finally evaluated and integrated with Network Risk Evaluation (NRE) as designed by the proposed Cyber Risk Assessment (CRA) framework. This focus group interviewing was recorded on audio tape recorder to be transcribed later. The authors of this article are moderators and note takers of the focus group. Details of the case studies in SCADA and OSNs are way beyond this article. Therefore, they will be discoursed in future work.
215 Journal of ICT, 16, No. 2 (Dec) 2017, pp: 192–222
Figure 5. Focus group on military based cyber risk assessment (CRA) framework for supporting cyber warfare in Thailand.
DISCUSSION ON FRAMEWORK
This article has demonstrated and proved that the proposed framework is suitable and covers all three domains of the Network Centric Warfare, namely physical, information and cognitive. Additionally, it is beneficial to the military strategy and systematic to all three levels of war in joint operations as described in Joint Publication 3-0 (DOD, 2011), including the Strategic, Operational and Tactical levels.
In the strategic level, the national cyber security community could utilize this framework as an innovative cyber risk assessment for full-scale national cyber risk management standard without lack of ICT perspectives from military services. The Royal Thai Ministry of Defense has recognized cyberspace as a military battlefield since 2015. This is the first cyber risk assessment framework proposed for national cyber security in the military perspective. In the operational level, ICT professionals, military experts and research communities can jointly learn about national cyber risks. Focus group discussion to identify and analyze cyber risks is an example of this collaboration. The outcome is best practices to secure ICT and cyber operation. This could be a great step to
216 Journal of ICT, 16, No. 2 (Dec) 2017, pp: 192–222 enhance the cyber security rules and regulations of intermediate organizations responsible to the national cyber security globally. In the tactical/social level, subordinators and individuals will be aware of these dreadful threats through cyber security rules and regulation. ICT security baselines and/or guidelines should be provided to all members at this stage. They will learn how to use their ICT equipment properly and securely. Note that, military equipment, including vehicles, radars, and weapon systems, are commanded and controlled via ICT network infrastructure. Unlike basic ICT equipment in the data center, they are abandoned from famous ISMS standards because of their indirect impact on the business continuity. With the coming stream of cyber warfare, ISMS standards with military concerns must be seriously operated with respect to the NCW concept. This is a real critical circumstance for overall national cyber security which this proposed framework is designed with military concerns based on NCW.
CONCLUSION
IT security is very significant nowadays. Information is one of the most valuable properties that needs to be managed securely and effectively. Many information security and risk management standards are offered to provide procedures for the information system security of the organization. Risk assessment plays its crucial role as a core process in risk management. However, the thrill of dangerous cyber operation is growing continuously. Cyberspace was recognized as a new military battlefield in 2014. Cyberwar has become a new influential threat to national security. Unfortunately, current IT security and risk management standards are desired for general perspectives, especially for business continuity, rather than national security. Not only specific IT risk management standard, but also IT risk assessment methodology, is directly scoped for military operation. Therefore, this paper proposed an innovative idea of cyber risk assessment to improve national cyber security with specific intention to deliberate cyber warfare that could affect military operations. Activities on this logical domain can send significant impacts to actual the physical domain. The threat spectrum has also expanded from the basic concept to the most complicated operation. Network risk evaluation from primary standards does not fit well fit with cyber risk in military terms, hence, some risk management standards are developed for non-profit organization requirement but they do not yet consider the cyberwar environment.
In this article, we proposed a novel conceptual framework for Cyber Risk Assessment (CRA) which is well harmonized with NCW in the cyber warfare concept. With this framework, abstract notation from military risk environment
217 Journal of ICT, 16, No. 2 (Dec) 2017, pp: 192–222 is parsed into a mathematical form that could be integrated with the technical notation from the network risk metric. The last outcome is called Cyber Risk Evaluation (CRE) subjected to a specific military environment. Our proposed CRA is now fulfilled from both quantitative and qualitative assessment. It is suitable for cyber risk assessment of both the common situation (e.g. normal activities) and uncommon condition (e.g. cyber terror and cyberwar). Risks that could significantly affect national cyber security are then investigated in- depth for the best preparation to countermeasure these terrifying threats in the future. All communities related to IT security could take the benefits of this finding from the planning processes to action. Details of both case studies in SCADA and OSNs will be elaborated in future work.
REFERENCES
Andress, J., & Winterfeld, S. (2011). Cyber warfare: Techniques, tactics and tools for security practitioners. USA: Syngress.
Cherdantseva, Y., Burnap, P., Blyth, A., Eden, P., Jones, K., Soulsby, H., & Stoddart, K. (2016). A review of cyber security risk assessment methods for SCADA systems. Computers & Security on ScienceDirect, 1-27.
Chimmanee, S., Veeraprasit, T., Sriphrew, K., & Hemanidhi, A. (2012). A performance comparison of vulnerability detection between NetClarity Auditor and Open Source Nessus. Proceeding of the 3rd European Conference of Communications (ECCOM ’12), (pp. 280-285). Paris, France.
Cho, Y., Won, Y., & Cho, B. (2005). ITU-T X.805 based vulnerability analysis method for security framework of end-to-end network services. Proceedings of the 4th WSEAS Int. Conf. on Information Security, Communications and Computers, (pp. 228-292). Tenerife, Spain.
Creswell, J. W. (2014). Research design: Qualitative, quantitative, and mixed methods approaches (4th ed.). Thousand Oaks, CA: SAGE Publications, Inc.
Department of the Army (DOA). (2013). FM 3-13. Inform and influence activities. Washington DC, USA.
Department of the Army (DOA). (2012). ADRP 3-0. Unified land operations. Washington DC, USA.
218 Journal of ICT, 16, No. 2 (Dec) 2017, pp: 192–222
Department of the Army (DOA). (1994). FM 34-130. Intelligence preparation of the battlefield. Washington DC, USA.
Department of Defense (DOD). (2003). Network-centric warfare. Washington DC, USA.: Office of the Secretary of Defense.
Department of Defense (DOD). (2006). Joint publication 3-13. Information operations. USA: DOD Publications.
Department of Defense (DOD). (2011). Joint publication 3-0. Joint operations. USA: DOD Publications.
Department of Defense (DOD) (2014). Joint publication 3-13. Information operations. (27 November 2012 Incorporating Change 1). USA: DOD Publications.
Electronic Transactions Development Agency (ETDA) (2015). Thailand Internet user profile 2015.Bangkok, Thailand: Ministry of Information and Communication Technology.
Hemanidhi, A., Chimmanee, S., & Kimpan, C. (2015). Cyber risk evaluation framework based on risk environment of military operation. Asian Conference on Defence Technology (ACDT 2015) 2015. (pp. 42-47). Hua Hin: doi: 10.1109/ACDT.2015.7111581
Hemanidhi, A., Chimmanee, S., & Sanguansat, P. (2012). Risk evaluation by vulnerability detection tools for IT department of the Royal Thai Army. Proceeding of the 3rd European Conference of Communications (ECCOM ’12) (pp. 286-292). Paris, France: WSEAS Press.
Hemanidhi, A., Chimmanee, S., & Sanguansat, P. (2014). Network risk evaluation from security metric of vulnerability detection tools. TENCON 2014 - 2014 IEEE Region 10 Conference (pp. 1-6). Bangkok: doi:10.1109/TENCON.2014.7022358
Hemanidhi, A., Chimmanee, S., Sanguansat, P., & Nuchampun, W. (2015, November). Cyber risk evaluation framework for network centric warfare. Journal of Converfence Information Technology (JCIT), 1-13.
Herzog, S. (2011). Revisiting the Estonian cyber attacks: Digital threats and multinational. Journal of Strategic Security, 49-60.
219 Journal of ICT, 16, No. 2 (Dec) 2017, pp: 192–222
Information Organization for Standardization and the International Electrotechnical Commission (ISO/IEC) (2014, January 1). ISO/IEC 27000 (Information technology - Security techniques - Information security management systems - Overview and vocabulary) (3rd ed.). Geneva: ISO/IEC.
Information Systems Audit and Control Association. (ISACA). (2012). COBIT 5 (A business framework for the governance and management of enterprise IT). Rolling Meadows, IL: ISACA.
International Organization for Standardization and the International Electrotechnical Commission (ISO/IEC). (2013). ISO/IEC 27001:2013 Information security standard. Information security management system (ISMS). UK: British Standard (BSi).
International Organization for Standardization and the International Electrotechnical Commission (ISO/IEC). (2011). ISO/IEC 27005:2011 Information technology – Security techniques – Information security risk management (2nd ed.). Geneva: ISO/IEC
International Organization for Standardization (ISO). (2016, Jul 1). ISO 27799:2016 Health informatics - Information security management in health using ISO/IEC 27002 (2nd ed.). Geneva: ISO
International Organization for Standardization (ISO). (2009). ISO 31000:2009 Risk management – Principles and guidelines. Geneva: ISO.
Karnouskos, S. (2011). Stuxnet worm impact on industrial cyber-physical system security. IEEE Proceeding of the 37th Annual Conference on IEEE Industrial Electronics Society (IECON 2011), (pp. 280-285). Melbourne, Australia.
Kushner, D. (2013). IEEE SPECTRUM. The Real Story of Stuxnet [Online]. Retrieved from http://spectrum.ieee.org/telecom/security/the-real- story-of-stuxnet
Kwaak, J. S. (2014). The Wall Street Journal. South Korea nuclear plant operator hacked [Online]. Retrieved from http://www.wsj.com/articles/ south-korea-nuclear-plant-operator-hacked-1419237333
220 Journal of ICT, 16, No. 2 (Dec) 2017, pp: 192–222
Loh, P. K. K., & Subramanian, D. (2010). Fuzzy classification metrics for scanner assessment and vulnerability reporting. IEEE Transaction on Information Forensics and Security, 5(4).
Mell, P., Scarfone, K., & Romanosky, S. (2007, June). CVSS: A Complete Guide to the Common Vulnerability Scoring System Version 2.0. Retrieved from The Forum of Incident Response and Security Teams (FIRST): https://www.first.org/cvss/v2/guide
National Institute of Standards and Technology (NIST) (2008). NIST SPECIAL PUBLICATION 800-115 (Technical guide to information security testing and assessment). Geithersburg, MD: Computer Security Division, Information Technology Laboratory.
National Institute of Standard and Technology (NIST) (2012). NIST SPECIAL PUBLICATION 800-30rev1 (Information security guide for conducting risk assessments). Gaithersburg, MD, US: Computer Security Division, Information Technology Laboratory.
National Institute of Standards and Technology (NIST) (2015). NIST SPECIAL PUBLICATION 800-82r2 (Guide to industrial control systems (ICS) Security). Gaithersburg, MD: Stouffer, K., Pillitteri, V., Lightman, S., Abrams, M., & Hahn, A.
NetClarity, Inc. (2011). NACwall appliances user guide. Bedford, MA, USA.
Ophardt, J. A. (2010). Cyber warfare and the crime of aggression: The need for individual accountability on tomorrow’s battlefield. Duck Law & Technology Review, 1-28.
Singer, P., & Brooking, E. (2015, December 15). Terror on twitter : How ISIS is taking war to social media—and social media is fighting back. Retrieved from popular Science: http://www.popsci.com/terror-on- twitter-how-isis-is-taking-war-to-social-media
Steinberg, R.M., Everson, M. E. A., Martens, F. J., & Nottingham, L. E. (2004). Enterprise risk management integrated framework. USA: Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Subramanian, D., Le, H. T., & Loh, P. K. K. (2009, May 24-28). Fuzzy heuristic design for diagnosis of web-based vulnerabilities. Fourth International Conference on internet monitoring and protection (ICIMP ‘09) (pp. 103-108). Venice/Mestre: doi: 10.1109/ICIMP.2009.25.
221 Journal of ICT, 16, No. 2 (Dec) 2017, pp: 192–222
Sun, K., Jajodia, S., Li, J., Cheng, W., Tang, W., & Singhal, A. (2010). Automatic security analysis using security metrics. The 2011 Military Communications Conference – Track 3 – Cyber Security and Network Operations, IEEE.
The MITRE Corporation. (1997-2017). Common vulnerabilities and exposures. Retrieved from Common Vulnerabilities and Exposures: https://cve.mitre.org/
Vitel, P. (2014, November 23). Cyber space and Euro-Atlantic security. France: Science and Technology Committee, NATO Parliamentary Assembly.
222