Title: Goal-based assessment for the cybersecurity of critical infrastructure
Authors: Samuel A. Merrell, A. Moore, James F. Stevens
Venue: 2010 IEEE International Conference on Technologies for Homeland Security (HST)
Volume: 125 1
Publication date: 2010-12-03
Publication type: Journal Article
DOI: 10.1109/THS.2010.5655090 (https://doi.org/10.1109/THS.2010.5655090)
Open access: no
Citations: 8
Source: Semantic Scholar
Abstract
Undertaking a comprehensive cybersecurity risk assessment of the networks and systems of a single infrastructure, or even a single organization of moderate size, requires significant resources. Efforts to simplify the assessment instrument usually obscure the ultimate goal of the assessment and the motivations for the assessment questions. This can make it difficult for assessors to justify the questions and can undermine the credibility of the assessment in the eyes of the organizations assessed. This paper describes the use of assurance cases to help address these problems. Viewing an assessment approach in terms of an assurance case clarifies the underlying motivation for the assessment and supports more rigorous analysis. The paper also shows how the assurance case method has been used to guide the development of an assessment approach called the Cyber Resilience Review (CRR), developed for the U.S. Department of Homeland Security.