迷失在中间——ERP管理人员通过应用分类和回归树(CART)来确定已知漏洞的优先级的实用方法

IF 1.6 Q3 COMPUTER SCIENCE, INFORMATION SYSTEMS
Richard G. Mathieu, Alan E. Turovlin
{"title":"迷失在中间——ERP管理人员通过应用分类和回归树(CART)来确定已知漏洞的优先级的实用方法","authors":"Richard G. Mathieu, Alan E. Turovlin","doi":"10.1108/ics-02-2023-0027","DOIUrl":null,"url":null,"abstract":"Purpose Cyber risk has significantly increased over the past twenty years. In many organizations, data and operations are managed through a complex technology stack underpinned by an Enterprise Resource Planning (ERP) system such as systemanalyse programmentwicklung (SAP). The ERP environment by itself can be overwhelming for a typical ERP Manager, coupled with increasing cybersecurity issues that arise creating periods of intense time pressure, stress and workload, increasing risk to the organization. This paper aims to identify a pragmatic approach to prioritize vulnerabilities for the ERP Manager. Design/methodology/approach Applying attention-based theory, a pragmatic approach is developed to prioritize an organization’s response to the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) vulnerabilities using a Classification and Regression Tree (CART). Findings The application of classification and regression tree (CART) to the National Institute of Standards and Technology’s National Vulnerability Database identifies prioritization unavailable within the NIST’s categorization. Practical implications The ERP Manager is a role between technology, functionality, centralized control and organization data. Without CART, vulnerabilities are left to a reactive approach, subject to overwhelming situations due to intense time pressure, stress and workload. Originality/value To the best of the authors’ knowledge, this work is original and has not been published elsewhere, nor is it currently under consideration for publication elsewhere. CART has previously not been applied to the prioritizing cybersecurity vulnerabilities.","PeriodicalId":45298,"journal":{"name":"Information and Computer Security","volume":"6 1","pages":"0"},"PeriodicalIF":1.6000,"publicationDate":"2023-09-15","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":"{\"title\":\"Lost in the middle – a pragmatic approach for ERP managers to prioritize known vulnerabilities by applying classification and regression trees (CART)\",\"authors\":\"Richard G. Mathieu, Alan E. Turovlin\",\"doi\":\"10.1108/ics-02-2023-0027\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"Purpose Cyber risk has significantly increased over the past twenty years. In many organizations, data and operations are managed through a complex technology stack underpinned by an Enterprise Resource Planning (ERP) system such as systemanalyse programmentwicklung (SAP). The ERP environment by itself can be overwhelming for a typical ERP Manager, coupled with increasing cybersecurity issues that arise creating periods of intense time pressure, stress and workload, increasing risk to the organization. This paper aims to identify a pragmatic approach to prioritize vulnerabilities for the ERP Manager. Design/methodology/approach Applying attention-based theory, a pragmatic approach is developed to prioritize an organization’s response to the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) vulnerabilities using a Classification and Regression Tree (CART). Findings The application of classification and regression tree (CART) to the National Institute of Standards and Technology’s National Vulnerability Database identifies prioritization unavailable within the NIST’s categorization. Practical implications The ERP Manager is a role between technology, functionality, centralized control and organization data. Without CART, vulnerabilities are left to a reactive approach, subject to overwhelming situations due to intense time pressure, stress and workload. Originality/value To the best of the authors’ knowledge, this work is original and has not been published elsewhere, nor is it currently under consideration for publication elsewhere. CART has previously not been applied to the prioritizing cybersecurity vulnerabilities.\",\"PeriodicalId\":45298,\"journal\":{\"name\":\"Information and Computer Security\",\"volume\":\"6 1\",\"pages\":\"0\"},\"PeriodicalIF\":1.6000,\"publicationDate\":\"2023-09-15\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"0\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"Information and Computer Security\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1108/ics-02-2023-0027\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"Q3\",\"JCRName\":\"COMPUTER SCIENCE, INFORMATION SYSTEMS\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"Information and Computer Security","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1108/ics-02-2023-0027","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q3","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}
引用次数: 0

摘要

在过去的二十年中,网络风险显著增加。在许多组织中,数据和操作是通过企业资源规划(ERP)系统(如系统分析程序管理系统(SAP))支持的复杂技术堆栈来管理的。对于一个典型的ERP经理来说,ERP环境本身可能是压倒性的,再加上日益增加的网络安全问题,产生了巨大的时间压力、压力和工作量,增加了组织的风险。本文旨在确定一种实用的方法来优先考虑ERP管理器的漏洞。设计/方法/方法应用基于注意力的理论,开发了一种实用的方法,使用分类和回归树(CART)来优先考虑组织对国家标准与技术研究所(NIST)国家漏洞数据库(NVD)漏洞的响应。将分类和回归树(CART)应用于美国国家标准与技术研究所的国家漏洞数据库,确定了NIST分类中不可用的优先级。ERP经理是一个介于技术、功能、集中控制和组织数据之间的角色。如果没有CART,漏洞就会留给被动的方法,由于时间压力、压力和工作量大,漏洞会受到压倒性的影响。原创性/价值据作者所知,本作品是原创的,没有在其他地方发表过,目前也没有考虑在其他地方发表。CART以前没有应用于优先级网络安全漏洞。
本文章由计算机程序翻译,如有差异,请以英文原文为准。
Lost in the middle – a pragmatic approach for ERP managers to prioritize known vulnerabilities by applying classification and regression trees (CART)
Purpose Cyber risk has significantly increased over the past twenty years. In many organizations, data and operations are managed through a complex technology stack underpinned by an Enterprise Resource Planning (ERP) system such as systemanalyse programmentwicklung (SAP). The ERP environment by itself can be overwhelming for a typical ERP Manager, coupled with increasing cybersecurity issues that arise creating periods of intense time pressure, stress and workload, increasing risk to the organization. This paper aims to identify a pragmatic approach to prioritize vulnerabilities for the ERP Manager. Design/methodology/approach Applying attention-based theory, a pragmatic approach is developed to prioritize an organization’s response to the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) vulnerabilities using a Classification and Regression Tree (CART). Findings The application of classification and regression tree (CART) to the National Institute of Standards and Technology’s National Vulnerability Database identifies prioritization unavailable within the NIST’s categorization. Practical implications The ERP Manager is a role between technology, functionality, centralized control and organization data. Without CART, vulnerabilities are left to a reactive approach, subject to overwhelming situations due to intense time pressure, stress and workload. Originality/value To the best of the authors’ knowledge, this work is original and has not been published elsewhere, nor is it currently under consideration for publication elsewhere. CART has previously not been applied to the prioritizing cybersecurity vulnerabilities.
求助全文
通过发布文献求助,成功后即可免费获取论文全文。 去求助
来源期刊
Information and Computer Security
Information and Computer Security COMPUTER SCIENCE, INFORMATION SYSTEMS-
CiteScore
4.60
自引率
7.10%
发文量
23
期刊介绍: Information and Computer Security (ICS) contributes to the advance of knowledge directly related to the theory and practice of the management and security of information and information systems. It publishes research and case study papers relating to new technologies, methodological developments, empirical studies and practical applications. The journal welcomes papers addressing research and case studies in relation to many aspects of information and computer security. Topics of interest include, but are not limited to, the following: Information security management, standards and policies Security governance and compliance Risk assessment and modelling Security awareness, education and culture User perceptions and understanding of security Misuse and abuse of computer systems User-facing security technologies Internet security and privacy The journal is particularly interested in receiving submissions that consider the business and organisational aspects of security, and welcomes papers from both human and technical perspective on the topic. However, please note we do not look to solicit papers relating to the underlying mechanisms and functions of security methods such as cryptography (although relevant applications of the technology may be considered).
×
引用
GB/T 7714-2015
复制
MLA
复制
APA
复制
导出至
BibTeX EndNote RefMan NoteFirst NoteExpress
×
提示
您的信息不完整,为了账户安全,请先补充。
现在去补充
×
提示
您因"违规操作"
具体请查看互助需知
我知道了
×
提示
确定
请完成安全验证×
copy
已复制链接
快去分享给好友吧!
我知道了
右上角分享
点击右上角分享
0
联系我们:info@booksci.cn Book学术提供免费学术资源搜索服务,方便国内外学者检索中英文文献。致力于提供最便捷和优质的服务体验。 Copyright © 2023 布克学术 All rights reserved.
京ICP备2023020795号-1
ghs 京公网安备 11010802042870号
Book学术文献互助
Book学术文献互助群
群 号:481959085
Book学术官方微信