MARISMA：评估和管理信息网络安全风险的现代背景感知框架

IF 4.1 2区计算机科学 Q1 COMPUTER SCIENCE, HARDWARE & ARCHITECTURE

Computer Standards & Interfaces Pub Date : 2024-10-10 DOI:10.1016/j.csi.2024.103935

Luis E. Sánchez , Antonio Santos-Olmo , David G. Rosado , Carlos Blanco , Manuel A. Serrano , Haralambos Mouratidis , Eduardo Fernández-Medina

{"title":"MARISMA：评估和管理信息网络安全风险的现代背景感知框架","authors":"Luis E. Sánchez , Antonio Santos-Olmo , David G. Rosado , Carlos Blanco , Manuel A. Serrano , Haralambos Mouratidis , Eduardo Fernández-Medina","doi":"10.1016/j.csi.2024.103935","DOIUrl":null,"url":null,"abstract":"<div><div>In a globalised world dependent on information technology, ensuring adequate protection of an organisation’s information assets has become a decisive factor for the longevity of the organisation’s operation. This is especially important when these organisations are critical infrastructures that provide essential services to nations and their citizens. However, to protect these assets, we must first be able to understand the risks to which they are subject and how to manage them properly. To understand and manage such the risks, we need first to acknowledge that organisations have changed, and they now have an increasing reliance on information assets, which in many cases are shared with other organisations. Such reliance and interconnectivity means that risks are constantly changing, they are dynamic, and potential mitigation does not just rely on the organisation’s own controls, but also on the controls put in place by the organisations with which it shares those assets. Taking the above requirements as essential, we have reviewed the state of the art, and we have concluded that current risk analysis and management systems are unable to meet all the needs inherent in this dynamic and evolving risk environment. This gap in the state of the art requires novel approaches that draw on the foundations of risk management, but they are adapted to the new challenges.</div><div>This article fulfils this gap in the literature with the introduction of MARISMA, a novel security risk analysis and management framework. MARISMA is oriented towards dynamic and adaptive risk management, considering external factors such as associative risks between organisations. MARISMA also contributes to the state of the art through newly developed mechanisms for knowledge reuse and dynamic learning. An important advantage of MARISMA is the connections between its elements that make it possible to reduce the subjectivity inherent in classical risk analysis systems, thereby generating suggestions that allow the translation of perceived security risks into real security risks. The framework comprises a reusable meta-pattern comprising different elements and their interdependencies, a supporting method that guides the entire process, and a cloud-based tool that automates data management and risk methods. MARISMA has been applied to many companies from different countries and sectors (government, maritime, energy, and pharmaceutical). In this paper, we demonstrate its applicability through its application to a real world case study involving a company in the technology sector.</div></div>","PeriodicalId":50635,"journal":{"name":"Computer Standards & Interfaces","volume":"92 ","pages":"Article 103935"},"PeriodicalIF":4.1000,"publicationDate":"2024-10-10","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":"{\"title\":\"MARISMA: A modern and context-aware framework for assessing and managing information cybersecurity risks\",\"authors\":\"Luis E. Sánchez , Antonio Santos-Olmo , David G. Rosado , Carlos Blanco , Manuel A. Serrano , Haralambos Mouratidis , Eduardo Fernández-Medina\",\"doi\":\"10.1016/j.csi.2024.103935\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"<div><div>In a globalised world dependent on information technology, ensuring adequate protection of an organisation’s information assets has become a decisive factor for the longevity of the organisation’s operation. This is especially important when these organisations are critical infrastructures that provide essential services to nations and their citizens. However, to protect these assets, we must first be able to understand the risks to which they are subject and how to manage them properly. To understand and manage such the risks, we need first to acknowledge that organisations have changed, and they now have an increasing reliance on information assets, which in many cases are shared with other organisations. Such reliance and interconnectivity means that risks are constantly changing, they are dynamic, and potential mitigation does not just rely on the organisation’s own controls, but also on the controls put in place by the organisations with which it shares those assets. Taking the above requirements as essential, we have reviewed the state of the art, and we have concluded that current risk analysis and management systems are unable to meet all the needs inherent in this dynamic and evolving risk environment. This gap in the state of the art requires novel approaches that draw on the foundations of risk management, but they are adapted to the new challenges.</div><div>This article fulfils this gap in the literature with the introduction of MARISMA, a novel security risk analysis and management framework. MARISMA is oriented towards dynamic and adaptive risk management, considering external factors such as associative risks between organisations. MARISMA also contributes to the state of the art through newly developed mechanisms for knowledge reuse and dynamic learning. An important advantage of MARISMA is the connections between its elements that make it possible to reduce the subjectivity inherent in classical risk analysis systems, thereby generating suggestions that allow the translation of perceived security risks into real security risks. The framework comprises a reusable meta-pattern comprising different elements and their interdependencies, a supporting method that guides the entire process, and a cloud-based tool that automates data management and risk methods. MARISMA has been applied to many companies from different countries and sectors (government, maritime, energy, and pharmaceutical). In this paper, we demonstrate its applicability through its application to a real world case study involving a company in the technology sector.</div></div>\",\"PeriodicalId\":50635,\"journal\":{\"name\":\"Computer Standards & Interfaces\",\"volume\":\"92 \",\"pages\":\"Article 103935\"},\"PeriodicalIF\":4.1000,\"publicationDate\":\"2024-10-10\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"0\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"Computer Standards & Interfaces\",\"FirstCategoryId\":\"94\",\"ListUrlMain\":\"https://www.sciencedirect.com/science/article/pii/S0920548924001041\",\"RegionNum\":2,\"RegionCategory\":\"计算机科学\",\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"Q1\",\"JCRName\":\"COMPUTER SCIENCE, HARDWARE & ARCHITECTURE\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"Computer Standards & Interfaces","FirstCategoryId":"94","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S0920548924001041","RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"COMPUTER SCIENCE, HARDWARE & ARCHITECTURE","Score":null,"Total":0}

引用次数: 0

摘要

在依赖信息技术的全球化世界中，确保对组织的信息资产提供充分保护已成为组织能否长久运营的决定性因素。当这些组织是为国家及其公民提供重要服务的关键基础设施时，这一点尤为重要。然而，要保护这些资产，我们必须首先了解它们所面临的风险以及如何妥善管理这些风险。要了解和管理这些风险，我们首先需要认识到组织已经发生了变化，它们现在越来越依赖于信息资产，而在许多情况下，信息资产是与其他组织共享的。这种依赖性和相互关联性意味着风险是不断变化的，是动态的，潜在的风险缓解不仅依赖于组织自身的控制，也依赖于与之共享这些资产的组织所实施的控制。以上述要求为基本条件，我们对最新技术进行了审查，得出的结论是，目前的风险分析和管理系统无法满足这种动态和不断变化的风险环境中固有的所有需求。本文介绍的 MARISMA 是一种新型安全风险分析和管理框架，弥补了文献中的这一空白。MARISMA 以动态和适应性风险管理为导向，考虑了组织间关联风险等外部因素。MARISMA 还通过新开发的知识再利用和动态学习机制，为技术发展做出了贡献。MARISMA 的一个重要优势在于其各要素之间的联系，这种联系可以减少传统风险分析系统固有的主观性，从而提出建议，将感知到的安全风险转化为真正的安全风险。该框架包括一个由不同要素及其相互依存关系组成的可重复使用的元模式、一个指导整个流程的辅助方法，以及一个可实现数据管理和风险方法自动化的云工具。MARISMA 已应用于不同国家和行业（政府、海事、能源和制药）的许多公司。在本文中，我们将通过一个涉及科技行业公司的真实案例研究来展示其适用性。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

查看原文本刊更多论文

MARISMA: A modern and context-aware framework for assessing and managing information cybersecurity risks

In a globalised world dependent on information technology, ensuring adequate protection of an organisation’s information assets has become a decisive factor for the longevity of the organisation’s operation. This is especially important when these organisations are critical infrastructures that provide essential services to nations and their citizens. However, to protect these assets, we must first be able to understand the risks to which they are subject and how to manage them properly. To understand and manage such the risks, we need first to acknowledge that organisations have changed, and they now have an increasing reliance on information assets, which in many cases are shared with other organisations. Such reliance and interconnectivity means that risks are constantly changing, they are dynamic, and potential mitigation does not just rely on the organisation’s own controls, but also on the controls put in place by the organisations with which it shares those assets. Taking the above requirements as essential, we have reviewed the state of the art, and we have concluded that current risk analysis and management systems are unable to meet all the needs inherent in this dynamic and evolving risk environment. This gap in the state of the art requires novel approaches that draw on the foundations of risk management, but they are adapted to the new challenges.

This article fulfils this gap in the literature with the introduction of MARISMA, a novel security risk analysis and management framework. MARISMA is oriented towards dynamic and adaptive risk management, considering external factors such as associative risks between organisations. MARISMA also contributes to the state of the art through newly developed mechanisms for knowledge reuse and dynamic learning. An important advantage of MARISMA is the connections between its elements that make it possible to reduce the subjectivity inherent in classical risk analysis systems, thereby generating suggestions that allow the translation of perceived security risks into real security risks. The framework comprises a reusable meta-pattern comprising different elements and their interdependencies, a supporting method that guides the entire process, and a cloud-based tool that automates data management and risk methods. MARISMA has been applied to many companies from different countries and sectors (government, maritime, energy, and pharmaceutical). In this paper, we demonstrate its applicability through its application to a real world case study involving a company in the technology sector.

求助全文

通过发布文献求助，成功后即可免费获取论文全文。去求助

来源期刊

Computer Standards & Interfaces 工程技术-计算机：软件工程

CiteScore

11.90

自引率

16.00%

发文量

审稿时长

6 months

期刊介绍： The quality of software, well-defined interfaces (hardware and software), the process of digitalisation, and accepted standards in these fields are essential for building and exploiting complex computing, communication, multimedia and measuring systems. Standards can simplify the design and construction of individual hardware and software components and help to ensure satisfactory interworking. Computer Standards & Interfaces is an international journal dealing specifically with these topics. The journal • Provides information about activities and progress on the definition of computer standards, software quality, interfaces and methods, at national, European and international levels • Publishes critical comments on standards and standards activities • Disseminates user''s experiences and case studies in the application and exploitation of established or emerging standards, interfaces and methods • Offers a forum for discussion on actual projects, standards, interfaces and methods by recognised experts • Stimulates relevant research by providing a specialised refereed medium.