Methods For Identification Of Information Security Management System Metrics – A Research Proposal

Notes: I wrote this article during my study in 2024

Turnitin rate: 5%

1. Introduction

Information security is a crucial aspect of modern organizations, as the frequent news and reports about information security incidents threatening the confidentiality, integrity and availability of information show. As technology and the digital economy continue to evolve, so do the associated cyber security risks (Cadena et al., 2020; Calvo & Beltrán, 2023).

Risk management is a crucial step in managing information risks, cybersecurity risks and the related incidents. However, developing and applying efficient and impactful information and cybersecurity metrics remains challenging. Metrics, if placed into the right risk management processes (Michael & Sema, 2023), such as risk identification and key risk indication, enable organizations to make informed decisions about where to allocate resources, and when and how to change the information security management system.

This research paper aims to develop a new methodology that integrates well-established industry standards to enhance the efficacy and robustness of information security risk assessments. By focusing specifically on network communication-related risks, it addresses a critical and often vulnerable aspect of information security. The proposed framework, OMMA, combines the OSI Model with the MITRE ATT&CK framework. It is intended to augment the ISO/IEC 27001 international standard for information security, specifically its information security risk assessment process. The suggested enhancement is a new requirement to compare the network communication-related risks an organization has identified with the techniques catalogued in the MITRE ATT&CK framework, position each within the appropriate layer of the OSI Model, and thereby verify that risk coverage is complete.

Furthermore, this research advocates for the application of the Goal Question Metric (GQM) approach to articulate and measure the identified risks, enhancing the clarity and relevance of security metrics. By employing GQM, we aim to bridge the gap between strategic objectives and operational outcomes, providing a structured method to quantify and address security vulnerabilities effectively.

By concentrating on these elements, the research intends to forge a robust pathway for enhancing existing standards and methodologies in information security risk assessment, making a significant contribution to the field, and potentially setting a new benchmark for industry practices.

2. Research Aims and Objectives

The primary aim of this research is to enhance the robustness and effectiveness of information security risk assessments by developing a new methodology that integrates two well-established models and frameworks: the OSI Model and the MITRE ATT&CK framework. This integrated approach, termed OMMA (OSI Model and MITRE ATT&CK), is designed to refine the existing standards specified in the ISO/IEC 27001 international standard for information security.

There are several specific objectives to achieve the aim as follows.

Integration of OSI and MITRE ATT&CK Frameworks: Develop and formalize the OMMA framework that synergistically combines the OSI Model's layered communication systems approach with the detailed, actionable intelligence of the MITRE ATT&CK framework to cover network communication-related risks comprehensively.

This research paper focuses only on network communication-related risks, not on non-network communication risks such as those concerning data at rest (Data-at-Rest Encryption Capabilities, n.d.). The scoping is illustrated in Figure 1 - Scope of this research paper (Diesch et al., 2018).



Figure 1 - Scope of this research paper

We propose developing a new method that integrates two well-known models and frameworks, the OSI Model and the MITRE ATT&CK framework (OMMA for short), and then using it to enhance the existing ISO/IEC 27001 international standard for information security.

Specifically, we suggest adding a new requirement to clause 6.1.2 Information security risk assessment of ISO/IEC 27001 (ISO/IEC 27001:2022(en), Information Security, Cybersecurity and Privacy Protection — Information Security Management Systems — Requirements, n.d.): "compare the network communication-related risks identified by the organization with the techniques in the MITRE ATT&CK framework, place them in the right layer of the OSI Model and verify that no necessary risks have been omitted".

The identified risks can later, optionally, be presented using the Goal Question Metric (GQM) approach (Hajdarevic & Allen, 2013).

We also give an example illustrating how this method produces a risk assessment result of more relevant quality.

3. Background

This paper critically examines current methodologies for developing metrics in information security management systems, focusing particularly on the Goal Question Metric (GQM) approach. The increasing complexity and frequency of cyber threats necessitate effective and adaptive security measures within organizations, guided by robust metrics that can preemptively identify and mitigate potential risks.

The management of information security risks is paramount for any organization aiming to protect its data from cyber threats. Standards such as ISO/IEC 27001 and the NIST Cybersecurity Framework are instrumental in guiding these efforts, providing a structured approach to security that includes detailed risk assessment and management strategies. This review considers how such standards are utilized to construct relevant security metrics that are not only comprehensive but also tailored to specific organizational needs.

The GQM approach emerges as a significant method in the literature for formulating security metrics. Originally applied within the domain of software quality, its adaptability allows for effective application in the security sector. The GQM methodology starts with defining specific security goals, followed by formulating questions that address these goals, and finally developing metrics that provide quantifiable data to evaluate the security posture. This structured approach helps in linking strategic objectives to measurable outcomes, facilitating proactive security management.

In particular, when reviewing the relevant articles, we noted that the term "PDP - Proactive Defense Points" used in the first reviewed article (Hajdarevic & Allen, 2013) points to a potential knowledge gap: there is no specific guideline on how each PDP is determined. We agree with the authors that those points should be identified, but the paper does not say how they are created. For example, for the item "E. Administrator and operator logs (10.10.4) MM10104" they list the PDP "(3) Using correlated events it is noticed that system has failed after administrator intervention". It is not clear which specific metrics and data can be used to measure this PDP, nor which source data can be used to calculate those metrics. A second possible knowledge gap is that there is no guideline ensuring that no important key risk indicator or proactive information security metric is overlooked; such metrics or indicators may be (un)intentionally omitted from an organization's risk library. We therefore propose a new framework in this article to address these gaps.

We conducted a literature review that included a detailed evaluation of two relevant articles. The first article, “A new method for the identification of proactive information security management system metrics” (Hajdarevic & Allen, 2013) discusses a new method for identifying proactive information security management system metrics, emphasizing the early phase of risk identification using the GQM method. The second article, “Applying the Goal, Question, Metric method to derive tailored dynamic cyber risk metrics” (Calvo & Beltrán, 2023) elaborates on tailoring cyber risk metrics using the GQM method, validated in different scenarios such as smart farms and web application firewalls. Both articles highlight the flexibility and adaptability of the GQM approach across diverse organizational contexts. The analysis of the articles shows that both are well-organized and offer logical structures that ease the understanding of complex methodologies. However, the first article, despite its relevance, is somewhat dated and lacks detailed discussion on the development of 'Proactive Defense Points', a crucial aspect in proactive risk management. The second article is more up-to-date and provides extensive details on the application of the GQM method, making it highly relevant for contemporary security challenges.
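The GQM chain described above (goal, then question, then metric), carried down to a metric that actually consumes data, as an added example that is not part of the original proposal nor code from the reviewed papers. It takes a network communication-related risk, ARP cache poisoning (ATT&CK T1557.002, OSI layer 2), and names the data source and computation that the PDP examples in the reviewed article leave unspecified. The ARP record format (ISO timestamp, sender IP, sender MAC per line), the sample records and the five-minute window are constructed assumptions for the illustration.

```python
"""Added example (not part of the original proposal, nor code from the
reviewed papers): one GQM chain for a network communication-related risk,
carried all the way to a metric computed from data.
  Goal      detect ARP cache poisoning (ATT&CK T1557.002, OSI layer 2) on
            the student VLAN before traffic to the web server is intercepted
  Question  how often is an IP address on the segment claimed by more than
            one MAC address within a short window?
  Metric    number of IPs with conflicting IP->MAC bindings per window, the
            share of observed IPs affected, and whether the gateway is hit
The record format is a constructed one (ISO timestamp, sender IP, sender
MAC per line); a real feed would come from arpwatch, a switch's dynamic ARP
inspection log or a packet capture, and that parsing is out of scope here."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

GQM = {
    "goal": "Detect ARP cache poisoning (T1557.002) on the student VLAN",
    "question": "How often is one IP claimed by more than one MAC within a window?",
    "metric": "conflicting_ips, conflict_ratio, gateway_conflict per window",
}

# Constructed sample: legitimate bindings, then a second MAC claiming the
# gateway IP 10.0.5.1 about a minute later (the poisoning pattern), and a
# MAC change for 10.0.5.21 forty-five minutes later (outside the window,
# e.g. a replaced device, so it is not counted).
SAMPLE_ARP_LOG = """
2024-05-16T10:00:01 10.0.5.1 aa:bb:cc:00:00:01
2024-05-16T10:00:02 10.0.5.20 aa:bb:cc:00:00:20
2024-05-16T10:00:03 10.0.5.21 aa:bb:cc:00:00:21
2024-05-16T10:01:10 10.0.5.1 DE:AD:BE:EF:00:99
2024-05-16T10:01:11 10.0.5.20 aa:bb:cc:00:00:20
2024-05-16T10:45:00 10.0.5.21 aa:bb:cc:00:00:22
"""


@dataclass(frozen=True)
class ArpReply:
    ts: datetime
    ip: str
    mac: str


def parse_arp_log(text):
    """Parse the constructed format; MACs are normalised to lower case so the
    same adapter written two ways is not reported as a conflict."""
    replies = []
    for line in text.strip().splitlines():
        ts, ip, mac = line.split()
        replies.append(ArpReply(datetime.fromisoformat(ts), ip, mac.lower()))
    return replies


def conflicting_bindings(replies, window_seconds=300):
    """Return {ip: sorted MACs} for every IP whose claimed MAC changed within
    window_seconds of its previous claim. The window is a heuristic: a slow
    change usually means a replaced device, a fast flip is what poisoning
    looks like."""
    last_seen = {}                 # ip -> (timestamp, mac)
    conflicts = defaultdict(set)
    for r in sorted(replies, key=lambda r: r.ts):
        prev = last_seen.get(r.ip)
        if prev and prev[1] != r.mac and (r.ts - prev[0]).total_seconds() <= window_seconds:
            conflicts[r.ip].update({prev[1], r.mac})
        last_seen[r.ip] = (r.ts, r.mac)
    return {ip: sorted(macs) for ip, macs in conflicts.items()}


def gqm_metric(replies, gateway_ip, window_seconds=300):
    """The metric that answers the GQM question for one window of records."""
    conflicts = conflicting_bindings(replies, window_seconds)
    total_ips = len({r.ip for r in replies})
    return {
        "conflicting_ips": len(conflicts),
        "conflict_ratio": round(len(conflicts) / total_ips, 3) if total_ips else 0.0,
        "gateway_conflict": gateway_ip in conflicts,
    }


if __name__ == "__main__":
    replies = parse_arp_log(SAMPLE_ARP_LOG)
    print(conflicting_bindings(replies))
    print(gqm_metric(replies, gateway_ip="10.0.5.1"))
```

The point of the example is the last step of the chain: a metric is only usable as an early warning indicator once its data source (here, observed ARP replies) and its computation rule (a MAC flip inside a short window) are written down; the window length is the tuning knob that trades missed slow poisoning against false alarms from device replacement.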

4. Research Significance and Innovation

In the evolving landscape of the digital economy, information security has emerged as a critical topic for organizations across industries. As businesses increasingly adopt digital transformation, new cybersecurity risks are introduced, highlighting the need for a comprehensive information security management system (ISMS) and its management activities. The identification of meaningful metrics in any ISMS is essential to ensure effective risk management.

4.1 The significance of this research proposal

This research has the potential to establish a baseline for information security risk identification activities. Without a comprehensive baseline, this activity often produces non-unified risk assessments that lack relevance to the dynamic threat landscape. Organizations then struggle to derive meaningful action plans, hindering effective decision-making and risk mitigation. By focusing on systematic methods for identifying ISMS metrics, this research aims to improve the accuracy, comprehensiveness and applicability of security measurement frameworks.

Moreover, the importance of this topic is heightened by the fact that cyber threats evolve constantly. Any effective set of ISMS metrics needs a way to receive timely updates from the industry so that the early warning indicators derived from it stay practical and meaningful, enabling organizations to be better prepared against those attacks. This, in turn, helps organizations plan resource allocation across the whole risk management program and improves their ability to watch for unexpected attacks. This research aims to make a significant impact on ongoing cybersecurity management issues, benefiting the academic community and providing practical solutions for a resilient digital economy.

4.2 The benefits to society and industry from this research proposal

This paper proposes combining existing frameworks to create a new one. The intent is to inherit already well-proven frameworks so that the overview is complete (avoiding the risk of omitting a necessary risk) without being too strict, since only minimum requirements are set. Applying these research outcomes could therefore enhance the efficiency and robustness of industry practice, improving operations and reducing overhead costs, and thereby contributing to a more adaptive economic environment.

From the human resources management perspective, this paper also sets an additional skillset baseline for those working in information security risk management roles. At a minimum, people in these roles must be able to work with the framework and the relevant attacks, and be familiar with the globally accessible knowledge base of adversary tactics and techniques that MITRE (MITRE ATT&CK, n.d.) makes publicly available. Attackers are aware of that knowledge, so defenders should never leave it out. We agree that richer threat intelligence sources should also be fed into the method, but at the very least an organization should be prepared for the commonly known attacks. Improvements to the MITRE framework itself could also be suggested to keep it even more up to date.

4.3 The innovation of the proposed research project

Also, because MITRE continuously updates the framework with community knowledge and real-world intelligence, the OMMA method remains relevant and reflective of evolving cybersecurity threats. In short, the method does not produce fixed outcomes: its results vary with the current state of the MITRE ATT&CK knowledge base, which is updated on an ongoing basis from observations contributed by the community.

The innovation of this proposed research project lies in its holistic and systematic approach to ISMS metric identification. Rather than relying on ad-hoc or disparate methodologies, this research aims to develop a comprehensive framework that integrates two well-known industry frameworks, MITRE ATT&CK and the OSI Model, into a new one.

Furthermore, the research embraces a multidisciplinary perspective, drawing insights from fields such as information science, risk management, and organizational behaviour. By transcending siloed approaches and fostering collaboration across domains, the project fosters innovation and cross-pollination of ideas. Moreover, the emphasis on stakeholder engagement and co-creation ensures that the resulting metrics resonate with diverse organizational contexts and stakeholder interests, fostering buy-in and sustainability.

Building on existing research in data analytics, machine learning and cybersecurity, future work could automate the metric identification process that the framework prescribes, thereby improving its efficiency.

6. Research Methods

6.1 Research Method

There are exemplar research articles (Hajdarevic & Allen, 2013; Philippou et al., 2020) whose research activities are relevant to our chosen topic. Their authors adopted a qualitative method and provided a case study to evaluate the research outcome. This paper takes an equivalent approach: a qualitative method, with a case study illustrated accordingly.

As noted previously, this paper focuses primarily on network communication-related risks. The OMMA methodology combines the MITRE ATT&CK framework (Roy et al., 2023) with the OSI Model. Specifically, we suggest adding a new requirement to the information security risk assessment process of ISO 27001 (ISO/IEC 27001:2022(en), Information Security, Cybersecurity and Privacy Protection — Information Security Management Systems — Requirements, n.d.): "compare the risks identified by the organization with those in the MITRE ATT&CK framework and verify that no necessary risks have been omitted." The proposal is illustrated in Figure 2 - Proposal to combine the MITRE ATT&CK framework with the OSI Model. In a later phase, the results can optionally be presented, in part, using the Goal Question Metric approach.


Figure 2 - Proposal to combine the MITRE ATT&CK framework with the OSI Model

Technically, the latest update of ISO 27001 (ISO/IEC 27001:2022) (ISO/IEC 27001:2022(en), Information Security, Cybersecurity and Privacy Protection — Information Security Management Systems — Requirements, n.d.) does not specify minimum requirements for the outcomes of risk identification, as illustrated in Figure 3 below.

Figure 3 - Existing ISO 27001:2022 information security risk assessment process

6.2 R&D activities including teamwork breakdown

6.2.1 Data Collection Techniques

Our data collection methods will include observation, recording detailed information about what we have encountered and experienced in previous work.

We will also use focus groups, asking questions and generating discussion among a group of people working in cybersecurity. For all of these methods, participants from the banking industry will be prioritized.

6.2.2 Design approach

The design approach in this paper involves making key decisions to ensure that the research methods align with the research objectives and that the right kind of analysis is used in the evaluation phase. Our approach includes setting the aims and approach, choosing a research method already used by relevant published articles, defining the data collection methods and procedures, and evaluating and validating the proposal.

6.2.3 Evaluation

Please refer to section 6.3 for detailed information.

6.2.4 Training and knowledge transfer

To facilitate the knowledge transfer from the proposed research outcome to operational teams, the training activities aim to. Because the proposed method is based on existing, popular frameworks and models (OSI Model, MITRE ATT&CK, ISO 27001, etc.), very few new technical terms are expected to be introduced to the organization, which should help it deploy the changes more efficiently.

6.3 Evaluation methods

This section evaluates the proposed OMMA method on a sample educational organization, illustrated in Figure 4 - Network topology of a typical organization. For demonstration purposes, this paper discusses how the information security risks of this simple case study are identified and organized into the relevant scheme using OMMA. We consider the organization an essential 24/7 education service that lets international customers connect through the ISP router to reach the web server (PC3). Within the organization, many departments and students also access those services. The organization's information security objectives include, but are not limited to, the protection of user (student) and staff information.

Figure 4 - Network topology of a typical organization

Please note that the MITRE ATT&CK framework is a comprehensive matrix of known information security attack tactics and techniques. It was not designed to align with the OSI model, which is a conceptual framework describing the functions of a network system layer by layer. However, because this paper only covers network communication-related risks, some MITRE ATT&CK techniques can be placed into the OSI layer at which they normally operate. For example, a hardware addition such as a rogue device inserted into the network, which adversaries later use to gain access (Hardware Additions, Technique T1200, n.d.), operates at the physical layer, while ARP cache poisoning (Adversary-in-the-Middle: ARP Cache Poisoning, Sub-technique T1557.002, n.d.) operates at the data link layer.

In this example, the assets are categorized into the 7 layers of the OSI model. In each layer, the relevant attack techniques from the MITRE ATT&CK framework are listed, and the last column holds the corresponding risk statements.

In this context, the risk treatment plan can more easily be assigned to the right expertise. For instance, network administrators are the right people to propose treatments for the risks listed in layers 1, 2 and so on, but not layer 7; layer 7 treatments should instead come from the web application developers or operators. Separating risks by OSI layer, combined with the MITRE framework, makes it more efficient to identify and isolate problems, leading to more effective problem solving.

It also sets a baseline for information security risk identification, as each layer is already laid out for the assessors to fill in. The method does not bound the number of risks to be identified (for example, a maximum), but it does set the minimum level at which risks must be elaborated.
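The comparison step that the proposed requirement and the case-study table describe, as an added example that is not part of the original proposal nor code from MITRE or ISO: a constructed risk register for the sample organization is checked against a small subset of MITRE ATT&CK techniques (the IDs cited in this proposal's reference list), each assigned to an assumed OSI layer, and every technique that no risk statement covers is reported as a gap for its layer. The layer placement is the illustrative assumption this section discusses, not a mapping ATT&CK defines; a real run would load the full technique list from the ATT&CK STIX data instead of the hard-coded subset.

```python
"""Added example (not part of the original proposal, and not MITRE's or ISO's
code): a minimal OMMA coverage check. A constructed risk register for the
case-study organization is compared against a hand-picked subset of MITRE
ATT&CK Enterprise techniques, each placed in an assumed OSI layer, and every
technique that no risk statement references is reported as a gap for that
layer. The OSI-layer column is the author's illustrative assumption; ATT&CK
itself does not define one. The technique IDs and names are the ones cited
in the reference list, not the full catalogue."""
from dataclasses import dataclass

OSI_LAYERS = {
    1: "Physical", 2: "Data Link", 3: "Network", 4: "Transport",
    5: "Session", 6: "Presentation", 7: "Application",
}


@dataclass(frozen=True)
class Technique:
    tid: str        # ATT&CK ID as shown on attack.mitre.org
    name: str
    osi_layer: int  # assumed layer at which the technique normally operates


@dataclass(frozen=True)
class Risk:
    rid: str
    statement: str
    techniques: frozenset  # ATT&CK IDs the risk statement addresses


# Constructed catalogue subset: real IDs and names, assumed layer placement.
ATTACK_SUBSET = [
    Technique("T1200", "Hardware Additions", 1),
    Technique("T1557.002", "Adversary-in-the-Middle: ARP Cache Poisoning", 2),
    Technique("T1018", "Remote System Discovery", 3),
    Technique("T1572", "Protocol Tunneling", 4),
    Technique("T1505.003", "Server Software Component: Web Shell", 7),
    Technique("T1059", "Command and Scripting Interpreter", 7),
]

# Constructed risk register for the sample organization (PC3 is its web server).
RISK_REGISTER = [
    Risk("R-01", "A rogue device plugged into a campus switch port gives an "
                 "outsider a foothold on the internal network", frozenset({"T1200"})),
    Risk("R-02", "A host on the student VLAN poisons ARP caches to intercept "
                 "traffic between clients and PC3", frozenset({"T1557.002"})),
    Risk("R-03", "A compromised PC3 hosts a web shell that gives persistent "
                 "remote command execution", frozenset({"T1505.003", "T1059"})),
]


def coverage_by_layer(register, catalogue):
    """Map each OSI layer to the catalogue techniques that some risk covers
    and those that none does (the omissions the proposed ISO 27001 clause
    6.1.2 requirement asks the organization to look for)."""
    referenced = set().union(*(r.techniques for r in register))
    result = {layer: {"covered": [], "gaps": []} for layer in OSI_LAYERS}
    for t in catalogue:
        bucket = "covered" if t.tid in referenced else "gaps"
        result[t.osi_layer][bucket].append(t.tid)
    return result


def unknown_references(register, catalogue):
    """Risk statements that cite an ID absent from the catalogue (a typo, or a
    technique deprecated or renamed in a newer ATT&CK release), keyed by risk ID."""
    known = {t.tid for t in catalogue}
    return {r.rid: sorted(r.techniques - known)
            for r in register if r.techniques - known}


def is_complete(coverage):
    """True only when no layer has an uncovered technique."""
    return all(not layer["gaps"] for layer in coverage.values())


def format_report(coverage):
    """One line per populated layer, in the shape of the case-study table."""
    lines = []
    for layer, name in OSI_LAYERS.items():
        covered, gaps = coverage[layer]["covered"], coverage[layer]["gaps"]
        if covered or gaps:
            lines.append(f"L{layer} {name:<12} covered={covered or '-'} gaps={gaps or '-'}")
    return "\n".join(lines)


if __name__ == "__main__":
    cov = coverage_by_layer(RISK_REGISTER, ATTACK_SUBSET)
    print(format_report(cov))
    print("unknown IDs:", unknown_references(RISK_REGISTER, ATTACK_SUBSET))
    print("assessment complete:", is_complete(cov))
```

With the constructed register, layers 1, 2 and 7 are covered while T1018 (layer 3) and T1572 (layer 4) have no risk statement, so the assessment fails the completeness check; the unknown-reference check matters in practice because the result of the method changes with every ATT&CK release, as section 4.3 notes, and a register that cites a retired ID silently stops being comparable.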

From the expertise management perspective, in this example the authors play the role of risk manager. To produce the risk statements in the last column, the risk manager is assumed to have a profound understanding of all the relevant frameworks and their terminology, as well as of the updates to the MITRE knowledge base as of the report date. It is therefore vital for the organization to adjust the job qualification descriptions of the relevant roles throughout the risk management lifecycle accordingly.

7. Conclusion

This paper suggests several areas for future research, particularly the automation of data collection and analysis to give security metrics real-time capability. Another is extending the work to the rest of the scope, non-network communication risks, including a conceptual model for the whole lifecycle of data in non-network form. A framework that consolidates zero-day attacks, so that comprehensive and timely updates about them are available, is a further gap. Finally, a systematic playbook for the approach would help ensure that no critical aspect is overlooked in security assessments.

8. Reference List

Adversary-in-the-Middle: ARP Cache Poisoning, Sub-technique T1557.002—Enterprise | MITRE ATT&CK®. (n.d.). Retrieved May 16, 2024, from https://attack.mitre.org/techniques/T1557/002/

Adversary-in-the-Middle, Technique T1557—Enterprise | MITRE ATT&CK®. (n.d.). Retrieved May 16, 2024, from https://attack.mitre.org/techniques/T1557/

Cadena, A., Gualoto, F., Fuertes, W., Tello-Oquendo, L., Andrade, R., Tapia, F., & Torres, J. (2020). Metrics and Indicators of Information Security Incident Management: A Systematic Mapping Study. In Á. Rocha & R. P. Pereira (Eds.), Developments and Advances in Defense and Security (pp. 507–519). Springer. https://doi.org/10.1007/978-981-13-9155-2_40

Calvo, M., & Beltrán, M. (2023). Applying the Goal, Question, Metric method to derive tailored dynamic cyber risk metrics. Information & Computer Security, ahead-of-print(ahead-of-print). https://doi.org/10.1108/ICS-03-2023-0043

Command and Scripting Interpreter, Technique T1059—Enterprise | MITRE ATT&CK®. (n.d.). Retrieved May 16, 2024, from https://attack.mitre.org/techniques/T1059/

Data-at-rest Encryption Capabilities. (n.d.). Gartner. Retrieved May 15, 2024, from https://www.gartner.com/en/documents/3975899

Hajdarevic, K., & Allen, P. (2013). A new method for the identification of proactive information security management system metrics. 2013 36th International Convention on Information and Communication Technology, Electronics and Microelectronics (MIPRO), 1121–1126. https://ieeexplore.ieee.org/document/6596425

Hardware Additions, Technique T1200—Enterprise | MITRE ATT&CK®. (n.d.). Retrieved May 16, 2024, from https://attack.mitre.org/techniques/T1200/

ISO/IEC 27001:2022(en), Information security, cybersecurity and privacy protection—Information security management systems—Requirements. (n.d.). Retrieved April 8, 2024, from https://www.iso.org/obp/ui/en/#iso:std:iso-iec:27001:ed-3:v1:en

Michael, K., & Sema, Y. (2023, June 28). Best Practices for the Cyber-Risk Management: Plan, Secure and Monitor the Life Cycle.

MITRE ATT&CK®. (n.d.). Retrieved May 15, 2024, from https://attack.mitre.org/

Philippou, E., Frey, S., & Rashid, A. (2020). Contextualising and aligning security metrics and business objectives: A GQM-based methodology. Computers & Security, 88, 101634. https://doi.org/10.1016/j.cose.2019.101634

Protocol Tunneling, Technique T1572—Enterprise | MITRE ATT&CK®. (n.d.). Retrieved May 16, 2024, from https://attack.mitre.org/techniques/T1572/

Diesch, R., Pfaff, M., & Krcmar, H. (2018). Prerequisite to Measure Information Security—A State of the Art Literature Review. International Conference on Information Systems Security and Privacy, 207–215. https://doi.org/10.5220/0006545602070215

Remote System Discovery, Technique T1018—Enterprise | MITRE ATT&CK®. (n.d.). Retrieved May 16, 2024, from https://attack.mitre.org/techniques/T1018/

Roy, S., Panaousis, E., Noakes, C., Laszka, A., Panda, S., & Loukas, G. (2023). SoK: The MITRE ATT&CK Framework in Research and Practice (arXiv:2304.07411; Version 1). arXiv. https://arxiv.org/abs/2304.07411

Server Software Component: Web Shell, Sub-technique T1505.003—Enterprise | MITRE ATT&CK®. (n.d.). Retrieved May 16, 2024, from https://attack.mitre.org/techniques/T1505/003/
