Neural Computing and Applications (2022) 34:15241–15271

https://doi.org/10.1007/s00521-022-06959-2 (0123456789().,-volV)(0123456789().
,- volV)

S.I. : LSNC & OUAI

An integrated cyber security risk management framework and risk

predication for the critical infrastructure protection
Halima Ibrahim Kure1 • Shareeful Islam2 • Haralambos Mouratidis3

Received: 21 July 2021 / Accepted: 14 January 2022 / Published online: 2 February 2022
 The Author(s), under exclusive licence to Springer-Verlag London Ltd., part of Springer Nature 2022

Abstract
Cyber security risk management plays an important role for today’s businesses due to the rapidly changing threat landscape
and the existence of evolving sophisticated cyber attacks. It is necessary for organisations, of any size, but in particular
those that are associated with a critical infrastructure, to understand the risks, so that suitable controls can be taken for the
overall business continuity and critical service delivery. There are a number of works that aim to develop systematic
processes for risk assessment and management. However, the existing works have limited input from threat intelligence
properties and evolving attack trends, resulting in limited contextual information related to cyber security risks. This
creates a challenge, especially in the context of critical infrastructures, since attacks have evolved from technical to socio-
technical and protecting against them requires such contextual information. This research proposes a novel integrated cyber
security risk management (i-CSRM) framework that responds to that challenge by supporting systematic identification of
critical assets through the use of a decision support mechanism built on fuzzy set theory, by predicting risk types through
machine learning techniques, and by assessing the effectiveness of existing controls. The framework is composed of a
language, a process, and it is supported by an automated tool. The paper also reports on the evaluation of our work to a real
case study of a critical infrastructure. The results reveal that using the fuzzy set theory in assessing assets’ criticality, our
work supports stakeholders towards an effective risk management by assessing each asset’s criticality. Furthermore, the
results have demonstrated the machine learning classifiers’ exemplary performance to predict different risk types including
denial of service, cyber espionage and crimeware.

Keywords Cyber security risk management  Threat intelligence  Fuzzy theory  Control effectiveness  Risk prediction 
Machine learning  Case study

1 Introduction

Critical infrastructures (CIs), such as energy and health-

care, heavily rely on Information and Communication
Technology (ICT) to support reliable service delivery.
& Shareeful Islam
[email protected] Such integration of ICT to CIs introduces a number of
advantages, such as higher degree of flexibility, scalability
Halima Ibrahim Kure
[email protected] and efficiency in the communication and coordination of
advanced services and processes. On the other hand, the
Haralambos Mouratidis
[email protected] increase usage of ICT in CIs creates new opportunities for
cyber attacks and increases the vulnerability of those sys-
1
School of Architecture, Computing and Engineering, tems. Due to the importance of critical infrastructures,
University of East London, London, UK there are recently an increased number of attacks that are
2
School of Computing and Information Science, Anglia evolving in terms of sophistication, persistence and the
Ruskin University, Cambridge, UK resources that attackers have available. Such attacks con-
3
Institute for Analytics and Data Science, University of Essex, sider not just the technical limitations of the relevant
Colchester, UK

123
15242 Neural Computing and Applications (2022) 34:15241–15271

technologies but also the contextual information related to 2 Related works

the critical infrastructure.
Despite of several existing works on cybersecurity risk This section provides an overview of existing works which
management, the literature fails to present works that are relevant to the proposed i-CSRM. We focus on four
consider such contextual information when performing risk main areas: cyber threat intelligence, risk management, risk
management for critical infrastructures. Moreover, existing predictions using machine learning techniques and risk
works focus more on the prediction of risks and do not management standards.
consider—as part of the same process—necessary controls
that mitigate those risks. Our work advances the state of the 2.1 Cyber threat intelligence (CTI)
art through the integration of cyber threat intelligence
(CTI) to the risk management process, to understand con- (Conti, Dargahi and Dehghantanha, 2018) elucidates the
textual information related to the threat actor’s behaviour, increasing number of cyber attacks that requires cyberse-
tactics, techniques and procedures (TTP) and indicators. curity and forensic specialists to detect, analyse and defend
Moreover, it provides a unified process that integrates both against cyber threats in almost real-time. In practice, timely
risk prediction and risk mitigation with the aid of machine dealing with such a large number of attacks is impossible
learning. without intensely perusing the attack features and taking
This paper presents an integrated cyber security risk similar intelligent defensive actions; this, in essence,
management framework(i-CSRM) for the effective security defines cyber threat intelligence notion. [24] targeted to
risk management of critical infrastructures, which brings progress the appreciation of the perception of CTI by
together the above contributions of our work. The proposed awarding a much-needed definition of CTI and producing
i-CSRM includes three main components: a conceptual an idea of the intelligence creation method. In their paper,
view, a process and a tool. It also makes use of the latest Abu et al. [1] identify challenges related to CTI, such as
relevant threat, attack and vulnerability repositories and threat data being overloaded, quality of threat data that is
standards such as the common weakness enumeration shared amongst community members, privacy and legal
(CWE), the common attack pattern enumeration and clas- issues, which governs the lawful sharing of data and the
sification (CAPEC), the CIS critical security control (CSC) interoperability issues faced by threat sharing platforms
and CTI methods for risk management activities. and standards used by the platforms. However, with all
The i-CSRM framework introduces three main novel these challenges, adopting CTI by organisations to help
elements: (a) At conceptual level, it combines concepts them minimise future threats still outweighs its lack of
from the risk management and the cyber threat intelligence adoption.
areas and through those defines a unique process that
consists of a systematic collection of activities and steps for 2.2 Risk management
effective risk management of CIs; (b) It adopts machine
learning (ML) models such as K-nearest neighbours [32] presents an approach on how risk management stan-
(KNN), Naı̈ve Bayes (NB), and neural network (NN) to dards can be extended to a critical infrastructure resilience
predicate possible risk types, empowering organisations management framework. Focusing in particular on the
with early warnings that allow them to plan ahead and organisational and technological resilience domains, which
prevent potential attacks; (c) It introduces a software tool are considered those that can most readily be controlled by
(i-CSRMT) to automate the risk management activities. critical infrastructure operators, the article presents one of
The tool provides a comprehensive workflow to guide users the resilience assessment techniques in some detail to
through individual activities, starting with defining the risk operationalise the overall management framework. [21]
analysis context and applying risk controls. i-CSRMT suggested a novel approach for assessing critical infras-
serves as an additional component of the proposed frame- tructure asset identification using a multi-criteria decision
work that enables asset criticality, risk and control effec- theory to address the difficulties of identifying crucial
tiveness calculation for a continuous risk assessment. assets. The current methodology stops short of providing a
The paper also describes the application of i-CRSM and systematic framework for making important decisions
i-CSRMT to a real case study to demonstrate the overall [4].proposed a novel formal risk assessment approach for
applicability of the framework. The result shows that ML dealing with dangerous accidents’ internal and external
classifiers are able to predicate the risk types with high effects in sensitive infrastructure. This study did not con-
accuracy and i-CSRM is effective to management the risk sider interdependencies, and it also did not have a frame-
on the studied context. To the best of our knowledge, this is work for determining risk level and control mitigations. [8]
the first time that such application and results are reported conducted a study of the current state of cybersecurity risk
on the literature.

123
Neural Computing and Applications (2022) 34:15241–15271 15243

management utilising SCADA systems. The study looked case. The research finds that indications and warning
at the plurality of risk management methods that evolve or frameworks effectively detect cyber threats and risks even
contribute in the framework of the SCADA method. They before they occur in the private sector infrastructure net-
were evaluated and tool-supported in terms of their goals, works. Future research should close the gap and increase
implementation domain, risk management principles, understanding of how governments can apply this frame-
effect assessment, and sources of probabilistic evidence. work and integrate it within the existing processes [34].
Regardless of the various risk reduction methods for describe that machine learning techniques are used to
SCADA structures, the requirement for a holistic solution understand 5G network infrastructures with the emerging
that includes all risk management processes remains IoT and 5G infrastructures. The researchers find that it is
unmet.(Sapori E, Sciutto M and Sciutto G, 2014) proposes possible to deploy power-optimised technology in a way
a risk-based methodology assess security management that promotes the network’s long-term sustainability. They
systems that were applied to railway infrastructure. The propose a machine learning-based network sub-slicing
methodology analysed the system, integrates technological, framework in a sustainable 5G environment to optimise the
human and procedural aspects by using flow charts. network load balancing issues. Future research should
However, identifying critical assets was not the main focus focus on using machine learning to enhance the stability
of this paper. In [20], there is an illustration of a risk and sustainability of network infrastructures. [38] make use
management framework that helps users with cloud of blockchain technology and machine learning to improve
migration decisions, following the necessary risk man- a system’s accuracy and provide precise network results
agement principles. This framework is essential as it and resilience against attacks. The researchers find that
enables users in identifying risks based on the relative machine learning and blockchain technology can be used in
importance of migration objectives and risk analysis with intelligent applications such as unmanned aerial vehicle
the semi-quantitative approach. (UAV) and smart cities. Future research should consider
the issues and challenges in risk management and assess-
2.3 Machine learning for risk prediction ment in blockchain technology.

The literature has also presented work on fundamental 2.4 Risk management standards
concepts and principles of machine learning and their
application to critical infrastructure systems. [18] explored There are a number of standards that provide a compre-
machine learning and deep learning models to make hensive guideline for performing risk management activi-
intelligent decisions concerning attack identification and ties. ISO 31000 (ISO 31000) emphasises on understanding
mitigation. They proposed ML-based secure data analytics organisational internal and external context before per-
architecture (SDA) to help classify attack input data. Their forming any risk management activities. It includes a
threat model addresses research challenges in SDA using systematic process which can be applied to different risk
different parameters such as reliability, accuracy and type including project, financial and safety and used by any
latency. [19] provides a survey of prediction and fore- organisation type. Additionally, the standard provides a list
casting methods applied in cybersecurity. They discuss of definitions and set of principles for risk management.
four main tasks: attack projection, recognition of intention, ISO 27005 (ISO 27005) provides guidelines for a system-
the prediction of next moves, and intrusion prediction. atic and process-oriented information security risk man-
They further discussed the application of machine learning agement approach. A process is described for the
and data mining in threat detection. The results indicate systematic identification, assessment and treatment of
that suitability for machine learning is needed to under- risks, the result of which is a prioritised list that is then to
stand risk and intrusion predictions. Future research needs be continuously tracked. The assessment of risk is based on
to focus more on improvements in attack prediction and its various influencing variables, such as criticality of com-
utilisation in practice. pany assets, extent of vulnerabilities, or impact of known
[26] argued that despite significant advancements in security incidents. ISO 27001 (ISO 27001)provides a list of
identifying, deterring, and mitigating cyber incidents, requirements for the information security management
NATO agencies are discontented, along with the intelli- system. ISO 27005 satisfies the requirements related risk
gence agencies whose strategy against cyber incidents is management defined by ISO 27001. ISO 27001 considers
primarily reactive and implemented rather than being risk management as a core component for the overall
executed before attacks. They proposed an indications and security management. The National Institute of Standards
warning (I&W) framework for the cyber-domain. They and Technology SP 800–39 (NIST 800 -39) provides
have applied that framework and examining its effective- guidelines for managing risk to organisational operations
ness in the private sector and also deployed it on an actual and assets. Risk management is considered as a holistically

123
15244 Neural Computing and Applications (2022) 34:15241–15271

from every aspect of the organisation including organisa- In particular, CTI provides a detailed understanding of
tion, mission, process and information system level. NIST existing threats in terms of threat actor properties, indicator
cyber security improvement framework(NIST -CSF) aims of compromise and TTP. CTI reviews the context of threats
to improve security for the critical infrastructure (CI) using that impact on the organisation and supports the risk
four implementation tiers (i.e. partial, risk informed, management activities to determine the risk level and rel-
repeatable, adaptive) to demonstrate the organisation view evant controls. Therefore, CTI provides a number of ben-
about cyber-security risks and the processes in place to efits in terms of detecting the relevant threats, possible
manage those risks. The tiers includes three main compo- IoCs and TTPs to guide which vulnerabilities are more
nents. i.e. risk management process, program and external exploitable within a specific context. i-CSRM also inte-
participation. It considers profiling to move from current grates the CWE and CAPEC to identify the weakness and
state to target state based on the achievement of cyber relevant threats within the systems. It also includes the CIS
security risk management goals. The Centre for Internet controls to determine the relevant controls for the risk
Security Critical Security Controls (CIS) provides a pri- mitigation. These standards and proactive provide identi-
oritised set of actions that alleviate the most coordinated fication of vulnerabilities and controls for any specific
attacks against systems and systems and can be applied for context. Finally, a number of machine learning models are
critical infrastructure sectors. CIS provides an effective considered for the risk predication including K-nearest
security defence based on 20 critical high level controls neighbours (KNN), Naı̈ve Bayes (NB), and neural network
which are classified as basic, foundational and organisa- (NN). The adoption of standards and techniques provide a
tional. Each control includes a number of sub-controls; wider applicability of the i-CSRM and improve an efficient
hence, there are total 148 sub-controls that map with the risk management practice. i-CSRM consists of three
other relevant standards. components, i.e. conceptual view, process and tool. The
The above-mentioned works are important and con- conceptual view includes a necessary concepts for the risk
tribute to the improvement of the cyber security risk management activities. The process provides a systematic
management domain. However, little effort is taken relat- list of activities that helps organisations to understand the
ing to integrating the threat intelligence data and risk associated risks and the necessary control measures to align
prediction for the overall risk management activities. The with the business goal. This section provides an overview
existing standards provide a generic guideline for risk of these components.
management activities. For instance, ISO 31000 is generic
and lack of guideline how to manage specific risk, whereas 3.1 i-CSRM conceptual language
ISO 27005 does not include any specific information or
details on the implementation of the risk management An important part of understanding the context of the risk
process. NIST CSF also provides limited detailed to mea- analysis depends on clear conceptual elements to represent
sure a specific implementation tier for risk management. and model that context. It basically requires a straightfor-
Our work contributes to address these limitations by ward understanding and precise reinterpretation of abstract
proposing an integrated cyber security risk management (i- ideas or principles to understand what a the system, ser-
CSRM) framework and relevant tool support. i-CSRM vice, etc. are, what they do, how they achieve clear
integrates threat intelligence, risk predication and effec- objectives, and how they can be implemented [7]. To
tiveness of controls within an automated risk assessment support this, i-CSRM includes a conceptual language with
and management process for the critical infrastructure concepts that supports risk assessment and management
protection. activities as well as contextual information. The concepts
of the language are given below:
• Actor An actor represents an individual, such as an
3 Integrated cybersecurity risk
organisation or a human user, that has a strategic goal
management (i-CSRM)
within its organisational context and performs specific
activities [6]. In other words, actors could be an
The proposed integrated cybersecurity risk management (i-
organisation, functional department or set of people
CSRM) framework makes use of a number of open secu-
involved in providing, requesting or receiving critical
rity, vulnerability and control repositories (such as the
services through many forms of information exchange.
common weakness enumeration (CWE), the common
Actor can be internal or external. The internal Actor is
attack pattern enumeration and classification (CAPEC), the
the critical infrastructure organisation that supplies
CIS critical security control (CSC)) and widely used
infrastructure and other services needed to run its
techniques such as CTI and machine learning models for
operations and has skilled personnel who play different
the risk assessment, predication and management activities.

123
Neural Computing and Applications (2022) 34:15241–15271 15245

roles such as risk manager, information technology by a threat actor to gain unauthorised access to an asset
security analyst, senior engineer. External actors are (system or network) using TTP. There are several ways
mainly users outside the organisation who make use of an attacker can exploit vulnerabilities in critical infras-
the services provided by the organisation. tructures, thereby causing severe damage. This could be
• Assets Assets are necessary and have values to the from a threat actor only being able to view information
organisation, such as an organisation’s application or and to a worst-case scenario.
software. The asset concept consists of sub-classes such • Threat The threat is the possibility of a malicious
as asset types, criticality and asset goal. Asset profile attempt to damage or disrupt an organisations asset
describes the necessary descriptive information about (systems or networks), access files and infiltrate or steal
the many components of all the organisation’s asset data. The threat is identified as an individual or group of
types. people attempting to gain access or exploit a vulner-
• Goals The goal of any critical infrastructure includes; ability of an organisation’s asset or the damage caused
the concealment of sensitive data against unauthorised to hinder the organisation’s ability to provide its
users, ensuring the organisation’s assets are made services. Threats such as denial of service or malware
available and accessible to the end-users, and the attacks are famous threats to critical infrastructures,
assets’ ability to perform their required functions causing security challenges to the interconnected
effectively and efficiently without any disruption or devices [2].
loss of service. The asset goals include; availability (A), • Risk Risk is defined as the probable exposure of a threat
integrity (I), confidentiality (C), accountability (ACC) due to the exploitation of the relevant vulnerabilities
and conformance (CON). which impact on the confidentiality, integrity and
• Threat actor Threat actors are individual, groups or availability of the assets. Organisations cannot wholly
organisations with malicious intents to execute a cyber avoid the Risk; however, it is the actors’ role to ensure
attack. It is necessary to identify and characterise that risks are kept to a minimum level to achieve their
possible threat actors for the organisation. It includes a goals. The risk can pose any potential consequences
number of properties to under the threat actors such as relating to financial loss, reputational damage, privacy
skill, motivation, location, resources, size, and oppor- violation non-compliance consequences, disruption of
tunity for intelligence analysis of the threat. any service delivery. To understand a cyber attack, we
• TTP This concept describes the specific adversary have to study the nature of the attack and its motivation
behaviour that a threat actor exploit for an attack. TTP [15]. The severity of risk is estimated based on the
needs a number of resources such as tools, infrastruc- information about the threat actor, vulnerability factors
tures, capabilities and right skill for a threat actor. TTP and the impact of a successful exploit affecting the
is one of the core properties for the cyber threat security goals of the assets to be gathered.
intelligence analysis. A threat actor uses TTP to plan • Controls These are the security mechanism to tackle the
and manage an attack by following a specific technique identified risks for the overall business continuity.
and procedure. They involve the pattern of activities or Generally, the controls are modelled based on its
methods associated with a particular threat actor and functions such as corrective, detective and preventive.
consist of the threat actor’s typical behaviour (attack Preventative controls aims to stop unwanted or unau-
pattern) and specific software tools that can be used to thorised activity from occurring and are designed to be
perform an attack. implemented prior to a threat can materialised; Detec-
• Indicator of Compromise This concept contains a tive controls detect errors and irregularities, which have
pattern that can be used to detect suspicious or already occurred and ensured their immediate correc-
malicious cyber activities. IOC is detective in nature tion. Corrective controls help to mitigate damage once a
and are for specifying conditions that may exist to risk has materialised. This means that the level of attack
indicate the presence of a threat along with relevant determines the type of control used, and the effective-
contextual information. Organisations should be aware ness of the existing controls is evaluated. The CIS_CSC
of the data associated with cyber attacks, known as recommended a list of controls that we adopt for the
indicators of compromise (IOC) as a part of CTI proposed framework. This means that the level of attack
analysis. The sub-classes includes network indicator, determines the type of control to be used and the
host-based indicator and email indicator to detect the effectiveness of the existing controls. To evaluate the
pattern. effectiveness of the existing controls, an assessment of
• Vulnerability Vulnerability is the weakness or mistake each control objective is carried out. We apply a set of
in an organisation’s security program, software, sys- criteria: relevance—the level to which the control
tems, networks, or configurations targeted and exploited addresses the relevant control objectives under analysis;

123
15246 Neural Computing and Applications (2022) 34:15241–15271

strength—the strength of the control is determined by a characterised by their identity, suspected motivation, goals,
series of factors. Coverage means the levels at which all skills, resources available for them to carry out a successful
significant risks are addressed. Integration—the degree attack, past activities, TTP used to generate a cyber attack
and manner in which the control reinforces other and their location within the organisation’s network. A
control processes for the same objective; traceability— threat actor uses TTP to plan and manage an attack by
how traceable the control is, which allows it to be following a specific technique and procedure. The CTI
verified subsequently in all respects. The sub-class is information such as TTP and threat actor properties is used
control type and control effectiveness. for the risk assessment activities. They involve the pattern
of activities or methods associated with a specific threat
The relationships between those concepts are shown in
actor and consist of the threat actor’s specific behaviour
Fig. 1. An actor represents an entity, an organisation or a
(attack pattern) and specific software tools that threat actors
human user that generates strategic, operational and tacti-
can use to perform an attack leaving behind the attack’s
cal plans within its organisational setting. An actor owns a
incident. The incident is the type of event that represents
wide range of assets that require several security goals for
information about an attack on the organisation. Some
supporting the business process. In the context of our
specific components determine the type of incident, such as
framework, an actor is represented as having an interest in
threat types, threat actor’s skill, capability and location,
the organisation’s assets. These assets have security goals
assets affected, parties involved, and time. With a specific
such as confidentiality, integrity and availability for the
attack pattern, the organisation tends to think broadly by
business’s continuation and reputation, and the attainment
developing a range of possible outcomes to increase their
of one or more of the goals is always their focus. Vulner-
readiness for a range of possibilities in the future. With
ability is a weakness in an organisation’s security program,
Indicators, a pattern that can be used to detect suspicious or
software, systems, networks, or configurations targeted and
malicious cyber activity is gathered.
exploited by a threat actor to gain unauthorised access to an
asset (system or network) using TTP. Risk is the failure of
3.2 Process
an organisation or individual to achieve its goals due to the
malicious attempt to disrupt its critical services by a threat.
The i-CSRM considers a systematic process for risk
The threat actor is a type of actor with malicious intent
assessment, predication, and control as presented in Fig. 2.

Fig. 1 A meta-model for i-CSRM at an organisational level

123
Neural Computing and Applications (2022) 34:15241–15271 15247

Fig. 2 i-CSRM process

The process establishes a solid relationship between mul- the effectiveness of the existing controls. Each activity
tiple steps using the concepts for the effective delivery of specifies the steps that need to be followed, and each step
an expected outcome. An activity deals with linked tasks identifies the needful inputs, participating actors and final
that are interdependent that receive and convert one or output. Primarily, the output of each activity serves as the
more input into an output artefact [23]. The i-CSRM pro- input to the next activity that follows it. The effectiveness
cess is decomposed into activities and steps that provide a of the whole process is mainly achieved when conducted
lower level of detail. Activities 1 and 2 focus on the context with the support of security experts delegated by an
of the risk assessment and in particular an organisation’s organisation to oversee the i-CSRM analysis. Hence, an
scope. This helps to gain a comprehensive understanding of organisation must delegate suitable actors to participate
supported assets, functions, goals and essential security and supervise the implementation of the process. In the
requirements. Activity 3 gathers vulnerability and threat next few sections, we provide more information for each of
information from multiple sources through various means, the activities.
to address vulnerabilities protect assets and respond to
threats. Activity 4 determines the risk level and provides a 3.2.1 Activity 1: organisational context
risk register with the previous activities’ data. Activity 5
implements control measures and evaluate the effective- Every organisation exclusively operates within a defined
ness of the existing control. The effectiveness of one scope and available resources. The organisational context
activity determines the essential elements of information activity aims to better define the risk assessment organi-
needed for the next activity. Therefore, activity 5 evaluates sational context by identifying relevant stakeholders,

123
15248 Neural Computing and Applications (2022) 34:15241–15271

critical assets, security goals and how they impact risk incurring complexity within the risk management process.
management and viability. A stakeholder is any entity with This activity includes three steps; identify assets and their
a conceivable interest or stake in an activity [16]. A goals, determining asset criticality, and identifying the
stakeholder can be an individual, group of individuals, or business process. The resulting critical asset list is then
an institution affected by or influences an activity’s impact, used to assess vulnerability and threat identification in
for example manager or administrator. In i-CRSM a Activity 3.
stakeholder is modelled as an actor. To successfully exe-
• Step 1: Asset Profile This step’s basis is to profile assets
cute the process and achieve this activity, it is essential to
in terms of their components, boundaries and assigning
obtain a comprehensive picture of actors and their roles in
weight to the assets based on assets vital to the
meeting requirements. This becomes important in identi-
organisation. Assets are specific units such as a
fying and avoiding potential conflict of interests and other
database, application, or program that support the
issues such as the actors responsible for the security and
delivery and usage of an organisation’s services. To
maintenance of organisational assets.
create asset profiles, a security analyst is involved in
Step 1: identification of actors and their roles this step
identifying assets by considering the core functions of
aims to identify and list the relevant actors. As described in
the assets, alongside other subcomponents essential to
the previous section, an actor represents an entity such as
achieving and maintaining crucial functions. Important
an organisation or human user with a strategic goal within
asset information can be gathered by reviewing back-
its organisational setting, who carries out specific activities
ground materials, including independent audit/analyti-
and makes informed decisions. Actors interact with the
cal reports, interviewing the critical infrastructure users,
organisation’s systems or relationships by providing tech-
and physical observation of organisational assets.
nical and non-technical support or services to the organi-
Besides, asset specification and management documen-
sation. The nature of communications between actors needs
tation provide essential details about the organisational
to be clearly balanced, reconciled, interpreted and managed
asset.
accordingly. The organisation’s activities require an active
• Step 2: Identify Asset Security Goals Identifying assets
set of actors to carry out various tasks to guide and lead the
security goals is vital for an organisation to determine
organisation in achieving its goals and ensuring its suc-
what critical views of security must be ensured by each
cessful operations. In this case, actors can be identified as
asset during processing, storage, or transmission by
internal and external actors. The internal actor is the
authorised systems, applications, or individuals. It also
organisation itself that supply infrastructure, network
supports determining the impact that may result from
facilities and other services needed to run its operations and
accessing assets in an unauthorised manner for use,
has skilled personnel who play different roles such as
interruption, change, disclosure. Therefore, a Security
information technology security analyst, risk manager and
Analyst considers a set of security goals that each asset
senior engineer. External actors mainly include users who
aims to achieve. The consequential impact that may
use the organisation’s services and third-party vendors who
ensure the compromise of the security goals and the
provide other services such as internet services.
level of protection needed can be easily determined.
There are different asset categories we consider for
3.2.2 Activity 2: asset identification and criticality
asset criticality. They include software, data, hardware,
information communications and network and people.
This activity aims to identify and prioritise assets in terms
To better support this step, we have also defined a set of
of their boundary, components and assigning weights to the
asset security goals every asset must aim to achieve.
assets based on the importance they hold for the organi-
These are:
sation. Assets are specific units such as hardware, a data-
base, application, or program that support the delivery and • Asset Availability (A) Availability refers to ensuring
usage of an organisation’s services. Furthermore, to sup- that an asset is made available and accessible to
port organisations in assessing each asset’s criticality, a authorised users when and where they need it.
decision support system using fuzzy set theory is provided. • Asset Integrity (I) Asset integrity refers to an asset’s
A fuzzy set theory provides a way of absorbing the ability to perform its required functions effectively
uncertainty inherent to phenomena whose information is and efficiently without disrupting or losing its
unclear and uses a strict mathematical framework to ensure services.
precision and accuracy and the flexibility to deal with both • Asset Confidentiality (C) Asset confidentiality refers
quantitative and qualitative variables (Zimmermann, to assets staying secured and trusted and preventing
2011). It can be used for approximate reasoning, easy to unauthorised disclosure of sensitive data.
implement and adopt individual perception without

123
Neural Computing and Applications (2022) 34:15241–15271 15249

• Accountability (ACC) This asset goal requires that are depicted on a scale of 1 to 5. Figure 3 shows the
attack or incident actions that occur on an asset are structure of the FACS.
tractable to the responsible system or actor.
Phase 2: Rules There are many fuzzy inference meth-
• Conformance (CON) This asset goal ensures that the
ods; however, this research uses the min–max fuzzy
assets such as services meet the specified standard.
inference method proposed by Mamdani [12]. This
• Step 3: Determine Asset Criticality This step aims to research employs Mamdani’s method due to several
identify and prioritise an organisation’s critical asset by advantages [11]:
assessing those assets’ primary security goals. In other
• It is suitable for engineering systems because its inputs
words, the criticality of each asset is based on its
and outputs are real-valued variables
relative importance. Asset criticality is imperative for
• It provides a natural framework to incorporate fuzzy
prioritising and developing actions that will reduce risks
IF–THEN rules from human experts
to the asset, improve asset reliability, and define
• It allows for a high degree of freedom in the choices of
strategies for implementing the appropriate controls.
fuzzifier, fuzzy inference engine, and defuzzifier so that
To ensure validity, consistency, and support stakehold-
the most suitable fuzzy logic system for a particular
ers in assessing each asset’s criticality, a decision
problem is obtained. It provides a natural framework to
support system using fuzzy set theory is provided.
include expert knowledge in the form of linguistic rules.
Fuzzy set theory plays a vital role in the decision
process enhancement. It helps to deal with or represent We used 125 IF–THEN rules to provide a database by
the meaning of vague concepts, usually in situation mapping five input parameters (C, A, I, CON and ACC)
characterisation such as linguistic expressions like and AC value. The rules are designed to follow the logic of
‘‘very critical’’. Fuzzy logic, introduced by [41], is the asset criticality evaluator. A number of the IF–THEN
one of the best ways to deal with all types of rules of the developed system are shown in Fig. 4.
uncertainty, including lack of knowledge or vagueness Phase 3: Inference Engine An inference engine attempts
[28]. This system provides a methodology for comput- to create solutions from the database. In this paper, the
ing directly with the word. Fuzzy set theory is a inference engine maps fuzzy input sets (C, A, I, ACC and
generalisation of classical set theory that provides a CON) into fuzzy output set (AC). Figure 5 shows several
way to absorb the uncertainty inherent to phenomena IF–THEN rules to provide a more understanding of the
whose information is vague and supply a strict math- proposed FACS model.
ematical framework to ensure precision and accuracy, Phase 4: Defuzzification Different methods for con-
as well as the flexibility to deal with both quantitative verting the fuzzy values into crisp values such as centre of
and qualitative variables. gravity (COG), maximum defuzzification technique and
weighted average defuzzification Technique. One of the
Phase 1: Development of a Fuzzy Asset Criticality
most commonly used defuzzification methods is COG. The
System (FACS) Criticality is the primary indicator used to
COG technique can be expressed as follows:
determine the importance of assets to an organisation. After R
the different assets have been identified, we determine the li ð xÞxdx
X ¼R

ð1Þ
criticality based on their relative importance using the li ð xÞdx

fuzzy asset criticality system (FACS).

where x* is defuzzified output, li(x) is aggregated mem-
• Fuzzification FACS determines asset criticality by using bership function, and x is the output variable.
(C, I, A, CON and ACC) as the five fuzzy inputs for Table 2 displays the asset inventory showing the critical
assessing the criticality of individual assets and assign- level for each asset.
ing a level of criticality. Each input is assigned five
fuzzy labels very low (VL), low (L), medium (M), high 3.2.3 Activity 3: threat modelling
(H) and very high (VH), for assessing the level of the
fuzzy output Asset criticality (AC) value which is The threat modelling activity focuses on identifying and
assigned five fuzzy labels very low critical (VLC), low measuring vulnerabilities and threats related to the assets.
critical (LC), medium critical (MC), high critical (HC) It is expected that this activity is performed by a security
and very high critical (VHC) of individual assets. The analyst or someone with similar knowledge. Based on the
details of fuzzy sets applied in the first step of the fuzzy previous activity’s assets, all possible threats that could
inference system are presented in Table 1, which shows impact the assets negatively are profiled in a register.
the numerical ranges in which fuzzy sets are selected However, effective identification and control of threats
based on them. The membership functions for AC also require an understanding of threat sources, threat actor

123
15250 Neural Computing and Applications (2022) 34:15241–15271

Table 1 Fuzzy ratings

Features Asset factors Description Linguistic Crisp Interpretation
terms rating

Input Confidentiality(C) How much data could be disclosed, and Very High 5 All data disclosed
how sensitive is it? (VH)
High (H) 4 Extensive critical data disclosed
Medium (M) 3 Extensive non-sensitive data disclosed
Low (L) 2 Minimal critical data disclosed
Very Low 1 Minimal non-sensitive data disclosed
(VL)
Availability (A) How many services could be lost, and Very High 5 All services completely lost
how vital is it? (VH)
High (H) 4 Extensive primary services interrupted
Medium (M) 3 Extensive secondary services interrupted
Low (L) 2 Minimal primary services interrupted
Very Low 1 Minimal secondary services interrupted
(VL)
Integrity (I) How much data could be corrupted, and Very High 5 All data corrupt
how damaged is it? (VH)
High (H) 4 Extensive seriously corrupt data
Medium (M) 3 Extensive slightly corrupt data
Low (L) 2 Minimal seriously corrupt data
Very Low 1 Minimal slightly corrupt data
(VL)
Accountability Are the threat actors traceable to an Very High 5 Completely anonymous
(ACC) individual? (VH)
High (H) 4 Fully traceable
Medium (M) 3 Highly traceable
Low (L) 2 Possibly Traceable
Very Low 1 Minimal Traceable
(VL)
Conformance How much deviation from specified Very High 5 Full variation
(CON) behaviour constitutes conformance? (VH)
High (H) 4 High profile variation
Medium (M) 3 Clear variation
Low (L) 2 Low variation
Very Low 1 Very low variation
(VL)
Output Asset Criticality How critical is the asset to the Very Critical 5 Extremely critical and is of high value to the CI
(AC) organisation? (VC) organisation, it requires an extreme level of protection
Highly 4 High importance to the organisation and requires a high
Critical level of protection
(HC)
Medium 3 The asset is moderately important to the organisation and
Critical requires moderate protection
(MC)
Low Critical 2 The asset is of minimal importance and does not require
(LC) many levels of protection
Very Low 1 The asset non-critical and requires a very low level of
Critical protection
(VLC)

123
Neural Computing and Applications (2022) 34:15241–15271 15251

exploit vulnerabilities are known to allow an organisation

to understand and create a threat profile expansively.
Because of these considerations, this activity is split into
two steps for threat modelling: (i) the determination of
vulnerability profile; and (ii) the determination of threat
profile.
• Step 1: Determine the vulnerability profile Determining
the vulnerability profile is vital because it allows for
identifying and assessing vulnerabilities associated with
critical assets. This step aims to identify potential asset
Fig. 3 Structure of the fuzzy asset criticality system (FACS) vulnerabilities that a threat actor may leverage to
exploit an asset. It is an essential and delicate task that
behaviour, capability and intent [40]. This is possible when has an impact on the successful operation of critical
known attack patterns employed by the threat actor to infrastructures. The common weakness enumerator

Fig. 4 Rules set for FACS

Fig. 5 Sample of Rules

123
15252 Neural Computing and Applications (2022) 34:15241–15271

Table 2 Vulnerability factor rating

Vulnerability factors Vulnerability ID Description Likelihood rating
Weight Value

Ease of discovery EoD How easy is it for vulnerability to be discovered? 1 Practically impossible
3 Difficult
7 Easy
9 Automated tools available
Ease of exploit EoE How easy is it for vulnerability to be exploited? 1 Theoretical
3 Difficult
5 Easy
9 Automated tools available
Awareness Awa How well known is this vulnerability to the threat actors? 1 Unknown
4 Hidden
6 Obvious
9 Public knowledge
Intrusion detection I_D How likely is an exploit to be detected? 1 Active detection in application
3 Logged and reviewed
8 Logged without review
9 Not logged

(CWE) methodology [29] is used to determine the identification and understanding of threat characteris-
vulnerability factors as a publicly known vulnerability tics. To determine threats, a structured representation of
source. Therefore, to estimate the likelihood of risk, it is threat information is required that is expressive and all-
necessary to estimate how a particular vulnerability is encompassing due to the dynamic and complex nature
discovered and exploited. We adopt CWE, which of a CPS. Therefore, this step effectively identifies the
allows for weaknesses to be characterised, allowing threat types, target assets, threat actor factors, TTP, and
stakeholders to make informed decisions when miti- compromise indicators likely to affect a critical infras-
gating risks caused by those weaknesses. Each related tructure’s ability to deliver its services. As in previous
weakness is mapped to CAPEC and identified by a steps, our work does not bound to a specific repository.
CWE identifier and the name of the vulnerability type. Although we recommend using CAPEC (Common
The CWE gives a general description, behaviour, Attack Pattern Enumeration and Classification) [3]
likelihood of exploit, consequences of exploit, potential and WASC (Web Application Security Consortium)
mitigation and related vulnerabilities. To apply the (Consortium, 2009) to define the potential threat,
CWE methodology, a rating table is presented in provide context for architectural risk analysis, and
Table 2 with corresponding values assigned to the understand trends and attacks to monitor, a security
different factors that can help organisations determine analyst could explore other available sources of threat
the likelihood of risk. Each option has a likelihood information.
rating from 0 to 9, and the overall likelihood falls
Moreover, to better support this step, we propose the
within high, medium and low, which is sufficient for the
following procedures to support the creation of a compre-
overall risk level. Although our work is based on these
hensive threat profile:
repositories, it is not bounded by them. A security
analyst could explore other publicly available sources • Threat type To create a comprehensive threat profile,
of vulnerability information, including internal experi- organisations need to identify the potential threats of
ence, penetration test, catalogues of vulnerabilities assets that a threat actor may leverage to attack. The
available from industry bodies, national government, Security Analyst needs to back up his claim with a solid
and legal bodies. The questions can also be extended to foundation of Information sources.
meet the organisation’s need. • Threat actor factors Effective identification and control
• Step 2: Determine threat profile Determining the threat of threats require an understanding of threat sources,
profile is essential because it allows for the threat actor behaviour, skill, resources required,

123
Neural Computing and Applications (2022) 34:15241–15271 15253

Table 3 Threat actor factors rating

Threat actor Description Likelihood rating
factors
Weight Value

Skill level How technically skilled is the threat actor? 1 No technical skills
3 Some technical skills
5 Advanced computer user
6 Network and programming
skills
9 Security penetration skills
Location Through what channel did the threat actor communicate to reach the 1 Internet
vulnerability? 8 Intranet
8 Private network
7 Adjacent Network
5 Local Network
2 Physical
Motive How motivated is the threat actor to find and exploit the vulnerability? 1 Low or no reward
4 Possible reward
9 High reward
Resources What resources are required for the threat actor to find and exploit the 0 Expensive resources required
vulnerability? 4 Special resources required
7 Some resources required
9 No resources required
Opportunity What opportunities are required for the threat actor to find and exploit the 0 Full access required
vulnerability? 4 Special access required
7 Some access required
9 No access required
Size How large is the group of the threat actor? 2 Developers
2 Systems administrators
4 Intranet users
5 Partners
6 Authenticated users
9 Anonymous internet users

capability and intent [40]. Therefore, we adopt the privileged escalation, defence evasion, collection, lat-
OWASP methodology that considers various threat eral movement, exfiltration and command and control.
actor factors such as skill level, size, motivation, The different IOC include network indicators, email
location, resources, and opportunity to understand the indicators and host indicators. Therefore, we adopt the
attack and its trend. Using these threat actor factors, a ATT&CK (adversarial tactic, techniques and common
Security Analyst can determine the likelihood of an knowledge) framework developed by MITRE to doc-
attack and the severity of the threat. This will provide ument standard TTP used to target, compromise and
the ability to create an impact rating for threats. We operate in an enterprise network. Using such framework
have developed a set of threat actor factors, and makes our approach easier to adopt due to the wide
corresponding options of like hood rating as presented usage of the ATT&CK framework. To calculate the risk
in Table 3. level and know the appropriate controls to protect the
• Determine tactics, techniques and procedures (TTP) organisation’s assets, information about TTP must be
and indicator of compromise (IOC) TTP and IOC known. We have defined possible TTP and IOC that are
involve the pattern of activities used by a threat actor to frequently employed when exploiting a vulnerability as
plan and manage a cyber attack, thereby compromising shown in Table 4.
critical assets. The different TTP types include initial
access, execution, credential access, persistence,

123
15254 Neural Computing and Applications (2022) 34:15241–15271

Table 4 TTP and IOC [37]

Tactics type Techniques Procedure IOC

Initial access Spear-phishing link It employs links to download malware in an email by electronically delivering social Email,
engineering targeted at a specific individual or organisation Network
Drive-by compromise A threat actor gains access to a system by visiting a website over the ordinary browsing Network
course. The website is compromised where the threat actor has injected some
malicious code
Replication through The threat actor uses a tool to infect connected USB devices and transmit them to air- Host
removable media gapped computers when the infected USB device is inserted
Spear-phishing A threat actor attaches and sends a spear-phishing email with malicious Microsoft Email
attachment office attachment and requires user execution in other to execute
Execution Command-line The threat actor uses a command-line interface to interact with systems and execute Host
interface other software during operation
Dynamic data Threat actor sends a spear-phishing containing malicious word document with DDE Host,
exchange (DDE) execution Network
Execution through The threat actor uses this functionality to create a backdoor through which it can Host
module load remotely load and call dynamic link library (DLL) functions
Exploitation for client Threat actor exploits a vulnerability in office applications, web browsers or typical Network
execution third party applications to execute the implant into the victim’s machines
Persistence Account manipulation Threat actor adds a created account to the local administrator’s group to maintain Host,
elevated access Network
Accessibility features The threat actor uses a combination of keys known as the sticky keys to bypass a user’s Host,
windows login screen on remote systems during the intrusion Network
Component firmware Threat actor overwrites the firmware on a hard drive by compromising computer Host,
components Network
Privilege External remote Threat actors leverage legitimate credentials to log into external remote services Host,
escalation services Network
Defence Disabling security Threat actor disables the windows firewalls and routing before binding to a port Host,
evasion tools Network
Credential Brute force Threat actor brute forces password hashes to be able to leverage plain text credentials Host,
access Network
Discovery Network sniffing The threat actor uses a tool to capture hashes and credentials sent to the system after the Host,
name services have been poisoned Network
Network service Threat actor used BlackEnergy malware to conduct port scans on a host Host
scanning
System information The threat actor uses tools such as systeminfo that obtains information about the local Host
discovery system
Lateral Remote services The threat actor uses putty secure copy client (PSCP) to transfer data or access Host
movement compromised systems
Third-party software Threat actor distributes malware by using a victim’s endpoint management platform Host
Collection Data from information Threat actor collects information from Microsoft SharePoint services using a Host,
repositories SharePoint enumeration and data dumping tool within target networks Network
Email collection The threat actor uses utilities to steal email from archived outlook files and exchange Email, Host,
servers that have not yet been archived Network
Man in the browser The threat actor uses a Trojan spyware program to perform browser pivot and inject Network
into a user’s browser and trick the user into providing their login credentials on a fake
or modified web page
Exfiltration Data encrypted The threat actor uses malware such duqu to push and execute modules that copy data to Host
a staging area, compress it, and XOR encrypts it
Command Commonly used port The threat actor uses duqu, which uses a custom command and control protocol that Network
and control communicates over commonly used ports and is frequently encapsulated by
application layer protocols
Remote file copy The threat actor used Shamoon malware to download an executable to run on the Network
victim

123
Neural Computing and Applications (2022) 34:15241–15271 15255

Fig. 6 Classification process about the primary analysis

Table 5 Overall likelihood for establishing the risk assessment context by following
Likelihood Rating
rating the threat register and formally approves the risk man-
Low 0.00–2.99 agement activities within the organisation. The activity
Medium 3.00–5.99 provides various additional estimations required for the
High 6.00–9.00 risk evaluation by enabling the determination of risks that
are likely to occur, the severity of the risks, and the steps to
control or manage the risks. This activity prioritises the risk
3.2.4 Activity 4: risk assessment as high, medium and low.
Step 1: Predict Risk Types This step proposes using
The output of threat modelling provides a list of vulnera- machine learning techniques for predicting risk type, so
bilities, related vulnerabilities, potential security threats, that appropriate mitigation processes can be implemented.
and assets’ impact. The threat register serves as a help to In this context, risk type prediction relies on a pioneering
the security analyst to orchestrate a risk register’s creation mathematical model such as machine learning for
and focus on the most potent threats. This activity allows

Table 6 Impact factors

Impact factors 0 to \ 3 (Low) 3 to \ 6 (Medium) 6 to 9 (High)

Loss of Minor disclosure of critical assets Critical assets are significantly affected Highly critical assets are extensively
confidentiality affected
Loss of integrity Minor compromise of critical assets Critical assets significantly compromised All highly critical asset extensively
compromised
Loss of Minor interruption of critical assets Critical assets significantly interrupted All critical assets extensively lost
availability
Loss of Threats are fully traceable Threats are possibly traceable Threats are completely untreatable
accountability
Loss of A minor breach of compliance A significant breach of compliance All compliance requirements
conformance requirements requirements significant breached

123
15256 Neural Computing and Applications (2022) 34:15241–15271

analysing, compiling, combining and correlating all inci- • Phase 1 To estimate the overall (L) likelihood of the
dent-related information and data acquired from previous risk, threat actor factors and vulnerability factors are
activities. The machine learning (ML) techniques auto- put into consideration, as shown in Eq. 1. Each
matically find valuable underlying patterns within i-CSRM option has a likelihood rating from 0 to 9, as shown
concepts used as features, and then the patterns predict risk in Tables 3 and 4. The overall likelihood falls within
types. The i-CSRM features are considered input for the high, medium and low, sufficient for the overall risk
ML classifiers and ML classifiers to predicate the risk type. score. Table 5 shows the overall likelihood level.
Therefore, we used well-known classifiers such as TAF þ VF
K-nearest neighbours (KNN), Naı̈ve Bayes (NB), the Naı̈ve L¼ ð2Þ
2
Bayes multinomial (NB-Multi), neural network (NN) with
Ralu activation function at activation layers and sigmoid
where L= likelihood, TAF = threat actor factors, VF =
function at the output layer, decision tree (DT), random
vulnerability factors
forest (RF), and logistic regression (LR) for risk type
prediction. TAF ¼ SL þ L þ M þ Res þ Opp þ S=n ð3Þ
We present data extraction to generate a feature set, where SL = skill level, L = location, M = motivation, Res =
which is then further used on the ML classifiers for training resource, Opp = opportunity, S = size, n = total number of
purposes. Finally, the test data are used to check the TAF factors (6)
accuracy of the prediction. Figure 6 shows how these
features are used to train the classifiers and the step-by-step VF ¼ EoE þ EoD þ Aw þ ID=n ð4Þ
process of the risk prediction, i.e. the experiment in gen- where EoE = ease of exploit, EoD = ease of discovery, Aw
eral. Data collection and extraction were considered from = awareness, ID = intrusion detection, n = total number of
the dataset; feature extraction was carried out on those data VF factors (4)
and used to train the ML classifiers (NN, RF, LR, NB- Phase 2 To estimate the overall (ImpactF) impact of a
Multi DT, KNN and NB). The data were further partitioned successful attack, we consider the total loss of the asset’s
into 80% training and 20% testing. We used the widely goals, as shown in Eq. 5. Each factor has a set of options
known tenfold cross-validation scheme to split the given with an impact rating from 0 to 9, as shown in Table 6.
data into testing and training set and reported the average
results obtained over the ten folds. Predictions are carried ImpactF ¼ AF=n ð5Þ
out on the testing dataset, and accuracy measures the pre- where ImpactF = impact factor, AF = asset factors
diction. Also, risks types from multiple industry bodies can (L_C ? L_A ? L_I ? L_ACC ? L_CON), L_C = loss of
be considered because they maintain a regularly updated confidentiality, L_A = loss of availability, L_I = loss of
list of most pressing security risks. For example, the integrity, L_ACC = loss of accountability, L_CON = loss
common attack pattern enumeration and classification of conformance, n = total number of the technical factors
(CAPEC) provides a comprehensive list of risks that can be (5).
used for understanding and enhancing defence. All these The overall impact level rating is three scales: low
sources can be used. (0.00–2.99), medium (3.00–5.99) and high (6.00–9.00).
• Step 2: Determine Risk Level After information about Phase 3: Determine Risk Severity To determine the risk
the potential risk types, threat, vulnerabilities and assets level, we estimate the likelihood and impact are combined
have been identified and gathered, the next step is to to calculate the overall severity of risk using Eq. 6.
determine the risk level of all the possible risk types RLevel ¼ L  ImpactF ð6Þ
predicted. The risk level is usually not known and not
where RLevel = the risk level, I = the impact of the asset
estimated correctly. In essence, organisations need to
goals, L = the likelihood of the attack occurring within a
rate security risks that have been identified. Therefore,
given time-frame.
for the risk level to be estimated, we used the technical
Overall risk severity is rated as high (00–20), medium
impact factors. The technical impacts factors are
(21–45), high (46–65), and critical (66–81).
inclined towards an asset’s security goals that include;
confidentiality, integrity, availability, accountability,
3.2.5 Activity 5: risk controls
and conformance. Also, information about the threat
actor and vulnerability factors needs to be gathered. The
This final activity determines the control necessary to
aim is to provide a rough estimate of the risk level’s
tackle the identified risk. This activity advocates to adopt
magnitude if a risk occurs.
CIS CSC that guides to identify the necessary control. The
standard provides 20 control types which are categorised

123
Neural Computing and Applications (2022) 34:15241–15271 15257

into three different classes. The primary objective of this OE ¼ R þ S þ C þ I þ T ð7Þ

activity is to specify relevant controls and evaluates the
effectiveness of the existing control to determine whether where OCE = overall control effectiveness, R = relevance,
new controls are required to tackle the identified risks. The S = strength, C = coverage, I = integration,
activity consists of four steps to identify the controls and T = traceability.
determine the effectiveness of existing controls. • Step 3: Implement Control Measures to Determine New
• Step 1: Identification of Existing Control Types This Risk Status This step involves performing appropriate
first step identifies the existing controls and categorises analysis to measure the status of the risk by imple-
them based on the functionalities, i.e. corrective, menting the control. Each criterion helps the assess-
detective and preventive, to mitigate the risk. The ment; a rating score from 0 to 9 is given to measure
control categorisation supports the organisation to which control addresses the specific control objective. It
understand which control types are more implemented helps to further displays the current risk status for each
within the context. Once the controls are identified, it is risk type. It presents the risk events and their calculated
necessary to determine the effectiveness of the existing risk values, and the control measures that can be used to
controls. mitigate the risk.
• Step 2: Evaluating the Effectiveness of Existing Con- • Create a Risk Register This final step produces a risk
trols This step involves assessing the effectiveness of register as one of the main output of i-CSRM. The risk
existing controls and determines the level of effective- register provides a detailed about the risk, vulnerability
ness using criteria rating presented in Table 7. This step and threat profile, assets and security goals. It displays
also evaluates if existing controls are not adequate, then the results of the risk calculation in terms of risk level
new controls would be recommended for the risk and suitable controls to address the risks.
mitigation. If a control does not work as expected, this
may cause vulnerabilities leading to risks. Considera-
tion should be given to the situation where a selected 4 Integrated cyber security risk
control fails in operation, and therefore complementary management tool (i-CSRMT)
controls are required to address the identified risk
effectively. The controls are evaluated in terms of The i-CSRM tool is an implementation of the i-CSRM
relevance, strength, coverage, integration, and trace- process. An automated tool designed to support i-CSRM
ability according to ISO 27005:2011 standard (GOST, activities that an organisation uses to perform security risk
2009). For each criterion, a rating score from 1 to 5 is analysis and control for critical infrastructures. It provides
given to measure the effectiveness. Table 7 shows the a comprehensive workflow to guide the user through the
five different criteria rating. individual activities, starting with identifying the actors
The overall effectiveness of the controls is ranked into and their roles within the organisation, identifying critical
five scales: insignificant (0–5), minor (6–10), moderate assets, revealing the particularly dangerous threats, risk
(11–15), major (16–20), and critical (21–25). calculation and finishing with control evaluation. This
To find the overall evaluation of each control, Eq. 7 is helps to minimise the efforts required to perform the risk
given: management activities and provide accurate information
about the risk level based on the CTI context to implement

Table 7 Criteria rating

Rating Description

5 Adequate control The control achieves the objectives intended to mitigate the risks
4 Adequate control with some areas of The control achieves the objectives intended to mitigate the risks with evidence of some areas,
improvement though not critical, subject to improvement to meet sound controls’ requisites
3 Generally adequate control, with The control mostly mitigates the risks intended to mitigate the risks. However, the characteristics of
some critical areas some of the controls are not entirely consistent with basic sound controls
2 Inadequate control, subject to The control partially achieves the control objectives intended to mitigate the risks
significant improvement
1 Insufficient control The control is not sufficient to achieve the control objectives intended to mitigate the risks

123
15258 Neural Computing and Applications (2022) 34:15241–15271

the proper controls. It is also designed to enable organi- layer provides the technical deal with dynamic content and
sations to use threat intelligence report to predict a certain streamlines the database’s faster access to extract results.
risk level. Another critical aspect of i-CSRMT is that it is
formed based on the principles of renowned industry-s- 4.1.3 Database layer
tandard. Also, the tool can be simultaneously accessed and
used by multiple users and different organisations and The database provides a centralised place where data
allows managing multiple different projects simultane- captured in the tool are stored, manipulated and accessed.
ously. The tool also provides a separate web interface for The layer comprises database management systems
the different actors within the organisation (application (DBMS) and the database, which is built using MySQL.
administrators), giving them access to the user and project The database layer’s rationale is to centralise all data
management. storage, store and retrieve the application data. In other
words, it contains the methods for accessing the underlying
4.1 i-CSMT architecture database data. Fundamentally, the database layer is
responsible for storing numerous types of data the tool will
i-CSRMT is a three-tier web-based system comprising of a take as an input, generate as output and other external
presentation layer, application layer and data layer. From a services that the tool may use. The database is accessible to
logical point of view, three-tier architecture is used to the system administrators and employees as shown in
improve the tool’s modularity and mainly allow for easy Fig. 7.
extension of features. Using client–server architecture,
users can use any web browser to connect to the many 4.2 i-CSRMT features
services supported by the tool, such as initiating audit
assessments. On the server-side, the webserver receives This section provides an overview of i-CSRMT features as
requests from the client, handles the request and generates shown in Fig. 8. These features follow the main activities
an appropriate response to the client. The three-tier archi- of the i-CSRM process mainly asset identification and
tecture role of three-tier architecture is explained as: criticality, threat modelling, risk assessment and reporting.
Therefore, the output of each activity is considered as a
4.1.1 Presentation layer feature of i-CSRM. The features support interaction among
multiple users and allows the users to split their work and
This layer manages the communication with the Web delegate responsibilities. The application administrators
browser, renders the application Web pages, and controls can define dynamic user roles and assign them to the users
the user access. The layer consists of a single module that to restrict their access to specific application parts. The
represents the user interface. It is implemented using the primary purpose is to provide a general understanding of
Java Play Framework [25] and follows the Model-View- how the tool is decomposed and how the individual com-
Controller [13] architectural pattern. The Views represent ponents work together to provide the desired functionali-
the contents of the application Web pages and are built ties. In general, the tool focuses on minimising the efforts
using HTML, PHP, CSS and JavaScript. Some Views required to perform the risk management activities and
contain only parts of the user interface; either embedded provide accurate information about the risks. The tool’s
into the Web pages or loaded dynamically using AJAX. main features include a main dashboard consisting of
The server’s communication is managed using Controllers, essential functions that can be performed. Each function-
which handle the HTTP requests and return responses ality contains essential components of a risk management
Views. process. The main features include actor identification,
asset criticality, threat modelling, risk assessment, control
4.1.2 Application layer effectiveness, and report dashboard.

The application layer is built using PHP, and it plays the

role of linking together all the three layers by technically 5 Evaluation of i-CSRM
processing the various inputs and selections received at the
presentation layer and interacting with the vast database in The primary purpose of the evaluation is to determine the
the third layer. Also, the layer houses the web server, applicability of the i-CSRM Framework in a real-world
scripting language and the scripting language engine of the scenario. The evaluation comprises a set of associated
tool. The Web server enables the processing of HTTP methodologies and techniques with a distinct purpose of
requests for initiating the activity process. The application providing the means to establish the value, quality and
relevance of research, and in some cases, provides

123
Neural Computing and Applications (2022) 34:15241–15271 15259

Fig. 7 Admin dashboard for managing companies

Fig. 8 Features and components of i-CSRMT

feedback necessary for improvement (Boudreau, Gefen and 5.1 Case study: implementation of i-CSRM
Straub, 2001). There are many empirical evaluation framework
methods and techniques that could be adopted, such as
action research, experimental methods and descriptive This presents the implementation of the i-CSRM frame-
methods. work process as well as i-CSRMT using the case-study. By

123
15260 Neural Computing and Applications (2022) 34:15241–15271

following the i-CSRM process from start to end over some 5.1.3 Recent cyber incident
time, we systematically applied all the activities and steps
within the i-CSRM process using i-CSRMT and the DisCos is an official body with branches geographically
opportunity to collect feedback towards evaluating its split [31]; each has its workstations networked to allow
validity. Therefore, a detailed description of the case study personnel to perform their tasks. All branches deployed a
is provided by first presenting background information and new SCADA system to improve power reliability, cyber-
implementing the existing system. security, and resilience to disruption. They use a SCADA
consisting of 5 generic machine types connected to a local
5.1.1 Study context Ethernet LAN to support their services. In a recent event,
an employee monitoring the SCADA system in one of the
DisCos power holding company in Nigeria distributes branches received a carefully crafted spear-phishing e-mail
electricity [22] across the country, which serves at least message from a highly skilled anonymous organisation that
30,000 customers within a geographical area, with several contained a malicious Microsoft Word attachment and
branches and employees located in different states in disguised as a medical report of his sick son. The employee
Nigeria. The company is structured based on functional clicked and opened the document, and malware was dis-
divisions, which include administration, support and IT. covered to have spread across the network, operating sys-
The company’s first services are to provide last-mile ser- tems, and targeting the SCADA system, which led to the
vices in the electricity supply value chain, transforming or unstable power system operation in the branch. The
stepping down electricity from the high voltage at the anonymous organisation gathered hashed credentials over a
transmission level to lower voltage depending on the cus- server message block (SMB) to identify information by
tomer’s category. They are responsible for the marketing downloading the word document. The anonymous organi-
and sale of electricity to customers, providing a tax to the sation accessed workstations and servers on the corporate
government, collecting bills, handling electronic payments, network that contained data output from control systems,
exchanging information and providing customer care accessed files about the SCADA systems, leaked network
functions in its geographical area. In improving the conti- credentials, organisational design and control system
nuity of service, timely recognition of faults, continuous information to a command-and-control server outside
monitoring and protection of the power systems, the Discos organisation, and accessed e-mail accounts using
company recently implemented a supervisory control sys- outlook web access (OWA).
tem in all of its branches for sustainable service delivery. The anonymous organisation used a virtual private
network (VPN) to maintain access to networks even with
5.1.2 The workflow network proxies, gateways and firewalls. After the
employee visited one of the compromised servers, a
The power distribution happens through a power distribu- backdoor was installed on the machine, providing the
tion substation that comprises other components such as anonymous organisation with remote access to the envi-
circuit transformers, breakers, and a bus bar. The bus bar ronment (networks, systems, databases). The anonymous
splits and distributes power to distribution lines for organisation having available resources, disabled the host-
reaching out to customers. The substation’s whole distri- based firewalls, obtained a foothold and the exploration
bution process and components are managed by a cyber- activity primarily cantered on identifying the central host
physical control system, consisting of a Supervisory Con- computer server with the highest volume of personally
trol and Data Acquisition (SCADA) system. In other identifiable information (PII) script folder and file names
words, the SCADA system monitors the entire power from hosts. The anonymous organisation gained access to
control system in real-time by performing automatic the database host computer server by leveraging its active
monitoring and controlling of various equipment within the directory information to identify database administrators
distribution lines. It also maintains the desired operation and their computers. Passwords were cracked using pass-
conditions, interrupts and restores power service during word-cracking techniques, allowing the anonymous
fault conditions. SCADA system also checks the status of organisation to gain full access to those systems. This
various equipment continuously and sends control signals caused a loss of data and operational disruption as a result
to the remote control unit accordingly. Further, it also of network and computer security failure. This particular
performs operations such as bus voltage control, load bal- incident has resulted in an electrical power blackout that
ancing, circulating current control, overload control, and remained for up to 2 weeks, affecting around 30,000 cus-
transformer fault protection. tomers and their businesses. As a result, DisCos has deci-
ded to use i-CSRM framework to assess future impact and
control measures for similar incidents in the other

123
Neural Computing and Applications (2022) 34:15241–15271 15261

Table 8 List of actors and their roles

Type Actors Role

Internal Senior management Comprises high ranking personnel of the company whose responsibility is to coordinate, plan, oversee and
representatives direct the overall project
IT Managers In charge of the company’s technology strategy and responsible for coordinating and leading the
company’s IT experts/IT department in implementing the Framework’s process
System Analyst Responsible for coordinating the development of systems, asset requirements, and control measures for
ensuring the security of all assets
System Administrator Responsible for the technical oversight of the entire content management system. He was also charged
with installing, supporting and maintaining servers, responding to service outages and other problems
Security Analyst Responsible for identifying cyber threats and establishing plans and controls to protect assets. Also
responsible for performing vulnerability testing, risk analysis and security assessment activities
Risk Manager Risk Manager communicates risk policies and processes for an organisation. They ensure controls are
operating effectively, provide hands-on development of risk models involving market, credit and
operational risk and provide research and analytical support
Registered Users Registered users who have permission to use the system

Table 9 Assets Identification

Asset category Sub-asset category

Software assets Microsoft office, Master boot record/files, Mail server, Service Manager, Windows/Android operating
systems, UPS remote management interface, Computer security protection, Virtual machines, User identity
access management
Hardware assets Computer systems, Remote login systems, Windows machines, Keystroke Logger, Hard drives
Data assets Skype messages, Internal domain names, Network/system information, Sensitive information, Admin
credentials
SCADA systems Industrial control systems (ICS), HMI computers, Remote terminal unit (RTU), Substations, ICS providers,
SCADA database software, Programmable logic controllers (PLC), Firmware, Substations Ethernet
devices, SCADA database software, Workstation, ICS software application and windows
Information and Communication Company’s computer network, Virtual private network, Router/modem/ switches/proxy/gateways, Firewall
Networks UPS server, Network Internal server, Public-facing services, Command and control servers, Website,
Remote access services, Operational network, Remote access services, URL, Bluetooth

branches. A brief description of a scenario allows us to setting was decided, a project team was developed, and a
exemplify how the DisCos could benefit from our proposed first step was taken towards starting the activities. The
Framework. project team comprised of representatives from senior
management, the IT department and other stakeholders
5.2 Implementation of i-CSRM for the study within the company.
context
5.2.1 Activity 1: organisational context
In the context of DisCos, we had the opportunity to
determine i-CSRM relevance to a real-life context. As part We started the activities defined in the proposed i-CSRM
of managing the entire evaluation process, the company framework with the organisational context, which allowed
assigned a team of professional stakeholders to guide the us to identify the organisation’s key objectives and
entire evaluation process and ensure necessary support to understand the key actors and their roles within the
ensure evaluation is achieved in an ideal manner. This organisation. This enabled us to interact more effectively
section provides a detailed description how the framework with key actors to gather information and implement the
is applied to the case study. Before starting the activities, a proposed i-CSRM framework.
meeting was organised where the evaluation plan’s overall

123
15262 Neural Computing and Applications (2022) 34:15241–15271

Table 10 Asset criticality results

Asset name Asset description Asset goals Fuzzy Asset
output criticality
Fuzzy input level
C A I CON ACC

Routers, firewalls, Monitor, analyse and filter any harmful signs, while being connected 1 3 4 4 1 2.5 Medium
intrusion detection to the corporate network critical
systems
Databases Stores sensitive information about its customers, personnel, 4 4 3 4 5 4 Highly
marketing, landlords, tenants, transactions, assets, finances, and critical
other information about the company’s business process
Company and Represent sensitive and private information about employees, 3 3 3 4 4 3.5 Medium
customer data finances, assets critical
Web and application Provides processes and delivers web contents such as images and 1 3 3 1 1 2 Low
Servers assets information to employees and customers. The application critical
server provides the platform for hosting frontend applications used
by the company
SCADA systems Provides the user interface that allows employees and customers to 2 5 5 1 4 3 Medium
visualise, access, and patronise the company’s services critical

Fig. 9 Asset criticality result

• Step 1: Identification of Actors and their roles During interact more effectively with the key actors to gather
the initial meeting and interaction with the implemen- information and implement the proposed i-CSRM
tation team, we were able to identify the key actors that framework. Table 8 provides a list of different actors
support and influence the project and the different roles and their roles.
they play within the organisation. This enabled us to

123
Neural Computing and Applications (2022) 34:15241–15271 15263

5.2.2 Activity 2: asset identification and criticality security analyst conducted a high-level brainstorming
exercise with the help of other team members to
The project team embarked upon initial knowledge identify the most critical security goals for the assets
extraction through senior management support, and active identified in the previous step. At first, some represen-
involvements were initial information that facilitated the tatives of DisCos emphasised that they are particularly
identification of the organisation’s critical assets. This worried about the privacy of data held by the CPS and
enabled us to understand how things are done in the availability of the services. However, the security
organisation regarding its activities, followed by identify- analyst explained that the team had reviewed the
ing the security goals that are part of an essential compo- information collected during the previous step and
nent of the organisation’s assets and identifying the most examined every functional requirement for the system
critical assets. through less important security goals such as confiden-
tiality, integrity, and availability.
• Step 1: Asset Profile The IT manager was involved in
• Step 3: Determine Asset Criticality Having identified
explaining and documenting the system and its com-
the system’s assets and its related security goals, the
ponents, which provided the basis to identify the
project team embarked on the next step of determining
organisation’s critical assets and their security, needs
asset criticality on the identified assets in the previous
to create a consistent asset profile. The IT manager also
step. The criticality level is determined and assessed in
presented a comprehensive overview of the organisa-
greater detail as part of the asset identification and
tion’s assets which are the target of analysis, from
criticality activity. An assessor team consisting of the
where we observed that the system comprises many
security analyst and other experts prioritised assets in
different components as shown in Table 9.
terms of the security goals by applying a novel asset
• Step 2: Identify Asset Security Goals After the asset
criticality system using fuzzy logic proposed in
inventory had been agreed and completed by the team,
i-CSRM process so that the most critical assets can be
the next step was to identify each asset’s goals. The

Fig. 10 Threat and vulnerability profile

123
15264 Neural Computing and Applications (2022) 34:15241–15271

connected with top priorities. This step was conducted and the methods to exploit those weaknesses such that
as a separate brainstorming exercise, and the primary two or more people know they are talking about the
goal was to determine the criticality of the assets same thing. By identifying the weak points, the security
formally approved by all project team members. The analyst documents the meeting’s result by filling a
FACS allows experts to express their differences in the vulnerability profile for the study context, which
inference process with less bias and higher reliability. affected critical assets and caused a threat that led to
Therefore, asset criticality was determined using the risk.
method proposed in the process and each asset is • Step 2: Determine Threat profile Having completed the
assigned a level of criticality using fuzzy inputs and the asset inventory and identified vulnerabilities, the anal-
crisp rating values. The result is shown in Table 10 and ysis team created a threat profile that identified the
Fig. 9. threats that can potentially affect the assets and
compromise sensitive information. To direct this pro-
cess, the project’s team members, a security analyst and
5.2.3 Activity 3: threat modelling
system administrator were brought together to conduct
an informed brainstorming session to identify a detailed
This activity aimed to identify the possible threats and
list of threats, threat actor factors, TTP and IOC. A list
vulnerabilities for the Discos. The activity was organised as
of security threats compiled by CAPEC and WASC was
a workshop, drawn from actors with expertise in risk
presented to the team. Firstly, the team started with
management. The actors involved in this activity included
identifying a combined list of 10 security threats that
the security analyst and a member of senior management.
they perceived to be important to the organisation’s
Also, various methodologies and standards were employed
assets. After a brief reconsideration, the list was
at different steps of performing the threat modelling
updated with three additional threats. Secondly, the
activity. All participating actors were briefed about the
adoption of these two threat classification models
parts of the standard/methodologies used and its benefit.
proved helpful and straightforward in identifying,
• Step 1: Determine the Vulnerability profile The first categorising and determining the impact of potential
step focused on identification of vulnerabilities and threats, and it led to the participants having a better
weaknesses by examining the attack surface and the understanding of threat elements. With the adoption of
relevant threat models. The analysis team moved on to CTI, a better understanding of threat actors, attack
create a vulnerability profile that contains the vulner- patterns, and TTP use is understood by the team. In this
abilities that are exploited and affect assets. To direct regard, the team considered all potential threats to
this process, the project’s team members, a security document the threats, vulnerabilities, IOC and TTP
analyst and system administrator were brought together associated with the assets; a template that shows several
to conduct an informed brainstorming session to threat attributes is used. Figure 10 shows the threat
identify a detailed list of potential vulnerabilities. modelling displays the threat actor factors, indicators of
Secondly, a list of vulnerabilities compiled by CWE compromise (IOC), TTP, related attack patterns, exe-
and CAPEC was presented to the team to understand by cution flow and possible vulnerabilities.
providing a standardised list of software weaknesses
5.2.4 Activity 4: risk assessment
Table 11 Performance of the features on each of the classifiers for
predicting risk types The next activity involved a risk management process
Accuracy Risk type prediction features
whose goal was to identify as many potential threats,
vulnerabilities and risks as possible. The activity was
Asset (%) TTP (%) Threat actor (%) Control (%) organised as a workshop drawn from stakeholders with
LR 95 80 79 39 expertise in risk management. The stakeholders involved in
DT 93 80 76 39 this activity include the security analyst, information
NB-Multi 92 80 79 39 security officer and senior management member. Also,
RF 87 72 79 39 various methodologies, machine learning techniques and
KNN 86 80 76 40 standards were employed at different steps of performing
NB 71 56 63 5 risk management. All participating actors were briefed
NN 4 4 3 3 about the parts of the standard/methodologies used and its
benefit.

123
Neural Computing and Applications (2022) 34:15241–15271 15265

Asset
Risk Type Predicon Features
TTP
95% 93% 92% Threat Actor
87% 86%
80% 80% 79%
80% 80% Control
79% 79%
76% 76%
72% 71%
63%
56%

39% 39% 39% 39% 40%

4%
5% 3%
4% 3%

LR DT NB-Mul RF KNN NB NN

Fig. 11 Performance of the features on each of the classifiers for predicting risk types

• Step 1: Predict Risk Types In this step, a workshop was achieved 95%, 93% and 92%, respectively, for predict-
organised for the identification of risks types. The ing risk type ‘‘Lost and Stolen Assets’’, ‘‘Everything
participants were presented with multiple risk types, Else’’, ‘‘Crimeware’’, ‘‘Cyber Espionage’’ and ‘‘Denial
usually associated with critical infrastructure and assets of Service’’. They failed to identify risk types ‘‘Point of
of all kinds. The risk sources are provided by industry Sale’’ and ‘‘Web Application’’. RF, KNN and NB
bodies and are updated regularly, which means that they achieved 87%, 86% and 71%, respectively, for predict-
provide up-to-date information about the most pressing ing risk type ‘‘Crimeware’’, ‘‘Cyber Espionage’’, and
security issues in information systems and web appli- ‘‘Lost and Stolen Assets’’. NN failed to predict any risk
cations. In particular, a list of risks provided by the type and achieved 4%. Based on the TTP features,
VCDB dataset was presented in the workshop, and the KNN, LR, NB-Multi, and DT achieved an accuracy of
participants were challenged to select those they 80% for predicting risk type ‘‘Denial of Service’’,
perceive to be relevant threats previously identified. ‘‘Cyber Espionage’’ and ‘‘Everything Else’’. RF
We have used ten output categories of risks, and the achieved an accuracy of 72% for predicting risk type
value range for the features is from (R1 =crimeware, ‘‘cyber espionage’’ and ‘‘Everything Else’’ NN failed to
R2 = cyber espionage, R3 = denial of service, predict any risk type and achieved 4%.
R4 = everything else, R5 = lost and stolen assets,
Based on the Threat Actor features, LR, NB-Multi and
R6 = miscellaneous errors, R7 = payment card skim-
RF achieved 79% accuracy for predicting risk type
mers, R8 = point of sale, R9 = privilege misuse and
‘‘Everything Else’’, ‘‘Cyber Espionage’’ ‘‘Privilege Mis-
R10 = web applications) with possible classes. This is a
use’’, and ‘‘Crimeware’’. KNN could predict risk type
multi-class problem, and we have the following risk
‘‘Everything Else’’, ‘‘Cyber Espionage’’, and ‘‘Privilege
types as output features. A list of risks is therefore
Misuse’’ while DT could predict risk type ‘‘Everything
identified.
Else’’, ‘‘Cyber Espionage’’, and ‘‘Crimeware’’ both clas-
• Phase 1: Prediction Result Table 11 presents the six
sifiers with 76% accuracy. The NB achieved 63% accuracy
classifiers’ accuracy performance details in predicting
for predicting risk types ‘‘’’ Cyber Espionage’’ and ‘‘Priv-
the different risk types based on the given CSRM
ileged Misuse’’. NN achieved 3% accuracy and failed to
features (Assets, Controls, Threat Actor and TTP).
predict any risk type. Lastly, based on the control features,
Based on the asset features, LR, DT and NB-Multi

123
15266 Neural Computing and Applications (2022) 34:15241–15271

Fig. 12 The accuracy of different classifiers for various types of input binary features

Table 12 Performance measure for KNN classifier classifiers except NN. Comparing the performance of all
the features shows that NB failed to perform risk type
Output Precision Recall F1-score
prediction based on control features and NN achieved very
1 1.000 0.525 0.689 low risk type prediction based on all the features. There-
2 0.700 0.687 0.693 fore, for the risk types ‘‘Everything Else’’, ‘‘Privilege
3 0.729 0.501 0.694 Misuse’’, ‘‘Denial of Service’’ and ‘‘Cyber Espionage’’ all
4 0.766 0.578 0.659 the input features achieved high prediction. Table 11 shows
5 0.735 0.561 0.636 that Asset and TTP are the best features to predict risk
6 0.614 0.340 0.438 types presented in this work and associated graphical
7 0.820 0.432 0.566 chart in Fig. 11.
8 0.815 0.373 0.512 • Phase 2: Prediction Accuracy After predicting the
9 0.950 0.710 0.813 possible risk types by feeding the CSRM features from
10 0.264 0.711 0.385 VCDB dataset into our classifiers, the next step was to
Accuracy 0.576 0.576 0.576 interpret the different classifiers’ accuracy for various
types of input features. Therefore, the predictive
accuracy percentage of six different machine learning
classifiers based on CSRM features was presented.
KNN achieved the highest accuracy of 40% in predicting However, each feature performed differently within
risk type ‘‘Everything Else’’. LR, DT, NB-Multi and RF classifiers. The best overall predictive accuracy includ-
achieved 39% for predicting risk type ‘‘Everything Else’’. ing all input features was recorded with decision tree
NB and NN achieved an accuracy of 5% and 3%, respec- (DT) algorithm which is (92.92%) on asset features,
tively. Both classifiers failed to predict any risk type. Asset controls (79.26%), TTP (62.73%), threat actor
and TTP features performed well on all the different (61.32%), and full features was (39.12%). The second

123
Neural Computing and Applications (2022) 34:15241–15271 15267

Table 13 Existing control types

Control Attack techniques Control description
type

Preventive Brute force After a certain number of a failed login attempt to prevent passwords from being guessed, set
account lockout policies
Disabling security tools The proper process, registry, and file permission should be in place to prevent the anonymous
organisation from disabling or interfering with the Disco’s security services
Detective Account discovery Identify unnecessary system utilities or potentially malicious software that may be used to acquire
System network information or data about system and domain accounts, and block them by using whitelisting tool
configuration discovery or software restriction policies where appropriate
File and directory discovery
Data from the local system
Spear-phishing attachment Network intrusion prevention systems should be put in place to scan and remove malicious e-mail
attachments
Corrective External remote services Limit access to remote services through centrally managed VPNs, and other managed remote access
internal systems through network proxies, gateways and firewalls
Use strong two-factor or multi-factor authentication for remote service accounts to mitigate the
anonymous organisation’s ability to leverage stolen credentials
Credential dumping Ensure that administrator accounts have complex, unique passwords across all systems on the
network
E-mail collection Use of two-factor authentication for public-facing webmail servers is recommended as a best
practice to minimise the use of usernames and passwords to the anonymous organisation
Forced authentication Use strong passwords to increase the difficulty of credential hashes from being cracked if they are
obtained
User execution Training is required for the Disco employees to raise awareness on raising suspicion for potentially
malicious events
Spear-phishing attachment Antivirus can also be used as it automatically isolates suspicious files

best algorithm is NB-Multi which gave us (91.90%) on (78.74%) and KNN (67.96%). On the other hand,
asset features, control features (78.88%), threat actor neural networks (NN) and Naı̈ve Bayes (NB) did not
(61.33%), TTP (59.54%) and full features gave us make satisfactory prediction accuracy on all the
(39.05%). The third best algorithm is RF, it performed features. It can be noted that the most prominent
well on asset features with (87.36%), control (78.75%), features to detect risk types are Assets and control
TTP (62.03%), threat actor (61.01%) and full features features. The result clearly shows that DT outperformed
(38.93%). The fourth best algorithm is KNN, it other classifiers giving the highest satisfactory accuracy
performed well on almost all the input features, asset for the VCDB dataset for risk type prediction.
features (85.77%), Controls (67.96%), TTP (58.07%), • Phase 3: Results of the different classifier for the input
threat actor (56.80%) and the full features produced the features Fig. 12 shows the accuracy results of different
least accuracy with (29.99%). The fifth best algorithm is classifiers for the various kinds of input features. The
the NB algorithm that performed well on the asset most prominent features to detect the risk type are
features with (71.03%), controls (55.90%), threat actor Assets and Controls, where accuracy is above 70%.
(19.85%), TTP (18.38%) and full features with From left to right (top to bottom), the X-axis denotes
(05.42%). The sixth algorithm which is NN did not different classifiers and Y-axis denotes the correspond-
perform well on all the features, control features is ing accuracy for a given feature set. It can be seen from
(04.02%), asset features is (03.51%), Full feature is the descriptive result shown in Figure 12 based on the
(03.32%), TTP (03.13%) and threat actor (03.06%). asset features KNN, NB-Multi, RF and DT have
This shows that the asset features performed well with produced the most accurate predictions by giving the
DT (92.92%), NB-Multi (91.90%), RF (87.36%), KNN accuracy value of above 70% compared to NB and NN
(85.77%) and NB (71.03%). NN did not perform well classifiers.
with (03.51%). The control features also performed • Phase 4: Results of Confusion Matrix This section
well with DT (79.25%), NB-Multi (78.88%), RF describes the classifiers’ performance on the test data

123
15268 Neural Computing and Applications (2022) 34:15241–15271

Fig. 13 Control effectiveness result

Fig. 14 Control measure implementation

for which the true values are known. This allows for the with KNN which produced better results than other
visualisation of the performance of an algorithm. In this classifiers as shown in Table 12.
case, the best overall predictive accuracy was recorded • Step 2: Determine Risk Level After identifying the
various IOC, TTP, vulnerabilities, threats, and predicted

123
Neural Computing and Applications (2022) 34:15241–15271 15269

the risk types using dataset, we identified and assessed understand the potential risks. It provides a comprehensive
the risks by estimating the assets’ likelihood and and holistic analysis of the risk taken into account the asset,
impact. The Web pages allow the organisation to adapt threats and vulnerabilities so that suitable control actions
various aspects associated with risks and their relations. can be evaluated. The integration of existing standards and
This includes risk types, risk impact, risk likelihood and ML models certainly provides a wider adaption of
control measures. As stated previously the risk calcu- i-CSRM.
lation considers the risk likelihood and impact. The web The i-CSRM framework is a practical approach to assess
page displays the results of the risk calculation. Each and manage cyber security risk, specifically the activities
risk event is evaluated and presented separately with the under the process are operational. The integrated risk
elements used in the calculation and the calculated risk management framework lays out the basics for defining
value. critical assets, evaluating their weaknesses and risks for
determining the appropriate controls. This approach has
made stakeholders aware of the possible threats and pred-
5.2.5 Activity 5: risk controls
icate risk types that could impact their critical services and
business operations, therefore taking the necessary actions
The final activity involved identifying and evaluating
to control threats and risk events from occurring. Further-
existing controls using four seeps.
more, gaining a better view of Disco’s existing risk control
• Step 1: Identification of Existing Control Types We first practices, evaluating them, and suggesting changes raised
identified DisCos existing controls to ensure that the the overall visibility.
controls are working correctly. The organisation The outcomes of our case study were compared to those
detected the controls; some are shown in Table 13 to of other research reported in the literature. Compared to
address the identified risks. The outcome determines the other works in the literature, the applied cyber-security risk
security control budget for the organisation, and management framework is a systematic solution. A previ-
decisions are optimised. ous author [42]) identified a range of security risks and
events through different critical infrastructure domains.
Step 2: Evaluating the Effectiveness of Existing Controls
The work incorporates specific mitigation steps for critical
It was proposed that control effectiveness should be spec-
infrastructures, such as vulnerability assessments and
ified according to five fundamental categories namely:
penetration testing approaches; however, this paper’s
relevance of the control, strength of the control, coverage
emphasis was not just on vulnerability evaluation but also
of the control, integration of the control and traceability of
on how danger can be measured, mitigated, and managed.
the control. The participants became involved and based on
Because of the interdependency between properties, asset
their expert opinion; effectiveness of the existing controls
detection and cascading vulnerabilities were not taken into
is specified in Fig. 13.
consideration. Authors of a previous paper [43] suggested a
• Step 3 and 4: Implement Control Measures to Deter- risk and threat analysis approach for critical infrastructure
mine New Risk Status and risk register We first that focuses on severe incidents while emphasising critical
identified existing controls, to ensure that the controls infrastructure business dependencies. However, no sys-
are working correctly. The Web page allows the tematic study has been performed to define essential assets
organisation to define a list of available controls. The and weaknesses specific to such assets or identify the
user can select the control measure using the control specific chains of events (cascading vulnerabilities). The
rating: None, partial and full as shown in Fig. 14 to authors of a previous paper [8] stressed the need for a
address the identified risks. Finally, the step 4 creates holistic risk management system that includes all phases of
the risk register to record all identified risks and the risk management process, our work reflects this to
controls. enhance the CPS’s cyber-security. In comparison with the
writers of a previous paper (Sridhar, Hahn and Govin-
darasu, 2012a, who suggested a layered method for
assessing risks based on protection, our work evaluated
6 Discussion
risks cyber attacks databases, as well as risk level and
proper controls. Although the writers of a previous paper
The users of the studied context observed that the i-CSRM
(Cardenas et al. 2009) explored a framework for avoiding,
framework is very effectives in terms of performing the
detecting, and restoring attacks for protecting CPS, our
risk management activities. The approach provides a
study presented a mechanism for recognising sensitive
detailed about the assets and traces the vulnerabilities and
properties, evaluating cascading weaknesses, creating
threats based on the identified assets which makes it easy to
cyber attack scenarios, determining the effect of an attack

123
15270 Neural Computing and Applications (2022) 34:15241–15271

happening, and providing preventive controls to better control for the overall business continuity. The partici-
protect the CPS. pants’ observation is that i-CSRM is a practical approach
None of these works provides a structured risk assess- for the risk management, and integration of CTI makes the
ment mechanism that considers the asset criticality before risk management activities more effective. We believe that
evaluating vulnerabilities. Our research identifies and the proposed i-CSRM framework, its process and sup-
contrasts current risk reduction solutions for CPS in critical porting tool will significantly impact the cybersecurity
infrastructure, allowing critical infrastructure organisations domain and state of the art in general. The i-CSRM
to do an in-depth cyber-security study on CPS. There are framework focuses only on the supervised learning
certain similarities between our research and other works in method, which requires labelled dataset. As a part of our
terms of risk assessment and reduction. In a previous paper future research, we would like to deploy the i-CSRM in
(Bialas, 2016b), the authors discussed danger by addressing different CI context and implement different data sets for
interdependencies and risk monitoring. These results are the risk type predication. Additionally, it is necessary to
fully or partially close to what we observed in our study. develop a checklist to make the process easy to use for risk
However, specific threats found [44], such as energy waste assessment and management.
and deploying mobile cloud computing problems, are not
Acknowledgements This work was partially supported by the
strictly comparable to our studied background. Lack of
AI4HEALTHSEC EU project, funded from the European Union’s
contingency planning, emergency response, reporting sys- Horizon 2020 research and innovation programme under grant
tems, robust risk assessment, and the use of machine agreement No 883273 and Cybersane project with grant agreement
learning tools to assess the risk level and analyse the effi- No 833683.
cacy of current controls are some of the specific risk factors
not listed in other reports. We urged consumers and oper- Declarations
ators not to shirk their IT obligations, since the threats of
Conflict of interest The authors declare that they have no known
essential infrastructure vary depending on the organisa-
competing financial interests or personal relationships that could have
tion’s background. It is also important to raise knowledge appeared to influence the work reported in this paper.
of cyber security threats through the whole enterprise and
the supply chain climate, as well as to continue to improve
and use innovative cyber security capabilities to exercise References
risk assessment and risk evolution.
1. Abu MS et al (2018) Cyber threat intelligence–issue and chal-
lenges. Indones J Electr Eng Comput Sci 10(1):371–379
2. Baldoni R (2014) Critical infrastructure protection: threats,
7 Conclusion attacks, and counter-measures. Technical Report. Available
online: http://www.dis.uniroma1.it/*tenace
Risk management is a continuous process for maintaining 3. Barnum S (2008) ‘Common attack pattern enumeration and
classification (capec) schema description’, Cigital Inc, http://
the effective functioning of critical assets for any organi- capec.mitre.org/documents/documentation/CAPEC_Schema_
sational context. In particular, critical infrastructures need Description_v1.3.
resilience for the service delivery and risk management is 4. Bialas A (2016) Risk management in critical infrastructure—
an essential component to achieve this. The threat land- foundation for its sustainable work. Sustainability. https://doi.org/
10.3390/su8030240
scape is constantly evolving with new techniques and more 5. Boudreau M-C, Gefen D, Straub DW (2001) ‘Validation in
sophisticated organised attacks. Therefore, it is necessary information systems research: A state-of-the-art assessment’,
for the risk management activities to consider the threat MIS quarterly, pp 1–16
context to assess and manage the risks. This research 6. Castro J, Kolp M, Mylopoulos J (2002) Towards requirements-
driven information systems engineering: the Tropos project. Inf
proposes the integrated cyber security risk management Syst 27(6):365–389
framework (i-CSRM) that adopts various existing stan- 7. Chen PP-S (1976) The entity-relationship model—toward a uni-
dards and cyber threat intelligence data for risk manage- fied view of data. ACM Trans Datab Syst (TODS) 1(1):9–36
ment. i-CSRM also includes machine learning (ML) 8. Cherdantseva Y et al (2016) A review of cyber security risk
assessment methods for SCADA systems. Comput Secur 56:1–27
models to predicate the risk types so that organisations can 9. Consortium WAS (2009) ‘Web application security consortium
undertake the necessary proactive measures to tackle the threat classification’
risks. The framework also includes a tool support to 10. Conti M, Dargahi T, Dehghantanha A (2018) Cyber threat
automate some of the risk management activities. Finally, intelligence: challenges and opportunities. Cyber threat intelli-
gence. Springer, Berlin, pp 1–6
i-CSRM is applied in a CI-based industrial context and the 11. Cord O (2001) Genetic fuzzy systems: evolutionary tuning and
results of applying the framework are very promising. learning of fuzzy knowledge bases. World Scientific
Specifically the studied context was able to identify and 12. Cordón O (2011) A historical review of evolutionary learning
assess risks using i-CSRM and determine the right level of methods for Mamdani-type fuzzy rule-based systems: designing

123
Neural Computing and Applications (2022) 34:15241–15271 15271

interpretable genetic fuzzy systems. Int J Approx Reason 33. Sapori E, Sciutto M, Sciutto G (2014) ScienceDirect a quantita-
52(6):894–913 tive approach to risk management in critical infrastructures.
13. Enache MC (2015) Web application frameworks. Annals of the Transp Res Proc 3(3):740–749. https://doi.org/10.1016/j.trpro.
University Dunarea de Jos of Galati: Fascicle: XVII, Medicine, 2014.10.053
21(3) 34. Singh SK et al (2020) Machine learning-based network sub-
14. Evans E (2004) Domain-driven design: tackling complexity in the slicing framework in a sustainable 5G environment. Sustain-
heart of software. Addison-Wesley Professional ability 12(15):6250
15. Gandhi R et al (2011) Dimensions of cyber-attacks: Cultural, 35. Straub D, Boudreau M-C, Gefen D (2004) Validation guidelines
social, economic, and political. IEEE Technol Soc Mag for IS positivist research. Commun Assoc Inf Syst 13(1):24
30(1):28–38 36. Strom BE et al (2017) Finding cyber threats with ATT&CK-
16. Goodpaster KE (1991) ‘Business ethics and stakeholder analysis’, based analytics. The MITRE Corporation, Bedford, MA, Tech-
Business ethics quarterly, pp 53–73 nical Report No. MTR170202
17. GOST R (2009) ‘ISO/IEC 31010-2011 Risk management. Risk 37. Tactic A (2017) Techniques and Common Knowledge
assessment methods (ATT&CK)
18. Gupta R et al (2020) Machine learning models for secure data 38. Tanwar S et al (2019) Machine learning adoption in blockchain-
analytics: A taxonomy and threat model. Comput Commun based smart applications: The challenges, and a way forward.
153:406–440 IEEE Access 8:474–488
19. Husák M et al (2018) Survey of attack projection, prediction, and 39. Tounsi W, Rais H (2018) A survey on technical threat intelli-
forecasting in cyber security. IEEE Commun Surv Tutor gence in the age of sophisticated cyber attacks. Comput Secur
21(1):640–660 72:212–233
20. Islam S et al (2017) A risk management framework for cloud 40. Workman M, Bommer WH, Straub D (2008) Security lapses and
migration decision support. J Risk Financ Manage 10(2):10 the omission of information security measures: A threat control
21. Izuakor C, White R (2016) Critical infrastructure asset identifi- model and empirical test. Comput Hum Behav 24(6):2799–2816
cation: policy, methodology and gap analysis. In: Critical 41. Zadeh LA (1988) Fuzzy logic. Computer 21(4):83–93
infrastructure protection X: 10th IFIP WG 11.10 international 42. Abouzakhar N (2013) Critical infrastructure cybersecurity: a
conference, ICCIP 2016, Arlington, VA, USA, March 14–16, review of recent threats and violations. In: European conference
2016, Revised Selected Papers 10. pp 27–41. Springer, Berlin on information warfare and security, ECCWS, pp 1–10
22. Kemabonta T, Kabalan M (2018) Using what you have, to get 43. Hokstad P, Utne IB, Vatn J (2012) Risk and vulnerability analysis
what you want–a different approach to electricity market design of critical infrastructures. Springer Ser Reliab Eng 64:23–33.
for local distribution companies (DISCOs) in Nigeria. In: 2018 https://doi.org/10.1007/978-1-4471-4661-2_3
IEEE global humanitarian technology conference (GHTC). IEEE, 44. Gai K et al (2016) Dynamic energy-aware cloudlet-based mobile
pp 1–2 cloud computing model for green computing. J Netw Comput
23. Knight S, Burn J (2005) Developing a framework for assessing Appl 59:46–54
information quality on the World Wide Web. Inf Sci 8 45. ISO 27005:2018 (ISO 27005) Information technology—Security
24. Kure H, Islam S (2019) Cyber threat intelligence for improving techniques—Information security risk management, https://www.
cybersecurity and risk management in critical infrastructure. iso.org/standard/75281.html
J Univ Comput Sci 25(11):1478–1502 46. ISO 31000: 2018 (ISO 31000) Risk management—Guidelines,
25. Leroux N, de Kaper S (2014) Play for Java: Covers Play 2. https://www.iso.org/standard/65694.html
Manning Publications Co 47. ISO/IEC 27001 (ISO 27001) Information technology - Security
26. Lilly B et al (2019) Applying indications and warning frame- techniques - Information security management systems -
works to cyber incidents. In: 2019 11th international conference Requirements, https://www.iso.org/isoiec-27001-information-
on cyber conflict (CyCon). IEEE, pp 1–21 security.html
27. Machado L, Filho O, Ribeiro J (2009) UWE-R: an extension to a 48. NIST Special Publication 800-39 , (NIST 800-39)Managing
web engineering methodology for rich internet applications. Information Security Risk, Organization, Mission, and Informa-
WSEAS Trans Inf Sci Appl 6(4):601–610 tion System View, https://nvlpubs.nist.gov/nistpubs/Legacy/SP/
28. Markowski AS, Mannan MS (2009) Fuzzy logic for piping risk nistspecialpublication800-39.pdf
assessment (pfLOPA). J Loss Prev Process Ind 22(6):921–927 49. NIST(NIST CSF), Framework for Improving Critical Infrastruc-
29. Martin RA (2007) Common weakness enumeration. Mitre ture Cybersecurity, Version 1.1 , 2018, https://www.nist.gov/
Corporation cyberframework
30. Mbanaso UM, Abrahams L, Apene OZ (2019) Conceptual design 50. Centre of Internet Security (CIS) (2020) https://www.cisecurity.
of a cybersecurity resilience maturity measurement (CRMM) org/
framework. Afr J Inf Commun 23:1–26
31. Onochie UP, Egware HO, Eyakwanor TO (2015) The Nigeria Publisher’s Note Springer Nature remains neutral with regard to
electric power sector (opportunities and challenges). J Multidis- jurisdictional claims in published maps and institutional affiliations.
cip Eng Sci Technol 2(4):494–502
32. Rød B et al (2020) From risk management to resilience man-
agement in critical infrastructure. J Manag Eng 36(4):4020039

123