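@comment{
  Conventions used in this file:
  - entries and field values are delimited with braces; one field per line;
  - names are stored as "Last, First" and corporate authors in double braces
    so BibTeX treats them as a single surname;
  - titles are in Title Case with braces only around acronyms and proper nouns
    that must survive a style's sentence-casing (never the whole title);
  - web sources keep the access date inside howpublished because the target
    styles are classic BibTeX styles without url/urldate support;
  - "internal-note" is an ignored field used for reviewer remarks.
}

@string{NIST = {National Institute of Standards and Technology}}

@article{Almeida2018,
  author  = {Almeida, Lu{\'\i}s and Resp{\'\i}cio, Ana},
  year    = {2018},
  title   = {Decision Support for Selecting Information Security Controls},
  journal = {Journal of Decision Systems},
  volume  = {27},
  pages   = {173--180},
  doi     = {10.1080/12460125.2018.1468177},
}

@article{Bettaieb2020,
  author  = {Bettaieb, Seifeddine and Shin, Seung Yeob and Sabetzadeh, Mehrdad and Briand, Lionel C. and Garceau, Michael and Meyers, Antoine},
  year    = {2020},
  title   = {Using Machine Learning to Assist with the Selection of Security Controls during Security Assessment},
  journal = {Empirical Software Engineering},
  volume  = {25},
  number  = {4},
  pages   = {2550--2582},
  doi     = {10.1007/s10664-020-09814-x},
}

@techreport{NIST-1800-26,
  author      = {Cawthra, Jennifer and Ekstrom, Michael and Lusty, Lauren and Sexton, Julian and Sweetnam, John},
  year        = {2020},
  title       = {Data Integrity: Detecting and Responding to Ransomware and Other Destructive Events},
  type        = {Special Publication (NIST SP)},
  number      = {1800-26},
  institution = NIST,
  doi         = {10.6028/NIST.SP.1800-26},
}

@misc{cisControls,
  author       = {{Center for Internet Security}},
  year         = {2021},
  title        = {{CIS} Critical Security Controls -- Version 8},
  howpublished = {\url{https://www.cisecurity.org/controls/v8} [Accessed: 2024-06-21]},
}

@inproceedings{Dewri2007,
  author    = {Dewri, Rinku and Poolsappasit, Nayot and Ray, Indrajit and Whitley, Darrell},
  year      = {2007},
  title     = {Optimal Security Hardening Using Multi-Objective Optimization on Attack Tree Models of Networks},
  booktitle = {Proceedings of the 14th {ACM} Conference on Computer and Communications Security},
  publisher = {Association for Computing Machinery},
  address   = {New York, NY, USA},
  pages     = {204--213},
  doi       = {10.1145/1315245.1315272},
}

@misc{Drake,
  author       = {Drake, Victoria},
  title        = {Threat Modeling},
  howpublished = {\url{https://owasp.org/www-community/Threat_Modeling} [Accessed: 2023-12-11]},
}

@misc{Feather2005,
  author       = {Feather, Martin S. and Cornford, Steven L. and Hicks, Kenneth A. and Johnson, Kenneth R.},
  year         = {2005},
  title        = {Applications of Tool Support for Risk-Informed Requirements Reasoning},
  howpublished = {\url{https://www.researchgate.net/publication/220403935_Applications_of_tool_support_for_risk-informed_requirements_reasoning} [Accessed: 2024-06-21]},
}

@misc{ITSG-33,
  author        = {{Government of Canada}},
  year          = {2014},
  title         = {{IT} Security Risk Management: A Lifecycle Approach -- Security Control Catalogue},
  howpublished  = {\url{https://www.cisecurity.org/controls/v8} [Accessed: 2024-06-21]},
  internal-note = {TODO: the howpublished URL is identical to the cisControls entry and resolves to the CIS Controls page, not to ITSG-33; replace it with the correct Government of Canada link before publication},
}

@article{Hofner2011,
  author  = {H{\"o}fner, Peter and Khedri, Ridha and M{\"o}ller, Bernhard},
  year    = {2011},
  title   = {An Algebra of Product Families},
  journal = {Software and Systems Modeling},
  volume  = {10},
  number  = {2},
  pages   = {161--182},
  doi     = {10.1007/s10270-009-0127-2},
}

@misc{ISO-31000,
  author       = {{International Organization for Standardization}},
  year         = {2018},
  title        = {{ISO/IEC} 31000:2018 Risk Management -- Guidelines},
  howpublished = {\url{https://www.iso.org/standard/65694.html} [Accessed: 2024-06-21]},
}

@misc{ISO-27002,
  author       = {{International Organization for Standardization}},
  year         = {2022},
  title        = {{ISO/IEC} 27002:2022 Information Security, Cybersecurity and Privacy Protection -- Information Security Controls},
  howpublished = {\url{https://www.iso.org/standard/75652.html} [Accessed: 2024-06-21]},
}

@misc{ISO-27005,
  author       = {{International Organization for Standardization}},
  year         = {2022},
  title        = {{ISO/IEC} 27005:2022 Information Security, Cybersecurity and Privacy Protection -- Guidance on Managing Information Security Risks},
  howpublished = {\url{https://www.iso.org/standard/80585.html} [Accessed: 2023-12-11]},
}

@techreport{NIST-RMF,
  author      = {{Joint Task Force Interagency Working Group}},
  year        = {2018},
  title       = {Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy},
  type        = {Special Publication (NIST SP)},
  number      = {800-37 Revision 2},
  institution = NIST,
  doi         = {10.6028/NIST.SP.800-37r2},
}

@techreport{NIST-800-53B,
  author      = {{Joint Task Force Interagency Working Group}},
  year        = {2020},
  title       = {Control Baselines for Information Systems and Organizations},
  type        = {Special Publication (NIST SP)},
  number      = {800-53B},
  institution = NIST,
  doi         = {10.6028/NIST.SP.800-53B},
}

@techreport{NIST-800-53r5,
  author      = {{Joint Task Force Interagency Working Group}},
  year        = {2020},
  title       = {Security and Privacy Controls for Information Systems and Organizations},
  type        = {Special Publication (NIST SP)},
  number      = {800-53 Revision 5},
  institution = NIST,
  doi         = {10.6028/NIST.SP.800-53r5},
}

@misc{DEFEND,
  author       = {Kaloroumakis, Peter and Smith, Michael},
  year         = {2020},
  title        = {Toward a Knowledge Graph of Cybersecurity Countermeasures},
  howpublished = {\url{https://apps.dtic.mil/sti/citations/AD1156977} [Accessed: 2024-06-21]},
}

@article{khalaf2021web,
  author  = {Khalaf, Osamah Ibrahim and Sokiyna, Munsif and Alotaibi, Youseef and Alsufyani, Abdulmajeed and Alghamdi, Saleh},
  year    = {2021},
  title   = {Web Attack Detection Using the Input Validation Method: {DPDA} Theory},
  journal = {Computers, Materials \& Continua},
  volume  = {68},
  number  = {3},
  doi     = {10.32604/cmc.2021.016099},
}

@article{Kiesling2016,
  author  = {Kiesling, Elmar and Ekelhart, Andreas and Grill, Bernhard and Strauss, Christine and Stummer, Christian},
  year    = {2016},
  title   = {Selecting Security Control Portfolios: A Multi-Objective Simulation-Optimization Approach},
  journal = {EURO Journal on Decision Processes},
  volume  = {4},
  number  = {1--2},
  pages   = {85--117},
  doi     = {10.1007/s40070-016-0055-7},
}

@article{Liu2011aa,
  author  = {Liu, Qixu and Zhang, Yuqing},
  year    = {2011},
  title   = {{VRSS}: A New System for Rating and Scoring Vulnerabilities},
  journal = {Computer Communications},
  volume  = {34},
  pages   = {264--273},
  doi     = {10.1016/j.comcom.2010.04.006},
}

@techreport{CVSS,
  author      = {Mell, Peter and Scarfone, Karen and Romanosky, Sasha},
  year        = {2007},
  title       = {The Common Vulnerability Scoring System {(CVSS)} and Its Applicability to Federal Agency Systems},
  type        = {NIST Interagency Report},
  number      = {7435},
  institution = NIST,
  doi         = {10.6028/NIST.IR.7435},
}

@misc{STRIDE,
  author       = {{Microsoft}},
  year         = {2022},
  title        = {Microsoft Threat Modeling Tool -- Threats},
  howpublished = {\url{https://learn.microsoft.com/en-us/azure/security/develop/threat-modeling-tool-threats} [Accessed: 2024-06-21]},
}

@misc{NIST-800-154,
  author       = {Souppaya, Murugiah and Scarfone, Karen},
  year         = {2016},
  title        = {Guide to Data-Centric System Threat Modeling},
  howpublished = {\url{https://csrc.nist.gov/pubs/sp/800/154/ipd} [Accessed: 2024-06-21]},
}

@inproceedings{Nassar2021,
  author    = {Nassar, Mohamed and Khoury, Joseph and Erradi, Abdelkarim and Bou-Harb, Elias},
  year      = {2021},
  title     = {Game Theoretical Model for Cybersecurity Risk Assessment of Industrial Control Systems},
  booktitle = {2021 11th {IFIP} International Conference on New Technologies, Mobility and Security ({NTMS})},
  pages     = {1--7},
  doi       = {10.1109/NTMS49979.2021.9432668},
}

@techreport{NIST-PF,
  author      = {{National Institute of Standards and Technology}},
  year        = {2020},
  title       = {The {NIST} Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management},
  type        = {Cybersecurity White Papers (CSWP)},
  number      = {10},
  institution = NIST,
  doi         = {10.6028/NIST.CSWP.10},
}

@techreport{NIST-CSF,
  author      = {{National Institute of Standards and Technology}},
  year        = {2024},
  title       = {The {NIST} Cybersecurity Framework {(CSF)} 2.0},
  type        = {Cybersecurity White Papers (CSWP)},
  number      = {29},
  institution = NIST,
  doi         = {10.6028/NIST.CSWP.29},
}

@incollection{OWEN2015573,
  author    = {Owen, Guillermo},
  year      = {2015},
  title     = {Game Theory},
  editor    = {Wright, James D.},
  booktitle = {International Encyclopedia of the Social \& Behavioral Sciences (Second Edition)},
  edition   = {Second},
  publisher = {Elsevier},
  address   = {Oxford},
  pages     = {573--581},
  doi       = {10.1016/B978-0-08-097086-8.43045-X},
}

@article{Park2020,
  author  = {Park, Jun Young and Huh, Eui Nam},
  year    = {2020},
  title   = {A Cost-Optimization Scheme Using Security Vulnerability Measurement for Efficient Security Enhancement},
  journal = {Journal of Information Processing Systems},
  volume  = {16},
  number  = {1},
  pages   = {61--82},
  doi     = {10.3745/JIPS.02.0128},
}

@techreport{NIST-800-160v2r1,
  author      = {Ross, Ron and Pillitteri, Victoria and Graubart, Richard and Bodeau, Deborah and McQuaid, Rosalie},
  year        = {2021},
  title       = {Developing Cyber-Resilient Systems: A Systems Security Engineering Approach},
  type        = {Special Publication (NIST SP)},
  number      = {800-160, Volume 2 Revision 1},
  institution = NIST,
  doi         = {10.6028/NIST.SP.800-160v2r1},
}

@inproceedings{Rouland2023ab,
  author    = {Rouland, Quentin and Gjorcheski, Stojanche and Jaskolka, Jason},
  year      = {2023},
  title     = {Eliciting a Security Architecture Requirements Baseline from Standards and Regulations},
  booktitle = {2023 {IEEE} 31st International Requirements Engineering Conference Workshops},
  series    = {REW},
  address   = {Hannover, Germany},
  pages     = {224--229},
  doi       = {10.1109/rew57809.2023.00045},
}

@article{scholte2012,
  author  = {Scholte, Theodoor and Balzarotti, Davide and Kirda, Engin},
  year    = {2012},
  title   = {Have Things Changed Now? An Empirical Study on Input Validation Vulnerabilities in Web Applications},
  journal = {Computers \& Security},
  volume  = {31},
  number  = {3},
  pages   = {344--356},
  doi     = {10.1016/j.cose.2011.12.013},
}

@inproceedings{Theodoor2012,
  author    = {Scholte, Theodoor and Robertson, William and Balzarotti, Davide and Kirda, Engin},
  year      = {2012},
  title     = {Preventing Input Validation Vulnerabilities in Web Applications through Automated Type Analysis},
  booktitle = {2012 {IEEE} 36th Annual Computer Software and Applications Conference},
  pages     = {233--243},
  doi       = {10.1109/COMPSAC.2012.34},
}

@inproceedings{Smith2017,
  author    = {Smith, Andrew M. and Mayo, Jackson R. and Kammler, Vivian and Armstrong, Robert C. and Vorobeychik, Yevgeniy},
  year      = {2017},
  title     = {Using Computational Game Theory to Guide Verification and Security in Hardware Designs},
  booktitle = {2017 {IEEE} International Symposium on Hardware Oriented Security and Trust ({HOST})},
  pages     = {110--115},
  doi       = {10.1109/HST.2017.7951808},
}

@book{Straffin1993,
  author    = {Straffin, Philip D.},
  year      = {1993},
  title     = {Game Theory and Strategy},
  edition   = {Second},
  publisher = {The Mathematical Association of America},
}

@book{PASTA,
  author    = {UcedaV{\'e}lez, Tony and Morana, Marco M.},
  year      = {2015},
  title     = {Risk Centric Threat Modeling: Process for Attack Simulation and Threat Analysis},
  edition   = {First},
  publisher = {John Wiley \& Sons},
  doi       = {10.1002/9781118988374},
}

@inproceedings{Wang2010,
  author    = {Wang, Baoyi and Cai, Jianqiang and Zhang, Shaomin and Li, Jun},
  year      = {2010},
  title     = {A Network Security Assessment Model Based on Attack-Defense Game Theory},
  booktitle = {2010 International Conference on Computer Application and System Modeling ({ICCASM} 2010)},
  volume    = {3},
  pages     = {V3-639--V3-643},
  doi       = {10.1109/ICCASM.2010.5620536},
}

@article{Yevseyeva2015,
  author  = {Yevseyeva, Iryna and Basto-Fernandes, Vitor and Emmerich, Michael and {Van Moorsel}, Aad},
  year    = {2015},
  title   = {Selecting Optimal Subset of Security Controls},
  journal = {Procedia Computer Science},
  volume  = {64},
  pages   = {1035--1042},
  doi     = {10.1016/j.procs.2015.08.625},
}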