References

  1. Luís Almeida & Ana Respício (2018): Decision support for selecting information security controls. Journal of Decision Systems 27, pp. 173–180, doi:10.1080/12460125.2018.1468177.
  2. Seifeddine Bettaieb, Seung Yeob Shin, Mehrdad Sabetzadeh, Lionel C. Briand, Michael Garceau & Antoine Meyers (2020): Using machine learning to assist with the selection of security controls during security assessment. Empirical Software Engineering 25(4), pp. 2550–2582, doi:10.1007/s10664-020-09814-x.
  3. Jennifer Cawthra, Michael Ekstrom, Lauren Lusty, Julian Sexton & John Sweetnam (2020): Data Integrity: Detecting and Responding to Ransomware and Other Destructive Events. Special Publication (NIST SP) 1800-26. National Institute of Standards and Technology, doi:10.6028/NIST.SP.1800-26.
  4. Center for Information Security (2021): CIS Critical Security Controls – Version 8. https://www.cisecurity.org/controls/v8 [Accessed: 2024-06-21].
  5. Rinku Dewri, Nayot Poolsappasit, Indrajit Ray & Darrell Whitley (2007): Optimal security hardening using multi-objective optimization on attack tree models of networks. In: Proceedings of the 14th ACM Conference on Computer and Communications Security. Association for Computing Machinery, New York, NY, USA, pp. 204–213, doi:10.1145/1315245.1315272.
  6. Victoria Drake: Threat Modeling. https://owasp.org/www-community/Threat_Modeling [Accessed: 2023-12-11].
  7. Martin S. Feather, Steven L. Cornford, Kenneth A. Hicks & Kenneth R. Johnson: (2005): Applications of tool support for risk-informed requirements reasoning. https://www.researchgate.net/publication/220403935_Applications_of_tool_support_for_risk-informed_requirements_reasoning [Accessed: 2024-06-21].
  8. Government of Canada (2014): IT Security Risk Management: A Lifecycle Approach – Security Control Catalogue. https://www.cisecurity.org/controls/v8 [Accessed: 2024-06-21].
  9. Peter Höfner, Ridha Khedri & Bernhard Möller (2011): An Algebra of Product Families. Software and Systems Modeling 10(2), pp. 161–182, doi:10.1007/s10270-009-0127-2.
  10. International Organization for Standardization (2018): ISO/IEC 31000:2018 Risk Management – Guidelines. https://www.iso.org/standard/65694.html [Accessed: 2024-06-21].
  11. International Organization for Standardization (2022): ISO/IEC 27002:2022 Information security, cybersecurity and privacy protection – Information security controls. https://www.iso.org/standard/75652.html [Accessed: 2024-06-21].
  12. International Organization for Standardization (2022): ISO/IEC 27005:2022 Information security, cybersecurity and privacy protection – Guidance on managing information security risks. https://www.iso.org/standard/80585.html [Accessed: 2023-12-11].
  13. Joint Task Force Interagency Working Group (2018): Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. Special Publication (NIST SP) 800-37 Revision 2. National Institute of Standards and Technology, doi:10.6028/NIST.SP.800-37r2.
  14. Joint Task Force Interagency Working Group (2020): Control Baselines for Information Systems and Organizations. Special Publication (NIST SP) 800-53B. National Institute of Standards and Technology, doi:10.6028/nist.sp.800-53b.
  15. Joint Task Force Interagency Working Group (2020): Security and Privacy Controls for Information Systems and Organizations. Special Publication (NIST SP) 800-53 Revision 5. National Institute of Standards and Technology, doi:10.6028/NIST.SP.800-53r5.
  16. Peter Kaloroumakis & Michael Smith (2020): Toward a Knowledge Graph of Cybersecurity Countermeasures. https://apps.dtic.mil/sti/citations/AD1156977 [Accessed: 2024-06-21].
  17. Osamah Ibrahim Khalaf, Munsif Sokiyna, Youseef Alotaibi, Abdulmajeed Alsufyani & Saleh Alghamdi (2021): Web Attack Detection Using the Input Validation Method: DPDA Theory. Computers, Materials & Continua 68(3), doi:10.32604/cmc.2021.016099.
  18. Elmar Kiesling, Andreas Ekelhart, Bernhard Grill, Christine Strauss & Christian Stummer (2016): Selecting security control portfolios: a multi-objective simulation-optimization approach. EURO Journal on Decision Processes 4(1-2), pp. 85–117, doi:10.1007/s40070-016-0055-7.
  19. Qixu Liu & Yuqing Zhang (2011): VRSS: A New System for Rating and Scoring Vulnerabilities. Computer Communications 34, pp. 264–273, doi:10.1016/j.comcom.2010.04.006.
  20. Peter Mell, Karen Scarfone & Sasha Romanosky (2007): The Common Vulnerability Scoring System (CVSS) and Its Applicability to Federal Agency Systems. NIST Interagency Report 7435. National Institute of Standards and Technology, doi:10.6028/NIST.IR.7435.
  21. Microsoft (2022): Microsoft Threat Modeling Tool – Threats. https://learn.microsoft.com/en-us/azure/security/develop/threat-modeling-tool-threats [Accessed: 2024-06-21].
  22. Murugiah Souppaya and Karen Scarfone (2016): Guide to Data-Centric System Threat Modeling. https://csrc.nist.gov/pubs/sp/800/154/ipd [Accessed: 2024-06-21].
  23. Mohamed Nassar, Joseph Khoury, Abdelkarim Erradi & Elias Bou-Harb (2021): Game Theoretical Model for Cybersecurity Risk Assessment of Industrial Control Systems. In: 2021 11th IFIP International Conference on New Technologies, Mobility and Security (NTMS), pp. 1–7, doi:10.1109/NTMS49979.2021.9432668.
  24. National Institute of Standards and Technology (2020): The NIST Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management. Cybersecurity White Papers (CSWP) 10. National Institute of Standards and Technology, doi:10.6028/nist.cswp.10.
  25. National Institute of Standards and Technology (2024): The NIST Cybersecurity Framework (CSF) 2.0. Cybersecurity White Papers (CSWP) 29. National Institute of Standards and Technology, doi:10.6028/NIST.CSWP.29.
  26. Guillermo Owen (2015): Game Theory. In: James D. Wright: International Encyclopedia of the Social & Behavioral Sciences (Second Edition), second edition edition. Elsevier, Oxford, pp. 573–581, doi:10.1016/B978-0-08-097086-8.43045-X.
  27. Jun Young Park & Eui Nam Huh (2020): A cost-optimization scheme using security vulnerability measurement for efficient security enhancement. Journal of Information Processing Systems 16(1), pp. 61–82, doi:10.3745/JIPS.02.0128.
  28. Ron Ross, Victoria Pillitteri, Richard Graubart, Deborah Bodeau & Rosalie Mcquaid (2021): Developing Cyber-Resilient Systems: A Systems Security Engineering Approach. Special Publication (NIST SP) 800-160, Volume 2 Revision 1. National Institute of Standards and Technology, doi:10.6028/NIST.SP.800-160v2r1.
  29. Quentin Rouland, Stojanche Gjorcheski & Jason Jaskolka (2023): Eliciting a Security Architecture Requirements Baseline from Standards and Regulations. In: 2023 IEEE 31st International Requirements Engineering Conference Workshops, REW, Hannover, Germany, pp. 224–229, doi:10.1109/rew57809.2023.00045.
  30. Theodoor Scholte, Davide Balzarotti & Engin Kirda (2012): Have things changed now? An empirical study on input validation vulnerabilities in web applications. Computers & Security 31(3), pp. 344–356, doi:10.1016/j.cose.2011.12.013.
  31. Theodoor Scholte, William Robertson, Davide Balzarotti & Engin Kirda (2012): Preventing Input Validation Vulnerabilities in Web Applications through Automated Type Analysis. In: 2012 IEEE 36th Annual Computer Software and Applications Conference, pp. 233–243, doi:10.1109/COMPSAC.2012.34.
  32. Andrew M. Smith, Jackson R. Mayo, Vivian Kammler, Robert C. Armstrong & Yevgeniy Vorobeychik (2017): Using computational game theory to guide verification and security in hardware designs. In: 2017 IEEE International Symposium on Hardware Oriented Security and Trust (HOST), pp. 110–115, doi:10.1109/HST.2017.7951808.
  33. Philip D. Straffin (1993): Game Theory and Strategy, second edition. The Mathematical Association of America.
  34. Tony UcedaVélez & Marco M. Morana (2015): Risk Centric Threat Modeling: Process for Attack Simulation and Threat Analysis, first edition. John Wiley & Sons, doi:10.1002/9781118988374.
  35. Baoyi Wang, Jianqiang Cai, Shaomin Zhang & Jun Li (2010): A network security assessment model based on attack-defense game theory. In: 2010 International Conference on Computer Application and System Modeling (ICCASM 2010) 3, pp. V3–639–V3–643, doi:10.1109/ICCASM.2010.5620536.
  36. Iryna Yevseyeva, Vitor Basto-Fernandes, Michael Emmerich & Aad Van Moorsel (2015): Selecting Optimal Subset of Security Controls. Procedia Computer Science 64, pp. 1035–1042, doi:10.1016/j.procs.2015.08.625.
Comments and questions to: eptcs@eptcs.org
For website issues: webmaster@eptcs.org