The National Institute of Standards and Technology (NIST) has issued a framework to provide
guidance for organizations within critical infrastructure sectors to reduce the risk associated
with cyber security. The framework is called NIST Cyber Security Framework for Critical
Infrastructure (CSF). Many organizations are currently implementing or aligned to different
information security frameworks. The implementation of NIST CSF needs to be aligned with and
complement the existing frameworks. NIST states that the NIST CSF is not a maturity
framework. Therefore, there is a need to adopt an existing maturity model or create one to have
a common way to measure the CSF implementation progress. This paper explores the
applicability of number of maturity models to be used as a measure to the security poster of
organizations implementing the NIST CSF. This paper reviews the NIST CSF and compares it to
other information security related frameworks such as COBIT, ISO/IEC 27001 and the ISF
Standard of Good Practice (SoGP) for Information Security. We propose a new information
security maturity model (ISMM) that fills the gap in the NIST CSF.
Software Reliability and Quality Assurance Challenges in Cyber Physical Syste...CSCJournals
Software Reliability is the probability of failure-free software operation for a specified period of time in a specified environment. Cyber threats on software security have been prevailing and have increased exponentially, posing a major challenge on software reliability in the cyber physical systems (CPS) environment. Applying patches after the software has been developed is outdated and a major security flaw. However, this has posed a major software reliability challenge as threat actors are exploiting unpatched and insecure software configuration vulnerabilities that are not identified at the design phase. This paper aims to investigate the SDLC approach to software reliability and quality assurance challenges in CPS security. To demonstrate the applicability of our work, we review existing security requirements engineering concepts and methodologies such as TROPOS, I*, KAOS, Tropos and Secure Tropos to determine their relevance in software security. We consider how the methodologies and function points are used to implement constraints to improve software reliability. Finally, the function points concepts are implemented into the CPS security components. The results show that software security threats in CPS can be addressed by integrating the SRE approach and function point analysis in the development to improve software reliability.
Software Reliability and Quality Assurance Challenges in Cyber Physical Syste...CSCJournals
Software Reliability is the probability of failure-free software operation for a specified period of time in a specified environment. Cyber threats on software security have been prevailing and have increased exponentially, posing a major challenge on software reliability in the cyber physical systems (CPS) environment. Applying patches after the software has been developed is outdated and a major security flaw. However, this has posed a major software reliability challenge as threat actors are exploiting unpatched and insecure software configuration vulnerabilities that are not identified at the design phase. This paper aims to investigate the SDLC approach to software reliability and quality assurance challenges in CPS security. To demonstrate the applicability of our work, we review existing security requirements engineering concepts and methodologies such as TROPOS, I*, KAOS, Tropos and Secure Tropos to determine their relevance in software security. We consider how the methodologies and function points are used to implement constraints to improve software reliability. Finally, the function points concepts are implemented into the CPS security components. The results show that software security threats in CPS can be addressed by integrating the SRE approach and function point analysis in the development to improve software reliability.
Building a Product Security Practice in a DevOps WorldArun Prabhakar
This is a whitepaper on Product Security that largely focusses on building key security capabilities for products that are developed using DevOps methodology. It also consists of an effort to set up and accomplish the governance of Product Security in the DevOps world.
A UML Profile for Security and Code Generation IJECEIAES
Recently, many research studies have suggested the integration of safety engineering at an early stage of modeling and system development using Model-Driven Architecture (MDA). This concept consists in deploying the UML (Unified Modeling Language) standard as aprincipal metamodel for the abstractions of different systems. To our knowledge, most of this work has focused on integrating security requirements after the implementation phase without taking them into account when designing systems. In this work, we focused our efforts on non-functional aspects such as the business logic layer, data flow monitoring, and high-quality service delivery. Practically, we have proposed a new UML profile for security integration and code generation for the Java platform. Therefore, the security properties will be described by a UML profile and the OCL language to verify the requirements of confidentiality, authorization, availability, data integrity, and data encryption. Finally, the source code such as the application security configuration, the method signatures and their bodies, the persistent entities and the security controllers generated from sequence diagram of system’s internal behavior after its extension with this profile and applying a set of transformations.
MILS is a component-based approach to secure and dependable systems design and implementation that encourages a marketplace of general-purpose commercial components, leading to lower development cost
MILS is a two phase approach (John Rushby’s “Modern MILS”):
Design a Policy Architecture
Abstract architecture diagram represented by “boxes and arrows”
Operational components and architecture achieve system purpose
Assumes the architecture (components and connectors) will be strictly enforced in the implementation
Implement the policy architecture on a robust resource-sharing platform
MILS foundational components (FCs) enable sharing of physical resources, creating strongly separated “exported resources”
FCs should be individually developed and assured according to standardized specifications
FCs compose “additively” to form a distributed trusted sharing substrate, the MILS Platform
MILS provides a compositional approach to construction, assurance, and system certification
This material provides a description of assurance cases, a key element in the
CITADEL System Assurance and Certification. In addition, it also includes a
set of assurance case argument patterns that can be used to develop these
assurance cases. The assurance case patterns are instantiated by using
AM-ETB and the system model in the CITADEL modeling language. As
regards to the evaluation of Adaptive MILS assurance cases. it involves the
analysis of the soundness of the assurance case, the integrity of the evidence
supporting the claims made in the assurance case, and the certification of the
Adaptive MILS system.
SEGMENTATION AND CLASSIFICATION OF BRAIN TUMOR CT IMAGES USING SVM WITH WEIGH...csandit
In this article a method is proposed for segmentation and classification of benign and malignant
tumor slices in brain Computed Tomography (CT) images. In this study image noises are
removed using median and wiener filter and brain tumors are segmented using Support Vector
Machine (SVM). Then a two-level discrete wavelet decomposition of tumor image is performed
and the approximation at the second level is obtained to replace the original image to be used
for texture analysis. Here, 17 features are extracted that 6 of them are selected using Student’s
t-test. Dominant gray level run length and gray level co-occurrence texture features are used for
SVM training. Malignant and benign tumors are classified using SVM with kernel width and
Weighted kernel width (WSVM) and k-Nearest Neighbors (k-NN) classifier. Classification
accuracy of classifiers are evaluated using 10 fold cross validation method. The segmentation
results are also compared with the experienced radiologist ground truth. The experimental
results show that the proposed WSVM classifier is able to achieve high classification accuracy
effectiveness as measured by sensitivity and specificity.
A WIND POWER PREDICTION METHOD BASED ON BAYESIAN FUSIONcsandit
Wind power prediction (WPP) is of great importance to the safety of the power grid and the
effectiveness of power generations dispatching. However, the accuracy of WPP obtained by
single numerical weather prediction (NWP) is difficult to satisfy the demands of the power
system. In this research, we proposed a WPP method based on Bayesian fusion and multisource
NWPs. First, the statistic characteristics of the forecasted wind speed of each-source
NWP was analysed, pre-processed and transformed. Then, a fusion method based on Bayesian
method was designed to forecast the wind speed by using the multi-source NWPs, which is more
accurate than any original forecasted wind speed of each-source NWP. Finally, the neural
network method was employed to predict the wind power with the wind speed forecasted by
Bayesian method. The experimental results demonstrate that the accuracy of the forecasted
wind speed and wind power prediction is improved significantly.
““USATESTDOWN” A PROPOSAL OF A USABILITY TESTING GUIDE FOR MOBILE APPLICATION...csandit
The usability testing of mobile applications involving persons with Down syndrome is an issue
that has not be comprehensively investigated and there is no single proposal that takes on board
all the issues that could be taken into account[1]. This study aims to propose a practical guide
¨USATESTDOWN¨ to measure and evaluate the usability of mobile applications focusing on
Down syndrome users and their primary limitations. The study starts with an analysis of
existing methodologies and tools to evaluate usability and integrates concepts related to
inspection and inquiry methods into a proposal. The proposal includes the opinions of experts
and representative users; their limitations, the applicability during the development process and
the accessibility. This guide is based on the literature review and the author
EXPOSURE AND AVOIDANCE MECHANISM OF BLACK HOLE AND JAMMING ATTACK IN MOBILE A...ijcseit
Mobile ad hoc network (MANETs) is an infrastructure-less/self-configurable system in which every node
carries on as host or router and every node can participate in the transmission of packets. Because of its
dynamic behaviour such system is more susceptible against various sorts of security threats, for example,
Black hole, Wormhole , Jamming , Sybil, Byzantine attack and so on which may block the transmission of
the system. Black hole attack and Jamming attack is one of them which promote itself has shortest or new
fresh route to the destination while jamming attack which make activity over the system. This paper
introduces the thorough literature study for the Black hole attack and jamming attack of both the attack by
various researchers.
CORRELATION BASED FUNDAMENTAL FREQUENCY EXTRACTION METHOD IN NOISY SPEECH SIGNALijcseit
This paper proposed a correlation based method using the autocorrelation function and the YIN. The
autocorrelation function and also YIN is a popular measurement in estimating fundamental frequency in
time domain. The performance of these two methods, however, is effected due to the position of dominant
harmonics (usually the first formant) and the presence of spurious peaks introduced in noisy conditions.
The experimental results of computer simulations on female and male voices in different noises perform
that the gross pitch errors are lower in proposed method as compared to other related method in different
types of signal to noise ratio conditions.
L’habitat, « De la maison cocon à la maison ruche : symbolique et usages de l...Harris Interactive France
Enquête 1/3 – Février : « Demain tous colocataires ? Des usages multiples de l’habitat »
Les zooms de L’Observatoire Cetelem s’intéressent aux nouveaux modes de vie et proposent d’investir un grand thème en trois temps, sollicitant l’avis des Français au travers de trois vagues de sondage. Les zooms viennent ainsi compléter et enrichir le dispositif d’observation et d’études existant de L’Observatoire Cetelem.
La première édition des zooms de L’Observatoire Cetelem porte sur l’habitat, un thème à la fois central dans la vie des Français et un précieux indicateur de l’évolution des modes de vie. À cette occasion, L’Observatoire Cetelem a sollicité Harris Interactive pour réaliser un premier sondage sur « Demain tous colocataires ? Des usages multiples de l’habitat » : quelle perception ont les Français de l’habitat ? sont-ils attachés à leur logement ? De quelle manière envisagent-ils la colocation, le télétravail ou la location entre particuliers ? Deux autres sondages suivront en mars et avril pour compléter l’étude.
http://harris-interactive.fr/opinion_polls/demain-tous-colocataires-des-usages-multiples-de-lhabitat/
QUALITY OF SERVICE STABILITY BASED MULTICAST ROUTING PROTOCOL FOR MANETScseij
Mobile Ad Hoc Networking Does Not Own Any Fixed Infrastructure And Hence, Stable Routing Is The
Major Problem. The Mobility Nature Of Manet’s Node Facilitates Rediscovery Of A New Path To
Organizing A Routing. In Order To Intensify The Quality Of Service And Routing Stability In Manet, We
Propose A Dynamic Quality Of Service Stability Based Multicast Routing Protocol By Modifying The
Cuckoo Search Algorithm Through A Modernizing Mechanism Which Is Derived From The Differential
Evolution Algorithm. Tuned Csa Is A Combined Feature Of Csa And De Algorithms. Periodically, Each
Node In The Network Creates Neighbour Stability And Qos Database At Every Node By Calculating The
Parameters Like Node And Link Stability Factor, Bandwidth Availability, And Delays. Finally, Multicast
Path Constructs Route Request And Route Reply Packets, Stability Information And Performing Route
Maintenance.
DESIGN OF SOFT VITERBI ALGORITHM DECODER ENHANCED WITH NON-TRANSMITTABLE CODE...IJCSEA Journal
Viterbi Algorithm Decoder Enhanced with Non-transmittable Codewords is one of the best decoding
algorithm which effectively improves forward error correction performance. HoweverViterbi decoder
enhanced with NTCs is not yet designed to work in storage media devices. Currently Reed Solomon (RS)
Algorithm is almost the dominant algorithm used in correcting error in storage media. Conversely, recent
studies show that there still exist low reliability of data in storage media while the demand for storage
media increases drastically. This study proposes a design of the Soft Viterbi Algorithm decoder enhanced
with Non-transmittable Codewords (SVAD-NTCs) to be used in storage media for error correction. Matlab
simulation was used in this design in order to investigate behavior and effectiveness of SVAD-NTCs in
correcting errors in data retrieving from storage media.Sample data of one million bits are randomly
generated, Additive White Gaussian Noise (AWGN) was used as data distortion model and Binary Phase-
Shift Keying (BPSK) was applied for simulation modulation. Results show that,behaviors of SVAD-NTC
performance increase as you increase the NTCs, but beyond 6NTCs there is no significant change and
SVAD-NTCs design drastically reduce the total residual error from 216,878 of Reed Solomon to 23,900.
FACILITATING VIDEO SOCIAL MEDIA SEARCH USING SOCIAL-DRIVEN TAGS COMPUTINGcsandit
Online video search or stream live on social media has become tremendous widespread and
speedy increased continuously in recent years. Most of the videos shared on social media are
aimed at the more number of views from audiences. What and how many videos the users
shared all around the world have created a great amount and varied videos and the other data
into Internet cloud’s database and even can be viewed as a kind of big data of digital contents.
This research is to present how to implement a social-driven tags computing (SDT) which can
be used to facilitate online video search on social media platforms
Secure cloud transmission protocol (SCTP) was proposed to achieve strong authentication and secure
channel in cloud computing paradigm at preceding work. SCTP proposed with its own techniques to attain
a cloud security. SCTP was proposed to design multilevel authentication technique with multidimensional
password generations System to achieve strong authentication. SCTP was projected to develop multilevel
cryptography technique to attain secure channel. SCTP was proposed to blueprint usage profile based
intruder detection and prevention system to resist against intruder attacks. SCTP designed, developed and
analyzed using protocol engineering phases. Proposed SCTP and its techniques complete design has
presented using Petrinet production model. We present the designed SCTP petrinet models and its
analysis. We discussed the SCTP design and its performance to achieve strong authentication, secure
channel and intruder prevention. SCTP designed to use in any cloud applications. It can authorize,
authenticates, secure channel and prevent intruder during the cloud transaction. SCTP designed to protect
against different attack mentioned in literature. This paper depicts the SCTP performance analysis report
which compares with existing techniques that are proposed to achieve authentication, authorization,
security and intruder prevention.
In this paper, we propose a method that aligns comparable bilingual tweets which, not only
takes into account the specificity of a Tweet, but treats also proper names, dates and numbers in
two different languages. This permits to retrieve more relevant target tweets. The process of
matching proper names between Arabic and English is a difficult task, because these two
languages use different scripts. For that, we used an approach which projects the sounds of an
English proper name into Arabic and aligns it with the most appropriate proper name. We
evaluated the method with a classical measure and compared it to the one we developed. The
experiments have been achieved on two parallel corpora and shows that our measure
outperforms the baseline by 5.6% at R@1 recall.
KEYWORDS
Building a Product Security Practice in a DevOps WorldArun Prabhakar
This is a whitepaper on Product Security that largely focusses on building key security capabilities for products that are developed using DevOps methodology. It also consists of an effort to set up and accomplish the governance of Product Security in the DevOps world.
A UML Profile for Security and Code Generation IJECEIAES
Recently, many research studies have suggested the integration of safety engineering at an early stage of modeling and system development using Model-Driven Architecture (MDA). This concept consists in deploying the UML (Unified Modeling Language) standard as aprincipal metamodel for the abstractions of different systems. To our knowledge, most of this work has focused on integrating security requirements after the implementation phase without taking them into account when designing systems. In this work, we focused our efforts on non-functional aspects such as the business logic layer, data flow monitoring, and high-quality service delivery. Practically, we have proposed a new UML profile for security integration and code generation for the Java platform. Therefore, the security properties will be described by a UML profile and the OCL language to verify the requirements of confidentiality, authorization, availability, data integrity, and data encryption. Finally, the source code such as the application security configuration, the method signatures and their bodies, the persistent entities and the security controllers generated from sequence diagram of system’s internal behavior after its extension with this profile and applying a set of transformations.
MILS is a component-based approach to secure and dependable systems design and implementation that encourages a marketplace of general-purpose commercial components, leading to lower development cost
MILS is a two phase approach (John Rushby’s “Modern MILS”):
Design a Policy Architecture
Abstract architecture diagram represented by “boxes and arrows”
Operational components and architecture achieve system purpose
Assumes the architecture (components and connectors) will be strictly enforced in the implementation
Implement the policy architecture on a robust resource-sharing platform
MILS foundational components (FCs) enable sharing of physical resources, creating strongly separated “exported resources”
FCs should be individually developed and assured according to standardized specifications
FCs compose “additively” to form a distributed trusted sharing substrate, the MILS Platform
MILS provides a compositional approach to construction, assurance, and system certification
This material provides a description of assurance cases, a key element in the
CITADEL System Assurance and Certification. In addition, it also includes a
set of assurance case argument patterns that can be used to develop these
assurance cases. The assurance case patterns are instantiated by using
AM-ETB and the system model in the CITADEL modeling language. As
regards to the evaluation of Adaptive MILS assurance cases. it involves the
analysis of the soundness of the assurance case, the integrity of the evidence
supporting the claims made in the assurance case, and the certification of the
Adaptive MILS system.
SEGMENTATION AND CLASSIFICATION OF BRAIN TUMOR CT IMAGES USING SVM WITH WEIGH...csandit
In this article a method is proposed for segmentation and classification of benign and malignant
tumor slices in brain Computed Tomography (CT) images. In this study image noises are
removed using median and wiener filter and brain tumors are segmented using Support Vector
Machine (SVM). Then a two-level discrete wavelet decomposition of tumor image is performed
and the approximation at the second level is obtained to replace the original image to be used
for texture analysis. Here, 17 features are extracted that 6 of them are selected using Student’s
t-test. Dominant gray level run length and gray level co-occurrence texture features are used for
SVM training. Malignant and benign tumors are classified using SVM with kernel width and
Weighted kernel width (WSVM) and k-Nearest Neighbors (k-NN) classifier. Classification
accuracy of classifiers are evaluated using 10 fold cross validation method. The segmentation
results are also compared with the experienced radiologist ground truth. The experimental
results show that the proposed WSVM classifier is able to achieve high classification accuracy
effectiveness as measured by sensitivity and specificity.
A WIND POWER PREDICTION METHOD BASED ON BAYESIAN FUSIONcsandit
Wind power prediction (WPP) is of great importance to the safety of the power grid and the
effectiveness of power generations dispatching. However, the accuracy of WPP obtained by
single numerical weather prediction (NWP) is difficult to satisfy the demands of the power
system. In this research, we proposed a WPP method based on Bayesian fusion and multisource
NWPs. First, the statistic characteristics of the forecasted wind speed of each-source
NWP was analysed, pre-processed and transformed. Then, a fusion method based on Bayesian
method was designed to forecast the wind speed by using the multi-source NWPs, which is more
accurate than any original forecasted wind speed of each-source NWP. Finally, the neural
network method was employed to predict the wind power with the wind speed forecasted by
Bayesian method. The experimental results demonstrate that the accuracy of the forecasted
wind speed and wind power prediction is improved significantly.
““USATESTDOWN” A PROPOSAL OF A USABILITY TESTING GUIDE FOR MOBILE APPLICATION...csandit
The usability testing of mobile applications involving persons with Down syndrome is an issue
that has not be comprehensively investigated and there is no single proposal that takes on board
all the issues that could be taken into account[1]. This study aims to propose a practical guide
¨USATESTDOWN¨ to measure and evaluate the usability of mobile applications focusing on
Down syndrome users and their primary limitations. The study starts with an analysis of
existing methodologies and tools to evaluate usability and integrates concepts related to
inspection and inquiry methods into a proposal. The proposal includes the opinions of experts
and representative users; their limitations, the applicability during the development process and
the accessibility. This guide is based on the literature review and the author
EXPOSURE AND AVOIDANCE MECHANISM OF BLACK HOLE AND JAMMING ATTACK IN MOBILE A...ijcseit
Mobile ad hoc network (MANETs) is an infrastructure-less/self-configurable system in which every node
carries on as host or router and every node can participate in the transmission of packets. Because of its
dynamic behaviour such system is more susceptible against various sorts of security threats, for example,
Black hole, Wormhole , Jamming , Sybil, Byzantine attack and so on which may block the transmission of
the system. Black hole attack and Jamming attack is one of them which promote itself has shortest or new
fresh route to the destination while jamming attack which make activity over the system. This paper
introduces the thorough literature study for the Black hole attack and jamming attack of both the attack by
various researchers.
CORRELATION BASED FUNDAMENTAL FREQUENCY EXTRACTION METHOD IN NOISY SPEECH SIGNALijcseit
This paper proposed a correlation based method using the autocorrelation function and the YIN. The
autocorrelation function and also YIN is a popular measurement in estimating fundamental frequency in
time domain. The performance of these two methods, however, is effected due to the position of dominant
harmonics (usually the first formant) and the presence of spurious peaks introduced in noisy conditions.
The experimental results of computer simulations on female and male voices in different noises perform
that the gross pitch errors are lower in proposed method as compared to other related method in different
types of signal to noise ratio conditions.
L’habitat, « De la maison cocon à la maison ruche : symbolique et usages de l...Harris Interactive France
Enquête 1/3 – Février : « Demain tous colocataires ? Des usages multiples de l’habitat »
Les zooms de L’Observatoire Cetelem s’intéressent aux nouveaux modes de vie et proposent d’investir un grand thème en trois temps, sollicitant l’avis des Français au travers de trois vagues de sondage. Les zooms viennent ainsi compléter et enrichir le dispositif d’observation et d’études existant de L’Observatoire Cetelem.
La première édition des zooms de L’Observatoire Cetelem porte sur l’habitat, un thème à la fois central dans la vie des Français et un précieux indicateur de l’évolution des modes de vie. À cette occasion, L’Observatoire Cetelem a sollicité Harris Interactive pour réaliser un premier sondage sur « Demain tous colocataires ? Des usages multiples de l’habitat » : quelle perception ont les Français de l’habitat ? sont-ils attachés à leur logement ? De quelle manière envisagent-ils la colocation, le télétravail ou la location entre particuliers ? Deux autres sondages suivront en mars et avril pour compléter l’étude.
http://harris-interactive.fr/opinion_polls/demain-tous-colocataires-des-usages-multiples-de-lhabitat/
QUALITY OF SERVICE STABILITY BASED MULTICAST ROUTING PROTOCOL FOR MANETScseij
Mobile Ad Hoc Networking Does Not Own Any Fixed Infrastructure And Hence, Stable Routing Is The
Major Problem. The Mobility Nature Of Manet’s Node Facilitates Rediscovery Of A New Path To
Organizing A Routing. In Order To Intensify The Quality Of Service And Routing Stability In Manet, We
Propose A Dynamic Quality Of Service Stability Based Multicast Routing Protocol By Modifying The
Cuckoo Search Algorithm Through A Modernizing Mechanism Which Is Derived From The Differential
Evolution Algorithm. Tuned Csa Is A Combined Feature Of Csa And De Algorithms. Periodically, Each
Node In The Network Creates Neighbour Stability And Qos Database At Every Node By Calculating The
Parameters Like Node And Link Stability Factor, Bandwidth Availability, And Delays. Finally, Multicast
Path Constructs Route Request And Route Reply Packets, Stability Information And Performing Route
Maintenance.
DESIGN OF SOFT VITERBI ALGORITHM DECODER ENHANCED WITH NON-TRANSMITTABLE CODE...IJCSEA Journal
Viterbi Algorithm Decoder Enhanced with Non-transmittable Codewords is one of the best decoding
algorithm which effectively improves forward error correction performance. HoweverViterbi decoder
enhanced with NTCs is not yet designed to work in storage media devices. Currently Reed Solomon (RS)
Algorithm is almost the dominant algorithm used in correcting error in storage media. Conversely, recent
studies show that there still exist low reliability of data in storage media while the demand for storage
media increases drastically. This study proposes a design of the Soft Viterbi Algorithm decoder enhanced
with Non-transmittable Codewords (SVAD-NTCs) to be used in storage media for error correction. Matlab
simulation was used in this design in order to investigate behavior and effectiveness of SVAD-NTCs in
correcting errors in data retrieving from storage media.Sample data of one million bits are randomly
generated, Additive White Gaussian Noise (AWGN) was used as data distortion model and Binary Phase-
Shift Keying (BPSK) was applied for simulation modulation. Results show that,behaviors of SVAD-NTC
performance increase as you increase the NTCs, but beyond 6NTCs there is no significant change and
SVAD-NTCs design drastically reduce the total residual error from 216,878 of Reed Solomon to 23,900.
FACILITATING VIDEO SOCIAL MEDIA SEARCH USING SOCIAL-DRIVEN TAGS COMPUTINGcsandit
Online video search or stream live on social media has become tremendous widespread and
speedy increased continuously in recent years. Most of the videos shared on social media are
aimed at the more number of views from audiences. What and how many videos the users
shared all around the world have created a great amount and varied videos and the other data
into Internet cloud’s database and even can be viewed as a kind of big data of digital contents.
This research is to present how to implement a social-driven tags computing (SDT) which can
be used to facilitate online video search on social media platforms
Secure cloud transmission protocol (SCTP) was proposed to achieve strong authentication and secure
channel in cloud computing paradigm at preceding work. SCTP proposed with its own techniques to attain
a cloud security. SCTP was proposed to design multilevel authentication technique with multidimensional
password generations System to achieve strong authentication. SCTP was projected to develop multilevel
cryptography technique to attain secure channel. SCTP was proposed to blueprint usage profile based
intruder detection and prevention system to resist against intruder attacks. SCTP designed, developed and
analyzed using protocol engineering phases. Proposed SCTP and its techniques complete design has
presented using Petrinet production model. We present the designed SCTP petrinet models and its
analysis. We discussed the SCTP design and its performance to achieve strong authentication, secure
channel and intruder prevention. SCTP designed to use in any cloud applications. It can authorize,
authenticates, secure channel and prevent intruder during the cloud transaction. SCTP designed to protect
against different attack mentioned in literature. This paper depicts the SCTP performance analysis report
which compares with existing techniques that are proposed to achieve authentication, authorization,
security and intruder prevention.
In this paper, we propose a method that aligns comparable bilingual tweets which, not only
takes into account the specificity of a Tweet, but treats also proper names, dates and numbers in
two different languages. This permits to retrieve more relevant target tweets. The process of
matching proper names between Arabic and English is a difficult task, because these two
languages use different scripts. For that, we used an approach which projects the sounds of an
English proper name into Arabic and aligns it with the most appropriate proper name. We
evaluated the method with a classical measure and compared it to the one we developed. The
experiments have been achieved on two parallel corpora and shows that our measure
outperforms the baseline by 5.6% at R@1 recall.
KEYWORDS
A SURVEY ON RECENT APPROACHES COMBINING CRYPTOGRAPHY AND STEGANOGRAPHYcsandit
Digital communication witnesses a noticeable and continuous development in many
applications in the Internet. Hence, a secure communication sessions must be provided. The
security of data transmitted across a global network has turned into a key factor on the network
performance measures. Cryptography and steganography are two important techniques that are
used to provide network security. In this paper, we conduct a comparative study of
steganography and cryptography. We survey a number of methods combining cryptography and
steganography techniques in one system. Moreover, we present a classification of these
methods, and compare them in terms of the algorithm used for encryption, the steganography
technique and the file type used for covering the information.
A KALMAN FILTERING TUTORIAL FOR UNDERGRADUATE STUDENTSIJCSES Journal
This paper presents a tutorial on Kalman filtering that is designed for instruction to undergraduate
students. The idea behind this work is that undergraduate students do not have much of the statistical and
theoretical background necessary to fully understand the existing research papers and textbooks on this
topic. Instead, this work offers an introductory experience for students which takes a more practical usage
perspective on the topic, rather than the statistical derivation. Students reading this paper should be able
to understand how to apply Kalman filtering tools to mathematical problems without requiring a deep
theoretical understanding of statistical theory.
MULTILINGUAL CONVERSATION ASCII TO UNICODE IN INDIC SCRIPTcsandit
In this paper we discuss the various ASCII based scripts that are made for Indian languages
and the problems associated with these types of scripts. Then we will discuss the solution we
suggest to overcome these problems in the form of “Multilingual ASCII to Unicode Converter”.
We also explain the need of regional languages for the development of a person. This paper also
contains information of UNICODE and various other issues related to regional languages.
SECURING SOFTWARE DEVELOPMENT STAGES USING ASPECT-ORIENTATION CONCEPTSijseajournal
In the past 10 years, the research community has produced a significant number of design notations to
represent security properties and concepts in a design artifact. The need to improve the security of software
has become a key issue for developers.The security function needs to be incorporated into the software
development process at the requirement, analysis, design, and implementation stages as doing so may help
to smooth integration and to protect systems from attack. Security affects all aspects ofa software program,
which makes the incorporation of security features a crosscutting concern. Therefore, this paper looks at
the feasibility and potential advantages of employing an aspect orientation approach in the software
development lifecycle to ensure efficient integration of security.These notations are aimed at documenting
and analyzing security in a software design model. It also proposes a model called the Aspect-Oriented
Software Security Development Life Cycle (AOSSDLC), which covers arrange of security activities and
deliverables for each development stage. It is concluded that aspect orientation is one of the best options
available for installing security features not least because of the benefit that no changes need to be made to
the existing software structure.
National Institute of Standards and Technology (NIST) Cybersecurity Framework...MichaelBenis1
The National Institute of Standards and Technology (NIST) has released version 2.0 of its landmark Cybersecurity Framework (NIST CSF). This framework is a comprehensive set of guidelines, best practices, and standards designed to help organizations manage and reduce cybersecurity risks. It is widely regarded as one of the most important resources for cybersecurity professionals, providing a roadmap for improving cybersecurity posture across various sectors.
The NIST Cybersecurity Framework was first introduced in 2014 in response to Executive Order 13636, which called for the development of a voluntary framework to improve cybersecurity in critical infrastructure. Since then, the framework has been widely adopted by organizations in both the public and private sectors, serving as a valuable tool for managing cybersecurity risks.
D e c e m b e r 2 0 1 4 J O U R N A L O F I N T E R N E T OllieShoresna
D e c e m b e r 2 0 1 4 J O U R N A L O F I N T E R N E T L A W
3
The NIST
Cybersecurity
Framework:
Overview and
Potential Impacts
By Lei Shen
W
ith the recent and increasing number of high-
profile data breaches, businesses are becoming
increasingly concerned about cybersecurity. Such
data breaches have cost the affected companies
millions of dollars due to liability, lawsuits, reduced
earnings, decreased consumer trust, and falling stock
prices, while putting consumers at risk. Even though
the recent attacks have targeted consumer data, such
attacks may have even greater impact when targeted at
the nation’s critical infrastructure. The White House
acknowledged this when it issued Executive Order
13636,1 which required the National Institute of
Standards and Technology (NIST), a non-regulatory
agency of the Department of Commerce, to develop a
“cybersecurity framework” to help regulators and indus-
try participants identify and mitigate cyber risks that
potentially could affect national and economic security.
To develop the framework and gain an under-
standing of the current cybersecurity landscape, NIST
consulted hundreds of security professionals in the
industry. It held a number of workshops that were
attended by many participants from the private sec-
tor, and it reviewed numerous comments to the drafts
of the proposed framework that it posted for review.2
More than 3,000 individuals and organizations con-
tributed to the framework.3
On February 12, 2014, NIST released its final
cybersecurity framework, titled “Framework for
Improving Critical Infrastructure Cybersecurity”
(hereinafter Framework).4 Through the collaborative
public-private partnership, the resulting Framework
adopts industry standards and best practices to provide
a set of voluntary, risk-based measures that can be used
by organizations to address their cybersecurity risk.
Although the goal of the Framework is to better
protect critical infrastructure,5 such as banks and utili-
ties, from cyber attacks, the Framework is a flexible
and technology-neutral document that can be used by
organizations of any size, sophistication level, or degree
of cyber risk. Organizations can use the Framework as a
guideline to assess their existing cybersecurity program
or to build one from scratch, set goals for cybersecurity
that are in sync with their business environment, pri-
oritize opportunities for improvement, or establish a
plan for improving or maintaining their cybersecurity.
The Framework also is a valuable tool to help
executives understand their company’s security prac-
tices. Executives may use the Framework to see how
their company’s cybersecurity practices measure up
to the Framework’s standards, understand where the
company’s vulnerabilities lie, and determine if they
are doing enough.
While the Framework is voluntary and may be
criticized as being little more than a compilation of
established industry securit ...
International Journal of Engineering Research and Development (IJERD)IJERD Editor
journal publishing, how to publish research paper, Call For research paper, international journal, publishing a paper, IJERD, journal of science and technology, how to get a research paper published, publishing a paper, publishing of journal, publishing of research paper, reserach and review articles, IJERD Journal, How to publish your research paper, publish research paper, open access engineering journal, Engineering journal, Mathemetics journal, Physics journal, Chemistry journal, Computer Engineering, Computer Science journal, how to submit your paper, peer reviw journal, indexed journal, reserach and review articles, engineering journal, www.ijerd.com, research journals,
yahoo journals, bing journals, International Journal of Engineering Research and Development, google journals, hard copy of journal
Introduction to Risk Management via the NIST Cyber Security FrameworkPECB
The cyber security profession has successfully established explicit guidance for practitioners to implement effective cyber security programs via the NIST Cyber Security Framework (CSF). The CSF provides both a roadmap and a measuring stick for effective cyber security. Application of the CSF within cyber is nothing new, but the resurgence of Enterprise Security Risk Management and Security Convergence highlight opportunities for expanded application for cyber, physical, and personnel security risks. This NIST CSF can help practitioners build a cross-pollenated understanding of holistic risk.
Main points covered:
• Understand the purpose, value, and application of the NIST CSF in familiar non-technical terms.
• Understand how the Functions and Categories of the NIST CSF (the CSF “Core”) and an organization's “current” and “target” profiles are relevant and valuable in a variety of sectors and environments.
• Understand how an organization’s physical and cyber security resources and stakeholders can align with the NIST CSF as a tool to achieve holistic security risk management.
Presenters:
David Feeney, CPP, PMP has 17 years of security industry experience assisting organizations with risk management matters specific to physical, personnel, and cyber security. He has 9 years of experience with service providers and 8 years of experience within enterprise security organizations. David has worked with industry leaders in the energy, technology, healthcare, and real estate sectors. Areas of specialization include Security Operations Center design and management, Security Systems design and implementation, and Enterprise Risk Management. David holds leadership positions in ASIS International and is also a member of the InfraGard FBI program. David holds Certification Protection Professional (CPP) and Project Management Professional (PMP) certifications.
Andrea LeStarge, MS has over ten years of experience in program management, risk analysis and curriculum development. Being specialized in Homeland Security, Andrea leverages her experience in formerly managing projects to support various Federal Government entities in identifying, detecting and responding to man-made, natural and cyber incidents. She has an established track record in recognizing security gaps and corrective risk mitigation options, while effectively communicating findings to stakeholders, private sector owners and operators, and first-responder personnel within tactical, operational and strategic levels. Overall, Andrea encompasses analytical tradecraft and demonstrates consistent, repeatable and defensible methodologies pertaining to risk and the elements of threat, vulnerability and consequence.
Recorded webinar: https://youtu.be/hxpuYtMQgf0
This article examines the emerging need for software assurance. As defense contractors continue to develop systems for the Department of Defense (DoD) those systems must meet stringent requirements for deployment. However as over half of the vulnerabilities are found at the application layer organizations must ensure that proper mechanisms are in place to ensure the integrity, availability, and confidentiality of the code is maintained. Download paper at https://www.researchgate.net/publication/255965523_Integrating_Software_Assurance_into_the_Software_Development_Life_Cycle_(SDLC)
Numerous security metrics have been proposed in the past for protecting computer networks.
However we still lack effective techniques to accurately measure the predictive security risk of
an enterprise taking into account the dynamic attributes associated with vulnerabilities that can
change over time. In this paper we present a stochastic security framework for obtaining
quantitative measures of security using attack graphs. Our model is novel as existing research
in attack graph analysis do not consider the temporal aspects associated with the
vulnerabilities, such as the availability of exploits and patches which can affect the overall
network security based on how the vulnerabilities are interconnected and leveraged to
compromise the system. Gaining a better understanding of the relationship between
vulnerabilities and their lifecycle events can provide security practitioners a better
understanding of their state of security. In order to have a more realistic representation of how
the security state of the network would vary over time, a nonhomogeneous model is developed
which incorporates a time dependent covariate, namely the vulnerability age. The daily
transition-probability matrices are estimated using Frei's Vulnerability Lifecycle model. We
also leverage the trusted CVSS metric domain to analyze how the total exploitability and impact
measures evolve over a time period for a given network.
PREDICTIVE CYBER SECURITY ANALYTICS FRAMEWORK: A NONHOMOGENOUS MARKOV MODEL F...cscpconf
Numerous security metrics have been proposed in the past for protecting computer networks.
However we still lack effective techniques to accurately measure the predictive security risk of
an enterprise taking into account the dynamic attributes associated with vulnerabilities that can
change over time. In this paper we present a stochastic security framework for obtaining
quantitative measures of security using attack graphs. Our model is novel as existing research
in attack graph analysis do not consider the temporal aspects associated with the
vulnerabilities, such as the availability of exploits and patches which can affect the overall
network security based on how the vulnerabilities are interconnected and leveraged to
compromise the system. Gaining a better understanding of the relationship between
vulnerabilities and their lifecycle events can provide security practitioners a better
understanding of their state of security. In order to have a more realistic representation of how
the security state of the network would vary over time, a nonhomogeneous model is developed
which incorporates a time dependent covariate, namely the vulnerability age. The daily
transition-probability matrices are estimated using Frei's Vulnerability Lifecycle model. We
also leverage the trusted CVSS metric domain to analyze how the total exploitability and impact
measures evolve over a time period for a given network.
What is the NIST Cybersecurity Framework?
Why YOU should care?
How would I apply it?
Would you drive BLINDFOLDED?
A false sense of security?
Without a Security Framework…
Why Cyber Security Framework?
How would I measure my effectiveness?
How Recreation Management Software Can Streamline Your Operations.pptxwottaspaceseo
Recreation management software streamlines operations by automating key tasks such as scheduling, registration, and payment processing, reducing manual workload and errors. It provides centralized management of facilities, classes, and events, ensuring efficient resource allocation and facility usage. The software offers user-friendly online portals for easy access to bookings and program information, enhancing customer experience. Real-time reporting and data analytics deliver insights into attendance and preferences, aiding in strategic decision-making. Additionally, effective communication tools keep participants and staff informed with timely updates. Overall, recreation management software enhances efficiency, improves service delivery, and boosts customer satisfaction.
Designing for Privacy in Amazon Web ServicesKrzysztofKkol1
Data privacy is one of the most critical issues that businesses face. This presentation shares insights on the principles and best practices for ensuring the resilience and security of your workload.
Drawing on a real-life project from the HR industry, the various challenges will be demonstrated: data protection, self-healing, business continuity, security, and transparency of data processing. This systematized approach allowed to create a secure AWS cloud infrastructure that not only met strict compliance rules but also exceeded the client's expectations.
Developing Distributed High-performance Computing Capabilities of an Open Sci...Globus
COVID-19 had an unprecedented impact on scientific collaboration. The pandemic and its broad response from the scientific community has forged new relationships among public health practitioners, mathematical modelers, and scientific computing specialists, while revealing critical gaps in exploiting advanced computing systems to support urgent decision making. Informed by our team’s work in applying high-performance computing in support of public health decision makers during the COVID-19 pandemic, we present how Globus technologies are enabling the development of an open science platform for robust epidemic analysis, with the goal of collaborative, secure, distributed, on-demand, and fast time-to-solution analyses to support public health.
Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...Globus
The Earth System Grid Federation (ESGF) is a global network of data servers that archives and distributes the planet’s largest collection of Earth system model output for thousands of climate and environmental scientists worldwide. Many of these petabyte-scale data archives are located in proximity to large high-performance computing (HPC) or cloud computing resources, but the primary workflow for data users consists of transferring data, and applying computations on a different system. As a part of the ESGF 2.0 US project (funded by the United States Department of Energy Office of Science), we developed pre-defined data workflows, which can be run on-demand, capable of applying many data reduction and data analysis to the large ESGF data archives, transferring only the resultant analysis (ex. visualizations, smaller data files). In this talk, we will showcase a few of these workflows, highlighting how Globus Flows can be used for petabyte-scale climate analysis.
Gamify Your Mind; The Secret Sauce to Delivering Success, Continuously Improv...Shahin Sheidaei
Games are powerful teaching tools, fostering hands-on engagement and fun. But they require careful consideration to succeed. Join me to explore factors in running and selecting games, ensuring they serve as effective teaching tools. Learn to maintain focus on learning objectives while playing, and how to measure the ROI of gaming in education. Discover strategies for pitching gaming to leadership. This session offers insights, tips, and examples for coaches, team leads, and enterprise leaders seeking to teach from simple to complex concepts.
Experience our free, in-depth three-part Tendenci Platform Corporate Membership Management workshop series! In Session 1 on May 14th, 2024, we began with an Introduction and Setup, mastering the configuration of your Corporate Membership Module settings to establish membership types, applications, and more. Then, on May 16th, 2024, in Session 2, we focused on binding individual members to a Corporate Membership and Corporate Reps, teaching you how to add individual members and assign Corporate Representatives to manage dues, renewals, and associated members. Finally, on May 28th, 2024, in Session 3, we covered questions and concerns, addressing any queries or issues you may have.
For more Tendenci AMS events, check out www.tendenci.com/events
Into the Box Keynote Day 2: Unveiling amazing updates and announcements for modern CFML developers! Get ready for exciting releases and updates on Ortus tools and products. Stay tuned for cutting-edge innovations designed to boost your productivity.
top nidhi software solution freedownloadvrstrong314
This presentation emphasizes the importance of data security and legal compliance for Nidhi companies in India. It highlights how online Nidhi software solutions, like Vector Nidhi Software, offer advanced features tailored to these needs. Key aspects include encryption, access controls, and audit trails to ensure data security. The software complies with regulatory guidelines from the MCA and RBI and adheres to Nidhi Rules, 2014. With customizable, user-friendly interfaces and real-time features, these Nidhi software solutions enhance efficiency, support growth, and provide exceptional member services. The presentation concludes with contact information for further inquiries.
Check out the webinar slides to learn more about how XfilesPro transforms Salesforce document management by leveraging its world-class applications. For more details, please connect with sales@xfilespro.com
If you want to watch the on-demand webinar, please click here: https://www.xfilespro.com/webinars/salesforce-document-management-2-0-smarter-faster-better/
SOCRadar Research Team: Latest Activities of IntelBrokerSOCRadar
The European Union Agency for Law Enforcement Cooperation (Europol) has suffered an alleged data breach after a notorious threat actor claimed to have exfiltrated data from its systems. Infamous data leaker IntelBroker posted on the even more infamous BreachForums hacking forum, saying that Europol suffered a data breach this month.
The alleged breach affected Europol agencies CCSE, EC3, Europol Platform for Experts, Law Enforcement Forum, and SIRIUS. Infiltration of these entities can disrupt ongoing investigations and compromise sensitive intelligence shared among international law enforcement agencies.
However, this is neither the first nor the last activity of IntekBroker. We have compiled for you what happened in the last few days. To track such hacker activities on dark web sources like hacker forums, private Telegram channels, and other hidden platforms where cyber threats often originate, you can check SOCRadar’s Dark Web News.
Stay Informed on Threat Actors’ Activity on the Dark Web with SOCRadar!
Listen to the keynote address and hear about the latest developments from Rachana Ananthakrishnan and Ian Foster who review the updates to the Globus Platform and Service, and the relevance of Globus to the scientific community as an automation platform to accelerate scientific discovery.
How to Position Your Globus Data Portal for Success Ten Good PracticesGlobus
Science gateways allow science and engineering communities to access shared data, software, computing services, and instruments. Science gateways have gained a lot of traction in the last twenty years, as evidenced by projects such as the Science Gateways Community Institute (SGCI) and the Center of Excellence on Science Gateways (SGX3) in the US, The Australian Research Data Commons (ARDC) and its platforms in Australia, and the projects around Virtual Research Environments in Europe. A few mature frameworks have evolved with their different strengths and foci and have been taken up by a larger community such as the Globus Data Portal, Hubzero, Tapis, and Galaxy. However, even when gateways are built on successful frameworks, they continue to face the challenges of ongoing maintenance costs and how to meet the ever-expanding needs of the community they serve with enhanced features. It is not uncommon that gateways with compelling use cases are nonetheless unable to get past the prototype phase and become a full production service, or if they do, they don't survive more than a couple of years. While there is no guaranteed pathway to success, it seems likely that for any gateway there is a need for a strong community and/or solid funding streams to create and sustain its success. With over twenty years of examples to draw from, this presentation goes into detail for ten factors common to successful and enduring gateways that effectively serve as best practices for any new or developing gateway.
Accelerate Enterprise Software Engineering with PlatformlessWSO2
Key takeaways:
Challenges of building platforms and the benefits of platformless.
Key principles of platformless, including API-first, cloud-native middleware, platform engineering, and developer experience.
How Choreo enables the platformless experience.
How key concepts like application architecture, domain-driven design, zero trust, and cell-based architecture are inherently a part of Choreo.
Demo of an end-to-end app built and deployed on Choreo.
Cyaniclab : Software Development Agency Portfolio.pdfCyanic lab
CyanicLab, an offshore custom software development company based in Sweden,India, Finland, is your go-to partner for startup development and innovative web design solutions. Our expert team specializes in crafting cutting-edge software tailored to meet the unique needs of startups and established enterprises alike. From conceptualization to execution, we offer comprehensive services including web and mobile app development, UI/UX design, and ongoing software maintenance. Ready to elevate your business? Contact CyanicLab today and let us propel your vision to success with our top-notch IT solutions.
Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...informapgpstrackings
Keep tabs on your field staff effortlessly with Informap Technology Centre LLC. Real-time tracking, task assignment, and smart features for efficient management. Request a live demo today!
For more details, visit us : https://informapuae.com/field-staff-tracking/
Why React Native as a Strategic Advantage for Startup Innovation.pdfayushiqss
Do you know that React Native is being increasingly adopted by startups as well as big companies in the mobile app development industry? Big names like Facebook, Instagram, and Pinterest have already integrated this robust open-source framework.
In fact, according to a report by Statista, the number of React Native developers has been steadily increasing over the years, reaching an estimated 1.9 million by the end of 2024. This means that the demand for this framework in the job market has been growing making it a valuable skill.
But what makes React Native so popular for mobile application development? It offers excellent cross-platform capabilities among other benefits. This way, with React Native, developers can write code once and run it on both iOS and Android devices thus saving time and resources leading to shorter development cycles hence faster time-to-market for your app.
Let’s take the example of a startup, which wanted to release their app on both iOS and Android at once. Through the use of React Native they managed to create an app and bring it into the market within a very short period. This helped them gain an advantage over their competitors because they had access to a large user base who were able to generate revenue quickly for them.
Globus Connect Server Deep Dive - GlobusWorld 2024Globus
We explore the Globus Connect Server (GCS) architecture and experiment with advanced configuration options and use cases. This content is targeted at system administrators who are familiar with GCS and currently operate—or are planning to operate—broader deployments at their institution.
2. 52 Computer Science & Information Technology (CS & IT)
However, in this paper, we show that NIST CSF is not comprehensive to address all information
security related processes that are addressed in some of those frameworks. The main objective of
the framework is to manage cyber security risks within the organizations that implement it. In the
NIST CSF, the Framework Implementation Tiers" part, referred to as Tiers", is detailed as one
of three parts that the framework consists of [1]. However, the Tiers does not provide
organizations with a mechanism to measure the progress of implementing NIST CSF or their
maturity level and information security processes' capabilities. Tiers is just visionary tool that
allows organizations to understand their cyber security risk management approach and what are
the processes in place to manage the risk. NIST official web site [2] has stated that the Tiers are
not intended to be measurement tool to maturity levels.
This paper is a comprehensive comparison between NIST CSF, COBIT, ISO/IEC 27001 and ISF
frameworks. It identifies the gap of key information security processes that are addressed in some
frameworks but not in NIST CSF. We fill this gap and propose a new capability maturity model
(CMM) to measure NIST CSF implementation progress.
2. OVERVIEW OF THE NIST CYBER SECURITY FRAMEWORK
The NIST CSF consists of three main parts in which, cyber security is considered as a risk that is
managed through the enterprise risk management process [1]. Thus, we identify the NIST CSF
framework as risk-based framework. The three parts are: framework core, risk tiers, and
framework profile.
Table 1: Frameworks Comparison
Framework Control Categories Control Objectives Activities
NIST CSF [1] Functions (5) Categories (22) Subcategories (98)
ISF [3] Categories (4) Areas (26) Topics (118)
ISO27001 (2013) [4] Clauses (14) Control objective (35) Controls (114)
COBIT5 (2013) [5] Domains (5) Processes (37) Practices (210)
2.1 FRAMEWORK CORE
The framework core consists of a set of cyber security activities. These activities are grouped in
Subcategories" which are grouped too in Categories". The categories are sorted in five different
Functions": Identify, Protect, Detect, Respond, and Recover. The NIST CSF five functions are
concurrent and continuous. When the functions collectively implemented they form a high-level
and strategic view of the cyber security risk management program. The Framework Core part has
also the desired outcomes (controls objectives) and informative references. Informative
references are list of cyber security activities in standards, guidelines, or practices such as as
COBIT, ISO/IEC 27001 and the ISF SoGP. The comparison between the NIST CSF and other
frameworks will be done on the level of the cyber security activities to ensure that all key
information securities activities are addressed. Table 1 compares the structure of NIST CSF with
the structure of selected sample of frameworks.
3. Computer Science & Information Technology (CS & IT) 53
2.2 RISK TIERS
The Tiers part of the NIST CSF is a visionary tool that allows organizations to understand their
cyber security risk management approach and what are the processes in place to manage the risk.
Based on the identified processes in place, the organization may be classified in one of four tier
levels. The tier levels range from Partial" in Tier 1,Risk Informed" in Tier 2, Repeatable" in
Tier 3, to Adaptive" in Tier 4.
2.3 FRAMEWORK PROFILE
The framework profile, referred to as profile", is a tool to document, implement, and track the
organizations' opportunities for improving their cyber security posture. The profile has the current
cyber security activities implemented by the organization, as well as the planned activities to be
implemented in order to close the gap between the current and the to-be" state. Organizations
need to identify which cyber security activities are needed to improve the current state based on
risk assessment to identify risks that may prevent achieving the business objectives.
3. RELATED WORK
We reviewed the Baldrige Excellence Framework" and Baldrige Excellence Builder" at NIST
website [6]. We found that these two documents were not introduced to serve as Maturity Model.
However, they are a continues effort linked to the Tiers, where the main aim is to help
organizations to evaluate how effective is their cyber security risk management effort. The
Baldrige Excellence Builder links the cyber security program with several areas such as
leadership, customers, employees, and the outcome results. In [7], the authors proposed a method
to select measures which evaluate the gap between the current and the target states based on the
NIST CSF risk Tiers. In [8], on the other hand, the authors highlighted the need for Compliance
Assessment in order to reduce the gap in the Processes pillar (one of three pillars including
Human Resources and Technology). Therefore, they proposed a model that is generic to allow for
overall compliance evaluation.
4. NIST CSF EVALUATION
NIST CSF, as a framework, has the following nature:
• Focus on information security high-level requirements.
• Applicable for the development of information security program and policy
Examples of other frameworks include, COBIT, ISO/IEC 27001 and the ISF SoGP for
Information Security. However, the detailed cyber security activities are usually listed in
standards, guidelines, and practices. They have the following nature:
• Focus on information security technical and functional controls (customizable).
• Applicable for developing checklists and conducting compliance/audit assessments.
Examples of standards and guidelines include NIST SP 800-53, ISO-27001 Annex, and ISF
SoGP. The NIST CSF has mapped number of standards in the informative references. The
mapped standards include NIST SP 800 series, COBIT 5, ISA 62443, ISO/IEC 27001:2013, and
4. 54 Computer Science & Information Technology (CS & IT)
CCS [1]. ISF SoGP was not mapped in the NIST CSF framework. Therefore, we will use the ISF
SoGP mapping [9] to NIST CSF to conduct the comparison with NIST CSF.
NIST CSF clearly indicates that organizations planning to implement it can use their existing
processes and place them on top of the NIST CSF to identify gaps with respect to the framework
[1]. However, this assumes that NIST CSF will be comprehensive and adopted framework will be
always equal or less than NIST. This is illustrated in Figure 1-a.
Of course the other scenario of NIST CSF being not comprehensive and has a gap when
compared with other frameworks is possible. In order to verify this scenario (illustrated in Figure
1-b), we matched all mapped CSF informative references with the corresponding framework.
Numeric statistics of this match are as follows:
Framework CSF Gap Gap %
-----------------------------------------------
ISO 27001 93 21 18.4%
ISF 49 69 58.5%
COBIT5 165 45 21.4%
Figure 1: Two gap scenarios for CSF being comprehensive
We found that the compliance process is one gap area, related to information security, that is
identified and need to be addressed in future update to NIST CSF. For example, MEA03
(Monitor, Evaluate and Assess Compliance with External Requirements) is a COBIT process that
is not mapped to NIST CSF. Also, SI2.3 (Monitoring Information Security Compliance) is ISF
process that is not mapped to NIST CSF. In addition, ISO/IEC 27001 has one process (A.18:
Compliance) that is partially mapped to NIST CSF. NIST CSF has mapped only the following
five ISO/IEC processes: A.18.1 (Compliance with legal and contractual requirements), A.18.1.3
(Protection of records), A.18.1.4 (Privacy and protection of personally identifiable information),
A.18.2.2 (Compliance with security policies and standards), and A.18.2.3 (Technical compliance
review).
We traced the Compliance Assessment in NIST 800 series and found two main publications ([10]
and [11]) that highlighted this topic. The Compliance Assessment was addressed under the Risk
Monitoring process, roles and responsibilities associated with it. The two main objectives of the
Risk Monitoring process are to verify the existence of the control (Compliance) and the efficiency
5. Computer Science & Information Technology (CS & IT) 55
of the control to mitigate the risk [11]. Compliance assessment is very essential to ensure that
identified control to mitigate the risk is implemented correctly and operating as intended. For
detailed responsibilities of each role in the compliance process refer to the following in [10]:
Role Reference [10]
-------------------------------------------------------------------
Info. system owner Sec. D.9, Page D-5
Info. system security officer Sec. D.10, Page D-6
info. security architect sec. D.11, Page D-6
security control assessor sec. D.13, Page D-7
We propose to add the compliance assessment process as a process in NIST CSF (be the category
number 23). This category will contain the missed subcategories highlighted previously. The
process should at least contain the following as subcategories:
• Legal and Regulatory Compliance
• Information Privacy
• Intellectual property
• Compliance with security policies and standards
5. MEASURING MATURITY OF ORGANIZATIONS IMPLEMENTING NIST
CSF
The profile part of the NIST CSF is focused on tracking the organization progress in implement-
ing the gaps to move from the current state to the defined target. NIST CSF has provided the
Tiers as visionary tool that allows organizations to understand their cyber security risk
characteristics. However, as we highlighted in Section 1, Tiers does not provide organizations
with a mechanism to measure the progress of implementing NIST CSF or their maturity level and
information security processes capabilities.
Therefore, a maturity model is needed to measure the information security processes capabilities.
The main objective of such maturity model is to identify a baseline to start improving the security
posture of an organization when implementing NIST CSF. The maturity model then is used in
cycles to build consensus, set the priorities of investment in information security, and after all
measure the implementation progress [12]. Some of the frameworks that we studied come with
maturity model (like COBIT and ISF). For other frameworks that do not have maturity model like
ISO 27001, other information security related maturity models like ONG C2M2 and SSE MM are
used (Figures 2 and 3). We studied the different maturity models to verify if they map to each
other in order to utilize any of them to measure the maturity of organizations implementing NIST
CSF. The main focus of our study was to compare the scale used by each model and the domains
evaluated by each model.
We reviewed the four maturity models SSE CMM [13], ONG C2M2 [14], ISF MM [15], and
COBIT PAM MM [16]. Unlike the other three maturity models, ONG C2M2 is three scale model
and assesses ten domains. Refer to Figure 2.
6. 56 Computer Science & Information Technology (CS & IT)
Figure 2: ONG C2M2 Maturity Model scales and domains
Figure 3: SSE Maturity Model scales and domains
While SSE CMM (Figure 3), ISF MM (Figure 4) and PAM MM (Figure 5) are the same scale
maturity models, yet the problem of mapping exists. In Table 2, we identified that level 2
Planned and Tracked" of SSE CMM is not mapped to any of the other maturity models. Figure 3
illustrates the levels and domains of SSE CMM. On the other hand, in ISF MM and PAM MM,
level 2 and 3 is the opesite of each other. Figures 4 and 5 illustrate the levels and domains of ISF
MM and PAM MM.
Figure 4: ISF Maturity Model scales and domains
7. Computer Science & Information Technology (CS & IT) 57
Figure 5: PAM Maturity Model scales and domains
We performed a comprehensive comparison of all the domains in the four maturity models. These
domains are carefully examined in an attempt to verify the applicability of any maturity model
regardless of the deployed framework. However, our study shows the lack of one-to-one mapping
or any clear way to map these domains in an applicable way. There are items in certain models
that are mapped to multiple items in other models. While other items have no mapping as show in
Table 3. For example, Monitor Posture" in SSE CMM is mapped to three items in ISF MM, three
items in PAM, and two items in ONG C2M2. While Monitor and Control Technical Effort" in
SSE CMM and Manage Operation" in PAM have no mapping in ISF MM and ONG C2M2.
Moreover, the Administer Security Controls" in SSE MM is mapped to seven items in PAM
MM.
Table 2: Maturity Models Scale Comparison
SSE CMM [13] ISF MM [15] COBIT PAM [16] ONG C2M2 [14]
L1
Performed Informally
L1
Performed
L1
Performed Process
L1
Performed but Ad-hoc
L2
Planned and Tracked
No Mapping No Mapping No Mapping
L3
Well Defined
L2
Planned
L3
Established Process
L2
Defined and Resourced
No Mapping L3
Managed
L2
Managed Process
L3
Governed and
Effectively Resourced
L4
Quantitatively Controlled
L4
Measured
L4
Predictable Process
No Mapping
L5 Tailored L5
Continuously Improving
L5
Optimizing Process
No Mapping
Our study, as summarized in Tables 2 and 3, illustrates the mapping of ONG C2M2 with the
other three maturity models in Table 2. It shows that ONG C2M2 has similarity and map to the
first three levels of the ISF MM (Figure 4). However, there is a gap in the assessed areas due to
the difference in the number of both maturity models (10 assessed areas in ONG C2M2 versus 21
in ISF MM). There are assessed areas in ISF MM which are not mapped to ONG C2M2 such as
Compliance", Security Audit", Security Architecture", and Secure Application Development".
Other areas of ONG C2M2 are mapped to more than one area in ISF MM. For example, Cyber
security Program Management" in ONG C2M2 was mapped to three areas in ISF MM,
namely,Security Strategy", Security Governance", and Security Policy".
9. Computer Science & Information Technology (CS & IT) 59
6. PROPOSED INFORMATION SECURITY MATURITY MODEL
In the previous sections, we discussed few critical issues about NIST CSF framework. In order to
understand the importance of a new cabability maturity modle for the NIST CSF, we highlight the
following factors:
• The need for business management to measure the maturity of the security program to
assure the reliability of the IT services enabling and supporting their business [12].
• NIST CSF framework tiers are not intended to be measurement tool to maturity levels
[2].
• The identified gap in NIST CSF.
• The lack of (one-to-one) mapping in both scale levels and the assessed areas of the
different existing maturity modules.
Taking into considerations all the above factors, there is a need to define a new CMM for NIST
CSF. Therefore, we propose a five-level scale with 23 assessed areas as shown in Figure 6. Our
suggested assessed areas are shown in Table 4. These areas are the 22 in NIST CSF categories
plus the compliance assessment (No. 6 in Table 4).
Three of the four maturity models we compared are five-level scales in addition of other five
information security related maturity models reviewed by [12]. This supports our decision to
make the proposed maturity model a five-level scale. However, detailed review of the required
scale characteristics, such as the scale levels, scale level definitions, or scale measures (staged
versus continuous), need to be addressed in future work.
The proposed ISMM will enable the organizations to measure their implementation progress over
time. They will use the same measuring tool in a regular basis to ensure maintaining the desired
security posture. Furthermore, using the same measuring tool by different organizations will
allow the benchmarking between those organizations [12].
10. 60 Computer Science & Information Technology (CS & IT)
Table 4: The 23 assessed areas of the proposed maturity model
1 Asset Management
2 Business Environment
3 Governance
4 Risk Assessment
5 Risk Management Strategy
6 Compliance
Assessment
7 Access Control
8 Awareness and Training
9 Data Security
10 Information Protection Processes and Procedures
11 Maintenance
12 Protective Technology
13 Anomalies and Events
14 Security Continuous Monitoring
15 Detection Processes
16 Response Planning
17 Response Communications
18 Response Analysis
19 Response Mitigation
20 Response Improvements
21 Recovery Planning
22 Recovery Improvements
23 Recovery Communications
Figure 6: Proposed Information Security Maturity Model (ISMM)
7. CONCLUSION
NIST CSF has been introduced to organizations with critical infrastructure as an integrated
framework to implement in order to improve their security postures. The NIST recommended to
use the framework on top of and to complement any implemented framework within the
organization. The ongoing enhancement nature of the information security programs drives the
organizations to continuously measure their capabilities of achieving the desired outcome of the
11. Computer Science & Information Technology (CS & IT) 61
implemented framework. The organizations use the capability maturity models to evaluate their
capabilities. This will give the management of the organization the bases of their decisions to
define and prioritize their investment strategy in building the information security.
This paper considered the evaluation of the NIST CSF comprehensiveness to ensure that it will
cover any existing framework. Moreover, the paper reviewed number of maturity models to
assess the applicability to use with NIST CSF and the existence of mapping between the NIST
CSF control objectives and the assessed areas. The paper used three information security related
frameworks (ISO 27001, ISF, and COBIT5) and four maturity models (ISF, PAM, SSE CMM,
and ONG C2M2).
The review considered the mapping made by NIST CSF to other frameworks and confirmed that
the NIST CSF did not adequately address the compliance assessment process. The evaluation of
the maturity models considered the scale levels definitions and the assessed areas. In both
dimensions, there was no one-to-one mapping between the different maturity models. Therefore,
we concluded that none of the evaluated maturity models can be used with NIST CSF to have a
wide coverage and mapping to implemented framework. The paper proposed a new maturity
model of five-level scale and include the twenty two NISCT CSF categories with addition of the
compliance assessment process.
As for the future work, first, this paper shows the comparison between the assessed areas in
different maturity models, but it did not compare them with the NIST CSF. This comparison is
important to identify which maturity model can be used as a bases to define the scale levels of the
proposed NIST CSF maturity model. The scope of the comparison also needs to be expanded to
cover more cyber security and information security related maturity models such as the
Community Cyber Security Maturity Model [17] and the Information Security Governance model
[12]. Second, the current best practice of the information security business structure needs to be
considered to resort the 23 assessed areas according to that structure grouping areas performed in
one entity together. For example, business processes like the asset management, change
management, threat monitoring, or risk management might be used to group related NIST CSF
categories.
REFERENCES
[1] NIST, Framework for improving critical infrastructure cybersecurity,"
http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf, 2014.
[2] N. Keller, Cybersecurity framework faqs framework components,"
https://www.nist.gov/cyberframework/cybersecurity-framework-faqs-frameworkcomponents, 2015,
accessed: December 11, 2016.
[3] ISF, The standard of good practices for information security," in Information Security Forum ISF,
2014.
[4] S. Schweizerische, Information technology-security techniques-information security management
systems-requirements," ISO/IEC International Standards Organization, 2013.
[5] ISACA, Cobit 5: A business framework for the governance and management of enterprise it," 2012.
12. 62 Computer Science & Information Technology (CS & IT)
[6] L. Scott, Baldrige cybersecurity initiative," https://www.nist.gov/baldrige/productsservices/baldrige-
cybersecurity-initiative, 2016, accessed: November 10, 2016.
[7] S. Fukushima and R. Sasaki, Application and evaluation of method for establishing consensus on
measures based on cybersecurity framework," in The Third International Conference on Digital
Security and Forensics (DigitalSec2016), 2016, p. 27.
[8] N. Teodoro, L. Goncalves, and C. Serr~ao, Nist cybersecurity framework compliance: A generic
model for dynamic assessment and predictive requirements," in Trustcom/BigDataSE/ISPA, 2015
IEEE, vol. 1. IEEE, 2015, pp. 418{425.
[9] ISF, Isf standard and nist framework poster," in Information Security Forum ISF, 2014.
[10] J. T. FORCE and T. INITIATIVE, Guide for applying the risk management framework to federal
information systems," NIST special publication, vol. 800, p. 37, 2010.
[11] P. D. Gallagher and G. Locke, Managing information security risk organization, mission, and
information system view," National Institute of Standards and Technology, 2011.
[12] M. Lessing, Best practices show the way to information security maturity,"
http://hdl.handle.net/10204/3156, 2008, accessed: January 10, 2017.
[13] Carnegie-Mellon-University, Systems security engineering capability maturity model (sse-cmm)
model description document version 3.0," 1999.
[14] D. of Energy, Oil and natural gas subsector cybersecurity capability maturity model (ong-c2m2
v1.1)," Department of Energy, Washington, DC: US, 2014.
[15] ISF, Time to grow using maturity models to create and protect value," in Information Security Forum
ISF, 2014.
[16] ISACA, COBIT Process Assessment Model (PAM): Using COBIT 5. ISACA, 2013.
[17] G. B. White, The community cyber security maturity model," in Technologies for Homeland
Security (HST), 2011 IEEE International Conference on. IEEE, 2011, pp. 173{178.
![David C. Wyld et al. (Eds) : ITCS, SIP, CST, ARIA, NLP - 2017
pp. 51– 62, 2017. © CS & IT-CSCP 2017 DOI : 10.5121/csit.2017.70305
INFORMATION SECURITY MATURITY
MODEL FOR NIST CYBER SECURITY
FRAMEWORK
Sultan Almuhammadi and Majeed Alsaleh
College of Computer Sciences and Engineering,
King Fahd University of Petroleum and Minerals,
Dhahran, Saudi Arabia
ABSTRACT
The National Institute of Standards and Technology (NIST) has issued a framework to provide
guidance for organizations within critical infrastructure sectors to reduce the risk associated
with cyber security. The framework is called NIST Cyber Security Framework for Critical
Infrastructure (CSF). Many organizations are currently implementing or aligned to different
information security frameworks. The implementation of NIST CSF needs to be aligned with and
complement the existing frameworks. NIST states that the NIST CSF is not a maturity
framework. Therefore, there is a need to adopt an existing maturity model or create one to have
a common way to measure the CSF implementation progress. This paper explores the
applicability of number of maturity models to be used as a measure to the security poster of
organizations implementing the NIST CSF. This paper reviews the NIST CSF and compares it to
other information security related frameworks such as COBIT, ISO/IEC 27001 and the ISF
Standard of Good Practice (SoGP) for Information Security. We propose a new information
security maturity model (ISMM) that fills the gap in the NIST CSF.
KEYWORDS
Information Security, Maturity Model, Cyber-Security.
1. INTRODUCTION
Many organizations could be aligned with one of the information security related best practice
frameworks. This makes the alignment of the NIST CSF with such frameworks a must. NIST
CSF is a set of industry standards and best practices [1]. The framework of NIST CSF clearly
indicates that organizations planning to implement it can use their existing processes and place
them on top of the NIST CSF to identify gaps with respect to the framework. This implies the
comprehensiveness of the NIST CSF when compared with other frameworks such as COBIT,
ISO/IEC 27001 and ISF Standard of Good Practices (SoGP). Thus, to ensure applicable
alignment with any information security framework, we need to confirm the comprehensiveness
or identify any possible gap in NIST CSF.](https://image.slidesharecdn.com/csit76505-170307113112/85/INFORMATION-SECURITY-MATURITY-MODEL-FOR-NIST-CYBER-SECURITY-FRAMEWORK-Sultan-1-320.jpg)
![52 Computer Science & Information Technology (CS & IT)
However, in this paper, we show that NIST CSF is not comprehensive to address all information
security related processes that are addressed in some of those frameworks. The main objective of
the framework is to manage cyber security risks within the organizations that implement it. In the
NIST CSF, the Framework Implementation Tiers" part, referred to as Tiers", is detailed as one
of three parts that the framework consists of [1]. However, the Tiers does not provide
organizations with a mechanism to measure the progress of implementing NIST CSF or their
maturity level and information security processes' capabilities. Tiers is just visionary tool that
allows organizations to understand their cyber security risk management approach and what are
the processes in place to manage the risk. NIST official web site [2] has stated that the Tiers are
not intended to be measurement tool to maturity levels.
This paper is a comprehensive comparison between NIST CSF, COBIT, ISO/IEC 27001 and ISF
frameworks. It identifies the gap of key information security processes that are addressed in some
frameworks but not in NIST CSF. We fill this gap and propose a new capability maturity model
(CMM) to measure NIST CSF implementation progress.
2. OVERVIEW OF THE NIST CYBER SECURITY FRAMEWORK
The NIST CSF consists of three main parts in which, cyber security is considered as a risk that is
managed through the enterprise risk management process [1]. Thus, we identify the NIST CSF
framework as risk-based framework. The three parts are: framework core, risk tiers, and
framework profile.
Table 1: Frameworks Comparison
Framework Control Categories Control Objectives Activities
NIST CSF [1] Functions (5) Categories (22) Subcategories (98)
ISF [3] Categories (4) Areas (26) Topics (118)
ISO27001 (2013) [4] Clauses (14) Control objective (35) Controls (114)
COBIT5 (2013) [5] Domains (5) Processes (37) Practices (210)
2.1 FRAMEWORK CORE
The framework core consists of a set of cyber security activities. These activities are grouped in
Subcategories" which are grouped too in Categories". The categories are sorted in five different
Functions": Identify, Protect, Detect, Respond, and Recover. The NIST CSF five functions are
concurrent and continuous. When the functions collectively implemented they form a high-level
and strategic view of the cyber security risk management program. The Framework Core part has
also the desired outcomes (controls objectives) and informative references. Informative
references are list of cyber security activities in standards, guidelines, or practices such as as
COBIT, ISO/IEC 27001 and the ISF SoGP. The comparison between the NIST CSF and other
frameworks will be done on the level of the cyber security activities to ensure that all key
information securities activities are addressed. Table 1 compares the structure of NIST CSF with
the structure of selected sample of frameworks.](data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7)