Abstract
Organizations face a clear need to increase the maturity of their cybersecurity capabilities in order to keep pace with ever-evolving cyber threats and with accelerated institutional digitalization driven by financial reward and competitive edge. In this context, organizations acknowledge the importance of strengthening their cybersecurity programs so as to protect critical business processes, together with the confidentiality, availability, and integrity of information and information systems, through people, processes, and technology, by preventing, detecting, and responding to cyber attackers who resort to sophisticated cyber tactics, techniques, and procedures (TTPs). Meanwhile, national and international standardization bodies have reacted by developing various cybersecurity risk management frameworks and standards that organizations can leverage while maturing their cybersecurity capabilities. In a nutshell, this paper aims to provide a critical evaluation of several widespread cybersecurity risk management frameworks adopted by organizations to alleviate cyber risks. The paper starts with an introduction to the key drivers for adopting a cybersecurity risk management framework within organizations. It then gives an overview of several well-renowned cybersecurity risk management frameworks and related standards, methods, and methodologies. Furthermore, the paper defines the evaluation criteria used for comparing frameworks and provides a holistic evaluation of selected cybersecurity risk management frameworks, aiming to support decision-making with respect to framework selection, facilitate pragmatic implementation of cybersecurity programs, and help organizations cope with cybersecurity risks. Finally, the paper presents the concluding remarks.
Copyright information
© 2021 Springer Nature Switzerland AG
Cite this paper
Giuca, O., Popescu, T.M., Popescu, A.M., Prostean, G., Popescu, D.E. (2021). A Survey of Cybersecurity Risk Management Frameworks. In: Balas, V., Jain, L., Balas, M., Shahbazova, S. (eds) Soft Computing Applications. SOFA 2018. Advances in Intelligent Systems and Computing, vol 1221. Springer, Cham. https://doi.org/10.1007/978-3-030-51992-6_20
DOI: https://doi.org/10.1007/978-3-030-51992-6_20
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-51991-9
Online ISBN: 978-3-030-51992-6
eBook Packages: Intelligent Technologies and Robotics (R0)