Figure 2, adopted from [1], shows the core of the Cybersecurity Resilience Maturity Assessment Framework (CRMAF) for Critical National Information Infrastructure (CNII). The framework is derived from the national cyberspace operational structure described in [25], which identifies three layers of national cyber operations: government, organisation and the individual. In this context, the CRMAF is designed to measure organisational cybersecurity resilience. Nevertheless, the organisational resilience scores of key CNIIs can be aggregated and normalised to provide insight into national cybersecurity resilience. As illustrated in Figure 2, the CRMAF consists of three major components: the cybersecurity controls, the cybersecurity resilience mathematical model (a computational algorithm) and the CNII resilience quadrant (CNIIRQ).
Cybersecurity controls: these are a set of functions and sub-functions that provide the basis for measuring the degree of maturity, that is, the cybersecurity resilience maturity of a CNII. In the CRMAF, the cybersecurity controls are broken down into five distinct but connected layers, namely the resilience measure (RM), resilience controls (RCs), resilience function categories (RFCs), resilience functions (RFs) and resilience temporal dimensions (RTDs), with each layer providing inputs to the layer immediately adjoining it from left to right. The RTDs, based on [5], [7], [26], define resilience in terms of a system's ability to prevent an incident from occurring (pre-event), minimise the impact and duration of an attack (event-management), and recover to optimal service after an attack (post-event). The theoretical concepts and cybersecurity frameworks described in this article were adopted to conceptualise the building blocks of the framework core. The components are described in detail in the following sections.
The RTDs are linked to the resilience functions (RFs), which supply inputs into the RTDs. There are five RFs, derived from the five pillars of the NIST cybersecurity framework [27] (i.e. identify, protect, detect, respond and recover), and they are mapped onto the three RTDs: the pre-event RTD has the identify, protect and detect RFs, while the respond and recover RFs are mapped onto the event-management and post-event RTDs respectively. The remaining cybersecurity controls are the resilience function categories (RFCs) and the resilience controls (RCs), each providing inputs into the adjoining layer: RCs are mapped onto the relevant RFCs, and RFCs onto the relevant RFs.
The Resilience Measure (RM), illustrated as the first (leftmost) of the cybersecurity controls in the CRMAF of Figure 2, is the granular unit of measure of actual cybersecurity practice against the baseline cybersecurity controls described in the framework. Its quantitative weights are defined on a five-level ratio scale from 0 to 4 with equal intervals between adjoining levels. A ratio scale is appropriate because it starts from zero (0) and advances to higher weights [28]; zero represents the absence of a control, which is vital for the quantification of the measurement. The weights of the resilience measure are described in Table 1.
Table 1: Cybersecurity Resilience Measure Scale adopted from [1]
Weight | Qualitative | Description
0 | Not achieved | Complete absence of cybersecurity controls in place.
1 | Loosely achieved | Negligible cybersecurity controls are in place and incoherently applied.
2 | Partially achieved | Moderate cybersecurity controls are in place but not consistently and structurally organised; many and/or important elements are missing.
3 | Largely achieved | Cybersecurity controls are structurally implemented but some elements are missing.
4 | Fully achieved | Best-practice cybersecurity controls are comprehensively implemented.
Based on the scale in Table 1, CNII organisations whose assessed cybersecurity practices attract the highest weight (4) are more resilient than those scoring 1, 2 or 3, and those with zero (0) compliance have zero (0) resilience. The RM is built into the CRMAT (the assessment tool) to enable the quantification of resilience during assessment.
Cybersecurity Resilience Mathematical Model (CRMM)
The CRMM, derived from the cybersecurity controls presented in Figure 2 and described in the preceding section, provides the algorithmic functions for the computational engine of the CRMAT that underpins the quantitative assessment of the cybersecurity resilience maturity of a CNII. The CRMM is presented in Equation (1); its complete derivation is given in [1].
CNIIRI = 0.55(PRTDI) + 0.30(EMRTDI) + 0.15(PoRTDI)    Equation (1)
where PRTDI, EMRTDI and PoRTDI are the indices of the pre-event, event-management and post-event RTDs respectively, each lying between 0.00 and 1.00. Since the weights sum to 1.00, the resulting CNIIRI, which also lies between 0.00 and 1.00, represents the composite CNII resilience index of a CNII organisation.
Cybersecurity Resilience Comparative Quadrant (CRCQ)
The CRCQ, also referred to here as the CNII resilience quadrant (CNIIRQ), provides an intuitive means of analysing and comparing the cybersecurity resilience maturity of organisations. CNII resilience index (CNIIRI) scores are grouped into a four-band scale called the cybersecurity resilience comparative quadrant (CRCQ), which gives a single view of the CNIIRI of several CNII organisations for ranking and for visualising their degree of resilience maturity [29]. The comparative tool is also helpful for comparing the performance of control metrics at different levels, as a way of determining the effects of contributing elements relative to one another. For instance, the weighted scores of the individual elements of the RTD (i.e. pre-event, event-management and post-event) can be compared to determine their respective contributions to the cybersecurity resilience maturity of a CNII organisation. Table 2 provides the score ranges defined for the four quadrants, labelled Q1 to Q4, together with the interpretation of each quadrant.
Table 2: CNII Cybersecurity Resilience Comparative Quadrant (CNIICRCQ) [29].
Quadrant | Composite Value | Note
Q1 | 0.00 – 0.25 | Initial: very low level of resilience resulting from a few resilience controls in place that are incoherently adopted.
Q2 | 0.26 – 0.50 | Defined: low level of resilience as a result of the inconsistent and unstructured application of resilience controls, with many and/or important elements of resilience controls missing.
Q3 | 0.51 – 0.75 | Managed: high resilience occasioned by a structured but inconsistent implementation of resilience controls, with a few and/or minor elements missing.
Q4 | 0.76 – 1.00 | Optimised: optimal resilience achieved, with best-practice cybersecurity controls comprehensively implemented.
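The computation chain described above, from RM weights (Table 1) through the RF-to-RTD mapping, Equation (1) and the Table 2 bands, as an added worked example in Python. This is illustrative code written for this page, not the CRMAT or the model derived in [1]. Because the page does not state the intermediate aggregation, it assumes that an RF index is the mean of its controls' RM weights normalised to 0..1 and that an RTD index is the mean of its RF indices; the assessment data are constructed. The composite score is rounded to two decimal places before banding, because Table 2 defines the bands to two decimals.

```python
from statistics import mean

RM_MAX = 4  # Table 1: RM weights run from 0 (not achieved) to 4 (fully achieved)

# Resilience functions mapped onto the resilience temporal dimensions (from the text).
RF_TO_RTD = {
    "identify": "pre_event",
    "protect": "pre_event",
    "detect": "pre_event",
    "respond": "event_management",
    "recover": "post_event",
}

# Equation (1) weights; they sum to 1.00, so CNIIRI stays within 0.00..1.00.
RTD_WEIGHTS = {"pre_event": 0.55, "event_management": 0.30, "post_event": 0.15}

# Table 2 bands as (inclusive upper bound, quadrant label).
QUADRANTS = [
    (0.25, "Q1 Initial"),
    (0.50, "Q2 Defined"),
    (0.75, "Q3 Managed"),
    (1.00, "Q4 Optimised"),
]

# Constructed assessment (hypothetical): each RF lists the RM weights of its controls.
SAMPLE_ASSESSMENT = {
    "identify": [3, 3, 2, 4],
    "protect": [2, 3, 3, 3],
    "detect": [2, 2, 1, 3],
    "respond": [1, 2, 2, 1],
    "recover": [1, 1, 2, 0],
}


def validate_rm(weight):
    """Reject anything that is not an integer on the Table 1 scale."""
    if isinstance(weight, bool) or not isinstance(weight, int) or not 0 <= weight <= RM_MAX:
        raise ValueError(f"RM weight must be an integer 0..{RM_MAX}, got {weight!r}")
    return weight


def rf_index(rm_weights):
    """Assumed aggregation: mean RM weight of the RF's controls, normalised to 0..1."""
    if not rm_weights:
        raise ValueError("an RF needs at least one assessed control")
    return mean([validate_rm(w) for w in rm_weights]) / RM_MAX


def rtd_indices(assessment):
    """Assumed aggregation: each RTD index is the mean of the indices of its RFs."""
    missing = set(RF_TO_RTD) - set(assessment)
    unknown = set(assessment) - set(RF_TO_RTD)
    if missing or unknown:
        raise ValueError(f"missing RFs {sorted(missing)}, unknown RFs {sorted(unknown)}")
    per_rtd = {rtd: [] for rtd in RTD_WEIGHTS}
    for rf, weights in assessment.items():
        per_rtd[RF_TO_RTD[rf]].append(rf_index(weights))
    return {rtd: mean(values) for rtd, values in per_rtd.items()}


def rtd_contributions(rtd):
    """Weighted term of Equation (1) per RTD, for comparing contributing elements."""
    return {k: RTD_WEIGHTS[k] * rtd[k] for k in RTD_WEIGHTS}


def cniiri(rtd):
    """Equation (1), rounded to the two decimals on which Table 2 is defined."""
    return round(sum(rtd_contributions(rtd).values()), 2)


def quadrant(index):
    """Map a CNIIRI score onto its Table 2 quadrant (upper bounds inclusive)."""
    if not 0.0 <= index <= 1.0:
        raise ValueError(f"CNIIRI must lie in 0.00..1.00, got {index!r}")
    for upper, label in QUADRANTS:
        if index <= upper:
            return label


def assess(assessment):
    """Run the full chain: RM weights -> RF indices -> RTD indices -> CNIIRI -> quadrant."""
    rtd = rtd_indices(assessment)
    score = cniiri(rtd)
    return {
        "rtd": rtd,
        "contributions": rtd_contributions(rtd),
        "cniiri": score,
        "quadrant": quadrant(score),
    }


if __name__ == "__main__":
    result = assess(SAMPLE_ASSESSMENT)
    for name, value in result["rtd"].items():
        print(f"{name:18} index {value:.4f}  contribution {result['contributions'][name]:.4f}")
    print(f"CNIIRI = {result['cniiri']:.2f} -> {result['quadrant']}")
```

With the constructed assessment the pre-event term alone contributes about 0.355 of a composite 0.51, which places the organisation just inside Q3; the per-RTD contributions are what the comparative analysis in the text uses to see which temporal dimension is dragging the score down.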