The Center for Education and Research in Information Assurance and Security (CERIAS)

The Center for Education and Research in
Information Assurance and Security (CERIAS)

Measuring the State of Indiana's Cybersecurity

Download

Download PDF Document
PDF

Author

James E. Lerums

Tech report number

CERIAS TR 2019-2

Entry type

phdthesis

Abstract

This dissertation introduces a scorecard to enable the State of Indiana to measure the cybersecurity of its public and private critical infrastructure and key resource sector organizations. The scorecard was designed to be non-threatening and understandable so that even small organizations without cybersecurity expertise can voluntarily self-asses their cybersecurity strength and weaknesses. The scorecard was also intended to enable organizations to learn, so that they may identify and self-correct their cybersecurity vulnerabilities. The scorecard provided quantifiable feedback to enable organizations to benchmark their initial status and measure their future progress. Using the scorecard, the Indiana Executive Council for Cybersecurity launched a Pilot to measure cybersecurity of large, medium, and small organizations across eleven critical infrastructure and key resources sectors. This dissertation presents the analysis and results from scorecard data provided by the Pilot group of 56 organizations. The cybersecurity scorecard developed as part of this dissertation has been included in the Indiana Cybersecurity Strategy Plan published September 21, 2018.

Download

PDF

Date

2019 – 1 – 16

Institution

Purdue University

Key alpha

Critical Infrastructure, Key Resource, Scorecard, Evaluation, Cybersecurity, Strategic Plan

Organization

Department of Computer and Information Technology

School

Purdue University

Publication Date

2019-01-16

Contents

LIST OF TABLES .............................................................................................................. 9 LIST OF FIGURES .......................................................................................................... 10 GLOSSARY ..................................................................................................................... 11 LIST OF ABBREVIATIONS ........................................................................................... 12 ABSTRACT ...................................................................................................................... 13 CHAPTER 1. INTRODUCTION .................................................................................. 14 1.1 Background ........................................................................................................... 14 1.2 Significance........................................................................................................... 15 1.3 Statement of Purpose ............................................................................................ 16 1.4 Research Questions ............................................................................................... 16 1.5 Assumptions .......................................................................................................... 16 1.6 Limitations ............................................................................................................ 17 1.7 Delimitations ......................................................................................................... 18 1.8 Organization .......................................................................................................... 18 LITERATURE REVIEW ....................................................................... 19 2.1 Overview ............................................................................................................... 19 2.2 Critical Infrastructures .......................................................................................... 19 2.3 Fundamentals of Critical Infrastructure Industrial Control Systems .................... 20 2.4 Cyber-Physical Attacks ......................................................................................... 23 2.5 Tools for Increasing Critical Infrastructure Cybersecurity ................................... 24 2.5.1 Standards ........................................................................................................ 25 2.5.2 Assessment Tools .......................................................................................... 27 2.5.3 Vendors’ Solutions ........................................................................................ 29 2.6 Challenges to Improving Cybersecurity ............................................................... 30 2.6.1 Identifying Cybersecurity Resource Considerations ..................................... 30 2.6.2 Cybersecurity Costs -Benefit Analysis .......................................................... 31 2.6.3 Additional Issues that May Affect Improving Cybersecurity ........................ 33 2.6.3.1 Regulated Rate Pricing ............................................................................. 34 2.6.3.2 Critical Infrastructures Organization Sizes ............................................... 34 2.7 Summary ............................................................................................................... 36 METHODS AND PROCEDURES ......................................................... 37 3.1 Overview ............................................................................................................... 37 3.2 Research Questions ............................................................................................... 37 3.3 The State of Indiana’s Cybersecurity Scorecard Initiative Background ............... 38 3.4 Designing the Cybersecurity Scorecard (Study Design) ...................................... 40 3.5 Participants and Recruitment Process ................................................................... 49 3.6 Data Collection Procedure .................................................................................... 50 3.7 Data Analysis ........................................................................................................ 50 3.8 Validity and Reliability ......................................................................................... 51 ANALYSIS AND RESULTS ................................................................. 52 4.1 Overview ............................................................................................................... 52 4.2 Survey Demographics ........................................................................................... 52 4.3 Analysis Questions................................................................................................ 54 4.3.1 How Do Questions Rank by Scores? ............................................................. 54 4.3.2 Does Ranking of Questions by Size Differ? .................................................. 57 4.3.3 Does Ranking of Questions by Sectors Differ? ............................................. 58 4.3.4 How do Organization Sizes Rank by Scores? ............................................... 59 4.3.5 How do Sectors Rank by Score? ................................................................... 60 4.3.6 Does Information Technology Outsourcing Affect Scores? ......................... 62 4.3.7 Does Cybersecurity Outsourcing Affect Scores? .......................................... 63 4.4 Summary ............................................................................................................... 65 DISCUSSION AND RECOMMEDATIONS ......................................... 66 5.1 Research Question 1 ............................................................................................. 67 5.2 Answer to Research Question 1 ............................................................................ 67 5.3 Research Question 2 ............................................................................................. 67 5.4 Answer to Research Question 2 ............................................................................ 67 5.5 Significance of This Study .................................................................................... 68 5.6 Implications for Indiana Critical Infrastructure Cybersecurity ............................. 71 5.7 Recommendations for Future Studies ................................................................... 73 5.8 Summary ............................................................................................................... 74 APPENDIX A. INDIANA CYBERSECURITY SCORECARD ..................................... 76 APPENDIX B. SCORECARD ALIGNMENT WITH NIST-CSF CATEGORIES ......... 87 APPENDIX C. SCORECARD QUALTRICS CONFIGURATION ................................ 89 APPENDIX D. QUALTRICS EXPORT AND EXCEL DATA CODING .................... 106 APPENDIX E. SPSS PREPARATION STEPS FOR STATISTICAL ANALYSIS ..... 111 APPENDIX F. SAS STEPS FOR POWER PROCEDURE ANALYSIS ...................... 115 APPENDIX G PILOT GROUP SCORECARD DATA ................................................. 117 LIST OF REFERENCES ................................................................................................ 119 VITA ............................................................................................................................... 124

BibTex-formatted data

To refer to this entry, you may select and copy the text below and paste it into your BibTex document. Note that the text may not contain all macros that BibTex supports.