Computers & Security 128 (2023) 103139

Contents lists available at ScienceDirect

Computers & Security


journal homepage: www.elsevier.com/locate/cose

Modelling language for cyber security incident handling for critical infrastructures

Haralambos Mouratidis a,∗, Shareeful Islam b, Antonio Santos-Olmo a,c, Luis E. Sanchez a,c, Umar Mukhtar Ismail d

a Institute for Analytics and Data Science, University of Essex, UK
b School of Computing and Information Science, Anglia Ruskin University, UK
c GSyA Research Group, University of Castilla-La Mancha, Ciudad Real, Spain
d Department of Engineering & Computing, University of East London, UK

Article history:
Received 7 September 2022
Revised 27 December 2022
Accepted 12 February 2023
Available online 15 February 2023

Keywords: Critical infrastructure; Meta-model; Incident response; Cyber incident; Cyber course of action; Cyber threat intelligence; Security requirements

Abstract

Cyber security incident handling is a consistent methodology with which to ensure overall business continuity. However, specifically handling incidents for critical information infrastructures is challenging owing to the inherent complexity and evolving nature of the threat. Despite the number of contributions made to cyber incident handling, there is little evidence of literature that focuses on modelling activities that will enhance developers' abilities to model incident handling processes and activities according to different views. Modelling languages of this nature should integrate essential concepts and a descriptive implementation process in order to enable developers to analyse, represent and reason about the crucial incident handling efforts required to support critical information infrastructures. The aim of this paper is, as part of the CyberSANE EU project, to develop a Cyber Incident Handling Modelling Language (CIHML) that focuses explicitly on modelling incident handling in the context of a critical information infrastructure. The work is innovative in its approach because it consolidates concepts from various domains such as security requirements, forensics, threat intelligence, critical infrastructures and cyber incident handling. The approach will allow the phases of the incident handling lifecycle to be modelled from three different views (critical information infrastructures, threat and risk analysis, and incident response). An implementation process is also proposed, which will serve as a comprehensive guide for developers in order to create these modelling views. Finally, CIHML is evaluated using a real-life scenario from the CyberSANE project to demonstrate its applicability. The incident observed had a severe impact on the overall business continuity of the context studied. The results obtained from the study show that CIHML can help critical information infrastructure operators to identify, evaluate, represent and model cyber incidents in critical information systems, in addition to providing the support required to determine the response strategies needed in order to mitigate these cyber-attacks.

© 2023 The Author(s). Published by Elsevier Ltd.
This is an open access article under the CC BY license (http://creativecommons.org/licenses/by/4.0/)

1. Introduction

Critical Information Infrastructures (CIIs), such as energy, transportation and telecommunication networks, are greatly depended upon for the delivery of reliable essential services. The complexity among the various components of CIIs (such as people, processes, and technology) makes them a prime target for cybercriminals. There has recently been a constant increase in the number of high-profile security incidents that continually target CIIs (Lewis, 2019; Maglaras et al., 2018). Cyberattacks are now becoming increasingly more complex, multi-vector, and rapidly evolving, which results in severe disruptions to critical services and overall business continuity (Kure et al., 2022). Despite the significant investments made in order to implement security controls, organisations must develop incident handling processes with which to prepare for impending incidents (Wang and Park, 2017). The research and industrial communities have made several efforts to provide incident handling processes (Papastergiou et al., 2019; Sabillon, 2022; Salvi et al., 2022; Staves et al., 2022). However, there is a lack of focus on model-based approaches to comprehensive incident analysis that would provide a common understanding of possible incidents and their mitigation. This limitation poses a significant challenge for the extensive study and representation of a security incident handling process, especially for CIIs. It also hinders the ability of CII operators to understand the security and privacy-related requirements for incident handling.

This paper presents a new Cyber Incident Handling Modelling Language (CIHML) that supports the analysis, reasoning and representation of cyber incident handling processes in CII. CIHML is part of the research efforts in CyberSANE (footnote 1) to develop a modelling language that will enable CII operators to reason about cyber incident handling requirements and security and privacy requirements. The main aim of the CyberSANE project is to improve the security and resilience of Critical Information Infrastructures through the use of a dynamic collaborative response system with which to manage incidents and analyse and forecast threats. The project places emphasis on the effective interactions among the CII operators and develops correlation techniques and standards that can be employed to analyse events and share information. To this end, CIHML contributes systematic incident management and the coordination of CII operators in order to support the objectives of CyberSANE. This signifies that CIHML is requirements driven: it uses requirements-based concepts (such as actor, goals and constraints) to analyse and model cyber incident handling. The key contributions of this paper are summarised as follows:

• A meta-model that consists of a set of concepts with which to specify and express cyber incident handling according to the specific requirements and contexts of CIIs. It extends requirements engineering concepts, including relevant cybersecurity and privacy domains, in addition to a wide range of industrial best practices, guidelines and standards.
• The provision of a process that guides the effective modelling of security and privacy concerns related to incident handling processes, including the analysis of incidents such as potential impact and the likelihood of an attack, the CII assets affected, the consequences of threats and risks, and incident response strategies.
• The formulation of modelling views with which to represent specific requirements for incident handling. The objective of these modelling views is to drive the practical analysis, prevention, detection, response and mitigation of various cyber incidents. The modelling views entail graphical visualisation that will also facilitate understanding and enhance the ability of CII operators to model and reason about security and privacy requirements.
• CIHML is validated through a real case study from the CyberSANE EU funded project. Our results show that CIHML enables operators to perform the detailed modelling of a cyber incident (Jigsaw Ransomware). It also supports the explicit representation of the potential impact of a cyber incident (according to high, medium and low priority) on the different assets of the context studied in a structured and analysable manner. Moreover, CIHML enables the modelling of mitigation strategies that improve upon existing control measures and more adequately defend against cyberattacks, which are vital to incident response. In general, CIHML provides a better understanding of the entire CII setting and of the overall incident response decision-making and communication process among stakeholders.

The paper is structured as follows: Section 2 covers the related works, while Section 3 presents a description of the approach/methodology, along with the criteria considered in order to develop CIHML. This section also introduces new concepts, a conceptual model, and a process for CIHML. The implementation and evaluation of CIHML is provided in Section 4 by means of a real-life case study derived from the CyberSANE Project. A general discussion is presented in Section 5, and the paper concludes in Section 6.

∗ Corresponding author. E-mail address: h.mouratidis@essex.ac.uk (H. Mouratidis).
1 CyberSANE: https://www.cybersane-project.eu/
https://doi.org/10.1016/j.cose.2023.103139
0167-4048/© 2023 The Author(s). Published by Elsevier Ltd. This is an open access article under the CC BY license (http://creativecommons.org/licenses/by/4.0/)

2. Related work and background

This section presents the existing work that is relevant to our work, including incident handling, security modelling, and relevant standards.

Possible attacks by attackers may lead to various cybersecurity incidents, including critical service operation disruption, data leak and software interruption (Gaidarski and Minchev, 2021; Lehto, 2022). Cybersecurity incident management deals with multiple steps with which to analyse and manage these incidents. Security incidents are undesired events that impact on the different dimensions of the valuable assets that make up a company's information systems (Mahima, 2021). These incidents are caused by failures in the implementation of the security controls that protect these assets, i.e. by vulnerabilities that exist in the information systems. These vulnerabilities are exploited by attempts to reach these assets and cause damage to them (Ramsay et al., 2020).

In order to minimise the damage of these incidents, organisations attempt to apply the most appropriate incident response methods (Prasad and Rohokale, 2020). Many organisations have focused on managing risks through integrated services in Computer Security Incident Response Teams (CSIRTs), as these have proved to be one of the best solutions with which to improve cybersecurity by collaborating with each other, sharing knowledge and learning from cross experiences (Tanczer et al., 2018). However, the implementation of a CSIRT comes at a considerable cost, which makes it suitable only for large organisations, thus implying the need to create simpler and more effective incident management systems for small and medium-sized enterprises (Plėta et al., 2020).

Security incident management and response can be considered a hot research topic with some relevant open questions (Grispos et al., 2017). One of the most relevant questions is how to achieve a reasonable situational awareness in order to discover the situation regarding vulnerabilities, threats and possible security incidents (Ahmad et al., 2021). Intense research has recently been carried out in this area by, for example, proposing models with which to explain how organisations should achieve situational awareness of cybersecurity (Ahmad et al., 2020). It is argued that providing a rapid and efficient response to security incidents clearly supports cybersecurity awareness and improves the overall cybersecurity performance of companies (Naseer et al., 2021), or that misinformation should be considered as one of the key reasons for the lack of situational awareness (Ahmad et al., 2019). Indeed, it is often claimed that attackers take advantage of the lack of corporate communication following cybersecurity incidents (Knight and Nurse, 2020) and the lack of learning from their experiences of incidents (Ahmad et al., 2020). One study concluded that learning from a low impact incident should not be ignored when compared to a high impact incident, thus allowing the organisation to aim for initial and early events (Ahmad et al., 2012).

A number of research proposals have emerged in response to these problems in incident management, and several incident management approaches and frameworks have been introduced with the main objective of providing guidelines with which to enhance incident handling capabilities. Tøndel et al. (2014) provide a systematic overview of current incident management practices based on the underlying phases of the incident management process. The study emphasizes more empirical studies, tacit knowledge and the identification of root causes in order to understand and manage the incident. Nnoli et al. (2012), meanwhile, highlight the importance of effective forensic investigations while analysing the incident, owing to the lack of guidance with which to investigate forensic evidence.


The aforementioned work also emphasizes the consideration of root cause analysis from all dimensions for incident analysis. Metzger et al. (2011) proposed a process-based integrated incident management approach that combines all incident reporting channels for rapid incident response. Papastergiou et al. (2019) present an overview of the CyberSANE system that tackles the incident, concentrating particularly on European Critical Information Infrastructures. The approach integrates active incident handling with a reactive approach in order to provide a real-time insight into attacks and alerts related to cyber events using multiple subcomponents. Athinaiou et al. (2018) developed a security incident response modelling language by integrating a cyber-physical system with incident response considered for health-based critical infrastructures. Incidents are specifically modelled by means of reflexive associations that cascade the influence from one incident to another incident. The model is visually presented using various notations without providing any details on how the incident could be responded to.

There are also works that aim to evaluate the incident handling experience. Kuypers (2017) evaluates how cybersecurity incidents are dealt with in a large organisation. The investigation considers many incidents over a period of time and observes that small incidents are increasing while large incidents are remarkably constant over time. The result shows that organisations have become more efficient at dealing with large cyber incidents when compared to small incidents. Metzger et al. (2011) employed real-world incident investigation as the basis on which to recommend a security incident response process, including clearly defining the roles and responsibilities required to manage an incident. The study also emphasizes the need for centralised monitoring tools and highlights that there are specific low-risk security incidents which may occur frequently. Fombona Cadavieco et al. (2012) investigated incidents in a higher education institute over a period of time, and the results show that software-related incidents are more frequent than other incident types, and that incident rates are constant despite the fact that the number of devices is increasing. Chockalingam and Maathuis (2022) proposed the development of an ontology for security incident management, which aims to make security incident response more practical, and validated it in a case study.

Furthermore, various standards have emerged that attempt to solve some aspects related to security incident management. NIST SP 800-61 (Cichonski et al., 2012) is a widely used structured approach that guides the planning, detection and analysis, reporting and lessons-learned activities needed to manage an incident. ISO provides a basic definition of concepts and phases for information security incident management, including a structured guideline with which to plan and prepare incident management. NIST SP 800-61 provides an incident response guideline that aims to provide practical guidance in order to respond to cybersecurity incidents. The guideline comprises detailed recommendations that can be used to establish an incident response programme with a focus on the structure of an incident response team, the steps required in order to perform incident handling (such as incident detection and analysis), and incident response coordination and information sharing. Furthermore, ETSI TR 103 331 V1.2.1 (2019) provides threat information sharing and exchange in a standardised and structured manner. ENISA (2010) also provides guidelines for incident handling by combining both ISO/IEC and NIST and focuses mainly on the incident response. ISO/IEC 27035:2016 provides guidance on incident management principles (ISO/IEC 27035-1:2016) and guidelines for planning and preparing for incident response (ISO/IEC 27035-2:2016).

Upon concentrating on the case of incident management when focused on critical infrastructures, it will be noted that researchers highlight its importance, as derived from the interdependence of organisations and Advanced Persistent Threats (APTs) (Settanni et al., 2017). Other research highlights the importance of having an effective model that regulates the management of security incidents in critical infrastructures and analyses the characteristics that an incident management model should have, focusing on the energy sector (Plėta et al., 2020). Focusing on the critical sector of airports, attempts have been made to develop some models based on ontologies, which include aspects such as incident management, and attempts have been made to correlate them and enrich them with information from external databases (Canito et al., 2020). With regard to the aviation sector, research has also been carried out based on the analysis of the most serious incidents suffered in recent years, reaching the conclusion that it is necessary to develop specific CSIRTs for this sector and that they should be based on NIST principles (Lekota and Coetzee, 2019). Other researchers have focused on analysing current SIEMs in order to determine their strengths and weaknesses when applied to incident management in critical infrastructures, reaching the conclusion that the current models should be strengthened so as to improve reaction time and decision-making capacity in the face of a high number of incidents (González-Granadillo et al., 2021). What all the research does agree on is that it is necessary to further develop models with which to manage security incidents in this type of infrastructure.

If we focus on the development of meta-models for incident management in critical infrastructures, there are very few publications. In the naval sector, attempts have been made to develop some models for incident response management, such as the Cyber Incident Response Decision Model (CIRDM), which is based on a metamodel whose main elements are component, system, mission, function, vulnerability and countermeasure (Visscher, 2021). Within the hydrocarbon transport sector, an ontological model for security incident management is also presented, focusing on the relationships that exist between the different elements, which are: CyberIncident, AttackVector, Vulnerability, Asset, Victim, Offender, Request, Investigator, ActionPlan, ApplicationAnalysis, CortainIncident, and Financial (Chockalingam and Maathuis, 2022). As can be seen, there is little research on the development of these meta-models for critical infrastructures, and they tend to have little in common when it comes to defining their constituent elements.

Other research is oriented towards the construction of a modelling language for security incident response (Athinaiou et al., 2018). The creation of a system that can support security managers in incident management in CIIs is also dealt with (Papastergiou et al., 2019), as is incident handling targeting critical sectors such as energy and transport (Papastergiou et al., 2021). But all this research is linked to partial results obtained from the CyberSANE project, of which the research proposed in this publication is also part.

Below (see Table 1), a comparison has been made of the elements that make up the CIHML proposal along with other proposals for meta-models for security requirements that currently exist. As can be seen, 6 proposals have been selected, in addition to CIHML. The main conclusions that can be drawn from the comparative analysis are the following:

• All of them differ as regards the selection of the elements that make up the meta-models. Most of them coincide as regards taking into account the central elements (Actor, Asset, Goal, Vulnerability), but they tend to differ in the case of the other elements.
• It is also possible to see that, although most of them are oriented towards critical infrastructures, they are focused on different sectors (Energy, Water and sewage treatment, Naval Sector, Hydrocarbons, etc.).


Table 1
Comparison of meta-model proposals for security requirements ("Partial" = the concept is only partly covered; the Impact row has only six entries in the source and the seventh cell is left empty here).

Element | CIHML | Faily and Fléchais (2010) | Simou et al. (2016) | Yeboah-Ofori and Islam (2019) | Visscher (2021) | i-CSRM (Kure et al., 2022) | Chockalingam and Maathuis (2022)
Actor | Yes | Yes | Yes | Yes | No | Yes | No
Malicious Actor | Yes | Partial | Partial | No | No | Partial | No
Asset | Yes | Yes | Yes | No | No | Yes | Yes
Vulnerability | Yes | Yes | No | Yes | Yes | Yes | Yes
Threat | Yes | Yes | No | Yes | No | Yes | No
Impact | Yes | No | No | No | No | No |
Risk | Yes | Yes | No | Yes | No | Yes | No
Goal | Yes | Yes | Yes | Yes | No | Yes | No
Constraint | Yes | No | No | No | No | No | No
CyberIncident | Yes | No | Yes | Yes | No | Yes | Yes
Control Mechanism | Yes | Partial | Partial | Yes | No | Yes | No
CCA | Yes | No | No | No | No | No | No
Evidence | Yes | No | Yes | No | No | No | No
TTP | Yes | No | No | Yes | No | Yes | No
Dependency | Yes | Yes | No | No | No | No | No
Other elements | | Scenario, Misuse case, Security Attribute, Requirements, Task | Protective, Cloud provider, Documentation, Resource | CSC Requirements, InformationSharing | Component, System, Mission, Function, Countermeasure | Indicator, Plan, Threat Actor | AttackVector, Victim, Offender, Request, Investigator, ActionPlan, ApplicationAnalysis, CortainIncident, Financial
Oriented to | CII - Energy | CII - Water and sewage treatment | Cloud system | Supply chain | CII - Naval Sector | CII - General | CII - Hydrocarbons

• Moreover, some proposals use similar concepts, but they are not exactly the same, and they differ in their sub-elements.
• Finally, another interesting conclusion of the comparative study is that other elements included in other meta-models could be analysed in order to discover whether they could enrich the proposal made by CIHML. It would also be possible to analyse whether the variability in the meta-models is associated with their sectoral or technological focus.

We have made several observations regarding the existing works, standards, and practices relating to incident management. Firstly, the existing works place more emphasis on the technical solutions required in order to manage the incident rather than on a root cause analysis of the incident that takes into account assets, threat intelligence, vulnerabilities, evidence, incident, and control. Secondly, little effort has been made to develop an incident management modelling language specifically focusing on critical information infrastructure. Finally, the incident analysis needs to consider security requirements, threat intelligence, risk and forensic evidence from a holistic perspective if it is to tackle today's sophisticated incidents and complex system contexts. Our work contributes to addressing these limitations. In particular, the main contributions of this work are: (i) the development of a cybersecurity incident handling modelling language from a holistic perspective; (ii) the visual analysis of the incident from three distinct views, including the critical information infrastructure, threat and risk analysis, and incident response; and (iii) an evaluation of the applicability of CIHML using a real industrial use case scenario.

3. Methodology used to develop CIHML

In this section, we present a summary of the approach followed when developing CIHML, which comprises two important parts, namely (i) the identification of concepts and (ii) the development of a conceptual model and a process.

The development of any modelling language principally requires a structured definition, elicitation, and reasoning of domain-related concepts, along with the application of a well-established methodology (Nordstrom et al., 1999). Moreover, Kosar et al. (2016) carried out a systematic mapping study in order to analyse the different existing proposals regarding Domain-Specific Languages, in which it was concluded that the adaptation of this methodology and a guideline implies the integration of new context-specific concepts and their consolidation with pre-existing ones in a comprehensible and consistent manner that satisfies the requirements for incident handling. CIHML, therefore, leverages and extends the existing requirements engineering concepts in Secure Tropos (Mouratidis et al., 2016) with relevant concepts from such domains as digital forensics, cyber resiliency and cyber threat intelligence. The rationale behind adopting Secure Tropos is that it is well suited to the modelling of security requirements and provides an in-depth analysis of the security issues in an organisation and its social setting.

Secondly, a conceptual model is developed in order to provide the foundation for the specification and representation of the extracted concepts. The main reason for the conceptual model is to provide a high-level understanding of the concepts and their relationships in order to model incident handling activities so as to provide shared knowledge among developers and the CII incident response team (IRT). The conceptual model for the language is developed using a UML class diagram, which employs a graphical notation to construct and visualize object-oriented systems by representing a system's classes, their attributes, operations and the relationships among objects (Idani, 2009). Each concept is presented as a class with a list of attributes, the concepts are related to each other using relationships such as association and generalisation, and a glossary is provided in order to elucidate the meaning of the concepts. Moreover, a process with which to supplement the meta-model is included. The process serves as a guide for developers in the course of implementing the conceptual model. The process consists of activities and tasks, and it encompasses various techniques, methodologies, and industrial standards so as to ensure validity, comprehensibility and compliance with generally accepted guidelines.

3.1. Research objective and criteria for CIHML

In order to develop a more elaborate alignment between CIHML and standard methods, we consider the main objectives of the research and present several core criteria that should be fulfilled to achieve the objectives. The criteria consider the specific requirements of the CyberSANE Project stakeholders, i.e. the artefacts the prospective users of CIHML expect from it. These artefacts have been established by analysing the patterns of actions, expectations and decision making that should be supported.

The review of the existing works and practice presented in Section 2 was used as the basis on which to define the main objectives of this work, which are provided below, while the criteria were defined according to specific design principles and requirements that every modelling language should aim to satisfy (Kolovos et al., 2006). We have defined the following criteria for the CIHML:

• Improve the incident handling of critical infrastructure by providing a modelling language that includes a comprehensive understanding of the critical infrastructure context.
• Systematically guide the incident response process on the basis of a control mechanism, its categorisation and the cyber course of action. This supports the determination of which control types are most important in the CI context.
• Develop an incident modelling and handling approach, from the critical infrastructure context to the analysis of threats, vulnerabilities and risks relating to the incident, thus allowing appropriate reasoning and modelling views to be obtained for the incident and suitable actions with which to tackle the incident to be determined.
• Integrate the existing best practices, guidelines and concepts for the development of a unified incident handling process, including impact assessment, with a view to more widespread adoption in any specific CI sector.
• Requirements-Driven Modelling Approach: CIHML shall provide the mechanisms required in order to elicit, collect and analyse the security and privacy requirements associated with cyber incident handling in CIIs.
• Embed Essential Domain Specific Concepts and industry specific best practice: CIHML shall consider a certain set of domain-specific concepts, relevant properties, and industry-specific standards and practices, thus allowing it to provide comprehensive support for incident handling. CIHML shall, therefore, encapsulate domain-specific concepts from security requirements, incident handling, forensics and risk management.
• Different Levels of Abstraction: CIHML shall provide adequate modelling capabilities from a conceptual, strategic, and tactical point of view, each focusing on various aspects that promote the modularity and separation of incident handling processes and support the reasoning and analysis of incidents and selected controls.
• Analysis and Representation of Cyber Incidents: CIHML shall facilitate a systematic analysis of cyber incidents by enabling the effective representation of operational and security threats, vulnerabilities and risks to CII assets. It shall provide easy ways in which to create dynamic models that are capable of showing various incident assessment outcomes, such as the severity of threat elements, affected assets, and the corresponding control measures.

3.2. CIHML concepts

... these concepts is based on the analysis, elicitation and documentation of stakeholders' requirements in the CyberSANE project (CyberSANE, 2022). This will additionally make it possible to develop a unified approach that will provide broader adoption of the proposed approach. Some of the concepts are, therefore, generic, but others such as CIIs focus on understanding the whole CII system context, in addition to which our approach links the control mechanism with the course of action required to tackle the incidents. The underlying goal is to ensure that the concepts are integral to the effective and efficient prevention, detection, response and mitigation of various cyberattacks against the CIIs. We have, therefore, identified and consolidated the following concepts in CIHML:

• Critical Information Infrastructure (CII): this implies communication networks, information-based facilities, cyber-physical assets or systems that support the operations of critical infrastructure, which, if damaged, would result in serious consequences for the proper functioning of critical public, government or industrial services. CII can also be considered to be those systems that provide resources or services upon which essential functions depend, and whose possible incapacitation or destruction would have a significant effect on the economy, security and/or health of society.
• Actor: this represents an entity with intentions, goals, and objectives within a system. An actor also participates in a process, performs a task, or carries out an action within an organisational setting. An actor is categorised according to type (such as a developer), including the role performed by the actor (such as system development and administration).
• Assets: these are cyber resources that can be used by the actors to support the critical functions, such as systems, software, data, network devices, or other components that enable information-related activities, management and service delivery. Assets are characterised by varying attributes such as categorisation and criticality. An asset can be categorised as network, software, or data. An asset's criticality expresses the importance or degree to which the asset is relied upon for the delivery of critical functions.
• Goal: this represents a strategic interest that an actor aims to achieve. Goals are mainly introduced in order to achieve possible security constraints that are imposed on an actor or that exist within CIIs. A goal consists of attributes such as type and purpose; for example, authentication and authorisation controls could be the goal of an asset whose purpose is to ensure security protection.
• Constraint: a set of restrictions related to security and privacy that must be satisfied for a specific asset or actor goal to be achieved. It consists of a 'type' attribute that distinguishes security and privacy constraints.
• Malicious Actor: this represents individuals, groups or organisations that participate in hostile actions or operate with malicious intent in order to have harmful effects on CIIs. It is imperative to identify and represent different types of threat actors on the basis of distinctive characteristics and motives (such as goals, motivation, tactics, and procedures) to compromise CIIs. Threat actors can, therefore, be characterised by their goals, and by the tactics, techniques, and procedures that they use.
• Cyber Incident: this implies a security-related event that produces unanticipated consequences, unwanted occurrences or
This section presents a detailed description of the essential con- instances that will probably compromise, breach, or violate the
cepts used when developing CIHML. As mentioned earlier, the con- security policy. A cyber incident has an adverse effect on the
cepts were mostly conceived from various domains including se- organisation’s information system owing to any potential dis-
curity, forensics, threat intelligence, critical infrastructure and cy- ruption and impacts on confidentiality, integrity and availabil-
ber incident handling, which are relevant for the development ity. A cyber incident provides a useful understanding of possi-
of the modelling language. The rationale behind the inclusion of ble threats within the organisation. For example, a cyber inci-

5
H. Mouratidis, S. Islam, A. Santos-Olmo et al. Computers & Security 128 (2023) 103139

dent can include but is not limited to the unauthorised disclo- tor. The TTP could be used to gather information about the at-
sure of classified information, the unauthorised modification of tack pattern, resources deployed, and exploits used. TTP is rele-
classified information, and the malicious disruption, use or pro- vant as regards identifying threat actors and gaining knowledge
cessing of CIIs. about the attacker’s motives and expected impact.
• Impact: the measurable implications or consequences caused by ◦ Tactics: these describe how threat actors operate during dif-
a security incident for assets within CIIs. The intention is to ferent types of attacks.
measure the potential severity of the adverse effect that a secu- ◦ Techniques: these are the strategies used by the adversary
rity incident has on CIIs. The impact contains attributes such as to facilitate initial attacks, such as the tools, skills and capa-
description, type, affected, affected infrastructure, and severity. bilities deployed.
• Vulnerability: this refers to weaknesses in an asset or a security ◦ Procedures: these are the set of tactics and techniques put
mechanism that can be exploited by a threat and which could together to carry out an attack. Procedures may vary de-
result in degradation or loss (incapacity to perform its desig- pending on the threat actor’s objective, purpose and nature
nated function). of the attack.
• Threat: this implies any cyber-event with the potential to have
an unwanted effect on or harm the asset because of vulnerabil-
ities being exploited by a threat actor. The attributes of threat 3.3. Conceptual model
include a category that describes the class of threat (such as a
denial of service), the severity of the threat with regard to its Fig. 1 shows the conceptual model for CIHML, which provides
potential impact and affected assets in order to identify the as- an interpretation of and highlights the relationship among the con-
sets affected by the threat. cepts. The concepts in the meta-model are represented as boxes,
• Risk: this is the potential consequence of an incident, threat while the attributes are properties inside the boxes, and the rela-
or vulnerability that can result in a range of negative conse- tionship between the concepts is created using arrowed lines. The
quences, loss, damage, or the undesirable change to assets. Risk critical information infrastructure provides vital functions and op-
is associated with attributes such as the likelihood, which mea- erations within a specific sector such as health and energy, whose
sures the possibility of a potential risk occurring, and impact, disruption could result in severe disruption to the economic well-
which estimates the potential losses associated with an identi- being, security, or safety of society. The critical infrastructure is
fied risk. usually operated and used by actors who have different types of
• Control Mechanism: this represents any technical safeguards, goals (security and privacy goals). Moreover, each critical infras-
systems, or processes that are used to safeguard assets, man- tructure consists of and requires a wide range of cyber assets for it
age risk, control threats, manage security incidents and miti- to deliver critical functions. The critical infrastructure is, therefore,
gate vulnerabilities. The concept is characterised by attributes appraised in order to specify the underlying domain and boundary
according to type, goals, and measure of effectiveness to either of operations, the actors whose interest and goals must be repre-
remove, counter, or mitigate risks or cyber-incidents. There are sented, the particular security and privacy constraints imposed on
three distinct types of control mechanisms: actor goals, and the supporting cyber assets.
◦ Detective Mechanisms: these include security control mea- Assets have varying levels of criticality and are usually associ-
sures implemented to detect and send an alert regarding ated with vulnerabilities. In particular, misconfigurations or lapses
impending threats or incidents. in controls can introduce vulnerabilities, and they can be subject
◦ Preventive Mechanisms: these are designed to prevent a se- to exploitation by a malicious actor. A malicious actor possesses a
curity incident, a threat or risk from occurring, and reduce different set of skills and goals with which to compromise an asset.
or avoid the likelihood of them and their potential impact A malicious actor’s activities could result in a threat. A threat en-
on CIIs. tails different characteristics and is categorised according to type
◦ Corrective Mechanisms: these include control measures that and severity. Moreover, the manifestation of a threat could result
are taken to address existing damage or restore CIIs to their in a risk such as the interruption of critical functions that would
prior state following a security incident. lead to a cyber incident and subsequently have a variety of im-
• Evidence: this represents electronic data concerning observable pacts on one or more assets. Fundamentally, a prioritised set of
patterns, artefacts, or behaviour that can be used to analyse a control mechanisms in the form of procedures or technical safe-
security incident. Evidence is generated from various sources guards is typically implemented in order to address vulnerabilities
such as log files, error messages, intrusion detection systems, or and threats, prevent risks, and ultimately mitigate the impact of
firewalls. For example, evidence of an incident may be captured cyber incidents on the critical infrastructure. Control mechanisms
in several logs that each contains different types of data. It in- are implemented according to the detective, preventive and cor-
cludes attributes such as type, to indicate the evidence type, rective mechanisms for various purposes, such as detecting threats,
and the source from which evidence is extracted, such as intru- minimising the potential impact of a threat, and restoring cyber as-
sion detection system logs. sets to a prior state, respectively. In addition, the evidence is gen-
• Cyber Course of Action: this is related to a set of security erated and collected by security mechanisms containing informa-
controls with which to tackle the incident. It is characterised tion about threat patterns and cyber incidents. The evidence col-
by procedural and technical courses of action that are applied lected can be aggregated and analysed with the purpose of detect-
within an operational setting in response to the impact of ing patterns and trends, along with responding to cyber incidents.
cyber-incident. The control focuses mainly on the vulnerabili- The occurrence of a cyber incident triggers the process for inci-
ties that are exploited for the incident, and suitable remedia- dent handling, which has the goal of mitigating the impact of a
tion. In contrast to Control Mechanism, Cyber Course of Action cyber incident, and of eradicating the root cause of a cyber inci-
is intended to integrate a combination of technologies and ad- dent. Cyber course of action expresses the measures required in
ministrative procedures with which to recover from and adapt order to address and respond to an impending incident by utilis-
to adverse security incidents, risks and impacts on CIIs that ing the procedural course of action and technical courses of action
have not been sufficiently prevented by the Control Mechanism. and is initialised by an actor such as IRT. The cyber course of ac-
• Tactics, techniques, and procedures (TTP): These represent the tion also improves the existing control mechanism and an overall
behaviour or mode of operation of the adversary or threat ac- security posture of critical infrastructure.

6
H. Mouratidis, S. Islam, A. Santos-Olmo et al. Computers & Security 128 (2023) 103139

Fig. 1. Conceptual Model for Cyber Incident Response Modelling.
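The conceptual model above can be exercised as a small executable instance. The following Python is an added example, not code from the paper or from the CyberSANE project. It assumes the concept names and attributes of Sections 3.2 and 3.3, represents the "control addresses vulnerability" and "detective control observes threat category" relations as explicit fields (`covers` and `observes`, an assumption of the example), and uses a constructed smart-hospital sample. It goes one step beyond the text by ranking the vulnerabilities that no preventive control covers by asset criticality and threat severity, and by listing which detective controls can supply Evidence for a given threat.

```python
"""Added example: an executable instance of the CIHML conceptual model.

Not the authors' code. Concept names follow Sections 3.2 and 3.3; the
`covers`/`observes` relations and the sample data are assumptions.
"""
from dataclasses import dataclass
from enum import Enum


class ControlType(Enum):
    DETECTIVE = "detective"
    PREVENTIVE = "preventive"
    CORRECTIVE = "corrective"


@dataclass(frozen=True)
class Asset:
    name: str
    category: str     # the page's categorisation: network, software or data
    criticality: int  # 1 (low) to 3 (high) on the Table 6 impact scale


@dataclass(frozen=True)
class Vulnerability:
    name: str
    asset: Asset      # the asset whose weakness this is


@dataclass(frozen=True)
class Threat:
    name: str
    category: str     # class of threat, e.g. "denial of service"
    severity: int     # 1 to 3
    exploits: tuple   # Vulnerability instances this threat exploits


@dataclass(frozen=True)
class ControlMechanism:
    name: str
    kind: ControlType
    covers: tuple = ()         # vulnerabilities a preventive control removes/mitigates (assumed relation)
    observes: tuple = ()       # threat categories a detective control can alert on (assumed relation)
    evidence_source: str = ""  # the Evidence 'source' attribute, e.g. intrusion detection system logs


def exposed_vulnerabilities(threats, controls):
    """Vulnerabilities some threat exploits and no preventive control covers.

    Returned as (asset criticality, threat severity, vulnerability, threat)
    tuples, most critical first, so the CII owner sees what to address first.
    """
    prevented = {v for c in controls if c.kind is ControlType.PREVENTIVE for v in c.covers}
    exposed = []
    for t in threats:
        for v in t.exploits:
            if v not in prevented:
                exposed.append((v.asset.criticality, t.severity, v.name, t.name))
    # highest criticality, then highest severity, first; names break ties
    return sorted(exposed, key=lambda e: (-e[0], -e[1], e[2], e[3]))


def evidence_sources_for(threat, controls):
    """Detective controls whose observed categories include this threat's category.

    These are the mechanisms whose output the IRT would collect as Evidence
    (type = the threat category, source = the control's evidence_source).
    """
    return sorted(
        (c.name, c.evidence_source)
        for c in controls
        if c.kind is ControlType.DETECTIVE and threat.category in c.observes
    )


# --- constructed sample: a smart hospital CII (not taken from the paper) ---
HIS = Asset("hospital information system", "software", 3)
MONITOR = Asset("health monitoring devices", "network", 3)
RECORDS = Asset("patient medical files", "data", 2)

V_UNPATCHED = Vulnerability("unpatched HIS web front end", HIS)
V_DEFAULT_CREDS = Vulnerability("default credentials on monitors", MONITOR)
V_NO_ENCRYPTION = Vulnerability("records stored unencrypted", RECORDS)

THREATS = (
    Threat("service flood against HIS", "denial of service", 3, (V_UNPATCHED,)),
    Threat("records exfiltration", "unauthorised disclosure", 2,
           (V_NO_ENCRYPTION, V_UNPATCHED)),
    Threat("monitor takeover", "unauthorised modification", 3, (V_DEFAULT_CREDS,)),
)
CONTROLS = (
    ControlMechanism("storage encryption", ControlType.PREVENTIVE, covers=(V_NO_ENCRYPTION,)),
    ControlMechanism("network IDS", ControlType.DETECTIVE,
                     observes=("denial of service", "unauthorised disclosure"),
                     evidence_source="intrusion detection system logs"),
    ControlMechanism("restore from backup", ControlType.CORRECTIVE),
)

if __name__ == "__main__":
    for row in exposed_vulnerabilities(THREATS, CONTROLS):
        print("exposed:", row)
    for t in THREATS:
        print(t.name, "->", evidence_sources_for(t, CONTROLS))
```

Running the sample shows the encrypted records dropping out of the exposed list because a preventive control covers them, while the monitor takeover threat has no detective control able to supply evidence for it, which is exactly the kind of gap the threat and risk analysis view is meant to make visible.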

3.3.1. Modelling views

It is worth mentioning that a distinctive facet of CIHML is that it embraces the notion of decomposing the conceptual model according to three key sub-models/views, namely the CII analysis, threat and risk analysis, and incident response views. The goal of this decomposition is to enable the creation of a graphical view of the different phases of incident handling in CII. The decomposition will enhance the developers’ understanding of the main elements of the meta-model, mostly because it becomes more expressive in order to improve knowledge and facilitate the full implementation of the concepts and their relationships. Tables 2–4, therefore, provide a summary of the different views, the motives behind creating the views, the concepts that can be utilized to create the views, and the perceived outcome of each view.

Table 2
CII Analysis View.

MODEL 1: Analysis of CII
Motive: The basis of this model is to provide a graphic representation of the CII with regard to its boundary. The model will enhance the developer’s awareness and understanding of the connection between the CII and assets, critical functions being supported, and the consideration of the human elements that influence the operations of CII.
Key concepts:
CII: It will facilitate the understanding and identification of the critical infrastructure and its associated functions. The goal is to ensure that the CII is modelled according to the predetermined services or functions.
Asset: The ICT systems that are essential for the operation of the CII are modelled according to criticality level or support for CII functions.
Goal: Actor goals are included in the modelling in order to analyse and reason about privacy and security requirements from the CII point of view, as well as actors’ interests from the incident response viewpoint.
CII: The model includes the CII, which contains a set of assets that could be exploited by a Malicious Actor, and which are affected by the impact of a Cyber Incident.
Constraint: The security and privacy constraints imposed that must be met for the satisfaction of security and privacy goals are also modelled.
Actor: The model will aim to identify the different actors involved or who have a strategic interest in the CII (such as owners, users, operators, and regulators).
Perceived result: The main result is to provide an awareness of the CII in an organisational context and to identify and assess potential vulnerabilities, threats, and risks that could lead to a cyber-incident, along with incident response activities.

Table 3
Threat and Risk Analysis View.

MODEL 2: Threat and Risk Analysis
Motive: The model provides a general representation of potential threats, vulnerabilities and risks that could lead to a cyber-incident, including the analysis of the potential impact on assets.
Key concepts:
Vulnerabilities: The underlying and emerging vulnerabilities associated with assets are included in the model.
Threat: Provides a clear articulation and granular characterisation of prevailing cyber threats.
Risk: Potential risk is identified by modelling the threat scenarios within the context of relevant vulnerabilities.
CII: The model includes the CII, which contains a set of assets that could be exploited by a Malicious Actor, and which are affected by the impact of a Cyber Incident.
Threat Actor: Captures the different threat actor types that could compromise assets, including characteristics such as the commonly used tactics, techniques and procedures.
Control Mechanisms: The existing control mechanisms that perform certain functionalities, such as removing, identifying, or mitigating a cyber-incident, are also included in the model; their inclusion assists as regards determining the controls that are in place.
Perceived result: The result shows a threat and risk analysis report, including a list of threats, threat intelligence information, and controls.

Table 4
Incident Response View.

MODEL 3: Incident Response
Motive: This model aims to capture incident response strategies that can be used to identify cyber-incidents, contain and minimize the impact, and recover from cyber-incidents. It will enhance the understanding of relevant response strategies that are suited to an organisation in order to effectively and efficiently contain or mitigate the impact of potential threats, vulnerabilities, risks and cyber-incidents.
Key concepts:
Cyber Course of Action (CCoA): The model represents a combination of operational and technological processes that are used to respond to, protect and recover from cyber-incidents. CCoA consists of such strategies as Procedural and Technical CCoA. Procedural CCoA models cyber-incident handling strategies by human elements (including security awareness and management oversight), policies and plans, and regulatory compliance. Technical CCoA comprises those actions that enable the orchestration and automation of incident response mechanisms with which to ensure that the desired security and privacy posture of the CII is maintained during an incident. Technical CCoA is categorised according to key elements, such as protection actions and recovery actions.
Assets: The CCoA is comprehensively mapped onto each Asset in order to highlight and correlate the CCoA strategies (procedural or technical strategy) that are most suitable for or applicable to the security and privacy contexts of a CII as far as handling the incident is concerned.
Impact: The efficiency and scope of CCoA strategies are included in the model to highlight the extent to which the specific impacts of a cyber-incident can be mitigated.
CII: The model includes the CII, which contains a set of assets that could be exploited by a Malicious Actor, and which are affected by the impact of a Cyber Incident.
Actor: Similarly, actors (such as the IRT) are included in this model in order to identify the role that each Actor plays in the direction, implementation and achievement of the different CCoA strategies.
Control Mechanism: The existing control mechanisms that perform certain functionalities, such as removing, identifying, or mitigating a cyber-incident, are modelled.
Perceived result: Specification of the relevant incident handling strategies that are applicable to a given context of cyber-incident within the CII, including the actors involved in the initialisation and maintenance of the incident handling process.

3.4. CIHML process

As mentioned earlier, CIHML comprises a process whose objective is to serve as a guide with which to analyse, specify and graphically model incident handling processes in CIIs. The process consists of three different sequential sets of activities, as shown in Fig. 2, that are tailored according to the three modelling views presented in the previous section. When formulating the process, we used various guidelines, standards and best practices relating to multiple domains, such as ISO 27000 (Humphreys, 2016), ENISA guidelines (Mattioli and Levy-Bencheton, 2014), NIST (Cichonski et al., 2012), and OWASP (2014). These standards have been widely adopted in different CII sectors, and their integration within the process provides numerous benefits. Standards mostly involve inputs from a wide range of domain experts and primarily ensure conformity to requirements, assessment criteria and methodologies, and usually reflect recommended practices (Viegas and Kuyucu, 2022).

Fig. 2. CIHML Process.

3.4.1. Activity 1: analysis of CII

The objective of this activity is to identify and analyse CIIs, along with the operational context. The identification of the operational context that influences an organisation’s services and functions is a key aspect as regards a successful incident response process. In this respect, the analysis of CIIs involves the modelling of critical infrastructure from an organisational and operational perspective in order to establish a clear awareness of the current factors that may influence an organisation. The goal is to present the CII sector, functions and assets that are used to manage, control, and support the provisioning of critical services. The concepts that support the creation of a modelling view in this activity include Critical information infrastructure, Asset, Goal, Constraint and Actor. An actor such as a developer or security analyst with significant familiarity with and knowledge of an organisation’s operational context could, therefore, initiate this activity according to the critical service-dependent approach proposed by ENISA (Mattioli and Levy-Bencheton, 2014).

The identification of critical services as a critical task consists of two different techniques, namely state-driven and operator-driven. In the state-driven approach, the process used to identify CIIs is guided by governmental agencies that have the mandate to identify and protect CIIs, and it is more relevant for scenarios in which governmental agencies are involved in the process of identifying CIIs in a generic context. The operator-driven approach is, however, more specific, and the leading role of identifying CIIs is, therefore, assigned to the operators or asset owners of CIIs within an organisation. It is more context-specific and more suited to supporting the stakeholders within an organisation who are knowledgeable about their infrastructure and the critical sector within which an organisation operates. The developer may, therefore, consider adopting the operator-driven approach in this activity because actors such as owners or operators of CIIs are more involved in the process. The activity includes three tasks, which are explained below. The SPEM 2.0 diagram defining the basic pattern of inputs, tasks and outputs of this activity is shown in Fig. 3.

Fig. 3. SPEM 2.0 diagram of Activity 1: Analysis of CII.

Task 1.1: identify critical sector and functions. This task enables the representation of a critical sector pertinent to an organisation based on the Critical information infrastructure concept. An organisation that provides critical functions is represented as a CII within a defined boundary. Essentially, the output of this task provides an overview and understanding of the critical information infrastructure and the critical functions whose interruption could lead to severe damage or consequences. The critical infrastructure extends across many sectors, such as healthcare, transport, energy, etc. A sufficient identification of a critical sector that applies to an organisation’s operational setting and the critical functions being provided are fundamental points for the analysis of a CII activity. This implies the understanding of the critical sector in which the organisation operates in order to clear the path for the performance of subsequent activities.

One viable technique that can be used to identify a critical sector and functions is that of exploring strategic and operational objectives in order to understand the critical sector that is relevant for an organisation. It can be supported by following the guidance provided by the European Programme for Critical Information Infrastructure Protection framework (EPCIP) (EPCIP, 2008). EPCIP identified a total of 10 sectors that are defined on the basis of various impact assessments and studies carried out by stakeholders. A diverse range of critical functions is provided in order to relate these critical sectors and the critical functions they support. In addition, ENISA (Mattioli and Levy-Bencheton, 2014) has provided an indicative list of critical sectors, associated sub-sectors and services that could be consulted by developers. This classification provides a channel that could guide the modelling of critical sectors and functions. Another important source to consider is the ENISA report entitled "Baseline Security Recommendations for the Internet of Things in the context of critical information infrastructures" (Sklyar and Kharchenko, 2019). IoT and CPS devices are becoming increasingly key elements of CIIs, and the majority of CPS-security related works are focusing on these critical infrastructures for any sector (Adepu et al., 2019). Rosado et al. (2022) have, therefore, developed a pattern called MARISMA-CPS that builds the scaffolding for the management of risk analysis processes that is specifically oriented towards CPS-based environments and is, owing to its nature, extensible to CIIs. This pattern contains catalogues of different types of key elements involved in the technical infrastructure of a CPS environment. We have taken the families and types of assets defined by Rosado et al. (2022) that are, according to the ENISA report, typical in CPS systems, and which are essential components for CIIs. Table 5, therefore, shows the different types of assets to be incorporated into our asset catalogue, based on the MARISMA-CPS asset classification, grouped by family of assets.

Table 5
Families and types of assets for CIIs based on the MARISMA-CPS pattern.

Family of Assets: Type of Assets
Devices: Hardware, software, actuators, and sensors.
Ecosystem Devices: Devices to interface with Things, devices to manage Things, and embedded systems.
Communications: Networks and protocols.
Infrastructure: Routers, gateways, power supply, and security.
Decision Making: Algorithms for data mining, and data processing and computing.
Applications & Services: Data analytics and visualisation, device and network management, and device usage.
Information/Data: Information stored in a database (at rest); information sent or exchanged through the network (in transit); information used by an application, service, or IoT element (in use).

These families of assets are the basis for CIIs because they cover all the elements of any given CII. For example, for a health environment such as a smart hospital, the relevant assets that form part of the asset family, such as information/data, may include patients’ clinical results and medical files, along with their personal data. Other examples of assets could include laboratory information systems, hospital information systems, health monitoring devices, or even the hospital power system, to name but a few. Similarly, an alternative way in which to identify critical functions is to consider which functions will result in significant adverse impacts such as loss or destruction or the interruption to function or data. These categories can be further expanded with respect to the requirements of the critical sector and the organisation’s goals and objectives.

Task 1.2: create actor profile. This task creates the actor profile, including actors, roles, goals, and constraints. This task assists as regards attaining a better understanding of the specific role of actors and their intentions within an organisational setting. In summary, the task can be achieved by:
• Specifying Actor according to types (such as developers, users, operators, regulators), and strategic hierarchies within the organisation (such as managers, directors, providers), etc.
• Specifying the role of actors by presenting details of the associated influence, responsibilities, and participation in critical infrastructure operations.
• Associating actors with the goals they pursue, such as ensuring the security and privacy of data.
• Specifying security and privacy constraints. Constraints can be determined by identifying essentially relevant non-functional requirements (with emphasis on security and privacy), such as data encryption and authentication.

Task 1.3: determine assets and criticality. It is crucial to determine the criticality of assets that are essential to sustaining critical functions (such as networks and systems). The aim is to support the analysis and modelling of assets according to a specific category, including asset components and criticality level.

The first step in this task is, therefore, to identify and categorise assets according to a classification scheme. Assets can be categorised according to different types of identification elements, such as literal identifiers, relationship identifiers, synthetic identifiers, and extension identifiers (Wunder et al., 2011). Each identification element considers a different type of information. For instance, the relationship identifiers are used when assets are to be identified on the basis of their relationship with another asset. The next step in this task is to determine asset criticality. We advocate the use of an existing asset criticality rating specific to an organisation or based on the impact ratings proposed in this paper. With regard to the Asset Criticality Rating, different impact factors can be used to determine criticality, such as: (a) service impact: the impact on the loss or degradation of a critical function; (b) population affected: the percentage of the population affected by the disruption of critical functions; and (c) economic impact: the financial cost of service disruption (Theoharidou et al., 2009). The critical information infrastructure owners will decide which criteria to use on the basis of compliance with several requirements. The service impact criteria have, therefore, been employed in order to provide a table of indicative impact criteria that will serve as a reference with which to determine asset criticality. This is done in conjunction with potential levels of impact provided by the FIPS impact rating, as shown in Table 6 (EPCIP, 2008).

Table 6
The impact on loss of services owing to the failure or malfunction of an asset.

Low (impact rating 1): The loss of or damage to an asset is expected to have a limited adverse effect that: (i) causes degradation to the extent that critical functions are provided but the effectiveness of the functions is noticeably reduced; (ii) results in a minor disruption to other assets; or (iii) results in a minor financial loss.
Medium (impact rating 2): The loss of or damage to an asset will: (i) cause the significant degradation of critical functions to the extent that a critical function will be provided, but effectiveness is significantly reduced; (ii) result in significant damage to other assets and components; or (iii) result in a significant financial loss.
High (impact rating 3): The potential loss of or damage to an asset will: (i) cause severe degradation to the extent that critical functions cannot be provided; (ii) result in severe damage to or the loss of other assets; or (iii) result in a major financial loss.
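Task 1.3 and Table 6 can be turned into a repeatable rating step. The following Python is an added example, not the authors' code and not the MARISMA-CPS pattern. It assumes that an assessor has already given each critical function a Table 6 rating (1 to 3) for each of the three impact factors named in Task 1.3, that an asset's criticality is the worst rating found over the functions it sustains and the criteria the CII owner selected (the paper leaves the combination rule to the owner), and that an asset sustaining no critical function rates Low. The hospital functions, assets and ratings are constructed for the example.

```python
"""Added example: asset criticality rating for Task 1.3 on the Table 6 scale.

Not the authors' code. The worst-case combination rule, the Low default for
assets that sustain no critical function, and the sample data are assumptions.
"""
from dataclasses import dataclass

# Table 6 scale, used here as the rating for every impact factor.
RATING_LABELS = {1: "Low", 2: "Medium", 3: "High"}
# The three impact factors named in Task 1.3 (Theoharidou et al., 2009).
IMPACT_FACTORS = ("service_impact", "population_affected", "economic_impact")


@dataclass(frozen=True)
class CriticalFunction:
    name: str
    ratings: dict      # impact factor -> Table 6 rating (1..3) assigned by the assessor


@dataclass(frozen=True)
class CatalogueAsset:
    name: str
    family: str        # the Table 5 family the asset belongs to
    sustains: tuple    # names of the critical functions the asset is essential to


def unknown_criteria(criteria):
    """Criteria the owner selected that are not one of the three impact factors."""
    return [c for c in criteria if c not in IMPACT_FACTORS]


def rate_asset(asset, functions, criteria):
    """Criticality of one asset on the Table 6 scale.

    Assumption of this example: the asset takes the worst rating found over the
    critical functions it sustains and the criteria the CII owner selected.
    An asset that sustains no critical function rates Low (1).
    """
    by_name = {f.name: f for f in functions}
    ratings = [by_name[fn].ratings[c] for fn in asset.sustains for c in criteria]
    return max(ratings) if ratings else 1


def rank_assets(assets, functions, criteria=("service_impact",)):
    """Rank the catalogue most critical first as (name, family, rating, label).

    The default criteria reproduce the paper's choice of the service impact
    factor alone; passing IMPACT_FACTORS applies all three.
    """
    bad = unknown_criteria(criteria)
    if bad:
        raise ValueError(f"unknown impact criteria: {bad}")
    for f in functions:
        for c in criteria:
            if f.ratings.get(c) not in RATING_LABELS:
                raise ValueError(f"{f.name}: {c} must be rated 1, 2 or 3")
    rows = []
    for a in assets:
        r = rate_asset(a, functions, criteria)
        rows.append((a.name, a.family, r, RATING_LABELS[r]))
    return sorted(rows, key=lambda row: (-row[2], row[0]))


# --- constructed sample: a smart hospital (ratings are illustrative) ---
FUNCTIONS = (
    CriticalFunction("patient monitoring",
                     {"service_impact": 3, "population_affected": 2, "economic_impact": 2}),
    CriticalFunction("patient billing",
                     {"service_impact": 1, "population_affected": 1, "economic_impact": 3}),
)
ASSETS = (
    CatalogueAsset("hospital information system", "Applications & Services",
                   ("patient monitoring", "patient billing")),
    CatalogueAsset("health monitoring devices", "Devices", ("patient monitoring",)),
    CatalogueAsset("billing database", "Information/Data", ("patient billing",)),
    CatalogueAsset("guest Wi-Fi", "Communications", ()),
)

if __name__ == "__main__":
    print("service impact only:")
    for row in rank_assets(ASSETS, FUNCTIONS):
        print("  ", row)
    print("all three factors:")
    for row in rank_assets(ASSETS, FUNCTIONS, IMPACT_FACTORS):
        print("  ", row)
```

The two rankings differ on purpose: with the service impact factor alone the billing database rates Low, while adding the economic impact factor raises it to High, which is why the paper leaves the choice of criteria to the CII owner rather than fixing it in the language.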

Fig. 4. SPEM 2.0 diagram of Activity 2: Threat Analysis Model.

3.4.2. Activity 2: threat analysis model

Upon completing the CII analysis, it is necessary to understand the risk and threat landscape. This activity, therefore, comprises techniques with which to identify and assess vulnerabilities, threats and risks that could result in a cyber incident that could potentially impact on the CII. The activity requires a structured representation of threat information that expresses valuable situational and contextual threats that are specific to the organisation. We advocate the use of two different methods, i.e. a threat classification approach and a cyber incident operationalisation approach, for this activity. On the one hand, the threat classification approach focuses on the analysis of the commonly listed threats and vulnerabilities found in threat taxonomies, classifications, and information sources (such as the ENISA Threat Taxonomy) that are likely to affect CIIs. This approach is broad-ranging, and involves the identification, review, and assessment of an extensive list of potential threats, and the likely impact they will have on the CII. However, as threats vary over time and the techniques used by cybercriminals continue to evolve, this could be resource consuming and difficult for use by non-security experts.

On the other hand, cyber incident operationalisation is more specific to the assessment of specific threats, vulnerabilities and risks that have materialized and resulted in a cyber incident from a holistic viewpoint of the Threat Actor. It focuses mainly on the cyber incidents that are caused by a threat actor in order to systematically explore, characterise and determine the strategies that could be used to operationalise the incident. However, one limitation of this approach is that it potentially overlooks a vast pool of threat information that developers can use to understand and analyse emerging cyber threats. Both approaches are suitable as regards assisting developers to attain a better understanding and assessment of a cyber incident in detail. This activity, therefore, consists of the following tasks. The SPEM 2.0 diagram defining the

Task 2.1: identify and analyse threats. This is the first task in this activity and deals with the identification of potential threats, vulnerabilities, and risks. In other words, the assets identified in the previous task are used as the basis on which to profile all possible threats that could negatively impact on the assets. It requires a sound approach that enables the gathering of valuable insights based on the analysis of situational and contextual threats that are more specific to an organisation’s threat landscape. The use of the threat classification approach therefore makes it possible to leverage threat taxonomies and models in order to identify potential threats that may compromise assets, including exploitable vulnerabilities, which will improve the developers’ ability to understand the nature of threats in a more structured manner.

This task is accordingly enabled by the Threat concept. At this juncture, the first attempt to identify threats is to consider information sources that provide a comprehensive list of threats. Many sources provide timely and relevant threat information, such as cyber threat intelligence platforms, tools and standards. In this context, ENISA published a Threat Taxonomy with the objective of assisting in the understanding of threats related to information and communication technology assets. The ENISA Threat Taxonomy can, therefore, be adopted as a reliable source of threat information. The ENISA Threat Taxonomy provides a comprehensive and well-structured taxonomy of threats that aims at improving the understanding of threats related to CII (ENISA, 2016).

Once the threat information source has been identified, the next task is to methodically analyse the threats in terms of classification and severity and create an association with the assets that are most affected by the threat. This analysis is enabled by the Category and Severity attributes. It is imperative to perform this analysis according to standard methodologies. In this respect, threat evaluation models such as the STRIDE Model (Microsoft, 2007) can be used. The STRIDE model is particularly utilised to categorise threats
basic pattern of inputs, tasks and outputs of this activity is shown according to exploits such as Spoofing Identity, Tampering, Repu-
in Fig. 4. diation, Information Disclosure, Denial of Service and Elevation of


Table 7
Threat Categorisation Matrix.

Category | Consideration
Spoofing (S) | Attackers masquerade as a legitimate user, system or application element
Tampering (T) | Attackers modify or tamper with assets in transit or in store
Repudiation (R) | Attackers perform actions that cannot be traced
Information Disclosure (I) | Attackers disrupt or interrupt normal operations of the asset
Elevation (E) | Attackers obtain access privilege to an asset without legitimate authority.

Table 8
DREAD Model.

Category | Question
Damage Potential (D) | How extensive is the damage potential?
Reproducibility (R) | How easy is it for the threat to be repeated or reoccur?
Exploitability (E) | How easy is it to launch the threat?
Affected Users (A) | Approximately how many users will be affected?
Discoverability (D) | How easy is it to discover the vulnerabilities?

Privilege. In addition, Microsoft's DREAD model (Meier, 2003) provides a framework with which to rate, compare and prioritise the severity of various threats by rating them on an ordinal scale. The model consists of five main categories: Damage, Reproducibility, Exploitability, Affected Users and Discoverability. These two models can be utilised to categorise and determine the severity of threats. The use of the ENISA Threat Taxonomy in conjunction with the STRIDE and DREAD models therefore makes it possible to create a threat analysis matrix reflecting the severity and category of potential threats. In particular, the threats listed in sources such as the ENISA taxonomy can be modelled according to exploits in order to represent the threat actor's intention according to STRIDE (as shown in Table 7). Moreover, threats can be rated by following the customised and accompanying questions shown in Tables 8 and 9.

The above scales can be used to rate and determine the severity of each threat according to the DREAD model. The questions can also be modified or extended accordingly. A rating table is used with corresponding values of 3, 2 and 1 to represent (3) high, (2) medium and (1) low, respectively. The outcome falls within the range of 5 to 15 and denotes threat severity from low to high. Threats with an overall rating of 12–15 can be treated as having 'High Severity', 8–11 as 'Medium Severity', and 5–7 as 'Low Severity', as shown in Table 10.

Task 2.2 – identify vulnerabilities. The second task involves the identification of vulnerabilities that can be exploited by the threat. The identification and modelling of vulnerabilities are supported by the Vulnerability concept, whereby the different types of vulnerabilities associated with assets are identified using the Type attribute. At this point, the developer must explore databases to identify vulnerabilities efficiently. CIHML uses the National Vulnerability Database (NVD) (Booth et al., 2013) and Common Vulnerabilities and Exposures (Common Vulnerabilities and Exposures CVE, 2023) as sources of vulnerability information. The vulnerabilities identified need to be rated according to their severity, which is enabled by the Rating attribute. A vulnerability severity rating system can be used for reasons of consistency. The security severity rating helps developers to determine how best to approach a vulnerability based on the CVSS (NIST, 2022) rating, which consists of a formula made up of three main metric groups: base, temporal and environmental. The Base metrics assess the severity of a vulnerability on the basis of its intrinsic characteristics, which are mostly constant over time. The Temporal metrics are based on factors that change over time, such as the availability of exploit code (Cichonski et al., 2012). The Environmental metrics consider factors such as the presence of mitigations in the cyber environment. The rating system also produces a numerical score ranging from 0 to 10, which can be mapped onto qualitative ratings, as shown in Table 11. Once vulnerabilities have been identified and assigned a severity score, an association is created in the model between the potential threats that could exploit the vulnerability and the assets associated with the vulnerability.

Task 2.3 – identify risks. The goal of this task is to identify and assess the potential outcomes of a successful threat to a cyber asset, such as the possibilities of the destruction of, modification of, or interruptions to assets or critical functions. This can be instantiated by using the Risk concept of the meta-model. Moreover, there are many approaches with which to perform risk analysis that can be utilised for this purpose. The developer needs to define an approach that makes the identification and accurate estimation of risks possible. This will help to ensure that major or prioritised risks are not overlooked. The key factors that are considered in order to estimate risk likelihood include threat agent and vulnerability factors, while those used to estimate risk impact include technical and business impact factors. The threat factors employed in order to estimate risk likelihood involve assigning a set of options to each factor, and each option carries an associated likelihood rating from 0 to 9 (as shown in Table 12).

Technical impact factors are similarly used to determine the impact of risks. Each factor is assigned a set of options, and each option is associated with an impact rating from 0 to 9 (as shown in Table 13). The developer can, therefore, determine the severity of risks for assets and business functions, in addition to ensuring that priority is given to more severe risks. This activity produces a summary threat, vulnerability and risk register within the CII context, as shown in Tables 14 and 15.

3.4.3. Activity 3 – incident response

This is the last activity and involves the specification and representation of incident response activities. The objective of this activity is to capture incident response strategies on the basis of threats and vulnerabilities and to improve the understanding and analysis of incident response strategies in terms of containment and eradication actions. The output is, therefore, the modelling of incident response activities according to the specific needs of the critical infrastructure. The activity is decomposed into multiple parts in order to enable the creation of different views or sub-models, as described in the following section. The SPEM 2.0 diagram defining the basic pattern of inputs, tasks and outputs of this activity is shown in Fig. 5.

Task 3.1 – identification and analysis of incidents. This task provides a meticulous analysis of one or multiple incidents. The analysis considers attributes such as the severity and priority of incidents. Primarily, the task consists of two steps, namely cyber incident detection and analysis, which pave the way for the subsequent task of containment, eradication and recovery.

In the case of incident detection, this phase entails the application of different techniques and tools with which to detect cyber incidents. A developer must collect and log security event data for the detection of incidents and the support of incident analysis, using the Evidence and Incident Type attributes of the CyberIncident concept. The Evidence concept enables the various automated detection capabilities that are used to identify a cyber incident to be recorded. Incidents can, therefore, be detected by various means, with varying levels of detail. Automated detection capabilities such


Table 9
Threat Rating Matrix.

Category | 3 (High) | 2 (Medium) | 1 (Low)
Damage Potential (D) | Complete system or data destruction, and unavailability of assets and critical functions | Compromises or impacts on a subset of assets and critical functions | Minor: an impact on a small number of assets and critical functions
Reproducibility (R) | A threat could be reproduced to compromise assets and critical functions | The threat can be reproduced, but only by an authorised user | It is improbable that the threat will be replicated.
Exploitability (E) | A novice threat actor can easily compromise assets and bring down critical functions. | Attack tools freely available, or an exploit is easily performed using novice tools | Advanced programming and in-depth knowledge, with custom or advanced tools
Affected Users (A) | All users | Some users but not all | None
Discoverability (D) | Vulnerabilities in the asset are very noticeable and can be easily exploited | Weaknesses in the assets are rarely discovered. | Vulnerabilities are hardly present and rarely discovered.

Fig. 5. SPEM 2.0 diagram of Activity 3: Incident Response.

Table 10
Threat Severity Matrix.

Values | Rating
12 to 15 | High
8 to 11 | Medium
5 to 7 | Low

Table 11
Vulnerability Rating.

Rating | Score
Low | 0.1–3.9
Medium | 4.0–6.9
High | 7.0–8.9
Critical | 9.0–10.0

as log management tools, antivirus software, intrusion detection systems, intrusion detection systems, and vulnerability scan data can be used to detect incidents. Incidents may also be detected by manual means such as user reports, especially because some incidents can be easily detected manually, whereas others can go undetected without automated processes.

Furthermore, in the case of incident analysis, the analysis focuses on evaluating an incident in order to determine its scope, the methods used, and the vulnerabilities exploited. It is necessary to review the collected evidence and the attack vectors that the threat action is using in order to exploit the vulnerability. The task is, therefore, enabled using concepts and attributes of the modelling language such as Priority, AffectedAssets, Impact, Threat, Vulnerabilities, Risks and Control Mechanism. Some incidents are relatively more important and require a more urgent response than others. A developer should, therefore, assign an incident priority scheme based on its impact and urgency for resolution. This "Priority" attribute enables a developer to determine incident priority according to a prioritisation matrix. The attribute "AffectedAssets" is used to identify the assets that have been affected by a cyber incident by creating an association between the cyber incident and the assets perceived to be affected.

The consequences of an incident for assets are similarly quantified using the Impact concept, on the basis of a qualitative or quantitative value. The Control Mechanism concept enables the developer to represent the existing control actions, processes and mechanisms being used to prevent or mitigate potential incidents, which are categorised as Corrective Mechanism, Preventive Mechanism and Detective Mechanism. Furthermore, it is worth noting that control mechanisms do not always provide the complete security and protection of assets as desired, and the attribute Measure of Effectiveness consequently enables the assessment of the effectiveness of existing control measures, in terms of the relevance and robustness of the control mechanisms, in order to ad-

Table 12
Risk Likelihood.

Threat Factor
Factor | Description | 0 to < 3 (Low) | 3 to < 6 (Medium) | 6 to 9 (High)
Ease of Discovery | How easy is it for this group of threat agents to discover this vulnerability? | Practically impossible | Difficult | Substantially easy
Ease of Exploit | How easy is it for this group of threat agents to exploit this vulnerability? | Theoretical | Difficult | Substantially easy
Awareness | How well known is this vulnerability to this group of threat agents? | Unknown | Obvious | Public knowledge
Intrusion Detection | How likely is it that an exploit will be detected? | Active detection mechanisms | Logged & reviewed | Not reviewed
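The following Python program is an added example, not code from the paper or from the CyberSANE tool. It turns the scales of Tables 9 to 13 into one register row of the kind Tables 14 and 15 template: a DREAD total banded per Table 10, a CVSS score banded per Table 11, and averaged 0–9 threat and technical impact factors banded per Tables 12 and 13. The paper does not say how a likelihood level and an impact level combine into an overall risk level; the `OVERALL_RISK` matrix that does so here is an assumption modelled on the OWASP Risk Rating Methodology, and every sample value (threat, factor ratings, the placeholder CVE reference) is constructed.

```python
"""Threat, vulnerability and risk register row from the paper's scales.

Added example. Tables 9-13 give the bands used below; the matrix that
combines likelihood and impact levels into an overall risk level is an
ASSUMPTION (OWASP-style), not part of the paper. Sample values are constructed.
"""
from dataclasses import dataclass
from statistics import mean
from typing import Dict, Tuple

# STRIDE categories for the register's "Category" column (Table 7).
STRIDE = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
          "I": "Information Disclosure", "D": "Denial of Service",
          "E": "Elevation of Privilege"}

DREAD_FACTORS = ("damage", "reproducibility", "exploitability",
                 "affected_users", "discoverability")


def dread_severity(ratings: Dict[str, int]) -> Tuple[int, str]:
    """Sum five DREAD ratings of 3/2/1 (Table 9) and band the 5..15 total
    as in Table 10: 12-15 High, 8-11 Medium, 5-7 Low."""
    if set(ratings) != set(DREAD_FACTORS):
        raise ValueError(f"expected exactly the factors {DREAD_FACTORS}")
    if any(v not in (1, 2, 3) for v in ratings.values()):
        raise ValueError("each DREAD rating must be 3 (high), 2 (medium) or 1 (low)")
    total = sum(ratings.values())
    return total, ("High" if total >= 12 else "Medium" if total >= 8 else "Low")


def cvss_qualitative(score: float) -> str:
    """Map a CVSS score (0.0-10.0) onto the Table 11 bands. A score of 0.0 is
    CVSS's own 'None' rating, which Table 11 does not list."""
    if not 0.0 <= score <= 10.0:
        raise ValueError("CVSS scores lie in 0.0..10.0")
    for floor, band in ((9.0, "Critical"), (7.0, "High"), (4.0, "Medium"), (0.1, "Low")):
        if score >= floor:
            return band
    return "None"


def band_0_to_9(value: float) -> str:
    """Bands of Tables 12 and 13: 0 to <3 Low, 3 to <6 Medium, 6 to 9 High."""
    if not 0 <= value <= 9:
        raise ValueError("factor ratings lie in 0..9")
    return "High" if value >= 6 else "Medium" if value >= 3 else "Low"


def factor_level(factors: Dict[str, int]) -> Tuple[float, str]:
    """Average a set of 0-9 factor ratings and band the average. Used for the
    threat factors (likelihood, Table 12) and the technical impact factors
    (Table 13) alike."""
    for name, v in factors.items():
        if v not in range(10):
            raise ValueError(f"{name}: rating {v} outside 0..9")
    avg = mean(factors.values())
    return avg, band_0_to_9(avg)


# ASSUMPTION (not in the paper): (likelihood band, impact band) -> overall risk.
OVERALL_RISK = {
    ("Low", "Low"): "Note", ("Low", "Medium"): "Low", ("Low", "High"): "Medium",
    ("Medium", "Low"): "Low", ("Medium", "Medium"): "Medium", ("Medium", "High"): "High",
    ("High", "Low"): "Medium", ("High", "Medium"): "High", ("High", "High"): "Critical",
}


@dataclass
class ThreatEntry:
    """Inputs for one row of the register templated by Tables 14 and 15."""
    threat: str
    stride: str                     # key of STRIDE
    target_asset: str
    dread: Dict[str, int]           # Table 9 ratings, 3/2/1 each
    cve_reference: str              # a placeholder in the sample below
    cvss_score: float
    threat_factors: Dict[str, int]  # Table 12 ratings, 0..9 each
    impact_factors: Dict[str, int]  # Table 13 ratings, 0..9 each

    def register_row(self) -> Dict[str, object]:
        total, dread_band = dread_severity(self.dread)
        _, lik_band = factor_level(self.threat_factors)
        _, imp_band = factor_level(self.impact_factors)
        return {"threat": self.threat, "category": STRIDE[self.stride],
                "target_asset": self.target_asset, "dread_total": total,
                "threat_severity": dread_band, "cve_reference": self.cve_reference,
                "vulnerability_rating": cvss_qualitative(self.cvss_score),
                "likelihood": lik_band, "technical_impact": imp_band,
                "overall_risk": OVERALL_RISK[(lik_band, imp_band)]}


def sample_row() -> Dict[str, object]:
    """Constructed sample: a ransomware threat against the Distribution
    Management Systems asset of the paper's CII analysis (Table 19)."""
    return ThreatEntry(
        threat="Ransomware", stride="D", target_asset="Distribution Management Systems",
        dread={"damage": 3, "reproducibility": 2, "exploitability": 2,
               "affected_users": 3, "discoverability": 2},
        cve_reference="CVE-YYYY-NNNNN (placeholder)", cvss_score=8.1,
        threat_factors={"ease_of_discovery": 6, "ease_of_exploit": 6,
                        "awareness": 9, "intrusion_detection": 3},
        impact_factors={"confidentiality": 7, "integrity": 7,
                        "availability": 9, "accountability": 7},
    ).register_row()


if __name__ == "__main__":
    for column, value in sample_row().items():
        print(f"{column:22} {value}")
```

The band boundaries are the ones the tables state (12, 8 for DREAD; 9.0, 7.0, 4.0, 0.1 for CVSS; 6 and 3 for the 0–9 factors), so an auditor can check any register row against the paper's tables without re-reading the code; what would need agreeing with the organisation is the overall-risk matrix, which is why it sits in one named constant.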


Table 13
Risk Impact to Technical Impact.

Technical Impact
Factor | Question to ask | 2 | 4 | 6 | 7 | 9
Loss of Confidentiality (C) | How much data could be disclosed and how sensitive is it? | Minimal non-sensitive data disclosed | Minimal critical data disclosed | Extensive non-sensitive data disclosed | Extensive critical data disclosed | All data disclosed
Loss of Integrity (I) | How much data could be corrupted and how damaged is it? | Minimal slightly corrupt data | Minimal seriously corrupt data | Extensive slightly corrupt data | Extensive seriously corrupt data | Extensive seriously corrupt data
Loss of Availability (A) | How much service could be lost, and how vital is it? | Minimal primary services interrupted | Extensive secondary services interrupted | Extensive primary services interrupted | Extensive primary services interrupted | All services completely lost
Loss of Accountability (AC) | Are the threat agents' actions traceable to an individual? | All services completely lost | Possibly traceable | Possibly traceable | Possibly traceable | Completely anonymous

Table 14
Threat, Vulnerability and Risk Register.

Threat | Threat Type | Category (S, T, R, I, D, E) | Target Assets | Threat Severity (D, R, E, A, D) | Severity

Table 15
Threat, Vulnerability and Risk Register.

Vulnerability (Type | CVE Reference | Rating) | Risk (Technical Impact of Risk)

dress the cyber incident. These considerations will, therefore, provide the developer with sufficient insight with which to assess the subsequent containment and mitigation strategies according to the order in which cyber incidents should be handled.

It is vital to use an incident prioritisation matrix to determine incident priority. Cyber incident prioritisation can be performed according to three criteria: (a) the functional impact of the incident (such as the current and likely future negative impact on critical functions), (b) the information impact of the incident (such as on the confidentiality, integrity and availability of assets), and (c) recoverability from the incident (such as the time and types of resources that are required in order to recover from the incident) (NIST, Cichonski et al., 2012). This prioritisation is based on the presumption that highly rated incidents must be handled and resolved before low-rated incidents. Although the developer can best decide on an appropriate criterion, the functional impact criteria are more suitable as regards prioritising incidents according to negative impacts on critical functions, and these are consequently considered in this process and presented in Table 16.

Furthermore, as mentioned earlier, the impact or magnitude of harm resulting from a cyber incident is estimated using the Impact concept. The Severity attribute of the concept is specifically used to determine an impact in terms of loss, failure or damage that could result in an adverse effect on critical functions or assets. A matrix with which to determine the impact on organisational assets and functions can be used. The assessment scales shown in the impact matrix can be tailored according to organisation-specific conditions, as shown in Table 17.

Moreover, the effectiveness of controls can be determined by using standard quality metrics for each of the control categories. ISO/IEC 27004:2016-12-15 provides guidelines that are intended to assist organisations in evaluating the information security performance and the effectiveness of the ISMS (ISO/IEC_27004:2016, 2016). The guideline identifies a measurement method and four groups of controls that can be measured: (a) management controls such as security policy, security procedures and business continuity plans; (b) business processes such as the risk assessment and risk management process; (c) operational controls such as operational procedures, change control, problem management, backup and secure disposal; and (d) technical controls such as patch management, antivirus controls, IDS, firewalls and content filtering. Ultimately, this ISO guideline can be used to assess the effectiveness of controls using the attribute Measure of Effectiveness.

Task 3.2 – define incident containment, eradication and recovery actions. The goal of progressing through the preceding task is to define actions that will contain and eradicate an incident. In other words, it is crucial to implement strategies with which to contain and remove incidents in order to avoid incidents overwhelming assets. This task, therefore, focuses on the analysis of appropriate and implementable incident response strategies with which to address cyber incidents. The goal is to enable a developer to create an independent model that captures the essential strategies required in order to contain and reduce the potential impacts of an incident, along with the strategies for the actual restoration of affected assets. As with the previous models, the modelling activity in this task uses concepts from the incident handling modelling language, along with the integration of various techniques and practices in order to support the modelling activity.

The central concept that enables modelling at this level is the CyberCourseOfAction, which entails a combination of processes or measures with which to respond to or mitigate the potential impacts of predefined or anticipated cyber incidents. As the control actions for incident containment and eradication may vary according to incident type, strategies for a cyber course of action take these variations into account in order to enable the implementation of different strategies for each significant incident type. Cyber course of action strategies can, therefore, be implemented from two perspectives, namely (i) a procedural course of action dealing with control actions such as security policies and awareness and training, and (ii) a technical course of action such as cryptography and access control. These two categories of cyber course of action are modelled by ProceduralCourseOfAction and TechnicalCourseOfAction through inheritance.

When defining and modelling technical and procedural courses of action, it is, therefore, essential to consider a set of standard


Table 16
Functional Impact Categories for Incident Prioritization.

Category | Rating | Definition
None | 0 | No effect on the ability to provide all users with critical functions.
Low | 1 | The minimal effect. All users can be provided with critical functions but with limited efficiency.
Medium | 2 | The inability to provide a subset of users with critical functions.
High | 3 | Complete incapacity to provide any users with critical functions.

Table 17
Incident Impact Rating.

Qualitative Values | Semi-Qualitative Values | Description
Very High | 95–100 / 10 | The impact of an incident is sweeping, affecting almost all of the assets and critical functions.
High | 80–95 / 8 | The impact of an incident is extensive, affecting most of the assets, including many critical functions.
Moderate | 21–79 / 5 | The impact of an incident is substantial, affecting a significant portion of assets, including some critical functions.
Low | 5–20 / 2 | The impact of an incident is limited in nature, affecting some assets but not involving any critical functions.
Very low | 0–4 / 0 | The impact of an incident is minimal and negligible, involving few if any assets and involving no critical functions.

Table 18
Incident Response Matrix.

Cyber Incident (Type | Affected Asset | Severity) | Impact (Affected Assets | Incident Priority | Severity) | Control Mechanism (Detective | Preventive | Corrective) | CCoA (Procedural | Technical)
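The incident prioritisation described in Task 3.1, written out as an added Python example (not code from the paper or from the CyberSANE tool): each incident is given a Table 16 functional impact category and a Table 17 semi-quantitative impact score, and the incidents are ordered and bucketed into the two axes a heat map would colour. The paper leaves the choice of criterion to the developer, so the ordering rule used here (functional impact first, Table 17 band value as tie-breaker) is an assumption, as is reading Table 17's shared boundary at 95 as Very High. The incidents, assets and evidence strings are constructed.

```python
"""Incident prioritisation with the paper's Tables 16 and 17.

Added example. The ordering rule and the treatment of the score 95 (listed
in both the 80-95 and 95-100 bands of Table 17) are assumptions; sample
incidents are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Table 16: functional impact category -> rating.
FUNCTIONAL_IMPACT = {"None": 0, "Low": 1, "Medium": 2, "High": 3}


def impact_rating(semi_quantitative: int) -> Tuple[str, int]:
    """Table 17: 0-100 impact score -> (qualitative value, band value 0/2/5/8/10).
    Each band's lower bound is taken as inclusive, so 95 is Very High."""
    if not 0 <= semi_quantitative <= 100:
        raise ValueError("semi-quantitative impact lies in 0..100")
    for floor, name, value in ((95, "Very High", 10), (80, "High", 8),
                               (21, "Moderate", 5), (5, "Low", 2)):
        if semi_quantitative >= floor:
            return name, value
    return "Very low", 0


@dataclass
class Incident:
    """One CyberIncident instance: type, affected assets, evidence and the two
    impact values the prioritisation matrix needs."""
    incident_type: str
    affected_assets: List[str]
    functional_impact: str               # Table 16 category name
    impact_score: int                    # Table 17 semi-quantitative value
    evidence: List[str] = field(default_factory=list)

    def priority(self) -> Tuple[int, int]:
        """Sort key (ASSUMED rule): functional impact rating first, then the
        Table 17 band value. Higher tuples are handled first."""
        if self.functional_impact not in FUNCTIONAL_IMPACT:
            raise ValueError(f"unknown functional impact {self.functional_impact!r}")
        return FUNCTIONAL_IMPACT[self.functional_impact], impact_rating(self.impact_score)[1]


def prioritise(incidents: List[Incident]) -> List[Incident]:
    """Highest-priority incident first; the sort is stable, so incidents with
    equal keys keep their reporting order."""
    return sorted(incidents, key=Incident.priority, reverse=True)


def heat_map(incidents: List[Incident]) -> Dict[Tuple[str, str], List[str]]:
    """Bucket incident types by (functional impact, Table 17 qualitative value),
    i.e. the cells a heat map such as the paper's Fig. 7 would colour."""
    cells: Dict[Tuple[str, str], List[str]] = {}
    for inc in incidents:
        key = (inc.functional_impact, impact_rating(inc.impact_score)[0])
        cells.setdefault(key, []).append(inc.incident_type)
    return cells


def sample_incidents() -> List[Incident]:
    """Constructed incidents against assets named in the paper's case study."""
    return [
        Incident("Phishing", ["SIDE CRM"], "Low", 15, ["user report"]),
        Incident("Ransomware", ["Distribution Management Systems", "Process Data"],
                 "High", 90, ["antivirus alert", "SIEM correlation"]),
        Incident("Denial of Service", ["Advanced Metering Infrastructure"],
                 "Medium", 60, ["IDS alert"]),
    ]


if __name__ == "__main__":
    for rank, inc in enumerate(prioritise(sample_incidents()), 1):
        fi, band = inc.priority()
        print(f"{rank}. {inc.incident_type:18} functional={fi} impact_band={band} "
              f"assets={', '.join(inc.affected_assets)}")
```

Keeping the two axes separate (rather than collapsing them into one number up front) is what makes the heat map readable: an incident that cripples a critical function with a modest asset footprint still lands in the top row, which matches the paper's preference for the functional impact criterion.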

actions for cyber defence that provide actionable practices and mechanisms with which to contain, mitigate and eradicate most of the pervasive and dangerous cyber-attacks. We follow the CIS CSC controls to determine the suitable controls. This activity produces an incident response register summarising all the information related to the CyberCourseOfAction, as shown in Table 18.

3.5. CyberSANE tool

In order to support the implementation and application of the CIHML Process, a tool called CyberSANE has been developed. It is a cloud web application developed using HTML5 (HTML, CSS and JavaScript) and Node.js technologies, complemented with an API that, through a series of endpoints, allows the integration of the models and data generated in the web tool into other external systems in a manner that is easy and transparent for the operator. The tool runs in a standard web browser and can be accessed at https://cybersane-4af7f.web.app/. It is necessary to create credentials prior to accessing the portal. The initial page, therefore, allows users with valid credentials to log in so as to carry out the activities provided in the dashboard.

The objective of the tool is to automate the incident handling process. It consists of two main interfaces, Critical Information Infrastructure (CII) and incident analysis, which are associated with the relevant functionality required to perform the tasks. The main features include modelling, reporting, prioritisation and attack path discovery, which are required for the CII and incident analyses. The CII analysis considers assets, goals, constraints, vulnerabilities and actors based on the specific context. The modelling feature makes it possible to visually present all these entities using standard notations for the purpose of critical analysis. One of the key benefits of the tool is the prioritisation of incidents through the adoption of an incident heat map. The incident heat map visually presents the incidents in differently coloured segments on the basis of their priorities. This makes it possible to understand which incidents need immediate attention, thus allowing appropriate control actions to be taken into consideration in order to tackle the incident. The tool includes the reporting features required in order to produce a detailed incident report based on the tasks performed in the incident identification and prioritisation activities.

The CyberSANE tool allows the different models developed through the CIHML Process to be generated graphically and intuitively. The tool, therefore, allows the creation, customisation and adaptation of each model to the context of the infrastructure in which the process is being applied, defining each of its elements and connections related to the managed security incidents. In addition, the models generated can be used as a knowledge base to support the rapid and effective categorisation of future incidents. Fig. 6 shows an example of a CII Analysis Model created in CyberSANE. As stated previously, the CII analysis includes the asset, goal, constraint, actor, vulnerability and specific CI sector, signifying that this information can be used to identify and analyse possible incidents.

Furthermore, the tool makes it possible to collect, compile and summarise all the information obtained from security incidents through the CIHML Process. It consequently provides the tasks of analysis, categorisation, prioritisation and decision-making with automated support for incident management and resolution. Fig. 7 shows an example of the incident prioritisation task implemented in CyberSANE, which includes the incident heat map in order to visually present and prioritise the incidents. This supports informed decision-making as regards the specific incident that requires immediate attention.

4. Implementation

We have implemented the proposed modelling language in a real industrial context. The goal of the implementation is to provide a detailed description of how the proposed model can be used to improve the understanding and representation of cyber incident handling activities. The study context is based on an energy company that specialises in solar energy production, storage and distribution services. In order to protect the confidentiality of our study context, we have used the fictitious name "ABZ" to refer to our case study. The objective of the implementation is, therefore, to: i) demonstrate the applicability of the cyber incident modelling language to a real studied context; ii) determine the suitability of modelling for the CII; and iii) generalise our findings to existing works.

4.1. Study context

ABZ operates an integrated platform (SIDE/Smartly Integrated Distributed Energy platform), with several digital services on top


Fig. 6. Example of CII Analysis Model in CyberSANE tool.

Fig. 7. Example of incident prioritisation in CyberSANE tool.

that help energy "customers", utilities and grid operators to optimise power flows, secure the electricity grid and finally reduce the cost of electricity. The SIDE platform constitutes a smart software-hardware solution optimised for Grid 2 Home / Home 2 Grid optimisation of a distributed generation system. The platform incorporates a bundle of components such as:

• A range of web apps for the end-user (SIDE UIs) that enable users to see the power flow between the solar system, the battery and the grid of their households in real time.
• The SIDE gateway, which is an intermediate device between sensors, smart meters, inverters, the battery and appliances and the SIDE Platform that creates value from data collection and control.
• The SIDE Virtual Power Plant (VPP), which is a cloud infrastructure and software platform that operates a smart grid network of a population of distributed assets that are securely interconnected via the SIDE Gateway.
• The SIDE CRM, which is a bespoke back-office CRM application that automates the entire business process.
• The SIDE Panel, which is an electric panel specially designed to accelerate the installation process of the system and eliminate connectivity errors; and the SIDE IoT platform, which is our abstract software running framework.

Attacks on "Solar Energy Production, Storage and Distribution Service": Various combined cyber-attacks may affect the solar energy service examined. With regard to the cyber part, there may be attacks on the back-end SIDE Platform, such as gaining unauthenticated, remote access to IoT components and other components in order to disrupt services. Other cyber-attacks may target the IT and communication systems that are used to process the sensed data and transmit them to the corresponding IT systems.

4.2. Cyber incident

ABZ experienced a cybersecurity incident on multiple systems across their network. The in-house security team determined that a large-scale malware incident had occurred and had quickly spread across the network, affecting several CII assets, including customer information and system/process data. A detailed analysis


Table 19
Analysis of CII Table.

Critical Sector | Critical Functions | Critical Infrastructure Asset: Category | Type | Criticality
Electricity | Solar energy management services; Production, distribution and transmission of solar energy | Communication | Customer Premises Network | 2
 | | Network | Distribution Grid Network | 3
 | | Network | Transmission Grid Network | 3
 | | Systems | Distribution Management Systems | 3
 | | Systems | Advanced Metering Infrastructure | 2
 | | Systems | Supervisory Control and Data Acquisition | 2
 | | Systems | Smartly Integrated Distributed Energy Platform | 3
 | | Data | Personal/Private Data | 2
 | | Data | Process Data | 2
 | | Data | Metre configuration data | 2
 | | Data | Software/Hardware Data | 1
 | | Security Controls | Security Information and Event Management (SIEM) | 2
 | | Security Controls | Network Security and Monitoring Tools | 1

of the actual nature and scale of the malware attack revealed the presence of a "Jigsaw Ransomware attack", which is a form of malicious code that infects systems and typically performs operations such as file encryption. The attack propagated and encrypted multiple hard disks containing process, system and customer data, rendering them inoperable and inaccessible to both users and customers. This resulted in the unavailability of the production, distribution and transmission functions of solar energy. A ransom note was subsequently generated demanding payment in Bitcoins and threatening to delete encrypted files for every hour of non-payment of the ransom. In summary, the Jigsaw Ransomware incident resulted in the solar energy management systems becoming completely non-functional, thus incapacitating the distribution of energy to customers.

After realising that the situation existed, the company saw the need for a holistic and integrated approach to the identification, assessment and recovery from the cyber incident. Furthermore, the decision-makers required a modelling approach that could improve the understanding and representation of the processes, threats and vulnerabilities while simultaneously facilitating incident resolution in an easy-to-use and easy-to-understand fashion.

4.3. Process implementation

In this section, we present a summary of the implementation process of CIHML. It is essential to mention that the implementation processes, details and artefacts are summarised in this paper owing to space limitations.

4.4. Activity 1 – identify critical sector and functions

The implementation activities were initiated in conjunction with a team of Security Analysts and the IRT. Formal engagements and briefings concerning the implementation process were carried out in order to prevent any misunderstandings regarding the contex-

4.4.1. Activity 2 – threat analysis model

This activity identifies and analyses the threats and generates the risk register on the basis of the incident pertinent to ABZ. We emphasised the identification, analysis and modelling of the potential threats that may lead to the exploitation, interruption or destruction of assets and critical functions. This was achieved by exploring the ENISA Threat Taxonomy, which provides a tier-based classification and grouping of threats into various categories. The engagement and support of the Security Analysts, therefore, allowed us to perform an overall assessment that produced a complete overview of those threats and vulnerabilities that could result in the assets being compromised. Tables 21 and 22 present the main threats and vulnerabilities.

A threat analysis model (Fig. 9) was subsequently designed in order to graphically and accurately represent the possible severity of threats, a vulnerability rating, and the level of impact associated with risks. The model provides the ability to articulate complex information and enhances awareness of the threat landscape, in addition to enabling ABZ to clarify its threat assumptions. The model, therefore, represents ABZ within its boundary as a critical infrastructure consisting of multiple assets and potential threat actors – cybercriminals and the malicious insider. Each threat actor is mapped onto a specific threat, including the vulnerabilities that are typically exploited in order to compromise assets, and the resulting risk or consequences of threat actor activities. In this instance, a cybercriminal using a set of TTPs identifies missing authentication vulnerabilities in a decision support system that assists the operators to monitor, control and optimise the performance of the electric distribution system, and security configuration vulnerabilities in communication networks. The cybercriminal launches an entire attack set that includes multiple threats and purposes. Malicious code is specifically injected that enables the threat actor to change the configuration of network communications and allows them to gain access to and modify sensitive data. The actions of the threat actor resulted in multiple forms of risk – unauthorised tampering, the disclosure of sensitive data and the unavailability of service, which consequently affected the production, dis-
tribution, and transmission of solar energy.
tual aspects of our approach and to prevent premature conclusions.
The modelling of all the elements related to an incident, along
Inputs from multiple stakeholders were, therefore, used as the ba-
with the relationships among them, therefore allows both the op-
sis on which to develop the first step towards identifying the criti-
erators and the specific cyber security personnel involved to visu-
cal functions’ peculiar to ABZ. In this direction, having analysed its
ally obtain an accurate overview of all the aspects related to the
context in terms of its strategic and operational objectives, ABZ’s
context of the cyber incident. The model thereby provides a bet-
domain of operations falls under solar energy production, storage
ter understanding and analysis of the existing vulnerabilities, the
and distribution. The analysis yielded a detailed list of assets and
threats involved in the incident, the attack mechanisms and even
their criticality, actors, security and privacy constraints, as shown
the behaviour of the cyber attacker.
in Tables 19 and 20, respectively. This activity also produces a CII
In addition, as a result of this activity, a qualitative assessment
analysis model that visually captures the critical functions, Actor,
of the different factors that allow the contextualisation and an un-
and constraints (Fig. 8).

17
H. Mouratidis, S. Islam, A. Santos-Olmo et al. Computers & Security 128 (2023) 103139

Table 20
Actor Profile.

Actor Goals Constraints


Type Role Type Security Privacy

Generation and The operating managers Ensure efficient delivery of Protection against cyber Share/use private customer
distribution operators responsible for the critical functions incidents that could cause data and system data only
optimisation of blackouts, power when approved
production, distribution overloads, device
and transmission of solar malfunction, and data
energy tampering
Technology vendors Provision of third-party Provision of reliable cyber Integrity and availability of Complete compliance with
software and hardware solutions to support and hardware and GDPR rules for Data
solutions such as SCADA workflow, production and software solutions Privacy
Software distribution of solar
energy
End-user Consumption/use of solar Consumption of stable, Secure access to energy Proper notification
energy at domestic and cost-effective and reliable services and monitoring regarding the purpose of
industrial levels. solar energy and control use, processing and
transfer of personal data
System Operator Responsible for the Maintain security Authorised access and use Share/use private data
configuration, supporting procedures for assets and of assets only when approved.
and maintaining cyber customer data security
assets.

Fig. 8. Analysis of CII Model.

Table 21
Threat Analysis.

Threat Category Threat Severity


Threat Type Target Assets Severity
S T R I D E D R E A D
∗ ∗ ∗
Malicious Code Overall Assets 3 2 3 3 3 High
∗ ∗
Elevation of privilege Overall Data 2 2 3 1 3 Medium
∗ ∗
Data tampering Private, Metre and 3 2 3 2 3 High
Process Data

18
H. Mouratidis, S. Islam, A. Santos-Olmo et al. Computers & Security 128 (2023) 103139

Table 22
Vulnerability Analysis.

Vulnerability
Risk Technical Impact
Risk
Type CVE Reference Rating C I A AC

Elevation of privilege CVE-2018-8453 High Unauthorized tampering and 7 7 9 6


vulnerability disclosure sensitive data.
File Disclosure CVE-2019-11510 Critical Unavailability of essential 6 7 9 9
vulnerability functions and services

Fig. 9. Threat Analysis Model.

derstanding of the impact of the incident (categorisation and crit- sponse. The first task was an internal investigation of the cyber
icality of the threats involved in each incident, evaluation of the incident and its potential impact on assets. The initial application
related vulnerabilities, assessment and potential impact of the in- of detection mechanisms and incident analysis activities allowed
herent risks) is also generated. This information complements the the IRT to express concerns and establish the operationalisation of
incident knowledge base and provides initial guidance with which a Jigsaw Ransomware as a result of cybercriminal activities that
to facilitate an accurate understanding of the context, causes and exploited a buffer flow vulnerability and malicious code injection.
effects of each event after modelling. The modelling language also The analysis accordingly identified the cybercriminal’s fingerprints
includes a comprehensive understanding and the specific vision of on one of the systems, and a further examination revealed that
the critical infrastructure context. the incident had impacted on multiple assets and rendered critical
In addition, and as mentioned previously, the Cybersane soft- functions unavailable. An incident register was created containing
ware offers tools that guide the operator in the analysis and pri- analysis information, including the type, affected assets, severity,
oritisation of cyber incidents. It also allows the reuse of knowledge and other details about the incident, as shown in Table 23.
generated from the modelling of previous security events as a basis Furthermore, a holistic and definitive model was developed on
for analysis and decision-making on new incidents that may have the basis of the incident identification and analysis register, which
common characteristics. provided a more precise representation of the incident details to
ensure streamlined, consistent and coordinated response activities.
4.4.2. Activity 3 – incident response In particular, the model offers a consolidated view of the specifici-
The IRT at ABZ initiated a sequence of modelling activities that ties of the cyber incident (Fig. 10). The view is underpinned by the
were aimed at representing the cyber incident analysis and re- analysis result obtained from the IRT. The model highlights the ac-

19
H. Mouratidis, S. Islam, A. Santos-Olmo et al. Computers & Security 128 (2023) 103139

Table 23
Incident Identification and Analysis.

Cyber Incident Details


Impact
ID Type Priority Affected Assets & Functions

CI01 Malicious Code Data extrusion 1 Private Data 10


Injection Data encryption 2 Transmission Grid Network 8
(Jigsaw Lateral Movement 1 Distribution Management System 8
Ransomware) Production, Distribution, and Transmission of solar electric power 8

Fig. 10. Incident Analysis.

tivities of a Cybercriminal as the perpetrator of the incident, This the existing control mechanisms. Before the implementation of the
person performed the reconnaissance of ancillary communication course of action strategies, the IRT had identified weaknesses in
channels, systems and services in order to identify common ex- existing control measures, thus allowing the cybercriminal to in-
isting vulnerabilities. The cyber attacker then used a set of tactics, filtrate all inbound and outbound connections into the communi-
techniques and procedures to accomplish the injection of malicious cation networks of ABZ. The IRT, therefore, deployed a procedural
code by exploiting a buffer overflow vulnerability. The malicious course of action, which introduced a set of administrative controls
code followed a succession of stages, from the exfiltration, lateral in the form of policies and standard operating procedures. For ex-
movement and encryption of data. The operationalisation of the at- ample, policies mandating automated patch management to sys-
tack enabled the attacker to gain access to and rendered critical tems, along with regular data backup, were introduced. In addi-
distribution management systems, transmission control networks, tion, the technical course of actions was introduced, imposing a set
and personal data unavailable. The model, therefore, provided the of monitoring, detection and control systems for incident contain-
basis for IRT and ABZ operators to understand and plan for an im- ment and eradication purposes. The IRT consequently proceeded to
plementable cyber course of actions with which to react to the in- develop an incident response model based on the cyber course of
cident. action strategies highlighted in Table 24. The model played a vital
The second task involved the IRT embarking on a coordinated role in providing a realistic representation of multiple actions and
set of actions that stress the allocation of capabilities and resources enabling the IRT to articulate the elements of incident response
for the eradication and recovery from the cyber incident. The ac- strategies in terms of the strategic and functional course of actions,
tions entail a various coordinated cyber course of action strategies thus helping ABZ to develop a clear incident response roadmap
from a procedural and technical perspective, whose main objective (Fig. 11).
was to limit further impact on ABZ assets, along with improving


Table 24
Incident Response Strategies.

Actor | Goal | Control Mechanism: Detective | Control Mechanism: Preventive | Control Mechanism: Corrective | CCoA: Procedural | CCoA: Technical
IRT | Eradicate and recover from incident | Intrusion Detection Systems | Firewalls | Data and Process Backup | Management and software update tools; regular data backup and proper protection using encryption | Manage network devices using multifactor authentication and encrypted sessions; host-based firewalls on end systems, with a default-deny rule that drops all traffic except those services and ports that are explicitly allowed

Fig. 11. Incident Containment, Eradication and Recovery.
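The registers in Tables 21 to 24 are the data that the threat-and-risk and incident-response activities above operate on, and Section 5.2 later summarises the same derivation in prose: DREAD-banded threat severity, CVE-linked vulnerabilities, incidents prioritised against assets and functions, and controls categorised as detective, preventive and corrective with procedural and technical courses of action. The Python below is an added example written for this page; it is not code from the paper or from the CyberSANE project. It encodes the ABZ rows as plain data and runs those derivations over them. Two things in it are assumptions rather than statements from the paper: the DREAD severity banding (the classic Microsoft thresholds on the sum of the five 1–3 scores, 12–15 High, 8–11 Medium, 5–7 Low, which reproduce the Severity column of Table 21), and the threat-to-CVE links for Malicious Code and Data tampering, which are constructed for illustration; only the Elevation of privilege link follows from matching row names. The blank priority of the last Table 23 row is taken to be that of the Lateral Movement row above it.

```python
"""Added example (not the paper's or CyberSANE's code): the ABZ registers of
Tables 21-24 as data, plus the derivations a CIHML tool would run on them.
ASSUMPTION: DREAD severity is the classic Microsoft banding of the sum of five
1-3 scores (12-15 High, 8-11 Medium, 5-7 Low); the paper does not state it."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Vulnerability:            # one row of Table 22
    kind: str
    cve: str
    rating: str                 # CVSS-based rating recorded by the analysts
    risk: str                   # consequence if exploited
    technical_impact: tuple     # (C, I, A, AC) scores as recorded


@dataclass(frozen=True)
class Threat:                   # one row of Table 21
    name: str
    target_assets: str
    dread: tuple                # (Damage, Reproducibility, Exploitability, Affected users, Discoverability)
    cves: tuple = ()            # CVEs from Table 22 the threat exploits


@dataclass(frozen=True)
class Impact:                   # one impact row of Table 23
    activity: str
    priority: int               # 1 = highest
    affected: str               # asset or critical function
    score: int


def dread_severity(scores):
    """Band five DREAD scores into Low/Medium/High (assumed Microsoft thresholds)."""
    if len(scores) != 5 or any(s not in (1, 2, 3) for s in scores):
        raise ValueError("DREAD needs exactly five scores in the range 1-3")
    total = sum(scores)
    return "High" if total >= 12 else "Medium" if total >= 8 else "Low"


def risk_register(threats, vulnerabilities):
    """Join each threat to the CVEs it exploits; most severe threats first."""
    by_cve = {v.cve: v for v in vulnerabilities}
    rank = {"High": 0, "Medium": 1, "Low": 2}
    rows = []
    for t in threats:
        linked = [by_cve[c] for c in t.cves if c in by_cve]
        rows.append({"threat": t.name, "assets": t.target_assets,
                     "severity": dread_severity(t.dread),
                     "cves": [v.cve for v in linked],
                     "risks": sorted({v.risk for v in linked})})
    return sorted(rows, key=lambda r: rank[r["severity"]])  # stable: ties keep table order


def response_order(impacts):
    """Affected assets/functions in the order the IRT addresses them:
    recorded priority first, then impact score, then register order."""
    return [i.affected for i in sorted(impacts, key=lambda i: (i.priority, -i.score))]


CONTROL_CATEGORIES = ("Detective", "Preventive", "Corrective")
CCOA_TYPES = ("Procedural", "Technical")


def response_gaps(response_model):
    """Control categories or course-of-action types left empty in a Table 24 row."""
    return [k for k in CONTROL_CATEGORIES + CCOA_TYPES if not response_model.get(k)]


# --- ABZ data as recorded in the paper's tables ---------------------------
ABZ_VULNERABILITIES = (
    Vulnerability("Elevation of privilege vulnerability", "CVE-2018-8453", "High",
                  "Unauthorized tampering and disclosure of sensitive data", (7, 7, 9, 6)),
    Vulnerability("File Disclosure vulnerability", "CVE-2019-11510", "Critical",
                  "Unavailability of essential functions and services", (6, 7, 9, 9)),
)
# Links for Malicious Code and Data tampering are CONSTRUCTED for illustration;
# the paper itself only pairs the two Elevation of privilege rows by name.
ABZ_THREATS = (
    Threat("Malicious Code", "Overall Assets", (3, 2, 3, 3, 3), ("CVE-2019-11510",)),
    Threat("Elevation of privilege", "Overall Data", (2, 2, 3, 1, 3), ("CVE-2018-8453",)),
    Threat("Data tampering", "Private, Metre and Process Data", (3, 2, 3, 2, 3), ("CVE-2018-8453",)),
)
ABZ_INCIDENT_CI01 = (   # Malicious Code Injection (Jigsaw Ransomware)
    Impact("Data extrusion", 1, "Private Data", 10),
    Impact("Data encryption", 2, "Transmission Grid Network", 8),
    Impact("Lateral Movement", 1, "Distribution Management System", 8),
    # priority is blank for this row in Table 23; the Lateral Movement row's is assumed
    Impact("Lateral Movement", 1, "Production, Distribution, and Transmission of solar electric power", 8),
)
ABZ_RESPONSE = {   # Table 24, IRT goal "Eradicate and recover from incident"
    "Detective": ("Intrusion Detection Systems",),
    "Preventive": ("Firewalls",),
    "Corrective": ("Data and Process Backup",),
    "Procedural": ("Management and software update tools",
                   "Regular data backup and proper protection using encryption"),
    "Technical": ("Manage network devices using multifactor authentication and encrypted sessions",
                  "Host-based firewalls on end systems with a default-deny rule"),
}
```

Running `risk_register(ABZ_THREATS, ABZ_VULNERABILITIES)` reproduces the High/Medium/High column of Table 21 and attaches the Table 22 risks to each threat; `response_order(ABZ_INCIDENT_CI01)` puts Private Data first and the Transmission Grid Network last, which is the priority ordering the IRT recorded; `response_gaps` is the completeness check a reviewer would run on a response model before accepting it, and it returns an empty list for the Table 24 row because every control category and both CCoA types are populated.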

The incident analysis information was, therefore, used as the basis on which to generate models, including specific action planning to tackle the threats identified. The cyber courses of action also considered the actions required in order to review and correct the vulnerabilities found.

The models generated not only offered the possibility of representing cyber-action strategies, but also of providing a specific context for all the factors to be taken into account and the relationships among the different elements linked in the response plan. In addition, both the context and assessment of the incident and the proposed course of action were modelled by taking into account the control mechanism and its categorisation, and the cyber course of action was adapted to a critical infrastructure context.

In a complementary manner, the added value of the Cybersane tool as regards providing support for decision making should be highlighted. In this respect, heat maps were a valuable resource as regards planning incident response actions based on the defined and depicted priorities calculated from the information gathered in the previous step. The strategic and functional course of actions similarly became part of the tool’s knowledge base, thus enhancing Cybersane’s decision-making support features based on the future possibilities of reusing the knowledge generated in the incident response for the company itself.

5. Discussion

The proposed modelling language presented in this paper has proved to be effective as regards analysing and representing cyber-security incident handling processes. We have identified a list of criteria for the modelling language, and CIHML satisfies these criteria. We have considered three different views, namely CII analysis, threat and risk analysis, and incident response views that allow the


visual representation of the incident handling process. The underlying concepts of CIHML are formed according to relevant cybersecurity domains, including security requirements, incident handling, forensics, and risk management. This means that the concepts are vital for analysing the incident and for determining the suitable cyber course of actions for incident management. The proposed process consists of three activities that allow CII operators to systematically manage post-incident activities based on the implementation of the concepts and models in CIHML.

5.1. Observed results

Upon observing the studied context, it was found that the proposed approach is promising for the analysis and modelling of incident response processes for critical information infrastructure. In particular, the three distinct models relating to CII, threat and risk, and incident response, together with their visual presentation, efficiently connect critical infrastructure and related functions with specific threats, risks and incidents, thus allowing an appropriate cyber course of actions to be determined. The process systematically supports the analysis and control of the cyber incident, in addition to producing various artefacts with which to record threats, risks, incidents, and control actions.

5.2. Lessons learned

The implementation process made it possible to learn lessons and discover opportunities for improvements. Our observations indicate that the CII operators involved in the implementation process of CIHML initially found it challenging to understand and create the different modelling views in CIHML. In other instances, operators successfully created the models without understanding the actual purpose and benefits of creating them. This is mainly because the CII operators had varying levels of knowledge and experience of requirements engineering and modelling, which in some respects hindered their ability to sufficiently understand the concepts and how they could be used to create the different models. However, as the implementation exercise progressed, their understanding improved significantly, and they performed the activities rapidly and spent less time building the models. For instance, the analysis of CII enabled them to gain a new perspective of the critical functions, requirements, roles and actor goals that they had not previously considered. In particular, CIHML initiates with a critical infrastructure analysis, including the specific critical sector, assets, possible actors within the sector, their goals and related security and privacy constraints. The underlying model based on these entities visually demonstrates the interdependencies among them and supports the threat analysis.

Similarly, the threat analysis modelling approach fostered implicit analysis. We found that it empowers CII operators to identify new vulnerabilities of the assets, understand the threats that are associated with a specific cyber incident, how an incident occurred, and the priority and impact of the incident. It aims to provide a structured representation of threat information that expresses valuable situational and contextual threats within a specific CII context. To this end, CIHML has adopted the STRIDE and DREAD models and links with the CVE for the potential causes of the threats. The vulnerabilities are also ranked on the basis of the CVSS score. The threats and vulnerabilities allow risks to be identified and quantified. The incidents are identified and prioritised on the basis of the threats and vulnerabilities and are linked with the assets and functions. CIHML also guided the practitioners to choose the right level of controls and course of action required to tackle the incidents. The incident containment and eradication model also helped the CII operators to achieve consistent results by providing a baseline of control considerations that led them to focus on the appropriate incident response actions and strategies. The controls are categorised in terms of detective, preventive and corrective controls with a procedural and technical course of actions. CIHML integrates industry-specific standards and practices such as STRIDE and CVE, which will support the more widespread adoption of CIHML. The underlying activities used for CIHML are fully operational based on the context studied. The visual modelling of the CII, threat and incident analysis made it easy to communicate the incident by relating information to the relevant stakeholder, and this further supports informed decision making.

5.3. Challenges encountered

A few challenges were observed after implementing CIHML in the context studied. Some of the challenges encountered appertain to the sharing of common knowledge of the concepts among CII operators. Although we proposed a conceptual model and a representation of the concepts and their attributes, we observed that the operators initially struggled to understand the specific terminology/concepts of CIHML, which resulted in inconsistency and an ineffective implementation. Based on the context studied, the users found it challenging to develop the model. Additionally, if the CII context is complex, such as a large number of assets, actors, functions and goals, then the model will be much more complex. We, therefore, aim to develop a user manual document that will allow the users to easily follow the process and develop the artefacts. We shall develop guidelines on how to split the model in order to provide a better understanding of the CII. We also plan to include a common point of compromise to allow the controls to be prioritised in order to tackle incidents. We additionally intend to use an ontology as the foundation on which to enhance the conceptual elements of CIHML, whose objective will be to convey a shared understanding of the concepts.

6. Conclusion

Cyber threats are rapidly evolving, which is constantly increasing the number of security incidents, particularly as regards critical information infrastructure. As recent conflicts (e.g. the Ukraine-Russia war) have shown, critical infrastructures are one of the weakest points in the ecosystem of a modern society. Security incidents may, depending on the severity of their impact, have catastrophic consequences for the global continuity of businesses and governments, and affect the quality of citizens’ lives.

This paper presents a new proposal with which to deal with incident management in critical infrastructures. To this end, a language and a modelling process have been developed with the aim of analysing and managing security incidents in this type of infrastructure.

The results obtained from its application in the context of case studies show that it is a viable solution for the management of this type of incident. The work decomposes into multiple models, which allow the visual representation of and correlation among threats, risk, incident and control. Its application to a critical infrastructure in the energy sector has been presented in this paper.

As future work, we plan to add new case studies, which will allow a transfer of knowledge from the linguistic model to critical infrastructures, and this will provide valuable feedback to improve the modelling language presented. This will also provide valuable datasets to be used in the subsequent phases.

We now plan to extend the model by adding new data analysis techniques associated with the field of deep learning. To this end, the current model will be integrated with machine learning algorithms in order to obtain incident patterns associated with the type of critical infrastructure, and to predict future incidents, along with the severity associated with them. Incident prediction will


also be validated using datasets of cybersecurity incidents on critical infrastructures in different sectors.

Finally, the CyberSANE tool employed to support CIHML will continue to evolve by partially automating the overall process, always seeking to ensure that the automation of the functionalities is of value to professionals by helping them to make decisions but allowing them to make the final decision.

Declaration of Competing Interest

The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.

CRediT authorship contribution statement

Haralambos Mouratidis: Project administration, Conceptualization. Shareeful Islam: Supervision, Methodology. Antonio Santos-Olmo: Visualization, Formal analysis. Luis E. Sanchez: Visualization, Investigation. Umar Mukhtar Ismail: Software, Investigation, Validation.

Data availability

The data that has been used is confidential.

Acknowledgments

This work has received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement No 833683, AETHER-UCLM (PID2020-112540RB-C42) and ALBA-UCLM (TED2021-130355B-C31) funded by "Ministerio de Ciencia e Innovación", Spain.

References

Adepu, S., Kang, E., Mathur, A.P., 2019. Challenges in secure engineering of critical infrastructure systems. In: Proceedings of the 34th IEEE/ACM International Conference on Automated Software Engineering Workshop (ASEW), pp. 61–64. doi:10.1109/ASEW.2019.00030.
Ahmad, A., Hadgkiss, J., Ruighaver, A.B., 2012. Incident response teams – challenges in supporting the organisational security function. Comput. Secur. 31 (5), 643–652. doi:10.1016/j.cose.2012.04.001.
Ahmad, A., Webb, J., Desouza, K.C., Boorman, J., 2019. Strategically-motivated advanced persistent threat: definition, process, tactics and a disinformation model of counterattack. Comput. Secur. 86, 402–418. doi:10.1016/j.cose.2019.07.001.
Ahmad, A., Desouza, K.C., Maynard, S.B., Naseer, H., Baskerville, R.L., 2020. How integration of cyber security management and incident response enables organizational learning. J. Assoc. Inf. Sci. Technol. 71 (8), 939–953. doi:10.1002/asi.24311.
Ahmad, A., Maynard, S.B., Desouza, K.C., Kotsias, J., Whitty, M.T., Baskerville, R.L., 2021. How can organizations develop situation awareness for incident response: a case study of management practice. Comput. Secur. 101, 102122. doi:10.1016/j.cose.2020.102122.
Athinaiou, M., Mouratidis, H., Fotis, T., Pavlidis, M., Panaousis, E., Furnell, S., Mouratidis, H., Pernul, G., 2018. Towards the definition of a security incident response modelling language. In: Trust, Privacy and Security in Digital Business. Springer International Publishing, Cham, pp. 198–212. doi:10.1007/978-3-319-98385-1_14.
Booth, H., Rike, D., Witte, G.A., 2013. The National Vulnerability Database (NVD): Overview. ITL Bulletin. National Institute of Standards and Technology, Gaithersburg, MD. Available from: https://tsapps.nist.gov/publication/get_pdf.cfm?pub_id=915172.
Canito, A., Aleid, K., Praça, I., Corchado, J., Marreiros, G., 2020. An ontology to promote interoperability between cyber-physical security systems in critical infrastructures. In: Proceedings of the IEEE 6th International Conference on Computer and Communications (ICCC), pp. 553–560. doi:10.1109/ICCC51575.2020.9345163.
Chockalingam, S., Maathuis, C., 2022. An ontology for effective security incident management. In: Proceedings of the International Conference on Cyber Warfare and Security, pp. 26–35. doi:10.34190/iccws.17.1.6.
Cichonski, P., Millar, T., Grance, T., Scarfone, K., 2012. Computer security incident handling guide. NIST Spec. Publ. 800 (61), 1–147. http://dx.doi.org/10.6028/NIST.SP.800-61r2.
Common Vulnerabilities and Exposures (CVE). MITRE; 2023. Available from: https://cve.mitre.org/.
CyberSANE, 2022. SU-ICT-01-2018: “Dynamic Countering of Cyber-Attacks”. CyberSANE. Available from: https://www.cybersane-project.eu/.
ENISA, 2010. Good Practice Guide for Incident Management. ENISA. Available from: https://www.enisa.europa.eu/publications/good-practice-guide-for-incident-management.
ENISA, 2016. ENISA Threat Taxonomy - Data Europa EU. ENISA. Available from: https://www.enisa.europa.eu/topics/threat-risk-management/threats-and-trends/enisa-threat-landscape/threat-taxonomy/view.
EPCIP, 2008. Council Directive 2008/114/EC on the Identification and Description of European Critical Infrastructures and the Assessment of the Need to Improve Their Protection. Official Journal of the European Union.
ETSI, 2019. ETSI TR 103 331 V1.2.1: Structured threat information sharing. ETSI, Sep 2019.
Faily, S., Fléchais, I., 2010. A meta-model for usable secure requirements engineering. In: Proceedings of the 2010 ICSE Workshop on Software Engineering for Secure Systems, pp. 29–35. doi:10.1145/1809100.1809105.
Fombona Cadavieco, J., Rodríguez Pérez, C., Barriada Fernández, C., 2012. Information technology incident management: a case study of the university of Oviedo and the faculty of teacher training and education. Int. J. Educ. Technol. High. Educ. 9 (2), 280–295. doi:10.7238/rusc.v9i2.1399.
Gaidarski, I., Minchev, Z., Tagarev, T., Atanassov, K.T., Kharchenko, V., Kacprzyk, J., 2021. Insider threats to IT security of critical infrastructures. In: Digital Transformation, Cyber Security and Resilience of Modern Societies. Springer International Publishing, Cham, pp. 381–394. doi:10.1007/978-3-030-65722-2_24.
González-Granadillo, G., González-Zarzosa, S., Diaz, R., 2021. Security information and event management (SIEM): analysis, trends, and usage in critical infrastructures. Sensors 21 (14), 4759. doi:10.3390/s21144759.
Grispos, G., Glisson, W.B., Storer, T., 2017. Enhancing security incident response follow-up efforts with lightweight agile retrospectives. Digit. Investig. 22, 62–73. doi:10.1016/j.diin.2017.07.006.
Humphreys, E., 2016. Implementing the ISO/IEC 27001:2013 ISMS Standard. Artech House. ISBN: 1608079317.
Idani, A., Halpin, T., Krogstie, J., Nurcan, S., Proper, E., Schmidt, R., Soffer, P., et al., 2009. UML models engineering from static and dynamic aspects of formal specifications. In: Enterprise, Business-Process and Information Systems Modeling. Springer Berlin Heidelberg, Berlin, Heidelberg, pp. 237–250. doi:10.1007/978-3-642-01862-6_20.
ISO/IEC 27004:2016. ISO/IEC FCD 27004:2016, Information Technology — Security techniques — Information security management — Monitoring, Measurement, Analysis and Evaluation (Second Edition); 2016. Available from: https://www.iso.org/standard/64120.html. [Accessed 22/12/2022].
ISO/IEC 27035-1:2016. ISO/IEC 27035-1:2016, Information technology — Security techniques — Information security incident management — Part 1: principles of incident management; 2016. Available from: https://www.iso.org/standard/60803.html. [Accessed 22/12/2022].
ISO/IEC 27035-2:2016. ISO/IEC 27035-2:2016, Information technology — Security techniques — Information security incident management — Part 2: guidelines to plan and prepare for incident response; 2016. Available from: https://www.iso.org/standard/62071.html. [Accessed 22/12/2022].
Knight, R., Nurse, J.R.C., 2020. A framework for effective corporate communication after cyber security incidents. Comput. Secur. 99, 102036. doi:10.1016/j.cose.2020.102036.
Kolovos, D.S., Paige, R.F., Kelly, T., Polack, F.A., 2006. Requirements for domain-specific languages. In: Proceedings of the ECOOP Workshop on Domain-Specific Program Development (DSPD).
Kosar, T., Bohra, S., Mernik, M., 2016. Domain-specific languages: a systematic mapping study. Inf. Softw. Technol. 71, 77–91. doi:10.1016/j.infsof.2015.11.001.
Kure, H.I., Islam, S., Mouratidis, H., 2022. An integrated cyber security risk management framework and risk predication for the critical infrastructure protection. Neural Comput. Appl. doi:10.1007/s00521-022-06959-2.
Kuypers, M.A., 2017. Risk in Cyber Systems. Management Science & Engineering: Stanford University.
Lehto, M., Lehto, M., Neittaanmäki, P., 2022. Cyber-Attacks Against Critical Infrastructure. In: Cyber Security: Critical Infrastructure Protection. Springer International Publishing, Cham, pp. 3–42. doi:10.1007/978-3-030-91293-2_1.
Lekota, F., Coetzee, M., 2019. Cybersecurity incident response for the Sub-Saharan African aviation industry. In: Proceedings of the International Conference on Cyber Warfare and Security. Reading: Academic Conferences International Limited, pp. 536–545 XI-XII.
Lewis, T.G., 2019. Critical Infrastructure Protection in Homeland Security: Defending a Networked Nation. John Wiley & Sons. ISBN: 1119614538.
Maglaras, L.A., Kim, K.-H., Janicke, H., Ferrag, M.A.,  Rallis, S., Fragkou, P., et al., 2018. Cyber security of critical infrastructures. ICT Express 4 (1), 42–45. doi:10.1016/j.icte.2018.02.001.
Mahima, D., 2021. Cyber threat in public sector: modeling an incident response framework. In: Proceedings of the International Conference on Innovative Practices in Technology and Management (ICIPTM), pp. 55–60. doi:10.1109/ICIPTM52218.2021.9388333.
Mattioli, R., Levy-Bencheton, C., 2014. Methodologies for the identification of critical information infrastructure assets and services. European Union Agency for Network and Information Security (ENISA), December 2014. ISBN 978-92-9204-106-9, doi:10.2824/38100.
Meier, J., 2003. Improving Web Application Security: Threats and Countermeasures. Microsoft Press. ISBN: 0735618429.


Metzger, S., Hommel, W., Reiser, H., 2011. Integrated security incident manage- Theoharidou, M., Kotzanikolaou, P., Gritzalis, D, Palmer, C., Shenoi, S., 2009. Risk-
ment – concepts and real-world experiences. In: Proceedings of the Sixth In- based criticality analysis. In: Critical Infrastructure Protection III. Springer Berlin
ternational Conference on IT Security Incident Management and IT Forensics, Heidelberg, Berlin, Heidelberg, pp. 35–49. doi:10.1007/978- 3- 642- 04798- 5_3.
pp. 107–121. doi:10.1109/IMF.2011.15. Viegas, V., Kuyucu, O., 2022. International security standards. In: IT Security Con-
Microsoft, 2007. Getting Started with the Threat Modeling Tool. Microsoft Microsoft trols: A Guide to Corporate Standards and Frameworks. Apress, Berkeley, CA,
Article. pp. 17–65. doi:10.1007/978- 1- 4842- 7799- 7_2.
Mouratidis, H., Argyropoulos, N., Shei, S, Karagiannis, D., Mayr, H.C., Mylopoulos, J., Visscher, C., 2021. Towards Cyber Incident Response on Naval Ships: The Cyber In-
2016. Security requirements engineering for cloud computing: the secure tro- cident Response Decision Model. EEMCS: Electrical Engineering, Mathematics
pos approach. In: Domain-Specific Conceptual Modeling: Concepts, Methods and Computer Science. University of Twente, Thales Nederland B.V., Hengelo,
and Tools. Springer International Publishing, Cham, pp. 357–380. doi:10.1007/ The Netherlands.
978- 3- 319- 39417- 6_16. Wang, P., Park, S.-.A., 2017. Communication in Cybersecurity: a public communica-
Naseer, A., Naseer, H., Ahmad, A., Maynard, S.B., Masood Siddiqui, A, 2021. Real-time tion model for business data breach incident handling. Issues in Information
analytics, incident response process agility and enterprise cybersecurity per- Systems 18 (2). doi:10.48009/2_iis_2017_136-147.
formance: a contingent resource-based analysis. Int. J. Inf. Manag. 59, 102334. Wunder J., Halbardier A., Waltermire D. Specification For Asset Identification 1.1.
doi:10.1016/j.ijinfomgt.2021.102334. In: NIST, ed.: US Department of Commerce, National Institute of Standards and
NIST, 2022. NVD. Common Vulnerability Scoring System. NIST Available from: https: Technology; 2011.
//nvd.nist.gov/vuln-metrics/cvss#. Yeboah-Ofori, A., Islam, S., 2019. Cyber security threat modeling for supply chain
Nnoli, H., Lindskog, D., Zavarsky, P., Aghili, S., Ruhl, R., 2012. The governance of organizational environments. Future Internet 11 (3), 63. doi:10.3390/fi11030063.
corporate forensics using COBIT, NIST and increased automated forensic ap-
Haralambos (Haris) Mouratidis is Director of the Institute for Analytics and Data Science (IADS) and Professor in the School of Computer Science and Electronic Engineering, University of Essex. He holds a B.Eng. (Hons) from the University of Wales, Swansea (UK), and an M.Sc. and PhD from the University of Sheffield (UK). He is also a Fellow of the Higher Education Academy (HEA) and a Professional Member of the British Computer Society (BCS). Haris has been a visiting researcher at the National Institute of Informatics (NII), Japan, and a visiting fellow at British Telecom (BT), UK, and University College London, UK. He is a visiting professor at the University of the Aegean, Greece. His research interests lie in the area of secure software systems engineering, requirements engineering, and information systems development. He is interested in developing methodologies, modelling languages, ontologies, tools and platforms to support the analysis, design and monitoring of security, privacy, risk and trust for large-scale complex software systems. He has published more than 130 papers (h-index 21) and has secured funding as Principal Investigator from national (Engineering and Physical Sciences Research Council (EPSRC), Royal Academy of Engineering, Technology Strategy Board (TSB)) and international (EU, NII) funding bodies as well as industrial funding (British Telecom, ELC, Powerchex, FORD) towards his research. His e-mail address is h.mouratidis@essex.ac.uk

Shareeful Islam is currently working at the School of Computing and Information Science, Anglia Ruskin University, UK. He was a visiting researcher at the National Institute of Informatics (NII), Japan, and SBA Research, Austria. His research interests lie in the areas of cyber security, risk management, requirements engineering and information systems. He has pioneered work in developing risk assessment and treatment methods using business and technical goals, and a modelling language for cyber security risk management. This work has been implemented in various application domains including cloud migration, critical infrastructure, and healthcare sector cyber security. He has published more than 70 papers (h-index 26) and has led and/or participated in projects funded by the European Union (FP7), Innovate UK, FwF, and DAAD. He has experience of acting as an evaluator for national and international funding bodies including the EPSRC, FwF, and CHIST-ERA. His e-mail address is Shareeful.islam@aru.ac.uk

Antonio Santos-Olmo holds an M.Sc. and a PhD in Computer Science from the University of Castilla-La Mancha. He is an Assistant Professor at the Escuela Superior de Informática of the University of Castilla-La Mancha in Ciudad Real (Spain). He holds an M.Sc. in Information Systems Audit from the Polytechnic University of Madrid and is a Certified Information Systems Auditor (ISACA). He is the Director of the Software Factory departments of the company Sicaman Nuevas Tecnologías S.L. His research activities cover security management systems, security metrics, data mining, data cleaning, and business intelligence. He participates in the GSyA research group of the Department of Computer Science at the University of Castilla-La Mancha, in Ciudad Real (Spain). His email is antonio.santosolmo@uclm.es
Luis E. Sánchez holds a PhD in Computer Science from the University of Castilla-La Mancha (Spain), an M.Sc. in Computer Science from the Polytechnic University of Madrid (Spain) and a degree in Computer Science from the University of Granada (Spain). He is a Certified Information Systems Auditor (ISACA) and an ISO 27001 Lead Auditor (IRCA). He is an Assistant Professor at the University of the Armed Forces of Ecuador. He participates in the GSyA research group of the Department of Information Technologies and Systems at the University of Castilla-La Mancha and is a researcher in Biological Neurocomputing and Cyberdefense within the PROMETEO project. He was previously an Assistant Professor in the Technologies and Information Systems Department of the University of Castilla-La Mancha. He has directed more than 50 projects in multinational companies and has more than 60 national and international papers and conference contributions on Software Engineering and Teaching. He belongs to various professional and research associations (COIILCLM, ALI, ASIA, TUVRheinland, ISACA, eSec INTECO, SC27 AENOR ...). His email is luise.sanchez@uclm.es

Umar Mukhtar Ismail is a Lecturer in the Department of Computer Science and Digital Technologies. He is currently the programme leader for BSc (Hons) Cyber Security Networks and BSc (Hons) Cloud Computing. He is involved in research and development projects that aim at enhancing the security, privacy and resilience of systems and applications in various domains such as critical information infrastructure, cyber physical systems, supply chain, cloud computing, and medical and healthcare systems. Umar is a Fellow of the Higher Education Academy, a member of the British Computer Society (BCS), the Institute of Electrical and Electronics Engineers (IEEE) and the Information Systems Audit and Control Association (ISACA), and a member of the organising committee for various international conferences. His email is u.ismail@uel.ac.uk