Cyber Evaluation and Management Toolkit (CEMT): Face Validity of Model-Based Cybersecurity Decision Making
Abstract
:1. Introduction
1.1. Background
“The DON needs a new approach to cybersecurity that goes beyond compliance because our over-reliance on compliance has resulted in insecure systems, which jeopardise the missions these systems support. Instead of a compliance mindset, the DON will shift to Cyber Ready, where the right to operate is earned and managed every day. The DON will make this transition by adhering to an operationally relevant, threat-informed process that affordably reduces risk and produces capabilities that remain secure after they have been delivered at speed”.[5] (p. 7)
1.2. Literature Review
1.3. Cyberworthiness
“The desired outcome of a range of policy and assurance activities that allow the operation of Defence platforms, systems and networks in a contested cyber environment. It is a pragmatic, outcome-focused approach designed to ensure all Defence capabilities are fit-for-purpose against cyber threats”.[43]
“2.10 The seaworthiness governance principles require that seaworthiness decisions are made:
a. mindfully—decisions are more effective and less likely to have unintended consequences when they are made with a thorough understanding of the context, the required outcome, the options available, and their implications now and in the future
b. collaboratively—obtaining input from all stakeholders and engaging in joint problem-solving results in better decisions (bearing in mind that collaboration does not necessarily require consensus)
c. accountably—decisions only become effective when people take accountability for making them happen
d. transparently—decisions are more effective when everyone understands what has been decided and why”.[44] (p.33)
1.4. Addressing the Problem
- Usability—there is limited ability to easily create and review these graph-based threat assessments, especially in large, complex systems;
- Efficiency—reusability of these assessments is limited in comparison to compliance-based approaches that re-apply a common control set;
- Maintainability—it is difficult to update complex graph-based assessments without specialised toolsets as the system or threat environment evolves.
- Are integrated threat models, developed using model-based systems engineering (MBSE) techniques, an effective and efficient basis for the assessment and evaluation of cyberworthiness?
- Do the developed threat models provide decision makers with the necessary understanding to make informed security risk decisions?
- Does the process provide sufficient reusability and maintainability that the methodology is more efficient than prevailing compliance-based approaches?
- Do cybersecurity risk practitioners prefer the integrated threat model approach to traditional security risk assessment processes?
2. Materials and Methods
2.1. Threat-Based Cybersecurity Engineering
- Threat Context, derived from the system or capability design/architecture;
- Threat Identification, provided by the Cyber Threat Intelligence function within an organisation;
- Threat Insight, contributed by the Cyber Threat Emulation function within an organisation;
- Best Practice Controls, distilled from the various cybersecurity frameworks available within the cybersecurity body of knowledge.
- Preventative Controls, a baseline of preventative cybersecurity controls within the system, for inclusion in the system design;
- Detecting Controls, a baseline of detection and response controls relevant to the system, for implementation by the Cyber Operations function within an organisation;
- Recovery Controls, a baseline of recovery and resilience controls relevant to the system, for implementation by the System Operations function within an organisation;
- Residual Risk, the overall risk presented by the threats to the capability given the mitigation mechanisms that are in place.
2.2. Cyber Evaluation and Management Toolkit (CEMT)
2.3. CEMT Sample Model
2.3.1. Threat Modelling
- Misuse case diagrams;
- Intermediate mal-activity diagrams;
- Detailed mal-activity diagrams.
2.3.2. Threat Mitigation
- Allocating assets to the threat model;
- Tracing controls to the threat model.
2.3.3. Risk Assessment
- Attack tree assessment;
- Parametric risk analysis;
- Risk evaluation.
2.4. Achieving Threat-Based Cybersecurity Engineering
2.5. Efficiency through Automation
- Automated update of complex drawings and simulations to ensure that changes to the design or threat environment can be incorporated efficiently into the threat model;
- Automated model validation to ensure that basic review tasks are automated, allowing expert reviewers to focus on the actual threat assessment component;
- Automated documentation to ensure that the process of creating enduring design artefacts is efficient and accurate.
3. Results
3.1. Face Validity Trial Setup
3.2. Face Validity Trial Data Collection and Setup
4. Discussion
- Appropriateness of the assessed controls to the system being assessed, as demonstrated by the responses to Question 1;
- Prioritisation of controls, as demonstrated by the responses to Questions 6 and 14;
- Ability for non-expert decision makers to understand the assessment, as demonstrated by Questions 7, 8, and 17.
4.1. Significance
- Extended Model-Based Taxonomy—an extension of an open model-based systems engineering language such as UML or SysML; this is provided to facilitate a model-based approach;
- Threat Focused—the threats to the system, rather than a best-practice control baseline or asset hierarchy, is used as the focal point of the assessment;
- Detailed Adversary Modelling—the actions of the adversary are modelled in detail, facilitating a precise discussion and review of any threat analysis;
- Visualisation and Simulation of Threat—detailed adversary modelling is expressed in simplified graphs such as attack trees, and branches of those graphs can be simulated quantitatively;
- Explicit Traceability to Threats—derived security controls are directly traceable to adversary actions, facilitating discussion and review of the importance of each control in terms of the malicious action it mitigates.
4.2. Future Work
5. Conclusions
Author Contributions
Funding
Data Availability Statement
Acknowledgments
Conflicts of Interest
References
- Australian Government—Department of Home Affairs, Protective Security Policy Framework. Available online: https://www.protectivesecurity.gov.au (accessed on 25 April 2024).
- National Institute of Standards and Technology (NIST) Computer Security Resource Center (CSRC), NIST Risk Management Framework (RMF). Available online: https://csrc.nist.gov/projects/risk-management/about-rmf (accessed on 25 April 2024).
- Australian Government—Australian Signals Directorate, Information Security Manual (ISM). Available online: https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/ism (accessed on 25 April 2024).
- National Institute of Standards and Technology (NIST) Computer Security Resource Center (CSRC), NIST Special Publication 800-53 Rev. 5: Security and Privacy Controls for Information Systems and Organizations. Available online: https://csrc.nist.gov/pubs/sp/800/53/r5/upd1/final (accessed on 25 April 2024).
- U.S. Department of Navy; Cyber Strategy, November 2023. Available online: https://dvidshub.net/r/irstzr (accessed on 25 April 2024).
- Australian Government—Australian Signals Directorate, System Security Plan Annex Template (March 2024). Available online: https://www.cyber.gov.au/sites/default/files/2024-03/System%20Security%20Plan%20Annex%20Template%20%28March%202024%29.xlsx (accessed on 25 April 2024).
- National Institute of Standards and Technology (NIST) Computer Security Resource Center (CSRC), Control Catalog (spreadsheet). Available online: https://csrc.nist.gov/files/pubs/sp/800/53/r5/upd1/final/docs/sp800-53r5-control-catalog.xlsx (accessed on 25 April 2024).
- National Institute of Standards and Technology (NIST), OSCAL: The Open Security Controls Assessment Language. Available online: https://pages.nist.gov/OSCAL/ (accessed on 25 April 2024).
- MITRE ATT&CK Framework. Available online: https://attack.mitre.org/ (accessed on 25 April 2024).
- The Department of Defense Cyber Table Top Guide, Version 2, 16 September 2021. Available online: https://www.cto.mil/wp-content/uploads/2023/06/DoD-Cyber-Table-Top-Guide-v2-2021.pdf (accessed on 25 April 2024).
- Monroe, M.; Olinger, J. Mission-Based Risk Assessment Process for Cyber (MRAP-C). ITEA J. Test Eval. 2020, 41, 229–232. [Google Scholar]
- Kuzio de Naray, R.; Buytendyk, A.M. Analysis of Mission Based Cyber Risk Assessments (MBCRAs) Usage in DoD’s Cyber Test and Evaluation; Institute for Defense Analyses: Alexandria, VA, USA, 2022; IDA Publication P-33109. [Google Scholar]
- Kordy, B.; Piètre-Cambacédès, L.; Schweitzer, P.P. DAG-based attack and defense modeling: Don’t miss the forest for the attack trees. Comput. Sci. Rev. 2014, 13–14, 1–38. [Google Scholar] [CrossRef]
- Weiss, J.D. A system security engineering process. In Proceedings of the 14th Annual NCSC/NIST National Computer Security Conference, Washington, DC, USA, 1–4 October 1991. [Google Scholar]
- Schneier, B. Attack trees: Modeling security threats. Dr Dobb’s J. Softw. Tools 1999, 12–24, 21–29. Available online: https://www.schneier.com/academic/archives/1999/12/attack_trees.html (accessed on 25 April 2024).
- Paul, S.; Vignon-Davillier, R. Unifying traditional risk assessment approaches with attack trees. J. Inf. Secur. Appl. 2014, 19, 165–181. [Google Scholar] [CrossRef]
- Kordy, B.; Pouly, M.; Schweitzer, P. Probabilistic reasoning with graphical security models. Inf. Sci. 2016, 342, 111–131. [Google Scholar] [CrossRef]
- Gribaudo, M.; Iacono, M.; Marrone, S. Exploiting Bayesian Networks for the analysis of combined Attack Trees. Electron. Notes Theor. Comput. Sci. 2015, 310, 91–111. [Google Scholar] [CrossRef]
- Holm, H.; Korman, M.; Ekstedt, M. A Bayesian network model for likelihood estimations of acquirement of critical software vulnerabilities and exploits. Inf. Softw. Technol. 2015, 58, 304–318. [Google Scholar] [CrossRef]
- Moskowitz, I.; Kang, M. An insecurity flow model. In Proceedings of the 1997 Workshop on New Security Paradigms, Cumbria, UK, 23–26 September 1997; pp. 61–74. [Google Scholar]
- McDermott, J.; Fox, C. Using abuse case models for security requirements analysis. In Proceedings of the 15th Annual Computer Security Applications Conference, Phoenix, AZ, USA, 6–10 December 1999; pp. 55–64. [Google Scholar]
- Sindre, G.; Opdahl, A.L. Eliciting security requirements with misuse cases. Requir. Eng. 2004, 10, 34–44. [Google Scholar] [CrossRef]
- Karpati, P.; Sindre, G.; Opdahl, A.L. Visualizing cyber attacks with misuse case maps. In Requirements Engineering: Foundation for Software Quality; Springer: Berlin/Heidelberg, Germany, 2010; pp. 262–275. [Google Scholar]
- Abdulrazeg, A.; Norwawi, N.; Basir, N. Security metrics to improve misuse case model. In Proceedings of the 2012 International Conference on Cyber Security, Cyber Warfare and Digital Forensics, Kuala Lumpur, Malaysia, 26–28 June 2012. [Google Scholar]
- Saleh, F.; El-Attar, M. A scientific evaluation of the misuse case diagrams visual syntax. Inf. Softw. Technol. 2015, 66, 73–96. [Google Scholar] [CrossRef]
- Mai, P.; Goknil, A.; Shar, L.; Pastore, F.; Briand, L.C.; Shaame, S. Modeling Security and Privacy Requirements: A Use Case-Driven Approach. Inf. Softw. Technol. 2018, 100, 165–182. [Google Scholar] [CrossRef]
- Matuleviaius, R. Fundamentals of Secure System Modelling; Springer International Publishing: Cham, Switzerland, 2017; pp. 93–115. [Google Scholar]
- Sindre, G. Mal-activity diagrams for capturing attacks on business processes. In Requirements Engineering: Foundation for Software Quality; Springer: Berlin/Heidelberg, Germany, 2007; pp. 355–366. [Google Scholar]
- Opdahl, A.; Sindre, G. Experimental comparison of attack trees and misuse cases for security threat identification. Inf. Softw. Technol. 2009, 51, 916. [Google Scholar] [CrossRef]
- Karpati, P.; Redda, Y.; Opdahl, A.; Sindre, G. Comparing attack trees and misuse cases in an industrial setting. Inf. Softw. Technol. 2014, 56, 294. [Google Scholar] [CrossRef]
- Tondel, I.A.; Jensen, J.; Rostad, L. Combining Misuse Cases with Attack Trees and Security Activity Models. In Proceedings of the 2010 International Conference on Availability, Reliability and Security, Krakow, Poland, 15–18 February 2010; pp. 438–445. [Google Scholar]
- Meland, P.H.; Tondel, I.A.; Jensen, J. Idea: Reusability of threat models—Two approaches with an experimental evaluation. In Engineering Secure Software and Systems; Springer: Berlin/Heidelberg, Germany, 2010; pp. 114–122. [Google Scholar]
- Purton, L.; Kourousis, K. Military Airworthiness Management Frameworks: A Critical Review. Procedia Eng. 2014, 80, 545–564. [Google Scholar] [CrossRef]
- Mo, J.P.T.; Downey, K. System Design for Transitional Aircraft Support. Int. J. Eng. Bus. Manag. 2014, 6, 45–56. [Google Scholar] [CrossRef]
- Hodge, R.J.; Craig, S.; Bradley, J.M.; Keating, C.B. Systems Engineering and Complex Systems Governance—Lessons for Better Integration. INCOSE Int. Symp. 2019, 29, 421–433. [Google Scholar] [CrossRef]
- Simmonds, S.; Cook, S.C. Use of the Goal Structuring Notation to Argue Technical Integrity. INCOSE Int. Symp. 2017, 27, 826–841. [Google Scholar] [CrossRef]
- United States Government Accountability Office. Weapon Systems Cybersecurity: DOD just Beginning to Grapple with Scale of Vulnerabilities. GAO-19-129. 2018. Available online: https://www.gao.gov/products/gao-19-128 (accessed on 15 June 2024).
- Joiner, K.F.; Tutty, M.G. A tale of two allied defence departments: New assurance initiatives for managing increasing system complexity, interconnectedness and vulnerability. Aust. J. Multi-Discip. Eng. 2018, 14, 4–25. [Google Scholar] [CrossRef]
- Joiner, K.F. How Australia can catch up to U.S. cyber resilience by understanding that cyber survivability test and evaluation drives defense investment. Inf. Secur. J. A Glob. Perspect. 2017, 26, 74–84. [Google Scholar] [CrossRef]
- Thompson, M. Towards Mature ADF Information Warfare—Four Years of Growth. Defence Connect Multi-Domain. 2020. Available online: https://www.defenceconnect.com.au/supplements/multi-domain-2 (accessed on 15 June 2024).
- Fowler, S.; Sweetman, C.; Ravindran, S.; Joiner, K.F.; Sitnikova, E. Developing cyber-security policies that penetrate Australian defence acquisitions. Aust. Def. Force J. 2017, 102, 17–26. [Google Scholar]
- Australian Senate. Budget Hearings on Foreign Affairs Defence and Trade, Testimony by Vice Admiral Griggs, Major General Thompson and Minister of Defence (29 May, 2033–2035 hours). 2018. Available online: https://parlview.aph.gov.au/mediaPlayer.php?videoID=399539timestamp3:19:43 (accessed on 15 June 2024).
- Australian Government. ADF Cyberworthiness Governance Framework; Australian Government: Canberra, Australia, 2020.
- Australian Government. Defence Seaworthiness Management System Manual. 2018. Available online: https://www.defence.gov.au/sites/default/files/2021-01/SeaworthinessMgmtSystemManual.pdf (accessed on 15 June 2024).
- Allen, M.S.; Robson, D.A.; Iliescu, D. Face Validity: A Critical but Ignored Component of Scale Construction in Psychological Assessment. Eur. J. Psychol. Assess. Off. Organ Eur. Assoc. Psychol. Assess. 2023, 39, 153–156. [Google Scholar] [CrossRef]
- Fowler, S.; Sitnikova, E. Toward a framework for assessing the cyber-worthiness of complex mission critical systems. In Proceedings of the 2019 Military Communications and Information Systems Conference (MilCIS), Canberra, Australia, 12–14 November 2019. [Google Scholar]
- Fowler, S.; Joiner, K.; Sitnikova, E. Assessing cyber-worthiness of complex system capabilities using MBSE: A new rigorous engineering methodology. IEEE Syst. J. 2022. submitted. Available online: https://www.techrxiv.org/users/680765/articles/677291-assessing-cyber-worthiness-of-complex-system-capabilities-using-mbse-a-new-rigorous-engineering-methodology (accessed on 25 April 2024).
- Cyber Evaluation and Management Toolkit (CEMT). Available online: https://github.com/stuartfowler/CEMT (accessed on 25 April 2024).
- Fowler, S. Cyberworthiness Evaluation and Management Toolkit (CEMT): A model-based approach to cyberworthiness assessments. In Proceedings of the Systems Engineering Test & Evaluation (SETE) Conference 2022, Canberra, Australia, 12–14 September 2022. [Google Scholar]
- National Institute of Standards and Technology (NIST) Computer Security Resource Center (CSRC), NIST Special Publication 800-160 Rev. 2: Developing Cyber-Resilient Systems: A Systems Security Engineering Approach. Available online: https://csrc.nist.gov/pubs/sp/800/160/v2/r1/final (accessed on 25 April 2024).
- National Institute of Standards and Technology (NIST), CSF 2.0: Cybersecurity Framework. Available online: https://www.nist.gov/cyberframework (accessed on 25 April 2024).
- Madni, A.; Purohit, S. Economic analysis of model-based systems engineering. Systems 2019, 7, 12. [Google Scholar] [CrossRef]
- Bussemaker, J.; Boggero, L.; Nagel, B. The agile 4.0 project: MBSE to support cyber-physical collaborative aircraft development. INCOSE Int. Symp. 2023, 33, 163–182. [Google Scholar] [CrossRef]
- Amoroso, E.G. Fundamentals of Computer Security Technology; Pearson College Div: Englewood Cliffs, NJ, USA, 1994. [Google Scholar]
- INCOSE. Systems Engineering Vision 2020; International Council on Systems Engineering: Seattle, WA, USA, 2007. [Google Scholar]
- Madni, A.M.; Sievers, M. Model-based systems engineering: Motivation, current status, and research opportunities. Syst. Eng. 2018, 21, 172–190. [Google Scholar] [CrossRef]
- Huang, J.; Gheorghe, A.; Handley, H.; Pazos, P.; Pinto, A.; Kovacic, S.; Collins, A.; Keating, C.; Sousa-Poza, A.; Rabadi, G.; et al. Towards digital engineering—The advent of digital systems engineering. Int. J. Syst. Syst. Eng. 2020, 10, 234–261. [Google Scholar] [CrossRef]
- Chelouati, M.; Boussif, A.; Beugin, J.; El Koursi, E.-M. Graphical safety assurance case using goal structuring notation (gsn)– challenges, opportunities and a framework for autonomous trains. Reliab. Eng. Syst. Saf. 2023, 230, 108–933. [Google Scholar] [CrossRef]
- Sujan, M.; Spurgeon, P.; Cooke, M.; Weale, A.; Debenham, P.; Cross, S. The development of safety cases for healthcare services: Practical experiences, opportunities and challenges. Reliab. Eng. Syst. Saf. 2015, 140, 200–207. [Google Scholar] [CrossRef]
- Nguyen, P.H.; Ali, S.; Yue, T. Model-based security engineering for cyber-physical systems: A systematic mapping study. Inf. Softw. Technol. 2017, 83, 116–135. [Google Scholar] [CrossRef]
- Geismann, J.; Bodden, E. A systematic literature review of model-driven security engineering for cyber–physical systems. J. Syst. Softw. 2020, 169, 110697. [Google Scholar] [CrossRef]
- Carter, B.; Adams, S.; Bakirtzis, G.; Sherburne, T.; Beling, P.; Horowitz, B. A preliminary design-phase security methodology for cyber–physical systems. Systems 2019, 7, 21. [Google Scholar] [CrossRef]
- Larsen, M.H.; Muller, G.; Kokkula, S. A Conceptual Model-Based Systems Engineering Method for Creating Secure Cyber-Physical Systems. INCOSE Int. Symp. 2022, 32, 202–213. [Google Scholar] [CrossRef]
- Japs, S.; Anacker, H.; Dumitrescu, R. SAVE: Security & safety by model-based systems engineering on the example of automotive industry. In Proceedings of the 31st CIRP Design Conference, Online, 19–21 May 2021. [Google Scholar]
- Navas, J.; Voirin, J.; Paul, S.; Bonnet, S. Towards a model-based approach to systems and cybersecurity: Co-engineering in a product line context. Insight (Int. Counc. Syst. Eng.) 2020, 23, 39–43. [Google Scholar] [CrossRef]
- Geismann, J.; Gerking, C.; Bodden, E. Towards ensuring security by design in cyber-physical systems engineering processes. In Proceedings of the International Conference on the Software and Systems Process, Gothenburg, Sweden, 26–27 May 2018. [Google Scholar]
- Mažeika, D.; Butleris, R. MBSEsec: Model-based systems engineering method for creating secure systems. Appl. Sci. 2020, 10, 2574. [Google Scholar] [CrossRef]
- Object Management Group. UAF: Unified Architecture Framework. 2022. Available online: https://www.omg.org/spec/UAF. (accessed on 15 June 2024).
- Jurjens, J. Secure Systems Development with UML; Springer: Berlin/Heidelberg, Germany, 2005. [Google Scholar]
- Apvrille, L.; Roudier, Y. Towards the model-driven engineering of secure yet safe embedded systems. Int. Workshop Graph. Models Secur. 2014, 148, 15–30. [Google Scholar] [CrossRef]
Survey Question | Strongly Disagree | Disagree | Neutral | Agree | Strongly Agree | |
---|---|---|---|---|---|---|
Q1 | The CEMT produces risk assessments that are tailored to the context in which the system operates | 0 | 0 | 15 | 50 | 35 |
Q2 | Cyberworthiness assessments are simple to produce using the CEMT | 5 | 0 | 40 | 35 | 20 |
Q3 | The CEMT is an effective use of time | 0 | 0 | 30 | 25 | 45 |
Q4 | The CEMT process is intuitive | 0 | 5 | 25 | 45 | 25 |
Q5 | The CEMT encourages stakeholders to work collaboratively to determine the residual risk level | 0 | 0 | 10 | 35 | 55 |
Q6 | The CEMT clearly identifies which security controls are important to the system | 0 | 0 | 5 | 55 | 40 |
Q7 | The CEMT produces transparent cyberworthiness assessments | 0 | 5 | 10 | 40 | 45 |
Q8 | The CEMT facilitates informed decision making with respect to the identified cybersecurity risks | 0 | 0 | 5 | 50 | 45 |
Q9 | The CEMT produces cyberworthiness assessments that have ongoing value through the future phases of the capability life cycle | 0 | 0 | 10 | 40 | 50 |
Q10 | The CEMT would improve my understanding of the cyberworthiness of a system | 0 | 0 | 10 | 20 | 70 |
Q11 | The CEMT produces accurate assessments of a system’s cyberworthiness | 0 | 10 | 20 | 35 | 35 |
Q12 | The CEMT facilitates the engagement of stakeholders and the provision of meaningful input from those stakeholders into a cyberworthiness assessment | 0 | 0 | 20 | 40 | 40 |
Q13 | The cyberworthiness assessments produced by the CEMT are sufficiently detailed | 0 | 5 | 20 | 30 | 45 |
Q14 | The CEMT identifies the relative impact of security controls with respect to the cyberworthiness of the system | 0 | 5 | 15 | 40 | 40 |
Q15 | The CEMT is not overly dependent on the subjective opinion of subject matter experts | 0 | 0 | 30 | 50 | 20 |
Q16 | The CEMT provides sufficient information to allow decision makers to be accountable for their decisions | 0 | 10 | 15 | 35 | 40 |
Q17 | The CEMT clearly highlights the areas of greatest cyber risk to the system | 0 | 0 | 15 | 35 | 50 |
Q18 | The CEMT adds value to a system and/or project | 0 | 0 | 5 | 35 | 60 |
Q19 | The CEMT provides a complete and comprehensive approach to determining cyberworthiness | 5 | 10 | 10 | 50 | 25 |
Q20 | The CEMT is an improvement over existing cyberworthiness assessment processes | 0 | 5 | 10 | 20 | 65 |
Model-Based Security Assessment Approach | Extended Model-Based Taxonomy | Threat Focused | Detailed Adversary Modelling | Visualisation and Simulation of Threats | Explicit Traceability to Threats | |
---|---|---|---|---|---|---|
1 | CSRM [62] | Y | N | N | N | N |
2 | Larsen et al. [63] | Y | N | N | N | N |
3 | SAVE [64] | Y | Y | N | N | N |
4 | Navas et al. [65] | Y | Y | N | N | N |
5 | Geissman et al. [66] | Y | Y | N | N | N |
6 | MBSESec [67] | Y | Y | Y | N | N |
7 | UAF [68] | Y | N | N | N | N |
8 | UMLSec [69] | Y | N | N | N | N |
9 | SysML-Sec [70] | Y | N | N | N | N |
10 | CEMT | Y | Y | Y | Y | Y |
Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content. |
© 2024 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).
Share and Cite
Fowler, S.; Joiner, K.; Ma, S. Cyber Evaluation and Management Toolkit (CEMT): Face Validity of Model-Based Cybersecurity Decision Making. Systems 2024, 12, 238. https://doi.org/10.3390/systems12070238
Fowler S, Joiner K, Ma S. Cyber Evaluation and Management Toolkit (CEMT): Face Validity of Model-Based Cybersecurity Decision Making. Systems. 2024; 12(7):238. https://doi.org/10.3390/systems12070238
Chicago/Turabian StyleFowler, Stuart, Keith Joiner, and Siqi Ma. 2024. "Cyber Evaluation and Management Toolkit (CEMT): Face Validity of Model-Based Cybersecurity Decision Making" Systems 12, no. 7: 238. https://doi.org/10.3390/systems12070238
APA StyleFowler, S., Joiner, K., & Ma, S. (2024). Cyber Evaluation and Management Toolkit (CEMT): Face Validity of Model-Based Cybersecurity Decision Making. Systems, 12(7), 238. https://doi.org/10.3390/systems12070238