Theoretical Framework of Cybersecurity Resilience Maturity Assessment Model for Critical Information Infrastructure

  • Kulugh V
  • Faki A
  • Onu E

Abstract

Modern societies depend heavily on critical infrastructures (CIs) to thrive. The CIs in turn are driven by critical information infrastructures (CIIs), which are a combination of information technology (IT) and operations technology (OT). Because the CIs are underpinned by the CIIs, they inherit the vulnerabilities of the CIIs and share the same threats as the CIIs. Failure of the CIIs driving the CIs will potentially lead to catastrophic consequences arising from cascaded, escalating and common cause effects against other dependent/interdependent CIs/CIIs. Consequently, the CIIs should be resilient against cyberattacks. To enhance the cybersecurity resilience of CIIs, maturity models (MMs) are developed to measure their cybersecurity resilience, determine resilience gaps and proactively close these gaps for improved resilience. However, existing MMs and frameworks for this purpose lack theoretical foundations, or at least their underlying theories are not transparent. This makes the models either too generic or too industry-specific for adoption in the CII ecosystem. Consequently, this article proposes a theoretical framework for developing cybersecurity resiliency maturity assessment models for CIIs based on a combination of the Bruneau Resilience Theory (BRT), Socio-Technical Systems Theory (STST) and Holling's Ecosystem Theory of Resilience (HETR). The BRT supports the presentation of an MM that addresses CII resilience quantification from 3 temporal dimensions, namely pre-event, event management (during-event) and post-event activities. The STST provides the ground for a proportionate combination of controls that measure the ability of CIIs to treat threats of technogenic, anthropogenic and naturogenic origin. Lastly, the HETR forms the basis for continuous resilience assessment at defined regular intervals.

Cite

Kulugh, V. E., Faki, A. S., & Onu, E. (2025). Theoretical Framework of Cybersecurity Resilience Maturity Assessment Model for Critical Information Infrastructure. Dutse Journal of Pure and Applied Sciences, 11(1b), 75–85. https://doi.org/10.4314/dujopas.v11i1b.9
