PNNL

Abstract

Cybersecurity vulnerability assessment tools, frameworks, and methodologies are used to understand the cybersecurity maturity of a system or a facility. However, these tools are strictly developed based on standards defined by organizations such as the National Institute of Standards and Technology (NIST) and the U.S. Department of Energy; the majority of these tools and frameworks do not provide a platform to prioritize the requirements to reach a desired cybersecurity maturity. To address that challenge, we have been developing a framework and software application called cybersecurity vulnerability mitigation framework through empirical paradigm (CyFEr). CyFEr treats the problem at hand as a multi-criteria decision analysis (MCDA) problem, which requires that various criteria be weighed relatively. Defining those weights is non-trivial and often leads to subjective decisions leading to undesired complications. To facilitate such a weighting system in CyFEr, we evaluated the application of various rank-weight methods (such as rank sum, reciprocal rank, rank exponent, and rank order centroid). The efficacy of those rank-weight methods was evaluated by applying them and testing against the blockchain cybersecurity framework (BC2F). BC2F was developed using the NIST cybersecurity framework to evaluate the cybersecurity posture of the blockchain nodes and networks in a given blockchain application or use-case. This paper provides 1) technical insights on the application of rank-weight methods to cybersecurity vulnerability assessments, 2) an overview of BC2F, 3) the application of rank-weight methods to BC2F, and 4) a depiction of the integration of the discussed rank-weight methods in CyFEr.