Towards a Security Cost Model forCyber-Physical Systems

Towards a Security Cost Model for
Cyber-Physical Systems

Igor Ivkic, Andreas Mauthe, and Markus Tauber
University of Applied Sciences Burgenland - Eisenstadt, Austria Lancaster University - Lancaster, UK
Abstract

In times of Industry 4.0 and cyber-physical systems (CPS) providing security is one of the biggest challenges. A cyber attack launched at a CPS poses a huge threat, since a security incident may affect both the cyber and the physical world. Since CPS are very flexible systems, which are capable of adapting to environmental changes, it is important to keep an overview of the resulting costs of providing security. However, research regarding CPS currently focuses more on engineering secure systems and does not satisfactorily provide approaches for evaluating the resulting costs. This paper presents an interaction-based model for evaluating security costs in a CPS. Furthermore, the paper demonstrates in a use case driven study, how this approach could be used to model the resulting costs for guaranteeing security.

cyber-physical systems, onion layer model, cost of security

I Introduction

Industry 4.0 is driven by cyber-physical systems (CPS) and the internet of things (IoT) [1, 2], where computation, communication and control functions integrate the cyber and physical worlds [3, 4]. A CPS consists of interconnected IoT-devices, sensors and actuators, which are capable of measuring the physical environment, analysing it and guiding intelligent actions to affect it. The IoT can be considered as the backbone of a CPS, which connects this swarm of IoT-devices, sensors and actuators [5]. Unfortunately, advanced persistent threats (APT) [6] launched at a CPS can cause disruptions transcending both the cyber realm and affecting the physical world [7]. Stuxnet is just one example of such an attack, where several complex techniques have been used to interrupt the Iranian nuclear program [8]. This case perfectly demonstrates how a simple malware attack on a CPS can have catastrophic consequences in the physical world, leading to the emergence of numerous new security challenges [9].

One of these challenges is that the sheer number of IoT-devices, sensors and actuators within a CPS need to be managed. Similar to mobile device management (MDM), it is necessary to control the way how new IoT-devices enter a CPS, and how they interact with each other within it. One way of meeting this challenge could be using an IoT-framework for secure applications [10], where devices, systems and services can be managed in a local cloud environment. Additionally, the framework should provide a procedure, which ensures that only valid and authorized IoT-devices can host software (SW) systems and services within the local cloud [11].

Fig. 1: Overall use cases: entering a CPS and regulating a room’s temperature

Another challenge is that IoT-devices, after they have been successfully enrolled to be part of a CPS, have to perform additional security tasks when interacting with each other. For instance, as shown in Fig. 1, IoT-device 1 uses a sensor to measure the physical environment (e.g. a room’s temperature). Before the measured data is sent to IoT-device 2, additional security-related tasks need to be performed. First, it has to be verified whether the receiving device (IoT-device 2) is part of the same local cloud, and second, the temperature data needs to be encrypted before the transmission. This closed-loop CPS [12] guarantees that both IoT-devices are trustworthy (because they are part of the same local cloud) and the communication is secure (because of the encryption).

Even though performing additional steps for guaranteeing security are essential, they always require compromises. For instance, it takes a certain amount of time to verify whether IoT-device 2 is trustworthy, and to encrypt the temperature data before transmission. Hence, in other words, the additional time it takes to guarantee security (e.g. encryption) can be considered as the cost of security. Due to the complexity of a CPS and its interconnected IoT-devices, sensors and actuators, an approach is needed for modelling security costs in CPS.

In this paper, we present an interaction-based model for evaluating security costs for CPS. First, we define the elements of a CPS and explain the basic principles of our approach. Next, we describe two different use cases and show in an evaluation how the presented approach can be used to model the security costs of these use cases. Our contribution towards a security cost model for CPS is twofold:

  • firstly, we introduce a mathematical expression for aggregating the effort it takes to provide security for CPS and

  • secondly, we demonstrate how this expression can be used to describe the security costs in two different use cases.

The remainder of this paper is organized as follows: Section II summarizes the related work in the field and points out the background of this paper. Next, in Section III, we define the elements of a CPS and introduce an interaction-based mathematical expression for evaluating security costs. Finally, in Section IV, we describe two use cases and show in an exemplary evaluation how to model the security costs of the presented use cases.

Ii Related Work and Background

Measuring cyber security has been subject to many studies, resulting in proposing frameworks, methods and metrics for evaluating the security of specific systems, without referring to the resulting costs of security. In addition to that some of the presented approaches are limited by the usage of a single metric. For instance, in [13, 14] the authors show how the performance of a process can be measured, while the focus in [15, 16, 17, 18] is on evaluating the energy consumption. Other related work use methods and frameworks to evaluate how secure e.g. a system is [19, 20, 21, 22, 23]. In other words, these solutions evaluate whether a security control has been implemented or not, instead of measuring the actual costs. A summary of related work regarding security metrics has been provided by Yee in [24]. He first establishes the argument that many security metrics exist, but most of them are ineffective and not meaningful. Next, he provides a definition of a ”good” and a ”bad” metric and explains the difference between ”traditional” and ”scientifically based” security metrics. Finally, Yee presents his literature search on security metrics, which is based on various frameworks.

The vast majority of research related to Industry 4.0 and CPS currently focuses on general challenges [25, 5], design principles [1, 4], or engineering [2, 3]. However, in [9] the authors give an overview of the security concerns in CPS, identify challenges and summarize countermeasures. Rajkumar, De Niz and Klein [12] demonstrate further that the complexity of CPS requires more effort to analyse and defend it. The reason for that is the explosion of states when considering combinations of events. Additionally they provide theoretical approaches for dealing with cyber threats and countermeasures models for CPS under attack. Other related work provides a local cloud environment (Arrowhead Framework) for managing the swarm of IoT-devices, sensors and actuators based on a service-oriented architecture (SOA) [10]. Nevertheless, in comparison to the identified related work, this paper provides a more general, interaction-based approach for evaluating security costs in CPS.

This paper is a continuation of [26] where we introduced a high-level process flow based on Six Sigma for identifying, categorizing, analysing and eliminating security risks and measuring the resulting costs. This initial investigation included the evaluation of (i) how security risks of a smart business use case can be eliminated by implementing security controls, and (ii) how the resulting costs could be measured using a monetary cost metric (Euro). Even though the two use cases used IoT-devices and cloud computing the evaluation did not include the costs of security for a CPS. To extend this work the key new contribution of this paper is to present a mathematical expression, which can be used to describe and evaluate security costs of a CPS and which allows the usage of more then one cost metric.

Iii Modelling Security Costs

In this section we present an approach for evaluating the costs of security in CPS. We first present an onion layer model and explain the general functionality of the approach. Then, we describe how it can be used to evaluate security-related tasks performed by components, which participate in an interaction of a CPS. Finally, we discuss possible outcomes including the cause and effect of evaluating the cost of security by using the presented model.

Iii-a Definition

In many respects, the control system view in Fig. 1 corresponds to the most fundamental definition of what CPS are. However, this closed-loop control system view might unintentionally give the impression that a CPS consists of a single control logic, which uses many sensors and actuators to interact with the physical environment. In reality, a CPS is defined by a set of components, which interact with each other and the physical environment. These components refer to any hardware or software resources that are capable of computation, communication and controlling sensors and/or actuators. All in all, this extended definition allows describing even more complex CPS (such as the CPS in Fig. 1).

Within a CPS components interact with each other to serve a specific purpose. An interaction is a unit of work performed within a CPS, and treated in a coherent and reliable way independent of other interactions. Furthermore, an interaction refers to any usage of sensors, control functions and actuators, is executed at a specific point in time, and includes one or more participating components. Each component performs a number of different tasks, which can either be ordinary or security-related. An ordinary task, on the one hand, could be using a sensor to measure the physical environment, or using an actuator to change it. A security-related task, on the other hand, could be encrypting the measured data before sending it to another component. Thus, it is important to differentiate between those two types, since an evaluation of security costs should only focus on security-related tasks.

Iii-B Onion Layer Model

As previously defined, the security costs of a CPS including its interactions, components and security-related tasks could be modelled by using an onion layered approach. As shown in Fig. 2, the entirety of security costs in a CPS results in using one ore more metrics to measure the total amount of performed security-related tasks. Furthermore, the sum of all security-related tasks is performed by the total number of components within a CPS, which in turn can be part of various interactions. Summarizing, to evaluate how much it costs to guarantee security in a CPS, including all layers of Fig. 2, the onion layer model propose to form a sum of sums.

Fig. 2: Onion layer model for evaluating security costs in CPS

The presented onion layer approach describes security costs that are incurred each time an interaction is performed in a CPS. As defined in (1), the mathematical expression describes the total security costs of a CPS as a result of four different summations. The first sum () represents all existing interactions of a CPS, while the second () summarizes all components within one interaction. Followed by that is the sum () of all security-related tasks, which have been performed by a specific component. Finally, the last sum () adds up all metrics used to measure the performance of a specific security-related task. This mathematical expression enables to create a sum of sums, which includes all interactions, components, security-related tasks and metrics used to evaluate the security costs of a CPS.

(1)

The mathematical expression in (1) can be used in different ways to produce different kinds of results. For instance, a set of metrics could be used to evaluate the costs of performing security-related tasks, which are being performed by interconnected components of an interaction. In addition to that the measured security-related costs could be represented by either producing an overall result (total costs of an interaction), or by aggregating the results on different levels (e.g. per interaction, per component, per security-related task, per metric). Table I shows an example of how the costs of security could be aggregated (on different layers) by using two different metrics for measuring a various set of security-related tasks, which have been performed by two different components of one interaction:

Interaction
Components Tasks Metrics
1 2
1 1
2 1
2
TABLE I: Example I: Aggregation of Security Costs in a CPS

Iii-C Normalization

Evaluating security costs of a CPS a promising approach for predicting coming events and/or influencing future decisions. In order to be able to adapt to environmental changes, a CPS applies policies on component level. For instance, a self-adaptability policy could be applied to start an additional component, when more computational resources are needed to perform certain tasks (e.g. more computational power). However, in terms of security these policies can be used to either provide security to a CPS or restore it after an attack. Now, past measurement data of security costs of a CPS could therefore be used to implement a self-adaptation policy, which aims at providing the same level of security within a CPS, but at lower costs.

Even though, the presented approach can be used to evaluate the security costs of all interactions of a CPS, it implies using metrics with aggregatable measurment results. In other words, a metric might provide results, which cannot be aggregated with the results provided by another metric, due to incompatible units. Thus, the duration given in milliseconds (ms) uses a different unit than the load of a central processing unit (CPU) given in percent. Another problem is that when using two or more metrics with different units the results my require interpretation in order to make sense. For example, measuring the duration of a security task and the CPU load used to do so might provide the following two results:

  • x = 5 ms + 10%

  • x = 10 ms + 5%

Without normalization measured data provided by different metrics it is impossible to tell, which of the two measurements is ”better” or ”cheaper” in terms of security costs (e.g. x x or x x). The presented mathematical expression in (1) assumes in general that the results provided by the used metrics can be aggregated. Normalizing results provided by metrics with different units will not be further elaborated here (future work).

Another point is that the onion layer model only considers dependencies between layers in terms of security costs. For instance, two consecutive tasks (task 1 and task 2) may not be performed every time. Instead task 2 could be only executed, when a specific condition is met in task 1. Now, depending on how many tasks have been performed the dependency relationship between task 1 and task 2 will only be shown in the different cost measurements. A dependency analysis will be subject of future work and will not be further elaborated in this paper.

Iv Use Case Description and Evaluation

In the previous section we have defined that a CPS consists of different components, which combine computation, communication and controlling abilities to interact with other components and the physical world. Additionally, we described an onion layer model, which can be used to evaluate security costs of a CPS. In this section we describe two different use cases and demonstrate how the approach from Section III can be used to evaluate them. These two use cases are based on the CPS from Fig. 1, which consists of three components that interact with each other and with the physical environment. The first component (IoT-device 1) uses a sensor to measure the temperature of a room. Next, it uses an IoT-framework to verify whether the second component (IoT-device 2) is trustworthy, before transmitting the data. The same verification is done on the receiving side, where the IoT-device 2 verifies whether IoT-device 1 is trustworthy. Finally, after the IoT-framework confirms the trustworthiness of both IoT-devices, the second device starts cooling down the room, but only if the temperature is over a certain limit (e.g. 25 degree Celsius). Summarizing, this CPS uses three different component to measure the temperature of a room, perform security-related tasks to guarantee trustworthiness between components and effectively cool down the room (if the limit has been reached).

Iv-a Use Case I: On-Boarding Procedure

As previously mentioned, a CPS is formed by its components, which are capable of interacting with each other and with the physical world. Although, before these components start interacting with each other, they first need to be ”on-boarded” (or enrolled) to become part of a CPS. In other words, the IoT-devices need to register with an IoT-framework including their SW-system and produced services. For instance, IoT-device 1 uses SW-system 1 to control a temperature sensor and produces the service ”measure room temperature”. One way of enabling this on-boarding procedure is by using the Arrowhead framework [10], which can be used to create a SOA local cloud environment for managing the swarms of components, sensors and actuators within a CPS.

This Arrowhead local cloud provides an on-boarding procedure, which controls the way how an IoT-device including its SW-system and produced service enters a CPS. Furthermore, as Bicaku et al. [11] explained, it establishes a chain of trust to assure that the Arrowhead local cloud is not compromised upon the introduction of a new component. This is crucial, from a security perspective, since the on-boarding procedure guarantees that each component passed all requirements before being allowed to enter the Arrowhead local cloud. Additionally, it creates a trustworthy environment, where a component can use the Arrowhead cloud systems to verify whether another component is part of the same cloud before starting an interaction.

So, before the two IoT-devices from Fig. 1 start controlling the temperature of a room, they first have to enter the Arrowhead local cloud. By doing so, they have to go through the required steps of the on-boarding procedure in order to successfully enter the CPS. As explained in [11], the Arrowhead local cloud is composed of a number of systems, which perform specific tasks in the on-boarding procedure. Only if a new device successfully passes all tasks of all these systems it is allowed to enter the local cloud. Now, to support the overall use case from Fig. 1 there are two IoT-devices, which need to complete the on-boarding procedure. In other words, for each IoT-device there is an interaction between the device and the Arrowhead local cloud. During an interaction different tasks are performed by either the IoT-device or by one of the Arrowhead systems. Some of these tasks can be relevant to security, where e.g. a certificate is being transmitted and checked for validity. Finally, after both interactions have been completed successfully, the two IoT-devices are part of the CPS and can start regulating the room’s temperature.

Iv-B Evaluation of Use Case I

The on-boarding procedure is used by both IoT-devices (from Fig. 1) to enter the CPS. In other words, to ”on-board” both devices the same procedure needs to be completed twice, but the steps for each run are identical. Therefore only one interaction needs to be considered when evaluating the costs of security for use case I. However, it is necessary to separate ordinary and security-related tasks and to assign them to the performing component. According to the authors of [11] the following have been identified as security-related tasks:

  • task 3: Publish(DeviceRecord, device-key)
    performed by: IoT-device 1 and IoT-device 2

  • task 4: Authenticate(AuthenticationRequest)
    performed by: Arrowhead local cloud

  • task 5: Publish(SystemRecord, SW-key, local-cloud-SW-key)
    performed by: IoT-device 1 and IoT-device 2

  • task 6: Authorise(AuthorisationRequest)
    performed by: Arrowhead local cloud

  • task 7: Publish(ServiceRecord)
    performed by: IoT-device 1 and IoT-device 2

  • task 8: Authorise(AuthorisationRequest)
    performed by: Arrowhead local cloud

The execution of the on-boarding procedure for the first IoT-device means that the two components (IoT-device 1 and IoT-framework) perform a total of 6 security-related tasks (the same applies for on-boarding IoT-device 2). As shown in (2) and (3) the onion layer model can be used to describe the

Fig. 3: The sequence diagram for the overall use case for controlling the room temperature

resulting costs (c, c) for on-boarding both IoT-devices by using an exemplary metric for measuring the duration in ms:

(2)

(3)

The following table shows a summarized view on the evaluation of security costs of the on-boarding procedure of both IoT-devices:

Interaction 1
Component Task Duration
1 3 3 ms 17 ms
5 5 ms
7 9 ms
2 3 3 ms 17 ms
5 5 ms
7 9 ms
3 4 8 ms 26 ms
6 14 ms
8 4 ms
IoT-device 1; IoT-device 2; Arrowhead local cloud
TABLE II: On-Boarding Precedure Security Cost Evaluation

Iv-C Use Case II: Closed-Loop Temperature Control

Once the on-boarding procedure has been completed successfully and the two IoT-devices are part of the CPS they can start regulating the room’s temperature. In order to do so, each component performs different tasks and interacts with other components. First, IoT-device 1 uses a sensor to measure the room’s current temperature. Then, the first security-related task is performed by asking the Arrowhead local cloud, whether IoT-device 2 is trustworthy or not. The trustworthiness is verified by the systems of the local cloud, by checking if IoT-device 2 has successfully passed the on-boarding procedure. After the check confirms that IoT-device 2 is part of the Arrowhead local cloud, the first IoT-device performs another security-related task. This time an encryption algorithm is used to cipher the previously measured data, before it is being transmitted to the second IoT-device.

However, before IoT-device 2 decrypts the received message, it first uses the Arrowhead local cloud to verify, whether IoT-device 1 is trustworthy or not. If it is, the message is decrypted and checked, if the measured temperature is over a predefined limit (e.g.: 25 degree Celsius). Only if this limit has been reached, the second IoT-device sends a command to an air-conditioning system to cool down the room. Fig. 2 shows this closed-loop control logic from measuring the room’s temperature by using a sensor to performing security-relevant tasks and finally using an actuator to change the temperature.

Iv-D Evaluation of Use Case II

The complexity is even greater in the second use case, due to the interconnection of all three components to reach a common goal. This includes measuring the temperature of a room, verifying the trustworthiness of the two IoT-devices, establishing an encrypted data transmission and finally cooling down the room. To reach this goal, each component performs different tasks, which again need to be divided into ordinary and security-related tasks and then assigned to the performing component. As shown in Fig. 2, the following have been identified as security-related tasks:

  • task 3: check_trustworthiness(IoT-device 2)
    performed by: IoT-device 1

  • task 4: return(trustworthy)
    performed by: Arrowhead local cloud

  • task 5: encrypt(25 degree Celsius)
    performed by: IoT-device 1

  • task 7: check_trustworthiness(IoT-device 1)
    performed by: IoT-device 2

  • task 8: return(trustworthy)
    performed by: Arrowhead local cloud

  • task 9: decrypt(encrypted_data)
    performed by: IoT-device 2

The execution of the closed-loop temperature control involves three components (IoT-device 1, IoT-device 2, Arrowhead local cloud), which perform a total of 6 security-related tasks. Again, as shown in (4), the resulting costs (c) can be described by the onion layer model and evaluated by using the same metric as used in the previous use case evaluation (duration measured in ms):

(4)

The following table summarizes the evaluation of security costs of the closed-loop temperature control:

Interaction 2
Component Task Duration
1 3 2 ms 10 ms
5 8 ms
2 7 2 ms 9 ms
9 7 ms
3 4 1 ms 2 ms
8 1 ms
IoT-device 1; IoT-device 2; Arrowhead local cloud
TABLE III: Closed-Loop Temperature Control Security Cost Evaluation

The results in Table III perfectly demonstrate why it is important to evaluate security costs in CPS. For instance, if the same evaluation was done periodically (e.g. measuring the room’s temperature every 5 minutes) the results would show that the security costs remain constant regardless of the temperature limit being reached or not. As shown in Fig. 3, only after all security-related task (task 3 to task 8) have been performed it is verified, whether the temperature limit has been reached or not. So, the security costs could be significantly reduced in this CPS, if IoT-device 1 performs step 10 (check_limit_reached) after receiving the measured data from the sensor (step 2) and before checking the trustworthiness of IoT-device 2 (step 3). By doing so, the security-related tasks would only be performed when the temperature limit has been reached, which would reduce the security costs immensely.

V Conclusion and Future Work

In this paper, we introduced a new approach for evaluating security costs in CPS. We presented an overall use case including the interaction of components, sensors and actuators in a CPS. In this regard, we defined in Section III that a CPS is formed by its components, which are capable of computation, communication and control functions. Furthermore, we proposed an onion layer model, which forms a sum of sums of all interactions, components, security-related tasks performed and metrics used to measure security costs. Next, we described tow use cases where multiple components participate in an interaction and perform both ordinary and security-related tasks.

The first use case points out the necessary steps for entering and existing CPS without compromising it (on-boarding procedure). The second use case combines the usage of components, sensors and actuators to control the temperature of a room (closed-loop temperature control). Finally, we demonstrate how the proposed onion layer model can be used to evaluate the security costs of the two use cases. In this demonstration we used an exemplary metric (duration measured in ms) to show how to evaluate the duration of performing all security-related tasks (measured in ms).

The main contribution of this paper is the initial investigation of an approach for modelling security costs in CPS. This will be enhanced in future work by considering more use cases, providing a metric catalogue and exploring methodologies for normalizing measured data by different metrics. Furthermore, the mathematical expression presented in Section III (1) will be part of further research to create a more general, algorithmic and parametric equation for modelling security costs in CPS. Summarizing, the main goal is to develop a framework that uses metrics from catalogue to evaluate security costs, normalize the results and is applicable for any use case.

Acknowledgment

Research leading to these results has received funding from the EU ECSEL Joint Undertaking under grant agreement n°737459 (project Productive4.0) and from the partners’ national programmes/funding authorities and the project MIT 4.0 (FE02), funded by IWB-EFRE 2014 - 2020 coordinated by Forschung Burgenland GmbH.

References

  • Hermann et al. [2016] Mario Hermann, Tobias Pentek, and Boris Otto. Design principles for industrie 4.0 scenarios. In System Sciences (HICSS), 2016 49th Hawaii International Conference on, pages 3928–3937. IEEE, 2016.
  • Almada-Lobo [2016] Francisco Almada-Lobo. The industry 4.0 revolution and the future of manufacturing execution systems (mes). Journal of Innovation Management, 3(4):16–21, 2016.
  • Hu [2013] Fei Hu. Cyber-physical systems: integrated computing and engineering design. CRC Press, 2013.
  • Platzer [2018] André Platzer. Logical foundations of cyber-physical systems, 2018.
  • Esterle and Grosu [2016] Lukas Esterle and Radu Grosu. Cyber-physical systems: challenge of the 21st century. e & i Elektrotechnik und Informationstechnik, 133(7):299–303, 2016.
  • Tankard [2011] Colin Tankard. Advanced persistent threats and how to monitor and deter them. Network security, 2011(8):16–19, 2011.
  • Rajkumar et al. [2016a] Raj Rajkumar, Dionisio De Niz, and Mark Klein. Cyber-Physical Systems. Addison-Wesley Professional, 2016a.
  • Nourian and Madnick [2015] Arash Nourian and Stuart Madnick. A systems theoretic approach to the security threats in cyber physical systems applied to stuxnet. IEEE Transactions on Dependable and Secure Computing, 2015.
  • Wurm et al. [2017] Jacob Wurm, Yier Jin, Yang Liu, Shiyan Hu, Kenneth Heffner, Fahim Rahman, and Mark Tehranipoor. Introduction to cyber-physical system security: A cross-layer perspective. IEEE Trans. Multi-Scale Comput. Syst, 3(3):215–227, 2017.
  • Delsing [2017] Jerker Delsing. Iot automation: Arrowhead framework. CRC Press, 2017.
  • Bicaku et al. [2018] Ani Bicaku, Silia Maksuti, Csaba Hegedűs, Markus Tauber, Jerker Delsing, and Jens Eliasson. Interacting with the arrowhead local cloud: On-boarding procedure. In 2018 IEEE Industrial Cyber-Physical Systems (ICPS), pages 743–748. IEEE, 2018.
  • Rajkumar et al. [2016b] Raj Rajkumar, Dionisio De Niz, and Mark Klein. Cyber-Physical Systems. Addison-Wesley Professional, 2016b.
  • Dumas et al. [2013] Marlon Dumas, Marcello La Rosa, Jan Mendling, Hajo A Reijers, et al. Fundamentals of business process management, volume 1. Springer, 2013.
  • Gruhn and Laue [2006] Volker Gruhn and Ralf Laue. Complexity metrics for business process models. In 9th international conference on business information systems (BIS 2006), volume 85, pages 1–12. Citeseer, 2006.
  • Tauber et al. [2011] Markus Tauber, Saleem N Bhatti, and Yi Yu. Application level energy and performance measurements in a wireless lan. In Proceedings of the 2011 IEEE/ACM International Conference on Green Computing and Communications, pages 100–109. IEEE Computer Society, 2011.
  • Tauber et al. [2012] Markus Tauber, Saleem N Bhatti, and Yi Yu. Towards energy-awareness in managing wireless lan applications. In Network Operations and Management Symposium (NOMS), 2012 IEEE, pages 453–461. IEEE, 2012.
  • Tauber and Bhatti [2012] Markus Tauber and Saleem N Bhatti. The effect of the 802.11 power save mechanism (psm) on energy efficiency and performance during system activity. In Green Computing and Communications (GreenCom), 2012 IEEE International Conference on, pages 573–580. IEEE, 2012.
  • Kansal et al. [2010] Aman Kansal, Feng Zhao, Jie Liu, Nupur Kothari, and Arka A Bhattacharya. Virtual machine power metering and provisioning. In Proceedings of the 1st ACM symposium on Cloud computing, pages 39–50. ACM, 2010.
  • Hayden [2010] Lance Hayden. IT security metrics: A practical framework for measuring security & protecting data. McGraw-Hill Education Group, 2010.
  • Van Solingen and Berghout [1999] Rini Van Solingen and Egon Berghout. The Goal/Question/Metric Method: a practical guide for quality improvement of software development. McGraw-Hill, 1999.
  • Pfleeger [2009] Shari Lawrence Pfleeger. Useful cybersecurity metrics. IT professional, 11(3):38–45, 2009.
  • Tariq [2012] Muhammad Imran Tariq. Towards information security metrics framework for cloud computing. International Journal of Cloud Computing and Services Science, 1(4):209, 2012.
  • Luna et al. [2011] Jesus Luna, Hamza Ghani, Daniel Germanus, and Neeraj Suri. A security metrics framework for the cloud. In Security and Cryptography (SECRYPT), 2011 Proceedings of the International Conference on, pages 245–250. IEEE, 2011.
  • Yee [2013] George OM Yee. Security metrics: An introduction and literature review. In Computer and Information Security Handbook (Second Edition), pages 553–566. Elsevier, 2013.
  • Pereira et al. [2017] T Pereira, L Barreto, and A Amaral. Network and information security challenges within industry 4.0 paradigm. Procedia Manufacturing, 13:1253–1260, 2017.
  • Ivkić et al. [2017] Igor Ivkić, Stephan Wolfauer, Thomas Oberhofer, and Markus Tauber. On the cost of cyber security in smart business. IEEE (UK)-12th International Conference for Internet Technology and Secured Transactions (ICITST-2017), 2017.
Comments 0
Request Comment
You are adding the first comment!
How to quickly get a good reply:
  • Give credit where it’s due by listing out the positive aspects of a paper before getting into which changes should be made.
  • Be specific in your critique, and provide supporting evidence with appropriate references to substantiate general statements.
  • Your comment should inspire ideas to flow and help the author improves the paper.

The better we are at sharing our knowledge with each other, the faster we move forward.
""
The feedback must be of minimum 40 characters and the title a minimum of 5 characters
   
Add comment
Cancel
Loading ...
366788
This is a comment super asjknd jkasnjk adsnkj
Upvote
Downvote
""
The feedback must be of minumum 40 characters
The feedback must be of minumum 40 characters
Submit
Cancel

You are asking your first question!
How to quickly get a good answer:
  • Keep your question short and to the point
  • Check for grammar or spelling errors.
  • Phrase it like a question
Test
Test description