Use this URL to cite or link to this record in EThOS:
Title: Assurance techniques for assessing security control efficacy : an industrial control systems case study
Author: Knowles, Carl William
ISNI:       0000 0004 5918 0317
Awarding Body: Lancaster University
Current Institution: Lancaster University
Date of Award: 2016
Availability of Full Text:
Access from EThOS:
Full text unavailable from EThOS. Thesis embargoed until 07 Jun 2021
Access from Institution:
This thesis establishes the “assurance technique” as the central mechanism through which we gather evidence to make claims of assurance about security. The use of such assurance techniques in the process of assessing Industrial Control System (ICS) environments is explored. In doing so it provides six key contributions to knowledge: (i) a state-of-the-art survey of ICS security research, which culminates in a framework for future research, of which the assessment of security control efficacy is one element; (ii) claims about the effectiveness and cost-effectiveness of 20 assurance techniques used to assess the efficacy of security control implementation (e.g., a penetration test); (iii) claims about the effectiveness and cost-effectiveness of 5 assurance techniques used to assess the competency of individuals to use the assurance techniques that assess security controls (e.g., a multiple-choice examination); (iv) demonstration of the need for standardisation in a subset of these assurance techniques, based on an analysis of the real-world readiness and competence of the industry to deliver them; (v) the establishment of five novel principles (“PASIV”) to guide the safe use of assurance techniques within operationally sensitive areas of ICS environments, and the determination of potential assurance technique use across three phases of the system development life cycle; and (vi) the mapping of assurance techniques to security control families within ISO/IEC 27001:2013 (and its ICS-specific counterpart, ISO/IEC TR 27019:2013) to identify potential sources of audit evidence generation about security control efficacy.
Supervisor: Not available Sponsor: Not available
Qualification Name: Thesis (Ph.D.) Qualification Level: Doctoral
EThOS ID:  DOI: Not available