A Capability-Based Approach to Evaluate and Mitigate Identified Cybersecurity Gaps in Critical Infrastructures

DOI:

https://doi.org/10.34190/eccws.25.1.4847

Keywords:

cyber risk analysis, cybersecurity capability gap, decision support, healthcare cybersecurity, control action prioritisation

Abstract

Recently, the number of cyber threats has shown a rapid increase all over the world. The public and private infrastructure organisations of a society have varying capabilities and resources to address these threats and to protect themselves from their harmful impact. Among these sectors, critical infrastructures are the most vulnerable, as they hold valuable data whose protection is both crucial and expected from a societal perspective. As data protection relies on different capabilities, it is vital to understand which specific capabilities a particular infrastructure sector and an individual company will need and can achieve. There is a wealth of high-quality information available on cybersecurity best practices, for example in frameworks such as the ISO series and the National Institute of Standards and Technology Cybersecurity Framework (CSF) 2.0. These frameworks contain actions that are generally considered beneficial for any company, but they provide limited guidance on how individual controls translate into actionable capabilities in a specific organisational context. Moreover, very few companies have the resources to implement all the controls presented in these frameworks and reach the highest possible cybersecurity maturity levels. In these situations, it is crucial to maximise the benefit gained from any chosen action. In this paper, we investigate how a capability-based assessment model, originally developed for the defence domain, can be adapted to evaluate cybersecurity capabilities in the context of critical infrastructure, and we explore its performance when applied to a healthcare sector company. The model assesses capability gaps by comparing the current state with a target capability level, and we apply this approach to the cybersecurity context of a healthcare organisation. The general aim of our study is to support simpler and more effective decision-making when selecting the next cybersecurity upgrade or systemic improvement. In future research, we plan to extend this model to other critical infrastructure sectors and compare its performance and generalisability across these sectors.

Author Biographies

Eetu Jalmari Johannes Laakso, Cyberwatch Finland

Eetu Laakso received the B.Sc. (Pharmacy) degree from the University of Helsinki and the M.Sc. (ICT, Cybersecurity) degree from the University of Turku. He is currently working at CyberWatch Finland. His research interests focus on cybersecurity governance, risk, and compliance (GRC), with particular interest in healthcare sector applications.

Vesa Kuikka, Aalto University

Vesa Kuikka received the Doctor of Military Sciences degree from the National Defence University (2021) and the D.Sc. (Technology) degree from Aalto University (2022). His research addresses military capability modelling, combat, network-centric warfare, complex networks, cyber analysis, and information diffusion, integrating probabilistic modelling and systems engineering.

Kimmo Kaski, Aalto University

Kimmo K. Kaski received an M.Sc. (Helsinki University of Technology, Finland) and a D.Phil. (University of Oxford, UK), and is currently Professor of Computational Science at Aalto University, Finland. His research interests focus on Data Science, Network Science, and Artificial Intelligence, with applications to social networks, digital health, and cybersecurity and resilience.

Published

2026-06-15