Mission assurance policy and risk management in cybersecurity

Mission assurance policy and risk management are essential in enabling decision makers to ensure successful completion of missions by addressing the security status of cyber assets. This paper presents a novel mission assurance policy that adapts to the dynamic security status of all mission assets to quickly and automatically determine mission assurance level and to decide what changes are needed accordingly. The novelty of this mission assurance policy stems from using a time Petri net model for determining the security status of cyber assets, and then employing binary or multi-valued logic decision diagrams to assess the mission assurance level. The ability of a mission assurance policy to successfully complete its objectives depends mainly on whether a risk management scheme is provided to reduce risk to an acceptable level. To that end, this paper also describes a risk management scheme to systematically deal with the main factors of risk management such as the temporal interdependencies of cyber assets, impact of attacks, and risk mitigation. Given that the status of cyber assets changes due to the dynamic cybersecurity environment of asset vulnerabilities, threats, and recovery, the proposed mission assurance policy and risk management scheme enable decision makers to cope with the real-time assessment of mission assurance level.