Introduction - List of Abbreviations - Vulnerability assessment of modern ICT infrastructure fr

List of Abbreviations

Chapter 3. Methodology

3.1 Introduction

This chapter presents the research methodologies employed in conducting this study. The literature review is described and presented in Chapter 2. Multiple methodologies were employed; the data gathering and analysis methodologies are also relevant techniques for conducting vulnerability and risk assessments, as discussed in Section 2.7.1. The majority of the work for each methodology could be conducted in parallel; an advantage of this was that any potential delays in one methodological implementation did not affect other areas of research. During the study, multiple conference and journal papers were submitted; this provided a continuous feedback from the peer- review process and from the conference presentations themselves. Appendix A contains a list of publications that were generated from the research. The flow of the research is shown in Figure 3.1, and a description of the process and their relation to the objectives is provided below:

The project was developed and designed from the initial concept, the research proposal was defended and ethical clearance was obtained.

The primary literature review was conducted, which was an expansion of the initial literature review conducted for the research proposal. This provided the background to conduct the study.

From the models reviewed in the literature, two new models were proposed: an IW incident model and a vulnerability assessment framework. This was an objective of the research in itself.

A continuous literature review was conducted, which allowed for the ongoing analysis of trends and occurring incidents. This contributes to the vulnerability assessment by providing current trends in threats and provides information on possible vulnerabilities based on previous incidents.

Interviews were conducted. The analysis of the interview responses was used to assist in designing the workshop objectives. These provided expert opinion on the criticality of the mobile infrastructure, general threat and vulnerability concerns, and specific concerns related to the mobile infrastructure and its use.

Simulations and mathematical calculations were performed to analyse specific scenarios and expand on previous research; the simulations can visually represent the results. These are used to assess specific vulnerabilities, and contribute to the vulnerability assessment.

The overall vulnerability assessment is based on the proposed framework, and performs the data-triangulation from the results of all the research methodologies. This is the objective of the research.

Conclusions and recommendations are drawn from the gathered data and assessment.

Initial Concept

Primary Literature Review

Continuous Literature

Review

Case Studies and Trend

Analysis

Interviews

Workshop

Simulations and Calculations Initial Literature Review

and Research Design

Proposal

Ethical Clearance

Information Warfare Framework Development

Vulnerability Assessment Framework Development

Survey

Overall Vulnerability Assessment

Conclusion and Recommendations

Submission

Figure 3.1: Flow of Dissertation Work

The multiple research methodologies are aimed at meeting the four primary objectives of the research study. The research methodologies described above relate to the main objectives and their breakdowns as follows:

Further develop a framework that may be used in vulnerability assessment of critical infrastructure from an IW perspective

o Further development of IW models and frameworks. This expands on the comparison of IW models in the literature review, and will be primarily deskwork.

A new model will be proposed.

o Assess existing frameworks. This will be primarily based on deskwork, and will be an extension of the vulnerability and risk assessment discussions from the literature review.

o Development of new framework. This will be primarily deskwork, where the proposed IW model will be integrated into the analysis of the vulnerability and risk assessment frameworks. From this a new vulnerability assessment framework will be proposed.

Gather data relating to attacks against information infrastructure;

o Gather data regarding the number of attacks. Document and secondary data analysis will be conducted to assess trends in the number of and types of attacks.

Data from the research workshop will also contribute.

o Gather data regarding computer-based security incidents. Document and secondary data analysis will be conducted to assess global trends of threats and vulnerabilities with regards to computer-security incidents. The interviews and research workshop will also contribute.

o Gather data regarding cell phone security incidents. Document and secondary data analysis will be conducted to assess global trends of threats and vulnerabilities with regards to mobile-related security incidents. The interviews and research workshop will also contribute.

Further establish the cellular phone infrastructure as a critical information infrastructure;

o A survey of informal enterprises using questionnaires will assess the possible economic impact from the informal sector should large-scale outages occur.

Interview results will solicit information on the perceived criticality of mobile phones on various sectors. Document analysis will also contribute.

Apply the proposed framework to a generic cellular phone infrastructure to assess potential vulnerabilities that may be encountered;

o The proposed vulnerability assessment framework will be used to triangulate the data collected from the various research methodologies. This will provide a generic vulnerability and risk profile for a mobile infrastructure in an IW environment.

The secondary objectives include:

Conducting a basic vulnerability assessment on another infrastructure;

o This will be deskwork, based on document analysis. The purpose is to provide an initial test of the proposed vulnerability assessment framework.

Provide suggestions for solutions and considerations to improve the protection of information infrastructures, and discuss related aspects that do not fall under the vulnerability assessment;

o This will be based on document analysis of whitepapers and vendor recommendations.

Possible solutions to security issues and concerns may be suggested in the research workshop, which will contribute to this section.

Table 3.1 illustrates the applicability of the research methods to the objectives. The sections in this chapter describe the research methodologies in more detail; including the administrative processes, data gathering protocols and the data analysis methods that are employed in the study. The chapter is structured as follows: Section 3.2 describes the administrative process, particularly the defence and acceptance of the research proposal, and the ethical clearance process. Section 3.3 describes all desk-based research, which includes the trend and incident analysis, creating the proposed frameworks, computer simulations, mathematical calculations, and the application of the proposed models. Section 3.4 describes the interview process, and Section 3.5 describes the workshop.

Section 3.6 describes the survey. Section 3.7 summarises and concludes the chapter.

Table 3.1: The Relationship of Research Methodology to Research Objectives Methods Trend Analysis Primary Data Collection

Simulations Calculations Other Deskwork

Objectives Document Secondary Data Interviews Workshop Survey

Further develop frameworks 

IW  

Vulnerability  

Gather Security Information      

Attack trends    

Security Trends    

Mobile Security Trends      

Establish the criticality of

the mobile infrastructure    

Apply Framework 

2^nd Vulnerability assessment  

Recommendations    

Dalam dokumen Vulnerability assessment of modern ICT infrastructure from an information warfare perspective. (Halaman 123-127)