{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,6,13]],"date-time":"2026-06-13T00:05:08Z","timestamp":1781309108076,"version":"3.54.1"},"reference-count":41,"publisher":"MDPI AG","issue":"1","license":[{"start":{"date-parts":[[2021,12,29]],"date-time":"2021-12-29T00:00:00Z","timestamp":1640736000000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Sensors"],"abstract":"<jats:p>Maritime processes involve actors and systems that continuously change their underlying environment, location and threat exposure. Thus, risk mitigation requires a dynamic risk assessment process, coupled with an adaptive, event driven security enforcement mechanism, to efficiently deal with dynamically evolving risks in a cost efficient manner. In this paper, we propose an adaptive security framework that covers both situational risk assessment and situational driven security policy deployment. We extend MITIGATE, a maritime-specific risk assessment methodology, to capture situations in the risk assessment process and thus produce fine-grained and situation-specific, dynamic risk estimations. Then, we integrate DynSMAUG, a situation-driven security management system, to enforce adaptive security policies that dynamically implement security controls specific to each situation. To validate the proposed framework, we test it based on maritime cargo transfer service. We utilize various maritime specific and generic systems employed during cargo transfer, to produce dynamic risks for various situations. Our results show that the proposed framework can effectively assess dynamic risks per situation and automate the enforcement of adaptive security controls per situation. This is an important improvement in contrast to static and situation-agnostic risk assessment frameworks, where security controls always default to worst-case risks, with a consequent impact on the cost and the applicability of proper security controls.<\/jats:p>","DOI":"10.3390\/s22010238","type":"journal-article","created":{"date-parts":[[2021,12,29]],"date-time":"2021-12-29T23:31:35Z","timestamp":1640820695000},"page":"238","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":5,"title":["An Adaptive, Situation-Based Risk Assessment and Security Enforcement Framework for the Maritime Sector"],"prefix":"10.3390","volume":"22","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-3192-667X","authenticated-orcid":false,"given":"Christos","family":"Grigoriadis","sequence":"first","affiliation":[{"name":"SecLab, Department of Informatics, University of Piraeus, Karaoli & Dimitriou 80, 18534 Piraeus, Greece"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-0943-6180","authenticated-orcid":false,"given":"Romain","family":"Laborde","sequence":"additional","affiliation":[{"name":"Institut de Recherche en Informatique de Toulouse (IRIT), Universit\u00e9 Paul Sabatier, 31062 Toulouse, France"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-5417-2022","authenticated-orcid":false,"given":"Antonin","family":"Verdier","sequence":"additional","affiliation":[{"name":"Institut de Recherche en Informatique de Toulouse (IRIT), Universit\u00e9 Paul Sabatier, 31062 Toulouse, France"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-8771-9020","authenticated-orcid":false,"given":"Panayiotis","family":"Kotzanikolaou","sequence":"additional","affiliation":[{"name":"SecLab, Department of Informatics, University of Piraeus, Karaoli & Dimitriou 80, 18534 Piraeus, Greece"}],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"1968","published-online":{"date-parts":[[2021,12,29]]},"reference":[{"key":"ref_1","doi-asserted-by":"crossref","first-page":"3453","DOI":"10.1109\/COMST.2018.2855563","article-title":"A survey of iot-enabled cyberattacks: Assessing attack paths to critical infrastructures and services","volume":"20","author":"Stellios","year":"2018","journal-title":"IEEE Commun. Surv. Tutor."},{"key":"ref_2","unstructured":"Greenberg, A. (2021, November 15). The Untold Story of NotPetya, the Most Devastating Cyberattack in History. Available online: https:\/\/www.wired.com\/story\/notpetya-cyberattack-ukraine-russia-code-crashed-the-world\/."},{"key":"ref_3","doi-asserted-by":"crossref","first-page":"54","DOI":"10.1049\/et.2019.0405","article-title":"Cyber pirates terrorise the high seas","volume":"14","author":"Newman","year":"2019","journal-title":"Eng. Technol."},{"key":"ref_4","doi-asserted-by":"crossref","unstructured":"Polemi, N., and Kotzanikolaou, P. (2015). Medusa: A supply chain risk assessment methodology. Cyber Security and Privacy Forum, Springer.","DOI":"10.1007\/978-3-319-25360-2_7"},{"key":"ref_5","doi-asserted-by":"crossref","unstructured":"Papastergiou, S., and Polemi, N. (2018). MITIGATE: A dynamic supply chain cyber risk assessment methodology. Smart Trends in Systems, Security and Sustainability, Springer.","DOI":"10.1007\/978-981-10-6916-1_1"},{"key":"ref_6","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1007\/s12198-018-0195-z","article-title":"MITIGATE: A dynamic supply chain cyber risk assessment methodology","volume":"12","author":"Schauer","year":"2019","journal-title":"J. Transp. Secur."},{"key":"ref_7","doi-asserted-by":"crossref","unstructured":"Laborde, R., Oglaza, A., Barr\u00e8re, F., and Benzekri, A. (2017, January 18\u201320). dynSMAUG: A dynamic security management framework driven by situations. Proceedings of the 2017 1st Cyber Security in Networking Conference (CSNet), Rio de Janeiro, Brazil.","DOI":"10.1109\/CSNET.2017.8241987"},{"key":"ref_8","doi-asserted-by":"crossref","first-page":"185","DOI":"10.1007\/s12243-018-0673-0","article-title":"A situation-driven framework for dynamic security management","volume":"74","author":"Laborde","year":"2019","journal-title":"Ann. Telecommun."},{"key":"ref_9","doi-asserted-by":"crossref","unstructured":"Benzekri, A., Laborde, R., Oglaza, A., Rammal, D., and Barr\u00e8re, F. (2019, January 23\u201325). Dynamic security management driven by situations: An Exploratory analysis of logs for the identification of security situations. Proceedings of the 2019 3rd Cyber Security in Networking Conference (CSNet), Quito, Ecuador.","DOI":"10.1109\/CSNet47905.2019.9108976"},{"key":"ref_10","doi-asserted-by":"crossref","unstructured":"Gadyatskaya, O., Labunets, K., and Paci, F. (2016). Towards empirical evaluation of automated risk assessment methods. International Conference on Risks and Security of Internet and Systems, Springer.","DOI":"10.1007\/978-3-319-54876-0_6"},{"key":"ref_11","doi-asserted-by":"crossref","unstructured":"Jing, Y., Ahn, G.J., Zhao, Z., and Hu, H. (2014, January 3\u20135). Riskmon: Continuous and automated risk assessment of mobile applications. Proceedings of the 4th ACM Conference on Data and Application Security and Privacy, San Antonio, TX, USA.","DOI":"10.1145\/2557547.2557549"},{"key":"ref_12","doi-asserted-by":"crossref","unstructured":"Medhioub, M., Kim, T.H., and Hamdi, M. (2017, January 8\u201311). Adaptive risk treatment for cloud computing based on Markovian game. Proceedings of the 2017 14th IEEE Annual Consumer Communications & Networking Conference (CCNC), Las Vegas, NV, USA.","DOI":"10.1109\/CCNC.2017.7983111"},{"key":"ref_13","unstructured":"Pyykk\u00f6a, H., Kuusij\u00e4rvib, J., Silverajanc, B., and Hinkkaa, V. (2020, January 27\u201330). The Cyber Threat Preparedness in the Maritime Logistics Industry. Proceedings of the 8th Transport Research Arena, Helsinki, Finland."},{"key":"ref_14","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1016\/j.tranpol.2020.10.001","article-title":"Cybersecurity in ports and maritime industry: Reasons for raising awareness on this issue","volume":"100","year":"2021","journal-title":"Transp. Policy"},{"key":"ref_15","doi-asserted-by":"crossref","unstructured":"Luo, Y. (2020). A Dynamic Visualization Platform for Operational Maritime Cybersecurity. Cooperative Design, Visualization, and Engineering, Springer International Publishing.","DOI":"10.1007\/978-3-030-60816-3"},{"key":"ref_16","doi-asserted-by":"crossref","unstructured":"Androjna, A., Brcko, T., Pavic, I., and Greidanus, H. (2020). Assessing Cyber Challenges of Maritime Navigation. J. Mar. Sci. Eng., 8.","DOI":"10.3390\/jmse8100776"},{"key":"ref_17","doi-asserted-by":"crossref","unstructured":"Leite Junior, W.C., de Moraes, C.C., de Albuquerque, C.E., Machado, R.C.S., and de S\u00e1, A.O. (2021). A Triggering Mechanism for Cyber-Attacks in Naval Sensors and Systems. Sensors, 21.","DOI":"10.3390\/s21093195"},{"key":"ref_18","doi-asserted-by":"crossref","first-page":"90","DOI":"10.1109\/MCOM.001.1900632","article-title":"Vessels cybersecurity: Issues, challenges, and the road ahead","volume":"58","author":"Caprolu","year":"2020","journal-title":"IEEE Commun. Mag."},{"key":"ref_19","doi-asserted-by":"crossref","unstructured":"Yoo, Y., and Park, H.S. (2021). Qualitative Risk Assessment of Cybersecurity and Development of Vulnerability Enhancement Plans in Consideration of Digitalized Ship. J. Mar. Sci. Eng., 9.","DOI":"10.3390\/jmse9060565"},{"key":"ref_20","doi-asserted-by":"crossref","first-page":"103429","DOI":"10.1016\/j.csi.2020.103429","article-title":"SafeSec Tropos: Joint security and safety requirements elicitation","volume":"70","author":"Kavallieratos","year":"2020","journal-title":"Comput. Stand. Interfaces"},{"key":"ref_21","doi-asserted-by":"crossref","first-page":"107934","DOI":"10.1016\/j.comnet.2021.107934","article-title":"Novel security models, metrics and security assessment for maritime vessel networks","volume":"189","author":"Enoch","year":"2021","journal-title":"Comput. Netw."},{"key":"ref_22","doi-asserted-by":"crossref","first-page":"104908","DOI":"10.1016\/j.ssci.2020.104908","article-title":"A novel cyber-risk assessment method for ship systems","volume":"131","author":"Bolbot","year":"2020","journal-title":"Saf. Sci."},{"key":"ref_23","doi-asserted-by":"crossref","first-page":"736","DOI":"10.1016\/j.future.2019.05.049","article-title":"CyberShip-IoT: A dynamic and adaptive SDN-based security policy enforcement framework for ships","volume":"100","author":"Sahay","year":"2019","journal-title":"Future Gener. Comput. Syst."},{"key":"ref_24","doi-asserted-by":"crossref","unstructured":"Singh, V.K., and Jain, R. (2016). Situation Recognition Using Eventshop, Springer.","DOI":"10.1007\/978-3-319-30537-0"},{"key":"ref_25","doi-asserted-by":"crossref","first-page":"4","DOI":"10.1007\/s007790170019","article-title":"Understanding and using context","volume":"5","author":"Dey","year":"2001","journal-title":"Pers. Ubiquitous Comput."},{"key":"ref_26","doi-asserted-by":"crossref","first-page":"97","DOI":"10.1177\/154193128803200221","article-title":"Design and evaluation for situation awareness enhancement","volume":"32","author":"Endsley","year":"1988","journal-title":"Proceedings of the Human Factors and Ergonomics Society 32nd Annual Meeting"},{"key":"ref_27","doi-asserted-by":"crossref","first-page":"162","DOI":"10.1037\/0033-2909.123.2.162","article-title":"Situation models in language comprehension and memory","volume":"123","author":"Zwaan","year":"1998","journal-title":"Psychol. Bull."},{"key":"ref_28","unstructured":"(2013). Information Technology\u2014Security techniques\u2014Information Security Management (Standard No. Technical Committee: ISO\/IEC JTC 1\/SC 27. ISO\/IEC 27001:2013). Technical Report."},{"key":"ref_29","unstructured":"(2005). Information Technology\u2014Security Techniques\u2014Information Security Risk Management (Standard No. ISO\/IEC 27005:2011). Technical Report."},{"key":"ref_30","unstructured":"Ross, R.S. (2012). Guide for Conducting Risk Assessments (NIST SP-800-30rev1), The National Institute of Standards and Technology (NIST)."},{"key":"ref_31","doi-asserted-by":"crossref","first-page":"102316","DOI":"10.1016\/j.cose.2021.102316","article-title":"Assessing IoT enabled cyber-physical attack paths against critical systems","volume":"107","author":"Stellios","year":"2021","journal-title":"Comput. Secur."},{"key":"ref_32","unstructured":"(2021, September 01). National Vulnerability Database, Available online: https:\/\/nvd.nist.gov\/."},{"key":"ref_33","doi-asserted-by":"crossref","unstructured":"Grigoriadis, C., Berzovitis, M., Stellios, I., and Kotzanikolaou, P. (2021, January 4\u20138). A Cybersecurity Ontology to Support Risk Information Gathering in Cyber-Physical Systems. Proceedings of the 7th Workshop on the Security of Industrial Control Systems & of Cyber-Physical Systems (CyberICPS 2021), Darmstadt, Germany.","DOI":"10.1007\/978-3-030-95484-0_2"},{"key":"ref_34","doi-asserted-by":"crossref","first-page":"177","DOI":"10.1007\/s00778-003-0108-y","article-title":"Amit\u2014The situation manager","volume":"13","author":"Adi","year":"2004","journal-title":"VLDB J.\u2014Int. J. Very Large Data Bases"},{"key":"ref_35","doi-asserted-by":"crossref","unstructured":"Luckham, D. (2008). The power of events: An introduction to complex event processing in distributed enterprise systems. Workshop on Rules and Rule Markup Languages for the Semantic Web, Springer.","DOI":"10.1007\/978-3-540-88808-6_2"},{"key":"ref_36","unstructured":"Chadwick, D.W., Su, L., Otenko, O., and Laborde, R. (2006, January 5\u20137). Coordination between distributed PDPs. Proceedings of the Seventh IEEE International Workshop on Policies for Distributed Systems and Networks (POLICY\u201906), London, ON, Canada."},{"key":"ref_37","doi-asserted-by":"crossref","first-page":"1071","DOI":"10.1002\/cpe.1284","article-title":"Coordinating access control in grid services","volume":"20","author":"Chadwick","year":"2008","journal-title":"Concurr. Comput. Pract. Exp."},{"key":"ref_38","unstructured":"Open Standard (2021, September 01). eXtensible Access Control Markup Language (XACML) Version 3.0. Available online: https:\/\/docs.oasis-open.org\/xacml\/3.0\/xacml-3.0-core-spec-os-en.html."},{"key":"ref_39","unstructured":"Open Standard (2021, November 15). Abbreviated Language for Authorization Draft Version 1.0. Available online: https:\/\/www.oasis-open.org\/committees\/download.php\/55228\/alfa-for-xacml-v1.0-wd01.doc."},{"key":"ref_40","doi-asserted-by":"crossref","first-page":"47","DOI":"10.1007\/s12243-013-0387-2","article-title":"A survey on addressing privacy together with quality of context for context management in the Internet of Things","volume":"69","author":"Chabridon","year":"2014","journal-title":"Ann. Telecommun."},{"key":"ref_41","doi-asserted-by":"crossref","unstructured":"Chabridon, S., Bouzeghoub, A., Ahmed-Nacer, A., Marie, P., and Desprats, T. (2017). Unified modeling of quality of context and quality of situation for context-aware applications in the internet of things. International and Interdisciplinary Conference on Modeling and Using Context, Springer.","DOI":"10.1007\/978-3-319-57837-8_30"}],"container-title":["Sensors"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/1424-8220\/22\/1\/238\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,11]],"date-time":"2025-10-11T07:55:41Z","timestamp":1760169341000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/1424-8220\/22\/1\/238"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2021,12,29]]},"references-count":41,"journal-issue":{"issue":"1","published-online":{"date-parts":[[2022,1]]}},"alternative-id":["s22010238"],"URL":"https:\/\/doi.org\/10.3390\/s22010238","relation":{},"ISSN":["1424-8220"],"issn-type":[{"value":"1424-8220","type":"electronic"}],"subject":[],"published":{"date-parts":[[2021,12,29]]}}}