{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2022,6,2]],"date-time":"2022-06-02T02:11:17Z","timestamp":1654135877569},"reference-count":59,"publisher":"IGI Global","issue":"2","content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2014,4,1]]},"abstract":"<p>This paper provides a literature review and survey of maturity and process capability models, Critical Infrastructure Protection (CIP) tools and frameworks to identify strategies for assessing and measuring resilience and risk management capabilities, with a specific focus on the electricity generating sector. The focus is on the use of models such as CERT-RMM, and others, as a means of addressing challenges associated with cyber security and risk management. Foundational concepts, terminology and definitions are provided; examples of maturity and process capability models are presented and discussed, tools that enable process capability and resilience are identified, including those specific to the electricity generating sector. The evolution of models and how they have addressed challenges is presented, in addition to the characteristics and differences of models and the growth in domains where they can be used. The benefits of the application of process capability and maturity models in maintaining and enhancing resilience and cyber security protection is supported in this paper and recommendations for research opportunities that may yield further insight and measurement capabilities are offered.<\/p>","DOI":"10.4018\/ijsita.2014040104","type":"journal-article","created":{"date-parts":[[2015,1,30]],"date-time":"2015-01-30T19:41:07Z","timestamp":1422646867000},"page":"44-63","source":"Crossref","is-referenced-by-count":0,"title":["Maturity and Process Capability Models and Their Use in Measuring Resilience in Critical Infrastructure Protection Sectors"],"prefix":"10.4018","volume":"5","author":[{"given":"Clemith J.","family":"Houston Jr.","sequence":"first","affiliation":[{"name":"Office of Information Technology, University of Colorado Boulder, Boulder, CO, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Douglas C.","family":"Sicker","sequence":"additional","affiliation":[{"name":"Department of Computer Science, University of Colorado Boulder, Boulder, CO, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"2432","reference":[{"key":"ijsita.2014040104-0","doi-asserted-by":"publisher","DOI":"10.1109\/EDOC.2002.1137696"},{"key":"ijsita.2014040104-1","doi-asserted-by":"publisher","DOI":"10.1109\/IWCIP.2005.18"},{"key":"ijsita.2014040104-2","doi-asserted-by":"crossref","unstructured":"Allen, J. H., & Young. (2012) Report from the first CERT-RMM users group workshop series. Software Engineering Institute. Retrieved from http:\/\/repository.cmu.edu\/sei\/685","DOI":"10.21236\/ADA611119"},{"key":"ijsita.2014040104-3","author":"R. J.Anderson","year":"2001","journal-title":"Security engineering: A guide to building dependable distributed systems"},{"issue":"1","key":"ijsita.2014040104-4","first-page":"1874","article-title":"Budget constrained optimal security hardening of control network for critical cyber-infrastructures.","volume":"2","author":"Z.Anwar","year":"2008","journal-title":"International Journal of Critical Infrastructure Protection"},{"key":"ijsita.2014040104-5","doi-asserted-by":"crossref","unstructured":"Areias, M., Moniz, P., & Verissimo, P. (2009). Security and reliability of critical utility infrastructures. 20th International conference on Electricity Distribution. Retrieved from http:\/\/ieeexplore.ieee.org\/xpl\/articleDetails.jsp?arnumber=5255845&refinements%3D4280740961%26sortType%3Dasc_p_Sequence%26filter%3DAND%28p_IS_Number%3A5255237%29","DOI":"10.1049\/cp.2009.1072"},{"key":"ijsita.2014040104-6","doi-asserted-by":"publisher","DOI":"10.1109\/TDSC.2004.2"},{"key":"ijsita.2014040104-7","first-page":"1","article-title":"The state of the art in critical infrastructure protection: A framework for convergence.","volume":"1","author":"E.Bagheri","year":"2007","journal-title":"International Journal of Critical Infrastructure"},{"key":"ijsita.2014040104-8","unstructured":"Bider, I. (2000). Business process modeling \u2013 concepts. Proceedings of the Practical Business Process Modeling: PBPM 00. Stokholm. Retrieved from http:\/\/www.ibissoft.se\/english\/index0.html?frameset=research_frame.htm&itemframe=\/events\/pbpm\/pbpm00.htm"},{"key":"ijsita.2014040104-9","doi-asserted-by":"publisher","DOI":"10.1109\/MS.1997.589225"},{"key":"ijsita.2014040104-10","doi-asserted-by":"publisher","DOI":"10.1016\/j.ijcip.2009.02.002"},{"key":"ijsita.2014040104-11","unstructured":"Caralli, R. A. (2012). Discerning the intent of maturity models from characterizations of security posture. Software Engineering Institute, Carnegie Mellon. Retrieved from http:\/\/resources.sei.cmu.edu\/library\/asset-view.cfm?assetID=58922"},{"key":"ijsita.2014040104-12","unstructured":"Caralli, R. A., Allen, J. H., Curtis, P. D., White, D. W., & Young, L. R. (2010). CERT resilience management model version 1.0, process areas, generic goals and practices, and glossary. Carnegie Mellon University, Software Engineering Institute. Technical Report CMU\/SEI-2010-TR-012. Retrieved from www.cert.org\/resilience\/download\/CERT-RMM_v1.0.pdf"},{"key":"ijsita.2014040104-13","doi-asserted-by":"crossref","unstructured":"Caralli, R. A., Knight, M., & Montgomery, A. (2012). Maturity models 101: A primer for applying maturity models to smart grid security, resilience and interoperability. Carnegie Mellon University, Software Engineering Institute. Technical Report. Retrieved from http:\/\/resources.sei.cmu.edu\/library\/asset-view.cfm?assetid=58916","DOI":"10.21236\/ADA610461"},{"key":"ijsita.2014040104-14","unstructured":"Cardenas, A. A., Amin, S., Sinopoli, B., Giani, A., Perrig, A., & Sastry, S. (2009). Challenges for securing cyber physical systems. In Workshop on future directions in cyber-physical systems security. Rutgers University. Retrieved from http:\/\/cimic.rutgers.edu\/positionPapers\/cps-security-challenges-Cardenas.pdf"},{"key":"ijsita.2014040104-15","author":"L.Comfort","year":"1999","journal-title":"Shared Risk: Complex Systems in Seismic Response"},{"key":"ijsita.2014040104-16","unstructured":"Crisis and Risk Network Report. (2009). Focal report 2 \u2013 Critical infrastructure protection. Crisis and Risk Network, Center for Security Studies. Retrieved from http:\/\/129.132.36.147\/serviceengine\/Files\/CRN\/105884\/ipublicationdocument_singledocument\/e1e2bf81-36fd-4407-95b3-50cf2655beeb\/en\/CRN-Report-Focal-Report-2-CIP.pdf"},{"key":"ijsita.2014040104-17","author":"P. R.Crosby","year":"1979","journal-title":"Quality is free: The art of making quality certain"},{"key":"ijsita.2014040104-18","author":"T. H.Davenport","year":"1993","journal-title":"Process Innovation"},{"key":"ijsita.2014040104-19","unstructured":"Deming, W. E. (1982). Quality, productivity and competitive position. Cambridge, MA: Massachusetts Institute of Technology, Center for Advanced Engineering Study, 373."},{"key":"ijsita.2014040104-20","doi-asserted-by":"publisher","DOI":"10.1007\/s001630100003"},{"key":"ijsita.2014040104-21","doi-asserted-by":"publisher","DOI":"10.1504\/IJCIS.2005.006122"},{"issue":"1","key":"ijsita.2014040104-22","first-page":"18","article-title":"Deriving a capability maturity model for electric utility security assessment.","volume":"8","author":"B.Endicott-Popovsky","year":"2005","journal-title":"Academy of Information and Management Sciences Journal"},{"issue":"1","key":"ijsita.2014040104-23","first-page":"65","article-title":"ISO, CMMI and PMBOK risk management: A comparative analysis.","volume":"1","author":"C. M.Gomes de Gusmao","year":"2003","journal-title":"The International Journal of Applied Management and Technology"},{"key":"ijsita.2014040104-24","author":"M.Hammer","year":"1993","journal-title":"Re-engineering the corporation; A manifesto for business revolution"},{"key":"ijsita.2014040104-25","unstructured":"Humphrey, W. (1987). Characterizing the software process: a maturity framework. Technical Report. Software Engineering Institute, Carnegie Mellon University, USA. Retrieved from http:\/\/www.sei.cmu.edu"},{"key":"ijsita.2014040104-26","unstructured":"Information Technology Infrastructure Library. (2011). Availability management. Information Technology Infrastructure Library. Retrieved from http:\/\/www.itlibrary.org\/index.php?page=Availability_Management"},{"key":"ijsita.2014040104-27","unstructured":"Juran, J. M. (1995). A history of managing for quality. Milwaukee, Wisconsin: ASQC Quality Press, 557."},{"issue":"20","key":"ijsita.2014040104-28","first-page":"7","article-title":"Assessing IT\/business alignment, information strategy.","volume":"1","author":"J.Luftman","year":"2003","journal-title":"The Executive\u2019s Journal"},{"key":"ijsita.2014040104-29","unstructured":"Mackin, T., Darken, R., & Lewis, T. G. (2007). Managing risk in critical infrastructure using network modeling, critical infrastructure protection, elements of risk. George Mason University. 65-78. Retrieved from http:\/\/cip.gmu.edu\/archive\/archive\/RiskMonograph_1207_rv.pdf"},{"key":"ijsita.2014040104-30","first-page":"9","article-title":"Resilience in the healthcare industry.","author":"L.Mallak","year":"1998","journal-title":"7th Annual Industrial Engineering Research Conference"},{"key":"ijsita.2014040104-31","doi-asserted-by":"publisher","DOI":"10.1111\/j.1539-6924.2007.00955.x"},{"key":"ijsita.2014040104-32","doi-asserted-by":"publisher","DOI":"10.1287\/orsc.13.5.514.7808"},{"key":"ijsita.2014040104-33","unstructured":"National Association of Regulatory Utility Commissioners. (2012). Cybersecurity for state regulators. National Association of Regulatory Utility Commissioners. Retrieved from http:\/\/energy.gov\/sites\/prod\/files\/NARUC%20Cybersecurity%20for%20State%20Regulators%20Primer%20-%20June%202012.pdf"},{"issue":"7","key":"ijsita.2014040104-34","doi-asserted-by":"crossref","DOI":"10.1145\/362280.362284","article-title":"Managing the computer resource: A stage hypothesis.","volume":"17","author":"R. L.Nolan","year":"1973","journal-title":"Communications of the ACM"},{"key":"ijsita.2014040104-35","unstructured":"North American Electric Reliability Corporation. (2013). Reliability standards. North American Electric Reliability Corporation. Retrieved from http:\/\/www.nerc.com\/pa\/stand\/Pages\/default.aspx"},{"key":"ijsita.2014040104-36","unstructured":"Oman, P., Risley, A., Roberts, J., & Schweitzer, E. (2002). Attack and defend tools for remotely accessible control and protection equipment in electric power systems, Paper #15, Texas A&M Annual Conference for Protective Relay Engineers, College Station, Texas. Retrieved from http:\/\/ants.mju.ac.kr\/2008Spring\/%EC%A0%84%EB%A0%A5%202008%EB%85%84\/cases\/defend%20tools.pdf"},{"key":"ijsita.2014040104-37","unstructured":"Oman, P., Schweitzer, E., & Frincke, D. (2000). Concerns about intrusions into remotely accessible substation controllers and SCADA systems. In Proceedings of the Twenty-Seventh Annual Western Protective Relay Conference (Vol. 160). Retrieved from http:\/\/citeseerx.ist.psu.edu\/viewdoc\/download?doi=10.1.1.20.6519&rep=rep1&type=pdf"},{"key":"ijsita.2014040104-38","unstructured":"Patriot Act, U. S. A. (2001). Financial Crimes Enforcement Network, United States Department of Treasury. Retrieved from http:\/\/frwebgate.access.gpo.gov\/cgi-bin\/getdoc.cgi?dbname=107_cong_public_laws&docid=f:publ056.107.pdf"},{"key":"ijsita.2014040104-39","doi-asserted-by":"crossref","unstructured":"Paulk, M. C., Weber, C. V., Garcia, S. M., Chrissis, M. B., & Bush, M. (1993). Key practices of the capability maturity model, version 1.1. Software Engineering Institute, Carnegie Mellon University. Retrieved from http:\/\/www.sei.cmu.edu\/library\/abstracts\/reports\/93tr025.cfm","DOI":"10.21236\/ADA263432"},{"key":"ijsita.2014040104-40","unstructured":"Risk Management Society. (2014). Risk management maturity model. Risk Management Society. Retrieved from http:\/\/www.rims.org\/resources\/ERM\/Pages\/RiskMaturityModel.aspx"},{"key":"ijsita.2014040104-41","author":"W. A.Shewhart","year":"1931","journal-title":"Economic control of quality of manufactured product"},{"key":"ijsita.2014040104-42","author":"W. A.Shewhart","year":"1986","journal-title":"Statistical method from the viewpoint of quality control"},{"key":"ijsita.2014040104-43","doi-asserted-by":"publisher","DOI":"10.1007\/978-0-387-75462-8_6"},{"key":"ijsita.2014040104-44","unstructured":"Software Engineering Institute. (2009). SGMM: First annual report on smart grid implementation. Retrieved from http:\/\/www.sei.cmu.edu\/library\/assets\/sgmm.pdf"},{"key":"ijsita.2014040104-45","unstructured":"Software Engineering Institute. (2010). CERT resilience management model, version 1.0. technical report. Software Engineering Institute, Carnegie Mellon University. Retrieved from http:\/\/www.sei.cmu.edu\/library\/abstracts\/reports\/10tr012.cfm?DCSext.abstractsource=SearchResults"},{"key":"ijsita.2014040104-46","unstructured":"Software Engineering Institute. (2011a). CMMI. Capability maturity model \u2013 integration. Software Engineering Institute, Carnegie Mellon University. Retrieved from http:\/\/sei.cmu.edu\/cmmi"},{"key":"ijsita.2014040104-47","unstructured":"Software Engineering Institute. (2011b). CMMI for services. Software Engineering Institute, Carnegie Mellon University. Retrieved from http:\/\/www.sei.cmu.edu\/library\/abstracts\/reports\/10tr034.cfm"},{"key":"ijsita.2014040104-48","unstructured":"Software Engineering Institute. (2011c). Smart grid maturity model update. Software Engineering Institute, Carnegie Mellon University. http:\/\/www.sei.cmu.edu\/library\/assets\/brochures\/SGMM_2011.pdf"},{"key":"ijsita.2014040104-49","unstructured":"Steiner, S., Abraham, B., & MacKay, J. (1997). Understanding process capability indices. Institute for Improvement of Quality and Productivity, Department of Statistics and Actuarial Science, University of Waterloo, Waterloo, Ontario N2L 3G1. Retrieved from http:\/\/xa.yimg.com\/kq\/groups\/20114366\/26277246\/name\/Process+Capability.pdf"},{"key":"ijsita.2014040104-50","doi-asserted-by":"crossref","unstructured":"Ulieru, M., & Worthington, P. (2005). Holonic risk management framework. In Systems, Man and Cybernetics, 2005 IEEE International Conference on (Vol. 1, pp. 209-214). IEEE. Retrieved from http:\/\/ieeexplore.ieee.org\/xpl\/login.jsp?tp=&arnumber=1571147&url=http%3A%2F%2Fieeexplore.ieee.org%2Fxpls%2Fabs_all.jsp%3Farnumber%3D1571147","DOI":"10.1109\/ICSMC.2005.1571147"},{"key":"ijsita.2014040104-51","unstructured":"United States Department of Energy. (2013). Electricity subsector cybersecurity capability maturity model (ES-C2M2). United States Department of Energy. Retrieved from http:\/\/energy.gov\/oe\/services\/cybersecurity\/electricity-subsector-cybersecurity-capability-maturity-model"},{"key":"ijsita.2014040104-52","unstructured":"United States House of Representative. (2013). Cyber threats and security solutions. United States House of Representatives. Energy and Commerce Committee. Retrieved from http:\/\/www.gpo.gov\/fdsys\/pkg\/CRPT-113hrpt33\/pdf\/CRPT-113hrpt33.pdf"},{"key":"ijsita.2014040104-53","unstructured":"United States White House. (1998). Presidential decision directive\/NSC-63. Washington, DC: The White House. Retrieved from http:\/\/www.fas.org\/irp\/offdocs\/pdd\/pdd-63.htm"},{"key":"ijsita.2014040104-54","doi-asserted-by":"publisher","DOI":"10.1109\/MSP.2006.95"},{"key":"ijsita.2014040104-55","doi-asserted-by":"crossref","unstructured":"Von Wangenheim, C. G., Hauck, J. C. R., Salviano, C. F., & Von Wangenheim, A. (2010). Systematic literature review of software process capability\/maturity models. In Proceedings of International Conference on Software Process Improvement and Capabity Determination (SPICE), Pisa, Italy.","DOI":"10.1109\/MS.2010.96"},{"key":"ijsita.2014040104-56","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-11405-2_3"},{"key":"ijsita.2014040104-57","doi-asserted-by":"publisher","DOI":"10.1109\/PES.2010.5589785"},{"key":"ijsita.2014040104-58","doi-asserted-by":"publisher","DOI":"10.1108\/09685220810862751"}],"container-title":["International Journal of Strategic Information Technology and Applications"],"original-title":[],"language":"ng","link":[{"URL":"https:\/\/www.igi-global.com\/viewtitle.aspx?TitleId=122828","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2022,6,2]],"date-time":"2022-06-02T01:40:32Z","timestamp":1654134032000},"score":1,"resource":{"primary":{"URL":"https:\/\/services.igi-global.com\/resolvedoi\/resolve.aspx?doi=10.4018\/ijsita.2014040104"}},"subtitle":[""],"short-title":[],"issued":{"date-parts":[[2014,4,1]]},"references-count":59,"journal-issue":{"issue":"2","published-print":{"date-parts":[[2014,4]]}},"URL":"https:\/\/doi.org\/10.4018\/ijsita.2014040104","relation":{},"ISSN":["1947-3095","1947-3109"],"issn-type":[{"value":"1947-3095","type":"print"},{"value":"1947-3109","type":"electronic"}],"subject":[],"published":{"date-parts":[[2014,4,1]]}}}