Date of Award

Spring 3-2022

Document Type

Dissertation

Degree Name

Doctor of Philosophy (PhD)

First Advisor

Shengjie Xu, Ph.D.

Second Advisor

Omar El-Gayar, Ph.D.

Third Advisor

Austin O'Brien, Ph.D.

Abstract

To reduce or eliminate the impact of a cyber-attack on an organization, preparations to recover a failed system and/or data are usually made in anticipation of such an attack. To avoid a false sense of security, these preparations should, as closely as possible, reflect the organization’s capabilities, in order to inform future improvement and avoid unattainable goals. There is an absence of a strong basis for the selection of the metrics that are used to measure preparation. Informal and unreliable processes are widely used, and they often result in metrics that conflict with the organization’s capabilities and interests. The goal of this research was to establish a process that could be used to assess and validate an organization’s recovery objectives by ensuring the selection of metrics that align with the organization’s true capabilities.

To form the basis for a formalized process for selecting recovery metrics, a decision model is proposed to ensure that, at the minimum, an organization’s technical capabilities are considered, and that on the other hand, risk tolerance thresholds are not exceeded. A short survey of qualified practitioners was conducted to determine the preferred recovery metrics and other important priorities based on the expected impact of a cyber-attack. The results revealed that organizations mostly prefer to use the popular or well-known recovery objectives (RTO and RPO), and it was demonstrated that by using a clear and well-defined process, these metrics can be objectively and reliably established. Finally, considering the capabilities of an organization’s information systems, mathematical relationships between these metrics and other existing recovery metrics are proposed as part of the decision model to ensure that these recovery objectives are established within the organization’s technical and economic limits.

The resulting artifact was first evaluated using a numeric experiment to demonstrate its mathematical and technical soundness. It was then compared directly to previously proposed models using five different criteria to validate its ability to contribute meaningfully to the solution sought for the research problem. The comparison confirmed the utility, feasibility, repeatability, and reliability of the proposed solution. The artifact was then applied in a case study using an illustrative scenario comprising of real-world statistics. The findings were used to demonstrate that if a history of an information system’s performance in preparatory activities such as backup operations and recovery drills is incorporated into decisions concerning the selection of recovery objectives, the resulting metrics will more accurately represent the ability to satisfactorily recover the systems in an actual incident. This was verified by recommendations based on established frameworks. Finally, the resulting model was presented to qualified experts for expert opinion, and positive feedback was received from both technical and business operations perspectives. It was then concluded that recovery objectives can be established in alignment with the relevant details of an organization’s information systems, and that the impact on the organization’s ability to conduct recovery operations more effectively will be positive.

Share

COinS