A Flexible Risk-Based Security Evaluation Methodology for Information Communication Technology System Certification

Bibliographic Details
Main Authors: Sara N. Matheu, Juan F. Martínez-Gil, Irene Bicchierai, Jan Marchel, Radosław Piliszek, Antonio Skarmeta
Format: Article
Language: English
Published: MDPI AG 2025-02-01
Series: Applied Sciences
Subjects: cybersecurity certification; risk assessment; ICT systems; security evaluation; MUD standard; security labeling
Online Access:https://www.mdpi.com/2076-3417/15/3/1600

Description

As Information and Communication Technology (ICT) systems become increasingly complex, the need for adaptable and efficient security certification frameworks grows. This paper introduces a flexible security evaluation methodology designed to serve as the foundation for cybersecurity certification across diverse ICT systems. The proposed methodology integrates risk assessment with test-based evaluation, offering a scalable approach that adapts to different tools and processes and addresses the limitations of existing rigid certification schemes. The certification approach expands on ETSI's Risk-Based Security Assessment and Testing methods, which build on ISO 31000 (risk management) and ISO 29119 (software testing), and integrates widely recognized standards such as MUD (Manufacturer Usage Description, RFC 8520). This ensures an objective, empirical evaluation process that enables partial automation and simplifies recertification. As a proof of concept, we validate the methodology in two real use cases, an ICT gateway for smart grids and an AI-powered investment platform, demonstrating its flexibility and applicability to real-world contexts while addressing the challenges of modern ICT ecosystems.

ISSN: 2076-3417
Volume 15, Issue 3, Article 1600
DOI: 10.3390/app15031600
DOAJ record ID: doaj-art-42bc696e2bb946f9b438756db19db133

Author affiliations:
Sara N. Matheu: Department of Information and Communication Engineering, Computer Science Faculty, University of Murcia, 30100 Murcia, Spain
Juan F. Martínez-Gil: Department of Information and Communication Engineering, Computer Science Faculty, University of Murcia, 30100 Murcia, Spain
Irene Bicchierai: ResilTech s.r.l., Piazza Nilde Iotti, 25, 56025 Pontedera, Italy
Jan Marchel: 7bulls.com, Aleja Armii Ludowej 26, 00-609 Warszawa, Poland
Radosław Piliszek: 7bulls.com, Aleja Armii Ludowej 26, 00-609 Warszawa, Poland
Antonio Skarmeta: Department of Information and Communication Engineering, Computer Science Faculty, University of Murcia, 30100 Murcia, Spain