Electronic Thesis and Dissertation Repository

Thesis Format



Master of Science


Computer Science


Kontogiannis, Prof. Kostas


In today’s data-driven world, Information Systems, particularly the ones operating in regulated industries, require comprehensive security frameworks to protect against loss of confidentiality, integrity, or availability of data, whether due to malice, accident or otherwise. Once such a security framework is in place, an organization must constantly monitor and assess the overall compliance of its systems to detect and rectify any issues found. This thesis presents a technique and a supporting toolkit to first model dependencies between security policies (referred to as controls) and, second, devise models that associate risk with policy violations. Third, devise algorithms that propagate risk when one or more policies are found to be non-compliant and fourth, propose a technique that evaluates the overall security posture risk of a system as a function of the non-compliant policies, the affected policies, and the time elapsed since these policy violations discovered but not have been mitigated yet. More specifically, the approach is based on modeling the dependencies between the different controls in the NIST 800.53 framework by compiling a dependency multi-graph, devising a fuzzy-reasoning-based risk assessment technique that traverses the dependency multi-graph and assigns an overall security exposure risk score when one or more controls fail, and finally a technique for identifying the strategies an attacker can use, given the failed controls, and for which an organization should defend itself. This approach allows organizations to obtain a bird’s-eye view of their Information Systems’ cyber security posture and help triage the security control checks by focusing on the most vulnerable parts of their Information System ecosystem.

Summary for Lay Audience

The thesis is about designing and developing a cyber security methodology to assess a system’s compliance against specific standard security frameworks, especially when the system operates in heavily regulated industries. These frameworks, such as the NIST 800.53, provide a collection of prescribed policies a system must comply with and are known as security controls. The collective states of the controls at any given time, whether they are violated or not, define what we refer to as the security posture of the Information System. However, having a snapshot of the security posture is insufficient to protect information and verify compliance. We must also constantly assess the system’s posture and ensure potential risks are mitigated within the time allowed. The work performed in this research focuses on developing a novel method for assessing a failed security control’s impact on other controls and evaluating the overall cybersecurity risk in the presence of such failures. This way, organizations can determine whether there are any weak spots in their cyber security and fix them promptly. The research aims to help organizations protect their information and prevent attacks that could harm their business.