Opportunity Makes the Thief. A Risk Analysis and Vulnerability Identification Approach in Information Security Management Systems as a Method of Countering Cybercrimes

Krzysztof Świtała

Cardinal Stefan Wyszyński University in Warsaw, Poland
https://orcid.org/0000-0003-0426-5383


Abstract

Data processing in ICT systems is a fundamental activity of the information society. The aim of this article is to present tools specific to information security management systems (ISMS), namely risk analysis and vulnerability analysis, as solutions that can reduce the incidence of cybercrime. Since a vulnerability in an ICT system is the opportunity that an offender exploits, limiting such vulnerabilities can be regarded as a proactive method of preventing these criminal acts. The considerations include legal instruments such as the GDPR and the NIS2 Directive, which prescribe breach and incident management procedures and adopt a risk-based approach. The new NIS2 Directive also provides for vulnerability analysis, together with mechanisms for reporting vulnerabilities and exchanging such information between authorized entities; this is an essential tool for increasing the resilience of ICT systems by securing their weakest links. Technical standards from the ISO/IEC 27000 family of information security standards are also covered in this article. The interdisciplinary nature of the subject matter further implies a discussion of methods of increasing the effectiveness of security in ICT systems, such as penetration testing and hardening.

Keywords:

cybersecurity, cybercrime, ISMS, risk management, vulnerability analysis





Published
2025-03-31


Świtała, K. (2025). Opportunity Makes the Thief. A Risk Analysis and Vulnerability Identification Approach in Information Security Management Systems as a Method of Countering Cybercrimes. Review of European and Comparative Law, 60(1), 189–201. https://doi.org/10.31743/recl.18192

Krzysztof Świtała  k.switala@uksw.edu.pl
Cardinal Stefan Wyszyński University in Warsaw https://orcid.org/0000-0003-0426-5383


License


This work is licensed under a Creative Commons Attribution 4.0 International License.