Developing Cyber Security Risk Assessment Framework for Railways Industry in Ethiopia

Abstract

Cybersecurity is very crucial for the railway's industry. The railway's organization should protect its asset from possible threats. An organization needs to assess cybersecurity risks primary to protect the assets. In order to conduct a cybersecurity risk assessment, a framework should be developed first. The researcher identified and investigated the railway's industry problem in Ethiopia and the gap of previous cybersecurity risk assessment standards, guidelines and frameworks and come up with the solution. The general objective of this research is to develop an integrated cybersecurity risk assessment framework for the railway's industry in Ethiopia to improve the level of safety and security. The synthesized result of thematic data analysis and the relevant framework, standard, guidelines such as ISO27001, NIST SP 800-30, and critical mass cybersecurity requirement standard is used to develop cybersecurity risk assessment framework for railways industry in Ethiopia. The national cybersecurity risk assessment process has3 main levels that are national, sectoral and organizational. The organizational level risk assessment process also has 3 main level that is strategic tactical/managerial and operational level. The organizational operational level has a total of 13 components that include cybersecurity strategic management awareness, organizational structure, established system context, purpose, scope, identify assets & intrusion detection, identify threats, identify vulnerability determine likelihood, determine impact, risk evaluation, communicate result and risk identification & evaluation update opportunity. The design science approach is applied in this study to develop and evaluate the framework. To evaluate the framework the researcher used a descriptive approach which is scenario and panel of expert’s method. The data is collected from Ethiopian Railways Corporation and Information Network Security agency then thematic data analysis approach is applied to analyze and interpret the data. Though two studies conducted on the financial sector in Ethiopia, the methodology to conduct this study and few CSRA process components (specific to the railway's industry in Ethiopia) makes this research different from the other two. Thus it provides the opportunity to extend the knowledge area. The result of this research can help improve organization cybersecurity risk assessment process.