Threat Modeling and Cyber Risk Management for Mitigation of Attacks on Government XYZ Corporate Services Applications
Threat Modeling and Cyber Risk Management for Mitigation of Attacks on Government XYZ Corporate Services Applications |
||
 |
 |
|
| © 2025 by IJETT Journal | ||
| Volume-73 Issue-6 |
||
| Year of Publication : 2025 | ||
| Author : Cakra Wibi Sasmito, Aditya Kurniawan | ||
| DOI : 10.14445/22315381/IJETT-V73I6P140 | ||
How to Cite?
Cakra Wibi Sasmito, Aditya Kurniawan, "Threat Modeling and Cyber Risk Management for Mitigation of Attacks on Government XYZ Corporate Services Applications," International Journal of Engineering Trends and Technology, vol. 73, no. 6, pp.485-495, 2025. Crossref, https://doi.org/10.14445/22315381/IJETT-V73I6P140
Abstract
This study aims to develop an end-to-end threat modelling and cyber threat remediation framework for the Corporate Services Application at Government XYZ. Since the cybersecurity threat landscape continues to evolve, government agencies need one threat modelling approach. This study fills the gap by integrating the NIST SP 800-30 risk management framework and MITRE ATT&CK, using threat intelligence from Web Application Firewall (WAF) and Intrusion Prevention System (IPS) logs. The suggested framework hierarchically decomposes, classifies, and prioritizes cyber threats to facilitate accurate risk estimation and mitigation plans specific to Government XYZ. According to the FAIR Institute’s risk quantification model, impact analysis is also part of this study and is converted to Indonesian GDP to quantify financial loss due to cyber threats. By integrating these methods, organizations can develop a formal threat identification and risk assessment process, minimizing the intricacies of cybersecurity endeavors. The results can enable the identification of high-risk attack vectors, determine their economic effect, and inform the allocation of resources toward better security controls. The present study offers a practical guideline for government agencies to improve resiliency against cyber threats while supporting Indonesia’s priority agenda for cybersecurity.
Keywords
Cyber risk management, Cybersecurity, MITRE ATT&CK framework, NIST SP800-30, Threat modeling.
References
[1] IBM Security, “Cost of a Data Breach Report 2024,” IBM, 2024.
[Publisher Link]
[2] “The Global Risks Report 2024,” World Economic Forum, 2024.
[Publisher Link]
[3] Positive Research 2023, Positive Technologies, 2023. [Online]. Available: https://global.ptsecurity.com/analytics/positive-research-2023
[4] Chuck Brooks, Cybersecurity Trends & Statistics For 2023; What You Need To Know, forbes, 2023. [Online]. Available: https://www.forbes.com/sites/chuckbrooks/2023/03/05/cybersecurity-trends--statistics-for-2023-more-treachery-and-risk-ahead-as-attack-surface-and-hacker-capabilities-grow/
[5] Mei Lanni, and Aditya Kurniawan, “Boosting Cyber Risk Assessment in Government Entities through Combined NIST and MITRE ATT&CK Threat Modeling,” Journal of System and Management Sciences, vol. 14, no. 6, pp. 283-299, 2024.
[CrossRef] [Google Scholar] [Publisher Link]
[6] Mohamed Ahmed et al., “MITRE ATT&CK-Driven Cyber Risk Assessment,” Proceedings of the 17th International Conference on Availability, Reliability and Security, Vienna, Austria, pp. 1-10, 2022.
[CrossRef] [Google Scholar] [Publisher Link]
[7] Eko Supristiowadi, and Yudho Giri Sucahyo, “Information Security Risk Management in the Financial Application System at the Agency Level (sakti) of the Ministry of Finance,” Indonesian Treasury Review: Journal of Treasury, State Finance and Public Policy, vol. 3, no. 1, pp. 22-33, 2018.
[Google Scholar]
[8] Muhamad Al Fikri et al., “Risk Assessment Using NIST SP 800-30 Revision 1 and ISO 27005 Combination Technique,” Procedia Computer Science, vol. 161, pp. 1206-1215, 2019.
[CrossRef] [Google Scholar] [Publisher Link]
[9] Xiong Wenjun, and Robert Lagerström, “Threat Modeling-A Systematic Literature Review,” Computers and Security, vol. 84, pp. 53-69, 2019.
[CrossRef] [Google Scholar] [Publisher Link]
[10] Rawan Al-Shaer, Jonathan M. Spring, and Eliana Christou, “Learning the Associations of MITRE ATT&CK,” 2020 IEEE Conference on Communications and Network Security (CNS), Avignon, France, pp. 1-9, 2020.
[CrossRef] [Google Scholar] [Publisher Link]
[11] Roger Kwon et al., “Cyber Threat Dictionary Using MITRE ATT&CK Matrix and NIST Cybersecurity Framework Mapping,” 2020 Resilience Week (RWS), Salt Lake City, UT, USA, pp. 106-112, 2020.
[CrossRef] [Google Scholar] [Publisher Link]
[12] Branko Bokan, and Joost Santos “Threat Modeling for Enterprise Cybersecurity Architecture,” 2022 Systems and Information Engineering Design Symposium (SIEDS), Charlottesville, VA, USA, pp. 25-30, 2022.
[CrossRef] [Google Scholar] [Publisher Link]
[13] Mathias Ekstedt et al., “Yet another Cybersecurity Risk Assessment Framework,” International Journal of Information Security, vol. 22, no. 6, pp. 1713-1729, 2023.
[CrossRef] [Google Scholar] [Publisher Link]
[14] Muhammad Khairul Faridi, Imam Riadi, and Yudi Prayudi, “E-Health Security System Threat Modeling Using STRIDE and DREAD Methods,” Edumatic: Journal of Informatics Education, vol. 5, no. 2, pp. 157-166, 2021.
[CrossRef] [Google Scholar] [Publisher Link]
[15] Azis Catur Laksono, and Yudi Prayudi, “Threat Modeling Using STRIDE and DREAD Approaches to Identify Security Risks and Mitigation in Academic Information Systems,” JUSTINDO (Indonesian Journal of Information Systems and Technology), vol. 6, no. 1, pp. 9-10, 2021.
[CrossRef] [Google Scholar] [Publisher Link]
[16] A.A. Putro, A. Ambarwati, and E. Setiawan, “Edlink E-Learning Risk Management Analysis Using NIST SP 800-30 Revision 1 Method,” Journal of Technology and Information (JATI), vol. 11, no. 2, pp. 125-136, 2021.
[CrossRef] [Google Scholar] [Publisher Link]
[17] Ranggi Praharaningtyas Aji, Maruf Maftukhin, and Rizky Bangkit Bachtiar, “Information System Risk Management at Purwokerto Regional Library,” JATISI (Journal of Informatics Engineering and Information Systems), vol. 8, no. 1, pp. 261-272, 2021.
[Google Scholar]
[18] Alma Iftina Azzahra Ain, Alawudiyah Ambarwati, and Lukman Junaedi, “Information Technology Risk Management and Asset Security Analysis Using Nist Sp 800-30 Revision 1,” Journal of Computer Science and Business, vol. 13, no. 2a, pp. 155-165, 2022.
[CrossRef] [Google Scholar] [Publisher Link]
[19] Adi Arga Arifnur, Hery Heryanto, and Yoga Megasyah, “Risk Management of Archiving Information Systems using NIST SP 800-30 at Kopertis Region IV Bandung,” The National Journal of Technology and Information Systems (TEKNOSI), vol. 9, no. 2, pp. 208-217, 2023.
[CrossRef] [Google Scholar] [Publisher Link]