Research Article

Risk Modelling of Cyber Threats Against MIS and ERP Applications

Year 2024, Volume: 11, Issue: 2, 502 - 530, 31.12.2024
https://doi.org/10.47097/piar.1550812

Abstract

This study presents a detailed examination of cyber threats impacting Management Information Systems (MIS) and Enterprise Resource Planning (ERP) applications. It explores various types of cyber threats, such as malware, ransomware, phishing, insider threats, DDoS attacks, zero-day exploits, and Advanced Persistent Threats (APTs), assessing their potential impacts on businesses. The study introduces a novel risk modeling approach to quantify these threats by evaluating their threat levels, impacts, and probabilities of occurrence, providing a comprehensive risk score. Emphasizing the importance of proactive measures, advanced security technologies, and a strong organizational culture, the study highlights how these elements are crucial for effective cybersecurity. By integrating these strategies and continuously updating security measures, businesses can better protect their critical systems and mitigate the risks posed by evolving cyber threats.


Turkish title: MIS ve ERP Uygulamalarına Yönelik Siber Tehditlerin Risk Modellemesi



Details

Primary Language: English
Subjects: Human Resources and Industrial Relations (Other), E-Commerce, Technology Management
Section: Research Articles
Authors

Ahmet Efe 0000-0002-2691-7517

Publication Date: December 31, 2024
Submission Date: September 16, 2024
Acceptance Date: December 24, 2024
Published in Issue: Year 2024, Volume: 11, Issue: 2

Cite

APA Efe, A. (2024). Risk Modelling of Cyber Threats Against MIS and ERP Applications. Pamukkale Üniversitesi İşletme Araştırmaları Dergisi, 11(2), 502-530. https://doi.org/10.47097/piar.1550812

The copyrights of articles published in Pamukkale Üniversitesi İşletme Araştırmaları Dergisi are covered by the Creative Commons Attribution-NonCommercial 4.0 International License (CC BY-NC-ND 4.0).
