Modelling language for cyber security incident handling for critical infrastructures


Mouratidis, H., Islam, S., Santos-Olmo, A., Sanchez, L. E. and Ismail, U. M. 2023. Modelling language for cyber security incident handling for critical infrastructures. Computers & Security. 128 (Art. 103139).
AuthorsMouratidis, H., Islam, S., Santos-Olmo, A., Sanchez, L. E. and Ismail, U. M.

Cyber security incident handling is a consistent methodology with which to ensure overall business continuity. However, specifically handling incidents for critical information infrastructures is challenging owing to the inherent complexity and evolving nature of the threat. Despite the number of contributions made to cyber incident handling, there is little evidence of literature that focuses on modelling activities that will enhance developers’ abilities to model incident handling processes and activities according to different views. Modelling languages of this nature should integrate essential concepts and a descriptive implementation process in order to enable developers to analyse, represent and reason about the crucial incident handling efforts required to support critical information infrastructures. The aim of this paper is, as part of the CyberSANE EU project, to develop a Cyber Incident Handling Modelling Language (CIHML) that focuses explicitly on modelling incident handling in the context of a critical information infrastructure. The work is innovative in its approach because it consolidates concepts from various domains such as security requirements, forensics, threat intelligence, critical infrastructures and cyber incident handling. The approach will allow the phases of the incident handling lifecycle to be modelled from three different views (critical information infrastructures, threat and risk analysis, and incident response). An implementation process is also proposed, which will serve as a comprehensive guide for developers in order to create these modelling views. Finally, CIHML is evaluated using a real-life scenario from the CyberSANE project to demonstrate its applicability. The incident observed had a severe impact on the overall business continuity of the context studied. The results obtained from the study show that CIHML can help critical information infrastructure operators to identify, evaluate, represent and model cyber incidents in critical information systems, in addition to providing the support required to determine the response strategies needed in order to mitigate these cyber-attacks.

JournalComputers & Security
Journal citation128 (Art. 103139)
Publisher's version
File Access Level
Digital Object Identifier (DOI)
Publication dates
Online15 Feb 2023
Publication process dates
Accepted12 Feb 2023
Deposited09 Mar 2023
FunderEuropean Union Horizon 2020
Ministerio de Ciencia e Innovación
Copyright holder© 2023 The Author(s).
Permalink -

Download files

Publisher's version
  • 88
    total views
  • 213
    total downloads
  • 12
    views this month
  • 17
    downloads this month

Export as

Related outputs

Vulnerability prediction for secure healthcare supply chain service delivery
Islam, S., Abba, A., Ismail, U., Mouratidis, H. and Papastergiou, S. 2022. Vulnerability prediction for secure healthcare supply chain service delivery. Integrated Computer-Aided Engineering. 29 (4), pp. 389-409.