Study on the identification of indicators and substantiation of threshold values for cyber security incidents with significant impact, necessary for the transposition of the EU Directive 1148/2016 in Romania

Project Manager: Dr. Eng. Adrian Victor VEVERA – Scientific Researcher II


Overall objectives of the project

  • identifying the best methodologies for determining the impact of IT security incidents at both the organization level and the national level;
  • identifying the best computational methodologies as well as the most relevant statistical data sources and information for the establishment of the threshold values necessary to implement the requirements of the NIS Directive on cross-sectorial criteria;
  • identifying the specific sectorial criteria needed for the assessment of the impact of a cyber security incident at the level of the national operators of essential services, for each activity sector included in the Annex to the Directive;
  • calculating and proposing, by applying the methodologies and using the data from previous research stages, a set of threshold values for the identified cross-sectorial and sectorial criteria;
  • extending the methodologies and criteria identified in previous activities at the level of IT systems other than those of essential service providers;
  • the analysis of cyber security incidents reported at national and European level and the periodic review of thresholds for cyber-security incidents with significant impact.

Project description

The project is useful because it provides the scientific substantiation for the normative acts that follow the transposition of the NIS Directive. It proposes methodologies and sets specific criteria and threshold values for them, both for the initial establishment and for the subsequent updating of the criteria and threshold values used to establish the impact of incidents and to identify essential services.

Results

  • research report on the analysis of the methods for determining the impact of computer security incidents;
  • research report on calculation methodology, statistical data sources and information relevant for setting the threshold values required to implement the requirements of the NIS Directive on cross-sectoral criteria;
  • study on the impact of a computer security incident and the list of specific sectoral criteria for determining the impact of an IT security incident for each of the sectors of activity in the Annex to Directive 1148/2016, the calculation methodology and the relevant data sources needed to calculate the threshold values;
  • the calculation methodology, the statistical data sources and the information relevant for establishing the threshold values required to implement in practice the requirements of the NIS Directive on cross-sectorial criteria;
  • proposing a threshold set of cross-sectorial and sectorial criteria to establish the impact on essential service operators in line with Directive 1148/2016;
  • a set of methodologies and criteria applicable to information systems other than those of essential service providers;
  • developing a study on cyber security incidents reported at national and European level and proposals for revising thresholds for cyber security incidents with significant impact.