de Kinde en, Syb en; Kaczma ek-Heß, Monika; Hacks, Simon
A icle — Published Ve sion
A Mul i-le el Re e ence Model and a Dedica ed Me hod o
Cybe -Secu i y by Design
Business & In o ma ion Sys ems Enginee ing
P o ided in Coope a ion wi h:
Sp inge Na u e
Sugges ed Ci a ion: de Kinde en, Syb en; Kaczma ek-Heß, Monika; Hacks, Simon (2024) : A Mul i-le el
Re e ence Model and a Dedica ed Me hod o Cybe -Secu i y by Design, Business & In o ma ion
Sys ems Enginee ing, ISSN 1867-0202, Sp inge Fachmedien Wiesbaden GmbH, Wiesbaden, Vol. 67,
Iss. 4, pp. 511-530,
h ps://doi.o g/10.1007/s12599-024-00899-y
This Ve sion is a ailable a :
h ps://hdl.handle.ne /10419/330634
S anda d-Nu zungsbedingungen:
Die Dokumen e au EconS o dü en zu eigenen wissenscha lichen
Zwecken und zum P i a geb auch gespeiche und kopie we den.
Sie dü en die Dokumen e nich ü ö en liche ode komme zielle
Zwecke e iel äl igen, ö en lich auss ellen, ö en lich zugänglich
machen, e eiben ode ande wei ig nu zen.
So e n die Ve asse die Dokumen e un e Open-Con en -Lizenzen
(insbesonde e CC-Lizenzen) zu Ve ügung ges ell haben soll en,
gel en abweichend on diesen Nu zungsbedingungen die in de do
genann en Lizenz gewäh en Nu zungs ech e.
Te ms o use:
Documen s in EconS o may be sa ed and copied o you pe sonal
and schola ly pu poses.
You a e no o copy documen s o public o comme cial pu poses, o
exhibi he documen s publicly, o make hem publicly a ailable on he
in e ne , o o dis ibu e o o he wise use he documen s in public.
I he documen s ha e been made a ailable unde an Open Con en
Licence (especially C ea i e Commons Licences), you may exe cise
u he usage igh s as speci ied in he indica ed licence.
h ps://c ea i ecommons.o g/licenses/by/4.0/
RESEARCH PAPER
A Mul i-le el Re e ence Model and a Dedica ed Me hod
o Cybe -Secu i y by Design
On he Example o he Elec ici y Sec o
Syb en de Kinde en •Monika Kaczma ek-Heß •Simon Hacks
Recei ed: 10 Oc obe 2023 / Accep ed: 24 May 2024 / Published online: 28 Oc obe 2024
ÓThe Au ho (s) 2024
Abs ac The inc eased eliance o o ganiza ions on
in o ma ion echnology inhe en ly inc eases hei ulne a-
bili y o cybe -secu i y a acks. As a esponse, a hos o
cybe -secu i y app oaches exis s. While use ul, hese
app oaches exhibi sho comings such as an inclina ion o
be agmen ed, no accoun ing o up- o-da e o ganiza-
ional da a, ocusing on singula ulne abili ies only, and
being eac i e, i.e., ocusing on pa ching up ulne abili ies
in cu en sys ems. The pape p esen s and e alua es a
modeling me hod aiming o add ess hose sho comings
and o suppo secu i y by design wi h a ocus on he
elec ici y sec o . The p oposed modeling me hod encom-
passes a mul i-le el e e ence model econs uc ing and
in eg a ing exis ing ini ia i es and suppo ing op-down
and bo om-up analyses. Compa ed o ea lie wo k, he
pape con ibu es (1) a p ocess model o cybe -secu i y by
design, which p oac i ely conside s secu i y as a i s -class
ci izen du ing he design p ocess, (2) a comple e co e age
o he mul i-le el model, in e ms o h ee iews comple-
men ing he in oduced p ocess model, (3) an elabo a ed
e alua ion, in e ms o epo ing on an addi ional design
science cycle.
Keywo ds Cybe -secu i y by design Modeling me hod
Secu i y e e ence amewo k Secu i y analysis Mul i-
le el modeling
1 In oduc ion
In he con ex o digi al ans o ma ion, in o ma ion ech-
nology (IT) has b ough abou conside able changes in
a ious indus ies, whe he s uc u al o ganiza ional chan-
ges, alue c ea ion, o o he s (Vial 2019; K aus e al.
2022). Conside he digi al ans o ma ion o he elec ici y
sec o , which is also in he ocus o his pape : digi al
ans o ma ion enables a a ie y o new business mod-
els (Nies en and Alkemade 2016; Pauks ad and Becke
2021), such as sma elec ic ehicles, whe e IT can be
used o op imize cha ging imes (Nies en and Alkemade
2016; Pauks ad and Becke 2021), o sma decen alized
ene gy sou ces, whe e p edic i e main enance may be used
o example o suppo o sho e wind u bines (Pauks ad
and Becke 2021). Ne e heless, digi al ans o ma ion also
inhe en ly comes wi h a a ie y o challenges. Among
hese a e (cybe -)secu i y conce ns, bo h o indus ies in
gene al (Vial 2019) and o he elec ici y sec o in pa -
icula (Cozzi e al. 2017, p. 124). Digi al ans o ma ion
especially includes a ulle in eg a ion o he di e en
componen s o e he in e ne , leading o a g ea e a ack
su ace, i.e., o mo e ulne abili ies and en y poin s ha
a acke s can le e age (Mo
¨lle 2023). These weaknesses
can de as a e he di e en digi ized uni s, such as o gani-
za ions, indus ies, o egions. This had been, o example,
demons a ed o he elec ici y sec o by a well-
Accep ed a e 1 e ision by Hans-Geo g Fill.
S. de Kinde en (&)
In o ma ion Sys ems G oup, Eindho en Uni e si y o
Technology, G oene Lope 3, 5612 AE Eindho en, The
Ne he lands
e-mail: [email p o ec ed]
M. Kaczma ek-Heß
Resea ch G oup o In o ma ion Sys ems and En e p ise
Modeling, Uni e si y o Duisbu g-Essen, Uni e si a
¨ ss aße 9,
45141 Essen, Ge many
S. Hacks
Depa men o Compu e and Sys ems Sciences, S ockholm
Uni e si y, Bo ga jo dsga an, 164 55 Kis a, Sweden
123
Bus In Sys Eng 67(4):511–530 (2025)
h ps://doi.o g/10.1007/s12599-024-00899-y
o ches a ed cybe -secu i y a ack on he Uk ainian elec-
ici y g id, a ge ing he IT in as uc u e o a egional
elec ici y dis ibu ion company, which caused powe
ou ages a ec ing app oxima ely 225,000 households (Case
2016; S ellios e al. 2018).
Cybe -secu i y has o en been ea ed as some hing o be
accoun ed o o added la e o exis ing applica ions and
sys ems (Wya 2017). Recen ly, i has become clea ha o
keep up wi h he inc easing equency and sophis ica ion o
a acks on IT in as uc u es, in con as o he adi ional
secu i y-by-obscu i y p inciples, o ganiza ions need o
apply a p oac i e app oach (Ab aham e al. 2019). Ra he
han ea ing cybe -secu i y as an a e hough o a sup-
plemen a y laye o be added o exis ing sys ems, i is
inc easingly ecognized ha a holis ic, in eg a ed app oach
is essen ial. This sys emic pe spec i e, o en encapsula ed
in he concep o cybe -secu i y by design, emphasizes he
necessi y o inco po a ing cybe -secu i y conside a ions
h oughou he en i e p oduc li ecycle (Geismann e al.
2018). Such an app oach inhe en ly acknowledges ha a
sys em’s esilience agains h ea s is signi ican ly enhanced
when secu i y is embedded in e e y pa o he sys em’s
a chi ec u e a he han being acked on. This pa adigm
shi owa ds iewing secu i y as an in eg al, insepa able
aspec o sys em design unde sco es he ele ance and
supe io i y o a sys emic app oach o e piecemeal s a e-
gies, highligh ing ha he sys em is mo e han he sum o
i s pa s.
Despi e a ious ini ia i es which a e ocused on e alu-
a ing and enhancing cybe -secu i y by design, challenges
pe sis in speci ic a eas. Fo ins ance, secu ing SCADA
sys ems (Che dan se a e al. 2016) and ensu ing cybe -
secu i y wi hin pa icula domains like sma g ids (Da eh
e al. 2022) p esen unique di icul ies (Che dan se a e al.
2016; de Kinde en e al. 2022).
Fi s , he app oaches end o be agmen ed, and lack
comp ehensi e co e age o li e-cycle phases ele an o
secu i y by design (Geismann e al. 2018). Fo one, he e is
a ocus ei he on op-down secu i y equi emen s analysis
( o example, wi h he NISTIR 7628) o on analyzing
speci ic ulne abili ies, a acks, and coun e measu es, bu
no on bo h. Second, he exis ing app oaches ocus on
singula ulne abili ies o componen s, no he sys em
which comp ises hese componen s. Thi d, he app oaches
insu icien ly accoun o up- o-da e da a on secu i y
a acks, and ou hly, hey o en lack so wa e ool suppo .
To add ess hese challenges and help o ganiza ions
ollow he cybe -secu i y by design p inciples, we deem
concep ual modeling (Mylopoulos 1992) o be a p omising
ins umen , and he e o e, we ha e p oposed in ou p e i-
ous wo k a e e ence model o cybe -secu i y by design
o sma g ids (de Kinde en e al. 2022), which combines
he NISTIR 7628 (Na ional Ins i u e o S anda ds and
Technology 2010) wi h a h ea modeling language (Ka -
sikeas e al. 2020). The e e ence model p o ides s a ic
suppo o end- o-end model-based cybe -secu i y analy-
sis, and as such suppo s secu i y and domain expe s
which only ha e basic knowledge o he o he s (i.e.,
secu i y o he domain unde s udy) o design secu e sys-
ems. Namely, he de eloped e e ence model p o ides
suppo du ing all phases: s a ing om he iden i ica ion o
(secu i y) equi emen s, h ough he iden i ica ion o ele-
an asse s, assessmen o isk and iden i ica ion o coun-
e measu es, o, inally, he design o a suppo ing
a chi ec u e. Please no e ha he e he e m ‘‘sys em‘‘ ep-
esen s an en i e o ganiza ion as i comp ises a combina ion
o in e ac ing componen s o applica ions. Thus, ou
app oach does no add ess he cybe -secu i y analysis o a
single componen o applica ion.
As he ini ial e e ence model i sel suppo ed a op-
down secu i y analysis (de Kinde en e al. 2022), o sup-
po he bo om-up secu i y analysis, such as ulne abili y
analysis, we complemen ed he e e ence model wi h
a ack simula ions (Hacks e al. 2022). To his aim, we
ex ended he e e ence model by including he aspec s
equi ed o he ulne abili y analysis and we p o ided
suppo o simula ions and h ea s analysis based on he
ex ended model.
Bo h p e ious wo ks ocus on ooling (i.e., he e e ence
model (de Kinde en e al. 2022) and he a ack simula-
ions (Hacks e al. 2022)). As such, hey do no o e
guidance on how conc e e e e ence model ins ances can
be c ea ed, meaning ha me hodical suppo is lacking.
Acco dingly, in his pape , we ackle he ollowing
esea ch ques ion: How can he p oposed mul i-le el e -
e ence model be explici ly used o suppo comp ehensi e
secu i y analyses o cybe -secu i y by design? To add ess
his ques ion, we p o ide a co esponding p ocess model
ha guides he use o he mul i-le el e e ence model and
suppo ing ools and discuss i s applica ion in he elec-
ici y sec o . In addi ion, his pape epo s on a alida ion
o ou modeling me hod.
Ou wo k i s squa ely wi hin design science (He ne
e al. 2004) and ollows he enginee ing cycles as p oposed
by Wie inga (2014). In his pape , we co e a comple e
enginee ing cycle which is a con inua ion o he ou comes
o wo p e ious enginee ing cycles. As such, i can be
cha ac e ized as ollows: (1) P oblem iden i ica ion and
ea men design: based on exis ing h ea modeling
app oaches, we design a p ocess ha sui s he demands o a
mul i-le el h ea model while accoun ing o he bi-di-
ec ional op-down and bo om-up secu i y design. Fo
ea men design, we iden i y equi emen s based on
insigh s om p e ious enginee ing cycles. (2) T ea men
implemen a ion: Besides he design o he new p ocess, we
ha e ex ended he ea lie e sion o he mul i-le el model
123
512 S. de Kinde en e al.: A Mul i-Le el Re e ence Model..., Bus In Sys Eng 67(4):511–530 (2025)
o be in line wi h he equi emen s. Addi ionally o he
ex ensions, we o ganize he mul i-le el model in o iew-
poin s, each o which accompanies he p ocess model.
(3) T ea men alida ion: we pe o m a ligh weigh
demons a ion o he p oposed me hod including ou
ex ended model and he p ocess in in e iews wi h h ee
expe s om he elec ici y sec o , cybe -secu i y domain,
and modeling domain.
This pape a ge s bo h esea che s and p ac i ione s
who a e ac i e and/o in e es ed in cybe -secu i y by design
and/o he elec ici y sec o . Fo esea che s, we discuss a
mul i-le el e e ence model and a dedica ed me hod in he
con ex o cybe -secu i y by design, bene i ing om an
in eg a ed modeling and p og amming en i onmen , as a
possible solu ion o he exis ing challenges in he domain.
Fo p ac i ione s, we show how he e e ence model may
be ins an ia ed and used o guide he secu i y analyses om
he beginning o a p ojec , and poin ou he bene i s o
such a solu ion, as epo ed by domain s akeholde s.
The pape is s uc u ed as ollows. Fi s , o make he
pape sel -consis en , in Sec . 2we p o ide a sho o e -
iew o he main concep s, app oaches, and challenges in
he ield o cybe -secu i y by design and poin ou how
concep ual modeling can con ibu e o esol ing hose
challenges. Nex , in Sec . 3we p esen ou me hod’s goals
and a ge ed ision, which is based on ou p e ious
esea ch and has been u he de eloped o e lec he
iden i ied need o a guiding p ocess. In Sec . 4, we explain
ou esea ch app oach and discuss he ole o domain
expe s. In Sec . 5, we in oduce he mul i-le el e e ence
model on which he me hod ope a es, which was o iginally
p esen ed in (de Kinde en e al. 2022) and has been
upda ed o i he p ocess model, which is newly de eloped
in his wo k and p esen ed in Sec . 6. We discuss he
p oposed app oach’s u ili y and posi ion i owa ds o he
app oaches in Sec . 7. The pape concludes wi h inal
ema ks and an ou look on u u e esea ch.
2 Backg ound
The backg ound sec ion se es as he b idge be ween he
in oduc ion and he body o he manusc ip . I es ablishes
he con ex o he esea ch by discussing ele an li e a u e
and ou lining he knowledge gap he esea ch aims o ill.
2.1 Cybe -Secu i y by Design: Concep s, App oaches,
and Challenges
The o igins o ‘‘secu i y by design’’ can be aced back o
he 1970 s when he US De ense Science Boa d Task Fo ce
on Compu e Secu i y o mula ed ha ‘‘[p] o iding sa is-
ac o y secu i y con ols in a compu e sys em is a sys em
design p oblem’’ (Wa e 1970). Fi s ly, his was e e ed o
as ‘‘secu e design pa e ns’’ (Doughe y e al. 2009), bu
la e he e m ‘‘secu e by design’’ was es ablished (San os
e al. 2017).
‘‘Secu i y by design’’ includes wo key e ms: a esul
(i.e., ‘‘secu i y’’) ha is ealized by conc e e ac ions (i.e.,
‘‘design’’) (Byg a e 2022). ‘‘Secu i y’’ e e s o he ‘‘ab-
sence o limi a ion o ulne abili ies o h ea s’’ (Kahn
e al. 2011) owa ds a e e en objec like p i acy o sa e y
o pe sons, business success, o s a e so e -
eign y (Dunn Ca el y 2014). O en, his is boiled down o
he iad o Con iden iali y, In eg i y, and A ailabili y
(CIA) (He mann and P ido
¨hl 2020).
‘‘Design’’ is an ambiguous e m. Fo ins ance, conside
he way he e m is ea ed in he wo k o Ha zog (2018).
He e, he au ho e e s a one ime o he p ocess and he
esul s o echnologies, a ano he ime o a sys em’s
unc ions and i s e ec on people, and inally o he c e-
a ion o ools o unde s anding and ac ing unde cu en
condi ions. Gi en he a ious de ini ions and uses o he
e m ‘‘design’’, see Byg a e (2022), i can be a gued ha
he e m conno es an in en ional, di ec ed ac i i y. Design
in ol es enginee ing in he sense ha i b ings abou
some hing (Byg a e 2022).
Ensu ing secu i y in c i ical in as uc u es is challeng-
ing because, as al eady men ioned, secu i y is classically
ensu ed ex-pos . The e o e di e en ways o enable secu-
i y by design ha e been p oposed. Fo ins ance, Paye e
e al. (2015) a gue ha secu i y should be a conce n o IT
p ojec manage s and p opose o ex end p ojec manage-
men ac i i ies acco dingly. They de e mine six secu i y
cha ac e is ics ele an o p ojec s and ex end a p ojec
ma u i y model o assess p ojec secu i y. Geismann e al.
(2018) ake a simila app oach and in eg a e secu e so -
wa e enginee ing p ac ices in o he enginee ing p ocess o
Cybe -Physical Sys ems (CPS). Secu i y equi emen s a e
de ined on he sys em le el and acked o coun e mea-
su es. In u n, Liu e al. (2022) ake a mo e o mal posi ion
and a gue ha secu i y conce ns should al eady be con-
side ed in he ma hema ical- o mal assessmen o CPS.
Using he e m ‘‘secu e-by-cons uc ion’’, hey poin o
in o ma ion- heo e ic ounda ions, da a-d i en app oaches,
and secu i y o ne wo k mul i-agen s as u u e di ec ions
o such o mal assessmen s.
2.2 Modeling in Suppo o Secu i y Analysis
A wide a ie y o al eady es ablished me hods suppo he
o e a ching goal o secu i y by design. Some o hem ely
on an ins umen o help deal wi h complexi y, suppo ing
unde s anding and enabling communica ion be ween
in ol ed s akeholde s; namely, hey apply concep ual
modeling. Concep ual modeling may be de ined as ‘‘ he
123
S. de Kinde en e al.: A Mul i-Le el Re e ence Model..., Bus In Sys Eng 67(4):511–530 (2025) 513
ac i i y o o mally desc ibing some aspec s o he physical
and social wo ld a ound us o unde s anding and com-
munica ion’’ (Mylopoulos 1992). The applica ion o mod-
eling o suppo secu i y analyses is deemed p omising as:
(1) i can p omo e a sha ed unde s anding o , among o h-
e s, he exis ing ulne abili ies and possible a ack ec o s
(Jiang e al. 2023; Geismann and Bodden 2020; 2) i has
he po en ial o ela e IT issues o en e p ise-le el use
scena ios (Jiang e al. 2023); and (3) concep ual modeling
acili a es (semi-)au oma ed easoning, enabling, among
o he s, simula ion. In addi ion, please no e ha he appli-
ca ion o a modeling language o ces one o be conc e e
and speci ic, which makes he analysis mo e aluable.
Mo eo e , a ious modeling languages may be used oge-
he o o e mo e comp ehensi e analyses o a sys em
unde s udy.
Va ious concep ual modeling app oaches ha e been
p oposed o suppo secu i y analyses, such as isk
assessmen me hods (ENISA 2022) ha ope a e on di e -
en abs ac ion le els. Fo one, hey suppo analysis o he
en i e o ganiza ion as such, on a sys ems le el, and o
single so wa e sys ems.
Fo ins ance, on an o ganiza ional le el, FAIR (F eund
and Jones 2015) aims o suppo manage s in making be e
decisions by unde s anding o ganiza ional isk. The e o e,
FAIR p o ides ools o unde s anding, measu ing, and
analyzing in o ma ion isks. The app oach is co e ed by
di e en a eas like isk heo y, isk calcula ion, scena io
modeling, and communica ing isk wi hin he o ganiza ion.
Based on his in o ma ion, he isk is quan i ied acco ding
o h ea ac o s, ulne abili ies, and inciden impac .
In con as , PASTA (Mo ana and Uceda Ve
´lez 2015)
was designed wi h IT, secu i y, compliance, and isk
leade s in mind, suppo ing hem in mi iga ing isks and
easoning abou di e en h ea s. Acco dingly, i is a isk-
cen ic h ea modeling amewo k. PASTA leads he isk
assesso wi h an i e a i e, adap i e p ocess ocusing on
business impac , h ea esea ch, and coun e measu es.
Simila ly, TRIKE (Sai a e al. 2005) ollows a p ocess
ha s a s wi h de ining he sys em ia a da a low diag am
and i s elemen s like ac o s, esou ces, in ended ac ions,
and ules. Nex , h ea s a e iden i ied based on wo ca e-
go ies: ele a ion o p i ilege o denial o se ice. Finally,
he isk o ce ain h ea s is de e mined acco ding o hei
impac on business objec s and he h ea ’s p obabili y.
A popula and widesp ead me hod o assess di e en
h ea s o a sys em is STRIDE (Shos ack 2014). STRIDE
uses da a low diag ams o ep esen he sys em and a ach
di e en h ea s ha could impac he sys em. The h ea s
a e g ouped in o six di e en ca ego ies, which gi e
STRIDE i s name: Spoo ing iden i y, Tampe ing wi h da a,
Repudia ion, In o ma ion disclosu e, Denial o se ice, and
Ele a ion o p i ilege. STRIDE has been u he de eloped
in o DREAD (Shos ack 2008) o be e e alua e h ea s
while conside ing Damage po en ial, Rep oducibili y,
Exploi abili y, A ec ed use s, and Disco e abili y. The e-
o e, each ca ego y has di e en alues assigned and, hus,
enables he calcula ion o an a e age alue ep esen ing he
o e all sys em’s isk.
On he mo e de ailed le el o so wa e sys ems design,
he so wa e enginee ing communi y elies on model-based
secu i y analysis o suppo a manual secu i y assessmen
(e.g., CORAS (Lund e al. 2010), secu eTROPOS
(Mou a idis e al. 2002), and SecDSVL (Almo sy and
G undy 2014)) o au oma ed secu i y assessmen . The
au oma ed app oaches (e.g., UMLsec (Ju
¨ jens 2002,2005),
Secu eUML (Basin e al. 2006,2011), SECTET (Alam
e al. 2007; Ha ne e al. 2006), and STS-ml (Paja e al.
2015)) allow o speci y a so wa e sys em’s se o com-
ponen s and hei in e ac ions. Secu i y p ope ies en ich
his speci ica ion, enabling he au oma ed analysis based on
o mal easoning, hus allowing s a emen s abou he
so wa e sys em’s secu i y.
Besides he a o emen ioned app oaches o secu i y
analysis, which end o be gene al pu pose, simila wo k
o SCADA sys ems and CPS exis s, which is some imes
amed in he ligh o he ISO 31000:2009 isk manage-
men p ocess. Ou con ibu ion ocuses on achie ing
secu i y by design as a undamen al p inciple wi hin
mode n isk managemen o add ess po en ial isks as ea ly
as possible a he han ea ing hem as an a e hough .
Rega ding SCADA sys ems, Che dan se a e al. (2016)
e iewed 24 di e en me hods o assess he cybe -secu i y
o SCADA sys ems and sugges a ca ego iza ion
scheme o such me hods. They iden i ied i e challenges
o u u e esea ch, which also guide ou wo k: (1) he
me hods ei he ocus on a holis ic assessmen while
neglec ing SCADA-speci ic de ails o on ce ain pa s
while alling sho o he big pic u e, (2) mos me hods
concen a e on singula ulne abili ies, no he sys em
i sel , (3) da a on secu i y a acks on SCADA sys ems is
missing, (4) he p esen ed me hods miss a p ope alida-
ion, and inally, (5) he me hods a e lacking ool-suppo .
When i comes o CPS, o ins ance, Tan awy e al.
(2020) de elop a model-based app oach o he isk
assessmen o CPS and e alua e he app oach in a es bed
wi h eal-wo ld indus ial con olle s and communica ion
p o ocols. The assessmen is guided by iden i ying physical
ulne abili ies, modeling he en i onmen , and es ing he
ulne abili ies ound in he es bed. The au ho s ecognize
wi hin hei wo k he bene i s o au oma izing he analysis
i sel . Finally, Jiang e al. (2023) employ concep ual
modeling in gene al and mul i-le el modeling in pa icula
o secu i y analysis ocusing on he elec ici y sec o .
Jiang e al. (2023) aim a speci ic ulne abili ies, a acks,
123
514 S. de Kinde en e al.: A Mul i-Le el Re e ence Model..., Bus In Sys Eng 67(4):511–530 (2025)
and ailu e p opaga ion. This app oach is eac i e, ocusing
on ulne abili ies and a acks o exis ing in as uc u e.
3 Vision and Mo i a ing Scena io
Ou solu ion is designed o o ganiza ions ha alue
secu i y as an inhe en pa o he design o new solu ions,
and is demons a ed o o ganiza ions ac i e in he sma
g id domain, bo h o ensu e hei p ocesses’ unc ionali y
and p o ec hei cus ome s’ sensi i e da a. To illus a e ou
goals and a ge ed ou comes, conside he ollowing
exempla y scena io. A u ili y company, ACM-e, wishes o
digi alize i s p ocesses. They ha e deployed adi ional
analog me e s o hei cus ome s, which a e supposed o be
exchanged wi h mode n sma me e s o enable, in e alia, a
ully digi alized billing p ocess. Simul aneously, ACM-e is
awa e ha secu i y aspec s a e impo an o he new
a chi ec u e o ensu e hei p ocesses’ unc ionali y and
p o ec hei cus ome s’ sensi i e da a.
Conside ing he abo e, he scena io o in e es e e s o
he billing in sma g ids, which ela e o he cap u ing and
p ocessing o ime-based ene gy consump ion da a om
cus ome s’ sma me e s (B own e al. 2008). The au o-
ma ed da a collec ion enables ACM-e o ans o m hei
billing p ocesses and o e ime-based a es o hei cus-
ome s. Fu he , hey can emo ely ini ia e o e mina e
se ices wi hou sending a echnician. Finally, he mo e
de ailed a ailable da a can ease he op imal planning,
design, main enance, and de elopmen o ailo ed se ices.
Mo eo e , ACM-e desi es o educe i s cos s associa ed
wi h me e eadings and inc ease i s billing accu acy and
dis ibu ion planning. The billing p ocess elies on sma
me e s, a cus ome ga eway, and a me e ing da a man-
agemen sys em, which uses a Home A ea Ne wo k (HAN)
and Wide A ea Ne wo k (WAN) o communica ion.
As his digi aliza ion enables a acke s o pene a e he
in as uc u e, he e is a need o accoun o cybe -secu i y
aspec s. The e o e, a p ojec eam mus be es ablished o
add ess secu i y issues om he e y beginning o he
p ojec . Al hough he p ojec membe s a e amilia wi h he
basic secu i y- ela ed concep s and sma g id-speci ic
aspec s, hey do no conside hemsel es secu i y expe s.
The e o e, hey decided o use a me hod based on exis ing
e e ence models o ensu e ha secu i y and domain-
speci ic aspec s we e add essed. Based on his scena io, as
well as on he analysis conduc ed o exis ing body o
knowledge, we iden i y he ollowing equi emen s which
he me hod o choice should mee :
Requi emen 1 Guide h oughou he en i e li e-cycle o
he sys em.
Ra ionale: In line wi h he co e ideas o cybe -secu i y
by design, e.g., see (Geismann e al. 2018), he guiding
p ocess model should accoun o he en i e li e-cycle o
he sys em unde design o co e bo h p oac i e design
s eps du ing ea ly ac i i ies such as he iden i ica ion o
equi emen s, o mo e eac i e design s eps, like assess-
men o he sys em.
Requi emen 2 P o ide an in eg a ed concep ual co e -
age o a sys em’s li e-cycle phases.
Ra ionale: As we in end o co e all s eps h oughou a
sys em’s li e-cycle, in line wi h Geismann and Bodden
(2020), i na u ally ollows ha he en isioned modeling
me hod should p o ide an in eg a ed concep ual co e age
o associa ed domains and o ganiza ional pe spec i es.
Fo ins ance, o iden i ying secu i y equi emen s, con-
cep s such as use case and secu i y equi emen a e nec-
essa y (Na ional Ins i u e o S anda ds and Technology
2010); on he o he hand, o secu i y assessmen , concep s
such as asse s, hei associa ions, h ea s, and ulne abili-
ies would need o be accoun ed o (Hacks e al. 2020).
Requi emen 3 Accoun ing o bo h high-le el and
speci ic aspec s.
Ra ionale: Di e en ypes o analysis equi e in o ma-
ion on di e en g anula i y le els (A kinson and Ku
¨hne
2001). Fo example, one can concep ualize gene ic
dependencies be ween he concep o asse and a ack, and
make hese dependencies mo e speci ic o conc e e h ea s
o a pa icula asse , such as di e en h ea s ha migh
exis o a pa icula me e .
Requi emen 4 Suppo o analysis, documen a ion, and
communica ion.
Ra ionale: In line wi h some o he key aims o con-
cep ual modeling (Thalheim 2011), he models c ea ed
should (1) p o ide in o ma ion o he needs o a ge ed
analyses, bu also (2) se e as documen a ion o he pe -
o med s eps and esul s achie ed (e.g., unco e ed ul-
ne abili ies and isks), as well as (3) suppo
communica ion among in ol ed s akeholde s. Rega ding
he la e , we equi e domain-speci ic concep s close o he
p o essional e minology he in ol ed domain s akeholde s
use.
Requi emen 5 Accoun ing o exis ing up- o-da e
domain in o ma ion.
Ra ionale: The app oach shall enable secu i y and
domain expe s o conduc secu i y- ela ed analysis.
The e o e, i is impo an o in eg a e he model wi h
ex e nal da a sou ces ha p o ide ope a ional-le el in o -
ma ion and up- o-da e in o ma ion on ulne abili ies
(Hamle and Keliiaa 2010; Rosa e al. 2017).
123
S. de Kinde en e al.: A Mul i-Le el Re e ence Model..., Bus In Sys Eng 67(4):511–530 (2025) 515
Requi emen 6 Re lec s anda ds and cu en p ac ices on
cybe -secu i y.
Ra ionale: In o de o no ein en he wheel and o also
o e a modeling me hod ha is in line wi h no ions (p e-
sumably) amilia o end use s (F ank 2014), he concep-
ual unde pinnings o ou modeling me hod shall e lec he
s a e o he a in cybe -secu i y, as e lec ed in s anda ds
and cu en p ac ices.
On he one hand, e lec ing on he ul illmen o he
equi emen s by he ele an app oaches discussed by
She chenko e al. (2018) (e.g., no conside ing LINDDUN
as i is p i acy ocused), and on he o he hand also con-
side ing he NIST cybe -secu i y amewo k (Na ional
Ins i u e o S anda ds and Technology 2024), and (Jiang
e al. 2023) as addi ionally ele an app oaches, we can see
ha he me hods cope well wi h achie ing concep ual
co e age and suppo he analysis, documen a ion, and
communica ion (c . Table 1). Rega ding he analysis, he
au oma ion suppo is limi ed, e en i he app oaches allow
some au oma ion in he o m o sp eadshee s. Mo eo e ,
mos app oaches s uggle o add ess a high-le el assess-
men o he en i e o ganiza ion while accoun ing o
speci ic aspec s. This is also e lec ed in he ac ha solely
he app oach o Jiang e al. (2023) accoun s o domain-
speci ic aspec s. Finally, s anda ds and cu en p ac ices a e
o mino impo ance and a e only e lec ed i he used
me hod is i sel a de- ac o s anda d.
Due o, on he one hand, he impo ance o cybe -se-
cu i y and he challenges o cybe -secu i y by design
analysis, and on he o he hand, a lack o a comp ehensi e
modeling solu ion o suppo o ganiza ions h ough di -
e en s ages o c ea ing secu e sys ems (c . Sec . 2), we
aim o p o ide o ganiza ions wi h a mul i-le el modeling
me hod o e ing he equi ed suppo .
4 Resea ch App oach
As discussed in he in oduc ion, ou wo k i s squa ely
wi hin design science (He ne e al. 2004) and ollows
enginee ing cycles as de ined by Wie inga (2014), c .
Table 2. The a ge ed modeling me hod, i.e., he a i ac we
design, encompasses (1) a mul i-le el ( e e ence) model
(c . Sec . 5), (2) a co esponding p ocess model guiding
he usage o he mul i-le el model (c . Sec . 6), as well as
(3) suppo ing ools and mechanisms.
In he i s enginee ing cycle, see de Kinde en e al.
(2022), we p oposed a e e ence model o cybe -secu i y
by design o sma g ids, which combines he NISTIR
7628 (Na ional Ins i u e o S anda ds and Technology
2010) emphasizing secu i y equi emen s, use cases and
asse s, wi h a modeling language o ulne abili ies,
a acks, and coun e measu es (Ka sikeas e al. 2020). The
p oposed e e ence model suppo ed op-down secu i y
analysis and ecei ed posi i e eedback om domain
expe s.
In he second enginee ing cycle (Hacks e al. 2022), we
(1) ex ended he e e ence model wi h he aspec s equi ed
o he ulne abili y analysis, such as asse s’ ulne abili ies
o de enses; (2) enabled simula ions and h ea s analysis,
based on he ex ended model; and (3) p o ided ini ial
suppo o analyze he business impac o he iden i ied
h ea s. We pe o m his ex ension because iden i ying
ulne abili ies h ough secu i y es ing is widely applied o
assess and imp o e he secu i y o sys ems (Xiong and
Lage s o
¨m2019). Also, by conduc ing a ack simula ions
one can de ec h ea s and e alua e al e na i e secu i y
designs enabling p oac i e iden i ica ion o h ea s (Eks ed
e al. 2015).
In he hi d enginee ing cycle we aim o design a p ocess
model which is guided by he c ea ed e e ence model.
Table 1 Rela ed wo k ul illmen o equi emen s
Na ional Ins i u e o S anda ds
and Technology (2024)
Mo ana and Uceda
Ve
´lez (2015)
Sai a e al.
(2005)
Shos ack
(2014)
Shos ack
(2008)
Jiang e al.
(2023)
R1 Accoun o en i e li e-cycle X X O X
R2 In eg a ed concep ual
co e age
OXXXXX
R3 Accoun ing o high-le el
and speci ic aspec s
OX
R4 Suppo analysis,
documen a ion, communica ion
XXXXXX
R5 Up- o-da e, domain
in o ma ion
X
R6 S anda ds and cu en
p ac ices
XO
Legend: X – Requi emen ul illed; O – Requi emen pa ially ul illed
123
516 S. de Kinde en e al.: A Mul i-Le el Re e ence Model..., Bus In Sys Eng 67(4):511–530 (2025)
Mo eo e , we p esen an adap a ion o he e e ence model
based on he ecei ed eedback om domain expe s.
Finally, he h ee domain expe s we e asked o e alua e
he newly de eloped p ocess model.
In line wi h he esea ch app oach ollowed, we ha e
ensu ed he in ol emen o domain expe s a di e en
s ages o ou wo k. This in ol emen o domain s ake-
holde s was aimed o assess he po en ial bene i s o ou
wo k. Du ing he i s enginee ing cycle, we employed
semi-s uc u ed in e iews wi h wo expe s om he
secu i y and elec ici y sec o espec i ely, and one expe
o secu i y in he elec ici y sec o (c . Table 3, Pa ici-
pan s 1-3). Du ing hese in e iews we gained eedback on
he i s e sion o ou mul i-le el e e ence model as well
as on he o e all goals and ision o ou p ojec . Du ing he
hi d enginee ing cycle, we engaged wi h h ee domain
expe s o e alua e he c ea ed modeling me hod (c .
Table 3, Pa icipan s 4-6). No e ha he second enginee -
ing cycle did no in ol e domain expe s, as i ocused on
de eloping a so wa e ool chain.
5 Mul i-le el Secu i y By Design Me hod: Mul i-le el
Re e ence Model
5.1 Language A chi ec u e and Ra ionale o Selec ion
Conside ing he equi emen s discussed in Sec . 3, i ol-
lows ha he language a chi ec u e used o design he a -
ge ed e e ence model shall (1) allow o he na u al
modeling o domain hie a chies and allow o exp essing
bo h gene ic and speci ic knowledge; i should also
(2) allow o inco po a ing domain knowledge (among
o he s, cu en knowledge abou equi emen s, possible
h ea s, coun e measu es, e ec s, as well as asse s) in o he
e e ence model. In addi ion, (3) he language a chi ec u e
used o c ea e any e e ence model should also suppo
exp essing a iabili y while a oiding edundancy. This
means ha a e e ence model should dis inguish be ween
hose pa s o he sys em ha a e in a ian wi hin he g oup
o in ended use s, and o he pa s ha may need indi idual
adap a ion, see also (de Kinde en and Kaczma ek-Heß
Table 2 Pe o med enginee ing cycles
1s Enginee ing cycle 2nd Enginee ing cycle 3 d Enginee ing cycle
Main ou come A mul i-le el e e ence model, suppo
o op-down app oach
An ex ended mul i-le el model, suppo
o bo om-up analysis, ool suppo
A p ocess model guiding usage o he
(ex ended) mul i-le el model
P oblem
Iden i ica ion
U ilizing concep ual a gumen a i e
explo a ion and con on a ion o ou
ision and goals o he s a e o he a ,
we iden i y a esea ch gap o which ou
e e ence model is a esponse
Whe eas he p o ided e e ence model
suppo s he op-down analysis, he
capabili y o suppo ulne abili y
analysis is s ill missing
A p ocess model ha sui s he demands
o a mul i-le el h ea model while
accoun ing o bi-di ec ional op-down
and bo om-up secu i y design is
missing
T ea men
design
Based on d i ing goals and an
illus a i e scena io, we iden i y a se o
equi emen s ha ou e e ence model
should ul ill
A se o equi emen s poin ing o he
equi ed ex ensions o he mul i-le el
model; based on he ela ed wo k, we
decide o build on he simula ion
capabili ies o a selec ed a ack
modeling language, icsLang
A se o equi emen s s emming om
insigh s gene a ed by p e ious
enginee ing cycles
T ea men
implemen a ion
We p o ide a i s ske ch o a mul i-
le el e e ence model and implemen i
in a suppo ing ool
We ex end he ea lie e sion o he
mul i-le el model in line wi h he
equi emen s and he selec ed modeling
language, and, o capi alize upon he
simula ion capabili ies o icsLang, we
ealize a oolchain be ween (Hacks
e al. 2022)
The design o he new p ocess model,
oge he wi h he se o suppo ing
a i ac s, an ex ended e sion o he
mul i-le el model, in line wi h he
equi emen s. The p ocess is based on:
cu en p ocesses o secu i y by
design
expe eedback om he i s
enginee ing cycle (especially aking in o
conside a ion he IT in as uc u e
p esen a an o ganiza ion, nex o he
e e ence model)
T ea men
alida ion
An e alua ion using a con on a ion o
he equi emen s, as well as eedback
ga he ed om expe in e iews
A ligh weigh e alua ion o ou
ex ended model and oolchain in e ms
o a ealis ic a ack scena io o check he
applicabili y and u ili y o he p oposed
solu ion
A ligh weigh demons a ion o ou
ex ended model and he p ocess by
applying hem in wo kshops wi h h ee
domain expe s
123
S. de Kinde en e al.: A Mul i-Le el Re e ence Model..., Bus In Sys Eng 67(4):511–530 (2025) 517
2021). Mo eo e , (4) while suppo ing adap a ion (and
ex ensions o a model), compliance and in eg i y o he
sys em should be ensu ed. Finally, (5) in o de o suppo
di e en ypes o (also au oma ed) analysis, he e e ence
model and i s unde lying language a chi ec u e shall sup-
po no only a s a ic pe spec i e on he domain a hand, bu
also a unc ional one.
Conside ing he abo e equi emen s owa ds he lan-
guage a chi ec u e, o he needs o he modeling me hod,
we de elop a e e ence model using a selec ed mul i-le el
modeling app oach, namely he Flexible Me a Modeling
and Execu ion Language (FMML
x
) (F ank 2014). We
adop mul i-le el modeling (A kinson and Ku
¨hne 2001)as
in opposi ion o con en ional me a-modeling (1) one can
de ine an a bi a y numbe o classi ica ion le els in he
same body o a model. Acco dingly, one can employ as
many classi ica ion le els as needed o exp essing he
domain knowledge a hand (A kinson and Ku
¨hne 2008),
and no only wo (M
2
and M
1
) as in con en ional me a-
modeling. Please no e ha by employing an a bi a y
numbe o classi ica ion le els one may accoun o bo h
high-le el in o ma ion (e.g., gene ic ypes o h ea s, gen-
e ic ypes o asse s), as well as mo e speci ic ones ( ypi-
cally accoun ed o on lowe classi ica ion le els, e.g., a
speci ic h ea o a speci ic asse ), see Requi emen 3;
(2) one can de e ins an ia ion, meaning ha one can
cons ain he ins an ia ion o a model elemen a a speci ic
classi ica ion le el (F ank 2014). This is opposed o shal-
low ins an ia ion o con en ional me a-modeling, whe eby
one can ins an ia e only o he di ec ly p oceeding le el;
(3) one can elax he s ic sepa a ion be ween ype and
ins ance (A kinson and Ku
¨hne 2001), allowing one o
popula e and use a model wi h ins ance-le el da a, and
hus, inco po a e ele an in o ma ion in o he model (see
Requi emen s 5 and 6). Al hough a numbe o mul i-le el
modeling app oaches ha e been p oposed, o he bes o
ou knowledge only he FMML
x
comes wi h an in eg a ed
modeling and execu ion engine (F ank 2014), which we
need in o de o accoun o bo h s a ic and unc ional iew.
Thus we selec he FMML
x
oge he wi h he XModele o
c ea e ou mul i-le el e e ence model.
Table 4p o ides a summa ized compa ison be ween
using con en ional me a modeling (on he example o
UML) and mul i-le el modeling (on he example o
FMML
x
) o c ea e a e e ence model, conside ing h ee
aspec s: possibili y o accoun o gene ic and speci ic
aspec s, a suppo o a iabili y, as well as suppo o
consis ency-p ese ing adap a ion. As can be obse ed,
UML o e s se e al mechanisms which a leas pa ly may
add ess ou equi emen s. Especially, he combined use o
Table 3 Backg ound o he six in e iew pa icipan s
Pa icipan 1 Pa icipan 2 Pa icipan 3 Pa icipan 4 Pa icipan 5 Pa icipan 6
Job and
esponsibili ies
Cybe -secu i y
expe ;
ad ising,
analyzing,
p ojec
managemen
Enginee o
elecommunica ion;
consul ancy o and
ope a ions o cybe -
secu i y
Visi ing
assis an
p o esso ,
wo king on
sma
in as uc u e
Senio so wa e a chi ec ;
managing p ojec s o
cybe -secu i y, hos ing
pla o ms, and da a
managemen in he powe
domain
Senio so wa e
enginee ,
wo king on
cybe secu i y
ela ed aspec s
PhD s uden wi h
a ocus on
en e p ise
modeling
Yea s o job
expe ience and
educa ional
backg ound
10 yea s in a
job wi h a
ocus on
secu i y,
s udied
compu e
science
5 yea s expe ience
in cybe -secu i y
and powe g ids,
s udied elec ical
enginee ing
10 yea s o
expe ience in
he elec ici y
sec o , s udied
compu e
science
7 yea s o expe ience in
powe and wo king wi h
secu i y be o e, PhD in
so wa e enginee ing
PhD in cybe
secu i y, mas e s
in ne wo k and
sys ems
enginee ing
Mas e s in
Linguis ics and
Compu e and
Sys em Sciences
wi h ocus on isk
analysis
O ganiza ion
cha ac e and
size
EU ins i u ion,
no o p o i ,
abou 950
pe sonnel
Eu opean
T ansmission
Sys em Ope a o
(TSO), mo e han
2000 pe sonnel
P i a e
uni e si y, no
o p o i ,
a ound 250
pe sonnel
Eu opean T ansmission
Sys em Ope a o (TSO),
mo e han 1000 pe sonnel
In e ne
echnology
o ganiza ion,
mo e han
150000
employees
in e na ionally
Uni e si y, mo e
han 5000
employees
Modeling
expe ience
Fo mal
on ologies,
UML,
en e p ise
a chi ec u e
modeling
UML, BPMN, ARIS P ocess
modeling,
en e p ise
(a chi ec u e)
modeling,
UML
UML, DSLs, en e p ise
a chi ec u e modeling
Expe ience wi h
en e p ise
modeling
Expe ience wi h
en e p ise
modeling
123
518 S. de Kinde en e al.: A Mul i-Le el Re e ence Model..., Bus In Sys Eng 67(4):511–530 (2025)
Subsequen ly, we iden i y he o de in which hese
a ack s eps occu . This is so since a ack s eps o en occu
in sequence (Hacks e al. 2022), wi h one a ack s ep (e.g.,
sma me e in usion) o en aking place be o e ano he
a ack s ep (e.g., da a he o a sma me e , a e i s
in usion). Once a ack s eps ha e been iden i ied, o each
a ack s ep, we iden i y co esponding coun e measu es as
hey a e encoded in he e e ence model.
No e ha in he e e ence model, we iden i y a ack
s eps, hei ela ions, and coun e measu es pe abs ac ion
le el in he mul i-le el model (as exp essed in he mic o
p ocess in Fig. 8). Fu he mo e, we p oceed wi h said
iden i ica ion in a op-down manne . This means ha we
s a wi h iden i ying a ack s eps o asse s esiding a
highe abs ac ion le els ( o example, a sma me e ) and
p oceed o iden i y po en ial a ack s eps o asse s a lowe
le els o abs ac ion (e.g., SM 230 as a pa icula sma
me e , c . Figu e 7). Please no e ha any addi ional a ack
s eps iden i ied while mo ing down he abs ac ion hie -
a chy a e added by mono onic ex ension, in he sense ha
a ack s eps o mo e speci ic asse s do no modi y o
eplace a ack s eps o asse s esiding on a highe le el o
abs ac ion.
A e analyzing he exis ing mul i-le el model, ou
me hod o e s he possibili y o a simula ion o a ack
s eps. The basic idea o his simula ion is o employ
Fig. 7 The sys ems design and analysis iew: an exce p
Fig. 8 The secu i y analysis mic o p ocess
123
S. de Kinde en e al.: A Mul i-Le el Re e ence Model..., Bus In Sys Eng 67(4):511–530 (2025) 525
mul iple simula ion uns o iden i y key ulne abili ies
along a pa h o a ack s eps o suppo he p io i iza ion o
coun e measu es. A de ailed explana ion o said simula ion
capabili ies can be ound in Ka sikeas e al. (2020).
Finally, we can p io i ize coun e measu es. This p io i-
iza ion can happen acco ding o (1) he secu i y equi e-
men s iden i ied in S ep 1, (2) he loca ion o he a ack s ep
in he o e all sequence o a ack s eps so iden i ied, and (3)
he esul s o he simula ion o a ack s eps.
The ou pu o his s ep is a se o p io i ized coun e -
measu es, as hey a e ele an o a ack s eps o pa icula
asse s.
EXAMPLE: F om ou secu i y analysis iew (Fig. 7),
we i s ly ind ha , o he combina ion o he asse s
Communica ion Ne wo k, Sma Me e , and Me e ing Da a
Managemen Sys em ( oge he o ming a di ec commu-
nica ion a chi ec u e, c . (Shok y e al. 2022, p. 361)),
Impe sona ion can be pe o med as an a ack s ep. This
a ack s ep exploi s he bidi ec ional communica ion ul-
ne abili y in which an a acke can impe sona e he
me e ing da a managemen sys em o gain access o he
sma me e (Shok y e al. 2022, p. 361). Once gaining
access o he Sma Me e h ough Impe sona ion, he
a acke can pe o m he nex a ack s ep o ins iga e a
emo e shu down o he Sma Me e .
To coun e he wo men ioned a ack s eps ACMe can
employ he ollowing coun e measu es. Fi s ly, con o ming
o he secu i y analysis iew, au hen ica ion can be
employed as a coun e measu e o sa egua d he iden i y o
he me e ing da a managemen sys em and hus coun e he
a ack s ep o impe sona ion. Secondly, one can disable he
emo e shu down o he sma me e as a coun e measu e
so ha in case o in usion, he a acke ’s op ions a e
limi ed.
Mo ing down he abs ac ion hie a chy, we also dis-
co e mo e speci ic a ack s eps ele an o mo e speci ic
asse s. Speci ically, o a wi eless a ea ne wo k being a
speci ic ype o communica ion ne wo k, a po en ial jam-
ming a ack can become ele an (A a in han e al. 2011;
Shok y e al. 2022). Wi h jamming, an a acke dis up s he
wi eless communica ion by sending ou signals on a sha ed
medium (A a in han e al. 2011), hus dis up ing commu-
nica ion needed o , e.g., moni o ing and es ima ion unc-
ions (Zhang e al. 2019). While a jamming a ack is
gene ally di icul o de end agains , a po en ial coun e -
measu e encoded in ou e e ence model, as p oposed by
A a in han e al. (2011), is o mo e h ough a lis o p e-
de ined channels o p e en an a acke om a acking
jamming one pa icula signal.
Finally, we p io i ize coun e measu es and selec
au hen ica ion based upon (1) he secu i y equi emen
iden i ied du ing he s ep secu i y equi emen s analysis.
Recall ha , acco ding o NISTIR In e ace 13, in eg i y and
con iden iali y we e p io i ized o e a ailabili y. This i s
well wi h au hen ica ion since he needed ex a compu a-
ional capabili y migh un coun e o a ailabili y;
au hen ica ion does i nicely o achie ing he p io i ized
in eg i y and con iden iali y equi emen s; (2) he loca ion
o he a ack s eps. He e again, au hen ica ion seems o i
well since i aims o make sma me e access mo e di i-
cul , hus p e en ing a ack s eps ha can be ca ied ou
once sma me e access has been gained.
7 E alua ion and Discussion
We now e lec on he ex en o which ou modeling
me hod ul ills he equi emen s discussed in Sec . 3,as
well as i s u ili y, as poin ed ou by he domain expe s.
7.1 Requi emen s Ful illmen
In line wi h he cybe -secu i y by design philosophy, ou
me hod p o ides comp ehensi e co e age o a sys em’s
design, bo h p oac i ely du ing ea ly s ages, like secu i y
equi emen s analysis, and in la e phases, such as secu i y
analysis, whe e he ocus is on a acks and coun e measu es
o gi en asse s. This comp ehensi e co e age is ca e ed
o in e ms o he s ages co e ed (Requi emen 1) and he
used concep s (Requi emen 2). Addi ionally, by adop ing
FMML
x
as a mul i-le el modeling app oach, we enable he
exp ession o in o ma ion a a high le el o abs ac ion and
he exp ession o speci ic in o ma ion (Requi emen 3).
The lexibili y in selec ing a le el o abs ac ion, combined
wi h he domain-speci ic na u e o he (secu i y, elec ici y
sec o ) concep s in ou e e ence model, also allows he use
o e minology amilia o end use s, hus suppo ing
communica ion and documen a ion (Requi emen 4).
Ne e heless, as isualiza ion and model managemen a e
s ill known esea ch issues o mul i-le el modeling in
gene al and o FMML
x
speci ically, he ac i e use o ou
e e ence model o documen a ion and communica ion
pu poses is s ill a poin o u he esea ch.
Addi ionally, by bene i ing om he elaxed ype-in-
s ance dicho omy o FMML
x
(again, see Sec . 5) we can
keep he model up o da e conce ning domain in o ma ion
(Requi emen 5). Finally, by adop ing well-es ablished
concep s om NISTIR 7628, powe Lang, and om mod-
eling app oaches o cybe secu i y by design (Geismann
and Bodden 2020), ou modeling me hod is based on s a e-
o - he-a s anda ds and p ac ices in (cybe -) secu i y by
design (Requi emen 6).
123
526 S. de Kinde en e al.: A Mul i-Le el Re e ence Model..., Bus In Sys Eng 67(4):511–530 (2025)
7.2 Feedback om Domain Expe s and Expec ed
U ili y o he Me hod
F om he conduc ed in e iews (c . Sec . 4), we mainly
gained eedback on he u ili y o he designed a i ac s, he
co e age, and unde s andabili y, and also obse ed a need
o a clea e u n-on-modeling-e o (Guizza di and
P ope 2022).
Rega ding u ili y, he e e ence model is pe cei ed as a
use ul knowledge base o non-domain expe s. Fo
example, Pa icipan 3 (see Table 3) men ions how he
e e ence model could help iden i y secu i y conce ns o a
cu en ly unning p ojec on de eloping a pla o m o
sou cing in e e s o sola panels. In ac , while he
elec ici y sec o has he expe ise o de elop his pla o m,
he ela ed secu i y conce ns a e less well unde s ood.
Howe e , he u ili y mus p o ide conc e e and up- o-da e
co e age o asse s, h ea s, and hei mi iga ion. When i
comes o he u ili y o ou me hod’s basis in s anda ds, he
pa icipan s men ioned using he ISO 2700X se ies (Pa -
icipan 1) and NISTIR 7628 (Pa icipan 4) as ypical
sou ces o in o ma ion. The e o e, hey posi i ely assessed
he co e age o he e e ence model. Ne e heless, o he
s anda ds such as MODBUS and IEC 61850 we e also
men ioned (by Pa icipan 3) and ecommended o inclu-
sion in he e e ence model. The pa icipan s also men-
ioned he need o adjus he s anda ds o local needs,
suppo ed by he e e ence model. Finally, Pa icipan 5
ema ked ha choosing an app op ia e le el o abs ac ion
is a pe inen issue in he secu i y domain. The e o e his
pa icipan app ecia ed ou modeling me hod’s inhe en
lexibili y, allowing one o choose an abs ac ion le el as
needed. Ne e heless, i was ecommended ha he mod-
eling e o s should s a om he abs ac iew o an
o ganiza ion, c ea ed by people wi h a good o e iew o
he sys em, and hen le s akeholde s comple e he de ails
wi h de ailed knowledge abou single pa s o he sys em.
In e ms o unde s andabili y, pa icipan s indica ed ha
hey could unde s and he concep s wi hin he mul i-le el
model a e explana ion, e en hose concep s ha we e no
om hei domain (see he pa icipan backg ounds
Table 3). Howe e , he idea o mul i-le el modeling nee-
ded u he explana ion o he pa icipan s, as i is no easy
o g asp ini ially, e en o hose amilia wi h concep ual
modeling. Pa icipan 3 ini ially in e p e ed he di e en
le els in a mul i-le el model as e lec ing hei impo ance.
Fo example, o Pa icipan 3, a equi emen would be
mo e impo an han a use case because a equi emen
esides on le el L3, whe eas a use case esides on le el L2.
Only a e explana ion did he domain expe unde s and
ha he le els pe ain o he o ganiza ion o classi ica ion
le els. Addi ionally, Pa icipan 5 ema ked on he com-
plexi y o he mul i le el hie a chies. He poin ed ou ha a
il e ing mechanism o hide unnecessa y in o ma ion would
be and add o he unde s andabili y o ou mul i-le el
models. Finally, Pa icipan 4 poin ed ou a po en ial lan-
guage ba ie in he inhe en eliance o ou modeling
me hod on English, since on a day- o-day basis, po en ial
use s o he me hod may be mo e likely o use hei na i e
language. Rega ding he p ocess model, he p o ided s eps
we e o e all assessed as easonable and logical by he
pa icipan s o he hi d design science cycle, in pa icula
by Pa icipan s 4 and 6.
The eedback o domain s akeholde s poin s o he need
o a clea Re u n-on-Modeling-E o (RoME). Such a
RoME in ol es, on he one hand, ha he applica ion o he
me hod should p o ide non- i ial in o ma ion o end use s
so ha he in es ed e o (e.g., he e o in es ed in c e-
a ing models and using hem in he analysis p ocess) is
pe cei ed as jus i ied by he use s. On he o he hand, o a
clea RoME, addi ional mechanisms and incen i es a e
needed. Rega ding he la e , we gained eedback om he
hi d enginee ing cycle in e iew mainly on ou aspec s,
discussed subsequen ly.
(1) Au oma ed model c ea ion: Due o he conside able
complexi y o he sys ems, i is i al o suppo modele s in
hei wo k whe e possible. This includes he au oma ed
gene a ion o he model based on exis ing in o ma ion o
au oma ized scans o he in as uc u e. Howe e , i was
poin ed ou ha his migh be challenging in cybe -physical
en i onmen s as au oma ized scans could c ash hose.
(2) Accoun ing o changing secu i y equi emen s: The
h ea landscape is con inuously changing. The e o e, he
mul i-le el model mus add ess he la es ulne abili ies
by, e.g., including up- o-da e da abases like he Na ional
Vulne abili y Da abase (NVD). Mo eo e , i was s essed
ha he de i ed ecommenda ions o add ess hese ul-
ne abili ies mus go beyond he ob ious, such as keeping
he la es pa ch le el.
(3) Mul i-le el model managemen : The mul i-le el
model co e s di e en le els o abs ac ion and domains in
he o ganiza ion. None o his in o ma ion is a ailable om
a single pe son in an o ganiza ion. Acco dingly, i is nec-
essa y o p o ide di e en iews o s akeholde s in bo h
capaci ies: o analyze and main ain he model.
(4) Incen i es o modele s: No all model c ea ion
aspec s can be au oma ed. The e o e, i is impo an o
con inuously mo i a e he ela ed s akeholde s o sha e
hei knowledge o he mul i-le el model. This could be
achie ed by easing he p o ision o he ela ed in o ma ion
and c ea ing di ec ly pe cei ed added alue o he
s akeholde s.
Thus, o ensu e he p ac ical adop ion o he modeling
me hod, we un in o he classical issues o (1) modeling o
he masses (Sandkuhl e al. 2018), which e lec s on
es ablishing a b idge be ween ‘‘model like’’ a i ac s like
123
S. de Kinde en e al.: A Mul i-Le el Re e ence Model..., Bus In Sys Eng 67(4):511–530 (2025) 527
sp eadshee s which con ain aluable domain knowledge,
and a concep ual (en e p ise) model, as well as (2) he
Re u n on Modeling E o (Guizza di and P ope 2022),
he highligh o which is ha he e o pu in o domain
modeling should be me by bene i s ha one can eap om
i .
7.3 Posi ioning Towa ds Rela ed Wo k
As al eady men ioned in Sec . 3, no comp ehensi e solu-
ion exis s ha add esses all equi emen s. Closes o ou
me hod comes he wo k o Jiang e al. (2023). Simila o
ou wo k, Jiang e al. (2023) employ concep ual modeling
in gene al and mul i-le el modeling in pa icula o
secu i y analysis ocusing on he elec ici y sec o . Besides
hese simila i ies, subs an ial di e ences exis . Fi s , he e
exis di e ences ega ding he main goals and scena ios
suppo ed. Especially, Jiang e al. (2023) aim a speci ic
ulne abili ies, a acks, and ailu e p opaga ion. Thei
model is hus eac i e, ocusing on ulne abili ies and
a acks in exis ing in as uc u e. In con as , ou modeling
me hod a ge s a secu i y-by-design app oach and hus is
p oac i e by explici ly conside ing secu i y as pa o he
design p ocess. The second di e ence lies in he abili y o
keep he model up o da e wi h da a om he unning
o ganiza ion. FMML
x
, he language on which ou e e ence
model is buil , inhe en ly can keep a model synch onized
wi h da a om, e.g., he unning o ganiza ion. To he bes
o ou knowledge, while Jiang e al. (2023) ce ainly ben-
e i om ool suppo ( h ough Concep Base), compa ed o
ou app oach, he e is a less na u al capabili y o keep
model and da a in synch oniza ion; Thi d, he le el o
p o ided guidance di e s. Jiang e al. (2023) in oduce
h ee a i ac s: a gene al axonomy o sys ems modeling
(bo h in o ma ion echnology and ope a ional echnology,
he la e ouching on he cybe -physical sys ems side,
c . Jiang e al. (2023)), an a i ac o easing ou unc ional
dependence, and an ins an ia ion o he wo men ioned
a i ac s o he powe domain. Howe e , use guidance o
he p esen ed a i ac s is missing. Ou modeling me hod
o e s a mul i-le el model p ocess, accompanied by ypical
me hod elemen s such as ele an s akeholde s, inpu s,
ou pu s, and mo e (see Table 6).
8 Conclusions
In his pape , we p esen a modeling me hod o cybe -
secu i y by design. As a con inua ion o ea lie wo k, we
pa icula ly ocused on he p ocedu al guidance o ou
modeling me hod, as well as i s comp ehensi e p esen a-
ion in e ms o h ee iews ha complemen he p ocedu al
guidance. In addi ion o an ex a ound o alida ion ( he
hi d design science cycle), we also conduc ed a comp e-
hensi e alida ion o he me hod.
Fo u u e wo k, we in end o, i s , add ess he usabili y
o ou mul i-le el model. As s a ed in Sec . 7, while con-
cep ually appealing, we s ill need o add ess he lack o
isualiza ion and model managemen inhe en in he use o
mul i-le el modeling. As a i s s ep, he use o iewpoin s
wi h ele an in o ma ion ailo ed o speci ic oles would
be p omising. Second, in e ms o alida ion, a u he
e alua ion in a eal-li e se ing may be use ul o lea n om.
In line wi h he u he e alua ion, hi d, we also in end o
make simula ion capabili ies an inhe en pa o ou mod-
eling me hod. In ea lie wo k, we ha e al eady achie ed
encou aging esul s by ela ing he mul i-le el e e ence
models o a ack g aph-based easoning, bu due o scoping
and space cons ain s we could no ully u ilize hese
esul s o he p esen pape .
Open Access This a icle is licensed unde a C ea i e Commons
A ibu ion 4.0 In e na ional License, which pe mi s use, sha ing,
adap a ion, dis ibu ion and ep oduc ion in any medium o o ma , as
long as you gi e app op ia e c edi o he o iginal au ho (s) and he
sou ce, p o ide a link o he C ea i e Commons licence, and indica e
i changes we e made. The images o o he hi d pa y ma e ial in his
a icle a e included in he a icle’s C ea i e Commons licence, unless
indica ed o he wise in a c edi line o he ma e ial. I ma e ial is no
included in he a icle’s C ea i e Commons licence and you in ended
use is no pe mi ed by s a u o y egula ion o exceeds he pe mi ed
use, you will need o ob ain pe mission di ec ly om he copy igh
holde . To iew a copy o his licence, isi h p://c ea i ecommons.
o g/licenses/by/4.0/.
Re e ences
Ab aham C, Cha e jee D, Sims RR (2019) Muddling h ough
cybe secu i y: insigh s om he US heal hca e indus y. Bus
Ho iz 62(4):539–548
Alam M, B eu R, Ha ne M (2007) Model-d i en secu i y enginee ing
o us managemen in SECTET. J So w 2(1):47–59
Almo sy M, G undy J (2014) Secds l: a domain-speci ic isual
language o suppo en e p ise secu i y modelling. In: 23 d
Aus alian so wa e enginee ing con e ence (ASWEC),
pp 152–161
A a in han V, Namboodi i V, Sunku S, Jewell W (2011) Wi eless
AMI applica ion and secu i y o con olled home a ea ne wo ks.
In: 2011 IEEE powe and ene gy socie y gene al mee ing. IEEE,
pp 1–8
A kinson C, Ku
¨hne T (2001) The essence o mul ile el me amodel-
ing. In: P oceedings o he 4 h in e na ional con e ence on he
uni ied modeling language, modeling languages, concep s, and
ools. Sp inge , Heidelbe g, pp 19–33
A kinson C, Ku
¨hne T (2008) Reducing acciden al complexi y in
domain models. SoSyM 7(3):345–359
Basin D, Dose J, Lodde s ed T (2006) Model d i en secu i y: om
UML models o access con ol in as uc u es. ACM T ansac
So w Eng Me hod (TOSEM) 15(1):39–91
Basin D, Cla el M, Egea M (2011) A decade o model-d i en
secu i y. In: P oceedings o he 16 h ACM symposium on Access
con ol models and echnologies, pp 1–10
123
528 S. de Kinde en e al.: A Mul i-Le el Re e ence Model..., Bus In Sys Eng 67(4):511–530 (2025)
B own B, Single a y B, Willke B, Benne C, High ill D, Houseman
D, Cle eland F, Lipson H, I e s J, Gooding J e al (2008) AMI
sys em secu i y equi emen s. AMI-SEC TF
Byg a e LA (2022) Secu i y by design: aspi a ions and eali ies in a
egula o y con ex . Oslo Law Re 3:126–177
Case DU (2016) Analysis o he cybe a ack on he Uk ainian powe
g id. In: Elec ici y in o ma ion sha ing and analysis cen e (E-
ISAC), ol 388, pp 1–29
Chan ACF, Zhou J (2013) On sma g id cybe secu i y s anda diza-
ion: issues o designing wi h NISTIR 7628. IEEE Commun Mag
51(1):58–65
Che dan se a Y, Bu nap P, Bly h A, Eden P, Jones K, Soulsby H,
S odda K (2016) A e iew o cybe secu i y isk assessmen
me hods o SCADA sys ems. Compu Secu 56:1–27. h ps://
doi.o g/10.1016/j.cose.2015.09.009
Cozzi L, Tu k D, Abe gel T, Ba os J, Belle a E, Benne S, Be ly T,
Bouckae S, Dulac J, Al a ez CF e al (2017) Digi aliza ion and
Ene gy. OECD
Da eh OF, Liu Q, Liu X, Bah I, Nako y FM, Acakpo i A (2022)
Eme ging simula ion amewo ks o analyzing sma g id
cybe a ack: a li e a u e e iew. In: 2022 IEEE In l con on
dependable, au onomic and secu e compu ing, in l con on
pe asi e in elligence and compu ing, in l con on cloud and big
da a compu ing, in l con on cybe science and echnology
cong ess (DASC/PiCom/CBDCom/Cybe SciTech), pp 1–7.
h ps://doi.o g/10.1109/DASC/PiCom/CBDCom/Cy55231.2022.
9927892
de Kinde en S, Kaczma ek-Heß M (2021) Making a case o mul i-
le el e e ence modeling – a compa ison o con en ional and
mul i-le el language a chi ec u es o e e ence modeling chal-
lenges. In: Wi scha sin o ma ik 2021, aisne
de Kinde en S, Kaczma ek-Heß M, Hacks S (2022) Towa ds
cybe secu i y by design: a mul i-le el e e ence model o
equi emen s-d i en sma g id cybe secu i y. In: 30 h Eu opean
con e ence on in o ma ion sys ems, ECIS 2022, Timisoa a
Doughe y C, Say e K, Seaco d RC, S oboda D, Togashi K (2009)
Secu e design pa e ns. Ca ne gie-Mellon Uni e si y Pi sbu gh
PA So wa e Enginee ing Ins i u e, Technical epo
Dunn Ca el y M (2014) B eaking he cybe -secu i y dilemma:
aligning secu i y needs and emo ing ulne abili ies. Sci Eng
E hic 20:701–715
Eks ed M, Johnson P, Lage s o
¨m R, Go on D, Nyd e
´n J, Shahzad K
(2015) secu iCAD by o esee i: a CAD ool o en e p ise cybe
secu i y managemen . In: En e p ise dis ibu ed objec compu -
ing wo kshop. IEEE, pp 152–155
ENISA (2022) Compendium o isk managemen amewo ks wi h
po en ial in e ope abili y. Technical epo , Eu opean Union
Agency o Cybe secu i y
F ank U (2014) Mul ile el modeling— owa d a new pa adigm o
concep ual modeling and in o ma ion sys ems design. Bus In
Sys Eng 6(6):319–337
F ank U (2018) The lexible mul i-le el modelling and execu ion
language (FMMLx). e sion 2.0: Analysis o equi emen s and
echnical e minology. Technical Repo 66, ICB-Resea ch
Repo
F eund J, Jones J (2015) Measu ing and managing in o ma ion isk.
Bu e wo h-Heinemann, Wal ham. h ps://doi.o g/10.1016/
C2013-0-09966-5
Geismann J, Bodden E (2020) A sys ema ic li e a u e e iew o
model-d i en secu i y enginee ing o cybe -physical sys ems.
J Sys So w 169:110697. h ps://doi.o g/10.1016/j.jss.2020.
110697
Geismann J, Ge king C, Bodden E (2018) Towa ds ensu ing secu i y
by design in cybe -physical sys ems enginee ing p ocesses. In:
P oceedings o he 2018 in e na ional con e ence on so wa e
and sys em p ocess, pp 123–127
Go schalk M, Usla M, Del s C (2017) The use case and sma g id
a chi ec u e model app oach: he IEC 62559–2 use case empla e
and he SGAM applied in a ious domains, 1s edn. Sp inge ,
Be lin
Guizza di G, P ope HA (2022) On unde s anding he alue o
domain modeling. EMISA
Hacks S, Ka sikeas S, Ling E, Lage s o
¨m R, Eks ed M (2020)
powe Lang: a p obabilis ic a ack simula ion language o he
powe domain. Ene gy In o m 3:1–17
Hacks S, Kaczma ek-Heß M, de Kinde en S, To
¨pel D (2022) A mul i-
le el cybe -secu i y e e ence model in suppo o ulne abili y
analysis. In: Almeida JPA, Ka as oyano a D, Guizza di G,
Mon ali M, Maggi FM, Fonseca CM (eds) En e p ise design,
ope a ions, and compu ing. Sp inge , Cham, pp 19–35
Ha ne M, B eu R, Ag ei e B, Nowak A (2006) SECTET: an
ex ensible amewo k o he ealiza ion o secu e in e -o gani-
za ional wo k lows. In e ne Res 16(5):491–506
Hamle JR, Keliiaa CM (2010) Assessmen o cu en cybe secu i y
p ac ices in he public domain: cybe indica ions and wa nings
domain. Technical epo . h ps://doi.o g/10.2172/992337,
h ps://www.os i.go /biblio/992337. Accessed 29 July 2024
Ha zog W (2018) P i acy’s bluep in : he ba le o con ol he design
o new echnologies. Ha a d Uni e si y P ess, Camb idge
He mann D, P ido
¨hl H (2020) Basic concep s and models o
cybe secu i y. Sp inge , Cham, pp 11–44. h ps://doi.o g/10.
1007/978-3-030-29053-5_2
He ne AR, Ma ch ST, Pa k J e al (2004) Design science in
in o ma ion sys ems esea ch. MIS Q 28(1):75–105
Jiang Y, Jeus eld MA, Ding J, Sandahl E (2023) Model-based
cybe secu i y analysis: ex ending en e p ise modeling o c i ical
in as uc u e cybe secu i y. Bus In Sys Eng 1–34
Johnson P, Lage s o
¨m R, Eks ed M (2018) A me a language o
h ea modeling and a ack simula ions. In: P oceedings o he
13 h in e na ional con e ence on a ailabili y, eliabili y and
secu i y, pp 1–8
Ju
¨ jens J (2002) UMLsec: ex ending UML o secu e sys ems
de elopmen . In: Je
´ze
´quel J, Hußmann H, Cook S (eds) UML
2002- he uni ied modeling language, 5 h in e na ional con e -
ence, D esden, Ge many, 2002, p oceedings, Sp inge , Heidel-
be g, LNCS, ol 2460, pp 412–425
Ju
¨ jens J (2005) Secu e sys ems de elopmen wi h UML. Sp inge ,
Heidelbe g
Kahn RE, McConnell M, Nye JS, Schwa z P, Daly NJ, Fick N,
Finnemo e M, Fon aine R, Gee DE, G oss DA, Healey J, Lewis
JA, Luca elli ME, Mahnken TG, McG aw G, Miksad RH,
Ra ay GJ, Roge s W, Sch oede CM (2011) Ame ica’s cybe
u u e: secu i y and p ospe i y in he in o ma ion age. Technical
epo , Cen e o a New Ame ican Secu i y. h p://www.js o .
o g/s able/ es ep06319.7. Accessed 24 May 2023
Ka sikeas S, Hacks S, Johnson P, Eks ed M, Lage s o
¨mR,
Jacobsson J, Wa
¨lls ed M, Eliasson P (2020) An a ack
simula ion language o he IT domain. In: Eades H III,
Gadya skaya O (eds) G aMSec. Sp inge , Heidelbe g, pp 67–86
K aus S, Du s S, Fe ei a JJ, Veiga P, Kaile N, Weinmann A (2022)
Digi al ans o ma ion in business and managemen esea ch: an
o e iew o he cu en s a us quo. In J In Manag 63:102466.
h ps://doi.o g/10.1016/j.ijin omg .2021.102466
Liu S, T i edi A, Yin X, Zamani M (2022) Secu e-by-cons uc ion
syn hesis o cybe -physical sys ems. Ann Re Con ol 53:30–50.
h ps://doi.o g/10.1016/j.a con ol.2022.03.004
Lund MS, Solhaug B, S ølen K (2010) Model-d i en isk analysis: he
CORAS app oach. Sp inge , Heidelbe g
Mo
¨lle DPF (2023) Cybe secu i y in digi al ans o ma ion. Sp inge ,
Cham, pp 1–70. h ps://doi.o g/10.1007/978-3-031-26845-8_1
123
S. de Kinde en e al.: A Mul i-Le el Re e ence Model..., Bus In Sys Eng 67(4):511–530 (2025) 529
Mo ana MM, Uceda Ve
´lez T (2015) Risk cen ic h ea modeling:
p ocess o a ack simula ion and h ea analysis. Wiley,
Hoboken
Mou a idis H, Gio gini P, Manson G, Philp I e al (2002) A na u al
ex ension o opos me hodology o modelling secu i y. In:
P oceedings agen o ien ed me hodologies wo kshop, annual
ACM con e ence on objec o ien ed p og amming, sys ems,
languages (OOPSLA), Sea le
Mylopoulos J (1992) Concep ual modelling and Telos. Concep ual
modelling, da abases, and CASE: an in eg a ed iew o in o -
ma ion sys em de elopmen . Wiley, Hoboken, pp 49–68
Na ional Ins i u e o S anda ds and Technology (2010) NISTIR
7628-guidelines o sma g id cybe secu i y ol. 1-3. Technical
Repo NISTIR 7628, Na ional Ins i u e o S anda ds and
Technology (NIST), Gai he sbu g, MD, USA. h ps://n lpubs.
nis .go /nis pubs/i /2010/NIST.IR.7628.pd . Accessed 29 July
2024
Na ional Ins i u e o S anda ds and Technology (2024) The NIST
cybe secu i y amewo k 2.0
Nies en E, Alkemade F (2016) How is alue c ea ed and cap u ed in
sma g ids? a e iew o he li e a u e and an analysis o pilo
p ojec s. Renew Sus ain Ene gy Re 53:629–638
Paja E, Dalpiaz F, Gio gini P (2015) Modelling and easoning abou
secu i y equi emen s in socio- echnical sys ems. Da a Knowl
Eng 98:123–143
Pauks ad U, Becke J (2021) Unco e ing he business alue o he
in e ne o hings in he ene gy domain—a e iew o sma
ene gy business models. Elec on Ma ke 31:51–66
Paye e J, Anegbe E, Cace es E, Muegge S (2015) Secu e by design:
cybe secu i y ex ensions o p ojec managemen ma u i y models
o c i ical in as uc u e p ojec s. Technol Inno Manag Re
5:26–34
Rosa F, Bonacin R, Jino M (2017) The secu i y assessmen domain: a
su ey o axonomies and on ologies. A Xi . h ps://doi.o g/10.
13140/RG.2.2.12437.73441
Sai a P, La com B, Edding on M (2005) T ike 1 me hodology
documen . h ps://www.oc o ike.o g/pape s/T ike_ 1_Me hodol
ogy_Documen -d a .pd . Accessed 09 Oc 2023
Sandkuhl K, Fill HG, Hoppenb ouwe s S, K ogs ie J, Ma hes F,
Opdahl A, Schwabe G, Uludag O
¨, Win e R (2018) F om expe
discipline o common p ac ice: a ision and esea ch agenda o
ex ending he each o en e p ise modeling. Bus In Sys Eng
60:69–80
San os JC, Ta i K, Mi akho li M (2017) A ca alog o secu i y
a chi ec u e weaknesses. In: 2017 IEEE in e na ional con e ence
on so wa e a chi ec u e wo kshops (ICSAW). IEEE,
pp 220–223
SGAM (2012) Sma g id e e ence a chi ec u e. Technical epo ,
CEN-CENELEC-ETSI Sma G id Coo dina ion G oup. h ps://
www.cencenelec.eu/media/CEN-CENELEC/A easO Wo k/
CEN-CENELEC_Topics/Sma %20G ids%20and%20Me e s/
Sma %20G ids/ e e ence_a chi ec u e_sma g ids.pd . Acces-
sed 09 Oc 2023
She chenko N, Chick TA, O’Rio dan P, Scanlon TP, Woody C
(2018) Th ea modeling: a summa y o a ailable me hods.
Ca negie Mellon Uni e si y So wa e Enginee ing Ins i u e
Pi sbu gh, Technical epo
Shok y M, Awad AI, Abd-Ellah MK, Khala AA (2022) Sys ema ic
su ey o ad anced me e ing in as uc u e secu i y: ulne abil-
i ies, a acks, coun e measu es, and u u e ision. Fu u Gen
Compu Sys 136:358–377. h ps://doi.o g/10.1016/j. u u e.2022.
06.013
Shos ack A (2008) Expe iences h ea modeling a Mic oso .
Technical epo , Mic oso
Shos ack A (2014) Th ea modeling: designing o secu i y. Wiley,
Hoboken
S ellios I, Ko zanikolaou P, Psa akis M, Alca az C, Lopez J (2018) A
su ey o IoT-enabled cybe a acks: assessing a ack pa hs o
c i ical in as uc u es and se ices. IEEE Commun Su Tu o
20(4):3453–3495
S om BE, Applebaum A, Mille DP, Nickels KC, Penning on AG,
Thomas CB (2018) Mi e ATT &CK: design and philosophy.
Technical epo , The MITRE Co po a ion
Tan awy A, Abdelwahed S, E adi A, Shaban K (2020) Model-based
isk assessmen o cybe physical sys ems secu i y. Compu
Secu 96:101864. h ps://doi.o g/10.1016/j.cose.2020.101864
Thalheim B (2011) The heo y o concep ual models, he heo y o
concep ual modelling and ounda ions o concep ual modelling.
Handbook o concep ual modeling: heo y, p ac ice, and esea ch
challenges. Sp inge , Heidelbe g, pp 543–577
Vial G (2019) Unde s anding digi al ans o ma ion: a e iew and a
esea ch agenda. J S a eg In Sys 28(2):118–144. h ps://doi.
o g/10.1016/j.jsis.2019.01.003
Wa e W (1970) Secu i y con ols o compu e sys ems: epo o
de ense science boa d ask o ce on compu e secu i y. Technical
epo , Rand Co po a ion. h ps://www. and.o g/pubs/ epo s/
R609-1.h ml#ix- esea ch-needed. Accessed 09 Oc 2023
Wie inga RJ (2014) Design science me hodology o in o ma ion
sys ems and so wa e enginee ing. Sp inge , Heidelbe g
Wya M (2017) Cybe secu i y sys ems: acquisi ion. De elopmen ,
and main enance, ol 23. Wiley, Hoboken, pp 335–346. h ps://
doi.o g/10.1002/9781119309741.ch23
Xiong W, Lage s o
¨m R (2019) Th ea modeling—a sys ema ic
li e a u e e iew. Compu Secu 84:53–69
Zhang T, Ji X, Zhuang Z, Xu W (2019) JamCa che : a mobile jamme
localiza ion scheme o ad anced me e ing in as uc u e in
sma g id. Sens 19(4):909
123
530 S. de Kinde en e al.: A Mul i-Le el Re e ence Model..., Bus In Sys Eng 67(4):511–530 (2025)