Tomada de Decisão em Segurança Cibernética: Modelo para Identificação de Joias da Coroa

• Edvan Gomes da Silva ^[1] ; Marcus Aurélio Carvalho Georg ^[1] ; Luiz Antônio Ribeiro Júnior ^[1] ; Leonardo Rodrigo Ferreira ^[2] ; Rafael Rabelo Nunes ^[3]
  1. [1] Universidade de Brasília

     Universidade de Brasília

     Brasil

     
  2. [2] Secretaria de Governo Digital do Ministério da Gestão e da Inovação em Serviços Públicos (MGI), Brasil.
  3. [3] Centro Universitário UniAtenas, Paracatu-MG, Brasil – Zipcode 38602-108 .

  Mostrar afiliaciones +
• Localización: RISTI: Revista Ibérica de Sistemas e Tecnologias de Informação, ISSN-e 1646-9895, Nº. Extra 77, 2025, págs. 60-73
• Idioma: portugués
• Títulos paralelos:
  • Decision-Making in Cybersecurity: A Model for Identifying Crown Jewels
• Enlaces
  • Texto completo (pdf)
• Resumen
  • English

    The increasing reliance of organizations on critical information technology systems, known as “Crown Jewels,” underscores the need for effective methods for their identification and evaluation. This study presents a structured approach to classifying critical IT assets within the Brazilian Federal Executive Branch. The methodology involved a literature review, surveys with 57 System for the Administration of Information Technology Resources (SISP) managers, and collaborative brainstorming sessions to define and validate criteria and subcriteria.

    The findings identified five key criteria: Organizational Mission, Image and Reputation, Affected User Volume, Financial Impact, and Legal/Regulatory Impact, organized into a hierarchical model. The main contribution of this study is the development of a structured methodology that integrates theoretical foundations with empirical validation, providing an adaptable model for various organizational contexts while enhancing risk management and cybersecurity practices.

  • português

    A crescente dependência de organizações em sistemas críticos de tecnologia da informação, conhecidos como “Joias da Coroa”, torna essencial o desenvolvimento de métodos eficazes para sua identificação e avaliação. Este estudo propõe uma abordagem estruturada para classificar ativos críticos no contexto dos órgãos do Poder Executivo Federal brasileiro. A metodologia adotada envolveu revisão de literatura, aplicação de questionários a 57 gestores do Sistema de Administração dos Recursos de Tecnologia da Informação (SISP) e sessões colaborativas de brainstorming para definir e validar critérios e subcritérios. Como resultado, foram identificados cinco critérios principais: Missão da Organização, Imagem e Reputação, Volume de Usuários Afetados, Impacto Financeiro e Impacto Legal/Regulatório, organizados em um modelo hierárquico. A principal contribuição deste estudo é a formulação de uma metodologia estruturada que integra bases teóricas e validação empírica, proporcionando um modelo adaptável a diferentes contextos organizacionais e aprimorando a gestão de riscos e segurança cibernética.

• Referencias bibliográficas
  • Aal, A., & Martin, A. (2012). Discussion group: Mission critical systems influence of component reliability on design decisions w.r.t....
  • Antoni, Marc, and Nadia Ammad. (2018). “Argus project-harnessing asset management to do cyber security to an uic guideline for railways.”...
  • Baginda, Y. P., Affandi, A., & Pratomo, I. (2018). Analysis of RTO and RPO of a Service Stored on Amazon Web Service (AWS) and Google...
  • Barclay, C. (2014). Sustainable Security Advantage In A Changing Environment: The Cybersecurity Capability Maturity Model (CM2). IEEE, 6858466.
  • Bennett, R. H., Fadil, P. A., & Greenwood, R. T. (1994). Cultural Alignment in Response to Strategic Organizational Change: New Considerations...
  • Bisogni, F., & Cavallini, S. (2010). Assessing the Economic Loss and Social Impact of Information System Breakdowns. https://doi.org/10.1007/978-3-642-16806- 2_13. Bologna,...
  • Breaz, T. O., & Jaradat, M. (2024). Strategic human resource management: aligning hr practices with organizational goals. https://doi.org/10.24818/imc/2023/04.01.
  • Brumfield, Cynthia and Bo Haugli. (2023). Cybersecurity Risk Management: Mastering the fundamentals using the NIST Cybersecurity Framework....
  • Brunner, E., & Suter, M. (2008). International CIIP Handbook 2008/2009: An Inventory of 25 National and 7 International Critical Infrastructure...
  • Burnett, R. (1996). Anticipate and Prevent — Managing the Legal Risks in Safety Critical Systems. https://doi.org/10.1007/978-1-4471-1480-2_9
  • Center for Threat-Informed Defense. (2025). Threat Modeling with ATT&CK: Question 1 - What are we working on? Disponível em: https://center-for-threat-informeddefense.github.io/threat-modeling-with-attack/question-1/...
  • Cox, R. G., & Robinson, D. G. (2004). Vulnerability of critical infrastructures: identifying critical nodes (No. SAND2004-2696). Sandia...
  • Davis, D. (1995). Legal Aspects of Safety Critical Systems. In Safe Comp 95: The 14th International Conference on Computer Safety, Reliability...
  • Emergency Management Australia. (2003). Critical Infrastructure Emergency Risk Management and Assurance Handbook, Mount Macedon, Australia.
  • European Commission. (2006). Proposal for a Directive of the Council on the Identification and Designation of European Critical Infrastructure...
  • Faria, N. C. (2022). Estratégia de Cibersegurança. Dissertação de Mestrado. Universidade do Minho, Portugal. https://repositorium.sdum.um...
  • Fekete, A. (2011). Common Criteria for the Assessment of Critical Infrastructures.*International Journal of Disaster Risk Science, 2*(1),...
  • Ficco, M. (2016). security and reliability of critical systems. Journal of Ambient Intelligence and Humanized Computing, 7, 149-151.
  • Georg, M. A. C., Rodrigues, W. M. S., de Melo Alves, C. A., Júnior, A. S., & Nunes, R. R. (2022). Os desafios da Segurança Cibernética...
  • Gil, A. C. (2009). Como elaborar projetos de pesquisa (4a ed.). São Paulo, Atlas.
  • Glenn, C., Sterbentz, D., & Wright, A. (2016). Cyber threat and vulnerability analysis of the US electric sector. Idaho National Lab....
  • Hardy, T. L. (2014). Resilience: A holistic safety approach. In 2014 Reliability and Maintainability Symposium (pp. 1-6). IEEE.
  • Hinchey, M., & Margaria, T. (2014). Evolving Critical Systems-Track Introduction. In Leveraging Applications of Formal Methods, Verification...
  • Hyatt, D., & Santos, J. R. (2022). An Input-Output Model to Determine the Operability and Economic Impacts of IT on Interdependent Industries....
  • Jonkeren, O. E., Dorneanu, B., Ward, D., & Giannopoulos, G. (2012). Regional economic assessment of Critical Infrastructure failure in...
  • Kissoon, Troy. (2022). Optimal spending on cybersecurity measures: Risk Management. Routledge, Abingdon, Oxon.
  • Kraven Security. (2024). Crown Jewel Analysis: How To Figure Out What To Protect. Disponível em: https://kravensecurity.com/crown-jewel-analysis/.
  • Langemeier, M. (2016). Identification of Unique Resources.” farmdoc daily (6): 105. Department of Agricultural and Consumer Economics, University...
  • Leirvik. (2023). Understand, Manage, and Measure Cyber Risk: Practical Solutions for Creating a Sustainable Cyber Program. Apress L. P., Berkeley,...
  • Li, N. X., Wang, F., Magoua, J. J., & Fang, D. (2022). Interdependent effects of critical infrastructure systems under different types...
  • Lima, E. D. O., Moreira, F. R., de Deus, F. E. G., Nze, G. D. A., de Sousa Júnior, R. T., & Nunes, R. R. (2022). Avaliação da Rotina Operacional...
  • Lis, P., & Mendel, J. (2019). Cyberattacks on critical infrastructure: An economic perspective. Economics & Business Review, 5(2).
  • Marconi, M. A., & Lakatos, E. M. (2003). Fundamentos de metodologia científica (5ª ed.). Atlas.
  • Matsumoto, N., Fujita, J., Endoh, H., Yamada, T., Sawada, K., & Kaneko, O. (2021). Asset management method of industrial IoT systems for...
  • Minayo, M. C. D. S. (2002). Pesquisa Social: Teoria, Método e Criatividade. 21ª Edição. Petrópolis: Editora Vozes.
  • Ministry of the Interior and Kingdom Relations. (2008). National Risk Assessment Method Guide 2008. The Hague, Países Baixos.
  • MITRE. (2025). Mitre crown jewels analysis (CJA). Disponível em: https://www.mitre. org/publications/systems-engineering-guide/enterprise-engineering/systemsengineering-for-mission-assurance/crown-jewels-analysis.
  • Moteff, J., Copeland, C. & Fischer, J. (2003). Critical Infrastructures: What Makes an Infrastructure Critical?, Washington: The Library...
  • Musman, S., Tanner, M., Temin, A., Elsaesser, E., & Loren, L. (2011). A systems engineering approach for crown jewels estimation and mission...
  • National Cyber Security Centre. (2024). Asset management. https://www.ncsc. gov.uk/ collection/10-steps/asset-management.
  • Onwubiko, C. (2012). Challenges to Managing Privacy Impact Assessment of Personally Identifiable Data. In Information Assurance and Security...
  • Pang, A. (2017). Product Safety Failure and Restoring Reputation Across Markets: Fonterra’s Management of the 2013 Bacterial Contamination...
  • Panzieri, S., & Setola, R. (2008). Failures propagation in critical interdependent infrastructures. International Journal of Modelling,...
  • Rao, G. V., & Krishna, D. J. (2015). Alignment of HR practices with organizational strategies. The Indian Journal of Industrial Relations,...
  • Reeder, J. R., & Hall, T. (2021). Cybersecurity’s pearl harbor moment. The Cyber Defense Review, 6(3), 15-40.
  • Schweikert, A., L’Her, G. F., & Deinert, M. (2021). Simple method for identifying interdependencies in service delivery in critical infrastructure...
  • Shoniregun, C. A. (2004). An investigation of information systems project failure and its implication on organisations. International Journal...
  • Singh, Sandeep. (2024). From NIST to Risk Model to Crown Jewels: The Evolution of Cybersecurity Models. LinkedIn. Disponível em: https://www.linkedin.com/pulse/ from-nist-risk-model-crown-jewels-evolution-models-sandeep-singh.
  • Tervo, H., & Wiander, T. (2010). Failures and Image. European Conference on Information Systems.
  • Theoharidou, M., Kotzanikolaou, P., and Gritzalis, D. (2009). Risk-Based Criticality Analysis. In Critical Infrastructure Protection III....
  • U.S. Department of Homeland Security. (2009). National Infrastructure Protection Plan 2009. Washington, DC, EUA.
  • Varga, S., Brynielsson, J., & Franke, U. (2021). Cyber-threat perception and risk management in the Swedish financial sector. Computers...
  • Walls, J., & Harley, B. (2022). Call for papers: Special issue of strategic organization: Impact driven strategy research for grand challenges....