Search Results

Showing 1 - 2 of 2
  • Publication
    From policy to practice: a sector-agnostic operational framework for post-quantum cryptography transition
    (Institute of Electrical and Electronics Engineers Inc., 2026-03-02) Birgin, Berat; Çeliktaş, Barış
    The pace of quantum computing development necessitates not only the adoption of post-quantum cryptographic algorithms, but also the establishment of an executable and auditable institutional transition process. Although guidance documents published by the National Institute of Standards and Technology (NIST) and roadmaps proposed by the Post-Quantum Cryptography Coalition (PQCC) articulate strategic objectives, they largely remain procedural constructs lacking a concrete operational execution model. This paper presents an industry-neutral operational framework that translates policy-level post-quantum cryptography (PQC) guidance into deterministic, proof-producing process flows encompassing cryptographic asset discovery, classification, risk modeling, algorithm selection, deployment, monitoring, and governance enforcement. Central to the framework is a deterministic Quantum Risk Scoring (QRS) function, calibrated using the Analytical Hierarchy Process (AHP), which enables reproducible asset prioritization and policy-driven enforcement decisions. Framework executability is further strengthened through cryptography-aware continuous integration/continuous deployment (CI/CD) validation gates and downgrade protection mechanisms, ensuring the generation of verifiable and immutable audit artifacts. A scenario-based operational validation, implemented using open-source toolchains, demonstrates the framework’s operability, auditability, and governance alignment without relying on empirical cryptographic performance benchmarks, confirming that PQC transition can be operationalized as a verifiable lifecycle process bridging policy guidance with enforceable technical actions. Rather than introducing new cryptographic primitives, this work formalizes PQC transition as an operational systems-engineering problem centered on governance-enforced execution and lifecycle verifiability.
  • Publication
    Automating cyber risk assessment with public LLMs: an expert-validated framework and comparative analysis
    (Institute of Electrical and Electronics Engineers Inc., 2026-03-26) Ünal, Nezih Mahmut; Çeliktaş, Barış
    Traditional cyber risk assessment methodologies face a critical dilemma: they are either quantitative yet static and context-agnostic (e.g., CVSS), or context-aware yet highly labor-intensive and subjective (e.g., NIST SP 800-30). Consequently, organizations struggle to scale risk assessment to match the pace of evolving threats. This paper presents an automated, context-aware risk assessment framework that leverages the reasoning capabilities of publicly available Large Language Models (LLMs) to operationalize expert knowledge. Rather than positioning the LLM as the final decision-maker, the framework decouples semantic interpretation from risk scoring authority through a transparent, deterministic Dynamic Metric Engine. Unlike complex closed box machine learning models, our approach anchors the AI's reasoning to this expert-validated metric schema, with weights derived using the Rank Order Centroid (ROC) method from a survey of 101 cybersecurity professionals. We evaluated the framework through a comparative study involving 15 diverse real-world vulnerability scenarios (C1-C15) and three supplementary sensitivity stress tests (C16-C18). The validation scenarios were independently assessed by a cohort of ten senior human experts and two state-of-the-art LLM agents (GPT-4o and Gemini 2.0 Flash). The results show that the LLM-driven agents achieve scoring consistency closely aligned with the human median (Pearson r ranging from 0.9390 to 0.9717, Spearman ρ from 0.8472 to 0.9276) against a highly reliable expert baseline (Cronbach's α = 0.996), while reducing the assessment cycle time by more than 100× (averaging under 4 seconds per case vs. a human average of 6 minutes). Furthermore, a dedicated context sensitivity analysis (C13-C15) indicates that the framework adapts risk scores based on organizational context (e.g., SME vs. Critical Infrastructure) for identical technical vulnerabilities. Importantly, the system is designed not merely to replicate expert intuition, but to enforce bounded, policy-consistent risk evaluation under predefined governance constraints. Overall, these findings suggest that commercially available LLMs, when constrained by expert-validated metric schemas, can support reproducible, transparent, and real-time risk assessments.