New method for assets sensitivity calculation and technical risks assessment in the information systems

IET Information Security

One of the most important components of an information security management system is the risk assessment process. Information technology system risks have a direct impact on an organisation's mission. Risk assessment allows organisations to identify weaknesses and security threats and to adopt appropriate solutions for dealing with those risks. Risk identification and assessment is the most important and most complex part of the risk management process. In this study, a method is presented to assess technical risks with regard to the sensitivity of each asset. A cyber battlefield framework is presented to analyse the sensitivity of the assets and then to determine the risk of each. The cyber battlefield contains exact information about the cyber environment, including a vulnerability knowledge repository, the tangible and intangible components of the cyber environment, and the relationships between them. Cyber-attacks are performed by exploiting vulnerabilities in the components of the cyber environment, so the present study focuses on providing a method to determine the risk arising from those vulnerabilities. Taking the cost of risk treatment into account, the risks are then prioritised.

http://iet.metastore.ingenta.com/content/journals/10.1049/iet-ifs.2018.5390