A risk assessment method for power internet of things information security based on multi‐objective hierarchical optimisation

TL;DR

This paper proposes a security risk assessment method for Power Internet of Things that integrates AHP and an improved multi-objective particle swarm optimization to evaluate risks across four key dimensions. The approach reduces the consistency index to 0.01 and achieves a 90.86% correlation with traditional assessments, enhancing reliability in heterogeneous device communication security evaluations.

Abstract

Power Internet of Things (PIoT) relies on various smart sensors and edge devices to support the operational status of the power grid. To address the challenge of conducting a comprehensive information security risk assessment for communication among heterogeneous devices in PIoT, a reliable security risk assessment method is proposed. This method, based on the analytic hierarchy process (AHP), considers four key dimensions: the cloud platform, communication transmission, edge side and terminal side. It integrates information indexes, the asset loss and risk probability to construct a risk assessment scheme oriented towards PIoT information security. An AHP judgement matrix that fails the consistency test is modified by using an improved multi‐objective particle swarm optimisation (IMPSO) algorithm, while minimising semantic offset distance. Verified through a case study, this method effectively reduces the consistency index to an average of 0.01 and achieves a correlation of 90.86% with traditional AHP assessment results.

Similar Papers
  • Book Chapter
  • Cite Count: 3
  • 10.1007/978-3-030-48513-9_48
A Survey of Information Intelligent System Security Risk Assessment Models, Standards and Methods
  • Jan 1, 2020
  • Lecture notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering
  • Zijian Ying + 4 more

This paper describes the theoretical hierarchy of information security risk assessment, which includes the models, standards and methods. Firstly, this paper generalizes and analyzes the security risk assessment models on the macro scale and proposes a common security risk assessment model by reviewing the development history of the models. Secondly, this paper compares different security risk assessment standards and classifies them into information security risk assessment standards, information security risk assessment management standards and information security risk assessment management implementation guidelines on the mesoscale. Then, on the micro scale, this paper generalizes security risk assessment methods and analyzes the security risk assessment implementation standards, which is the specific implementation method of security assessment work. Finally, this paper proposes a cloud security event description and risk assessment analysis framework based on the cloud environment and the common security risk assessment model we proposed.

Keywords: Assessment models; Security risk; Security standard

  • Research Article
  • Cite Count: 14
  • 10.5539/mas.v5n3p246
Multi-Objectives Model to Process Security Risk Assessment Based on AHP-PSO
  • Jun 2, 2011
  • Modern Applied Science
  • Gamal A Awad + 4 more

Nowadays security risk assessment plays a crucial role and is applied to the entire life cycle of information systems and communication technologies, but many models for security risk assessment are still non-practical; therefore, it should be measured and improved. In this paper, a novel approach, in which Analytic Hierarchy Process (AHP) and Particle Swarm Optimization (PSO) are combined with some changes, is presented. The method consists of the following: firstly, the analytic hierarchy structure of the risk assessment is constructed and the method of PSO comprehensive judgment is improved according to the actual condition of the information security. Secondly, the risk degree put forward is the PSO estimation of the risk probability, the risk impact severity and risk uncontrollability. Finally, it gives examples to prove that this method, Multi Objectives Programming Methodology (MOPM), can be well applied to security risk assessment and provides reasonable data for constituting the risk control strategy of the information systems security. Based on the risk assessment results, the targeted safety measures are taken, and the risk is transferred and reduced, which is controlled within an acceptable range.

  • Supplementary Content
  • Cite Count: 1
  • 10.21954/ou.ro.00009aca
Vulnerability identification errors in security risk assessments
  • Mar 20, 2014
  • Open Research Online (The Open University)
  • Stefan Taubenberger

At present, companies rely on information technology systems to achieve their business objectives, making them vulnerable to cybersecurity threats. Information security risk assessments help organisations to identify their risks and vulnerabilities. An accurate identification of risks and vulnerabilities is a challenge, because the input data is uncertain. So-called ‘vulnerability identification errors’ can occur if false positive vulnerabilities are identified, or if vulnerabilities remain unidentified (false negatives). ‘Accurate identification’ in this context means that all vulnerabilities identified do indeed pose a risk of a security breach for the organisation. An experiment performed with German IT security professionals in 2011 confirmed that vulnerability identification errors do occur in practice. In particular, false positive vulnerabilities were identified by participants. In information security (IS) risk assessments, security experts analyze the organisation’s assets in order to identify vulnerabilities. Methods such as brainstorming, checklists, scenario-analysis, impact-analysis, and cause-analysis (ISO, 2009b) are used to identify vulnerabilities. These methods use uncertain input data for vulnerability identification, because the probabilities, effects and losses of vulnerabilities cannot be determined exactly (Fenz and Ekelhart, 2011). Furthermore, business security needs are not considered properly; the security checklists and standards used to identify vulnerabilities do not consider company-specific security requirements (Siponen and Willison, 2009). In addition, the intentional behaviour of an attacker when exploiting vulnerabilities for malicious purposes further increases the uncertainty, because predicting human behaviour is not just about existing vulnerabilities and their consequences (Pieters and Consoli, 2009), rather than preparing for future attacks.
As a result, current approaches determine risks and vulnerabilities under a high degree of uncertainty, which can lead to errors. This thesis proposes an approach to resolve vulnerability identification errors using security requirements and business process models. Security requirements represent the business security needs and determine whether any given vulnerability is a security risk for the business. Information assets’ security requirements are evaluated in the context of the business process model, in order to determine whether security functions are implemented and operating correctly. Systems, personnel and physical parts of business processes, as well as IT processes, are considered in the security requirement evaluation, and this approach is validated in three steps. Firstly, the systematic procedure is compared to two best-practice approaches. Secondly, the risk result accuracy is compared to a best-practice risk-assessment approach, as applied to several real-world examples within an insurance company. Thirdly, the capability to determine risk more accurately by using business processes and security requirements is tested in a quasi-experiment, using security professionals. This thesis demonstrates that risk assessment methods can benefit from explicit evaluation of security requirements in the business context during risk identification, in order to resolve vulnerability identification errors and to provide a criterion for security.

  • Conference Article
  • Cite Count: 13
  • 10.1109/ifita.2009.294
Security Risk Assessment Model Based on AHP/D-S Evidence Theory
  • May 1, 2009
  • Lu Simei + 3 more

Information system security risk assessment is very important even in the presence of uncertainty in the system. In this paper, we propose a method of AHP/D-S evidence theory to handle the uncertainty of the system. Compared with other methods, the analytic hierarchy process (AHP) method has been widely used in security risk assessment, for this method can change a qualitative index into a quantitative index. Realistic risk assessment involves many uncertainty factors, some of which are even unknown. Considering that the Dempster-Shafer theory of evidence (D-S) is able to treat those uncertainties very well, this paper proposes a risk assessment model which is generated by combining the AHP method with the D-S method to solve these problems. Not only does the AHP/D-S method combine the advantages of both, but it can also solve uncertain problems more scientifically. Finally, a sample of how to use the AHP/D-S method in security risk assessment is given to prove our method.

  • Research Article
  • 10.1177/14727978241300787
Exploring enterprise information security management and risk assessment through big data and the Internet of Things
  • Nov 14, 2024
  • Journal of Computational Methods in Sciences and Engineering
  • Hong Yu

With the rapid evolution of information technology, enterprise information security management and risk assessment have gained paramount importance. The objective of this study is to offer a comprehensive solution aimed at bolstering the accuracy, security, and efficiency of information security management. This is achieved through the integration of big data and Internet of Things (IoT) technologies, thereby safeguarding critical enterprise data and private information. Effective management of enterprise information security systems is imperative for upholding confidentiality, integrity, and availability, necessitating a holistic approach. This study, through in-depth theoretical analysis, proposes the combination of blockchain technology with big data to enhance the security and trustworthiness of enterprise IoT systems. Starting with practical issues, the study stores identification cards for IoT sensor devices and related information’s hash values in the blockchain, thus establishing an integrated enterprise information security IoT system model that combines big data and blockchain. Finally, the model is tested and subjected to risk assessment. The results show that the model achieves an identification accuracy of 90.941% for system information security management, with stable data transmission latency at around 192 milliseconds, significantly outperforming other algorithms. This research carries significant implications for the field of enterprise information security management by presenting an innovative solution that demonstrates lower communication overhead and higher throughput than alternative algorithms. It not only pioneers a novel approach to managing enterprise information security but also establishes a robust experimental groundwork for the future evolution of intelligent enterprise information security management systems. 
By enhancing the efficiency of information security and risk assessments, this study aims to propel forward advancements in enterprise information security management, potentially mitigating risks to businesses and individuals alike, thereby contributing to the stability and security of the digital society.

  • Research Article
  • Cite Count: 36
  • 10.3390/jrfm10020010
A Risk Management Framework for Cloud Migration Decision Support
  • Apr 22, 2017
  • Journal of Risk and Financial Management
  • Shareeful Islam + 3 more

Keywords: risk management framework; risk assessment; cloud migration; security; analytic hierarchy process (AHP); business value

  • Research Article
  • Cite Count: 1
  • 10.12783/dteees/epee2017/18155
Analytic Hierarchy Process Based Risk Assessment Method for Internet of Things
  • Feb 8, 2018
  • DEStech Transactions on Environment, Energy and Earth Sciences
  • Ran Wang

Internet of Things (IoT for short) is an emerging Internet-based global information architecture that promotes the exchange of goods and services in the global supply chain network. IoT not only brings a lot of convenience to society but also faces a growing number of complex security risks. The basis of solving risk is accurate assessment of the possibility and the loss of the risk occurrence. However, in fact, when assessing the risk, most companies still rely on personal work experience and knowledge to carry out emotional qualitative judgments, making the assessment results inaccurate. Through the combination of Analytic Hierarchy Process (AHP) and the practice of risk assessment, a risk assessment method using AHP is formed, and a simulation experiment is carried out on the typical application of a positioning system in IoT. The results show that the risk assessment method can be used to solve the risk assessment method which is combined with qualitative and quantitative analysis, which makes the result of risk assessment more scientific and accurate.

  • Research Article
  • Cite Count: 3
  • 10.18372/2410-7840.15.4216
Risk analysis and assessment of information resources
  • Mar 15, 2013
  • Ukrainian Information Security Research Journal
  • Світлана Володимирівна Казмірчук

The construction of an information security management system (ISMS), a complex system of information security and other security systems requires carrying out analysis and security risk assessment. The existing assessment tools are in their majority based on statistical approaches. In many countries, both at the enterprise level and at the State level, such statistics are not collected. This limits the ability of existing tools, such as the use of different input data types for assessment. A known tool gives the administration no opportunity for risk analysis and risk assessment over a wide range of initial parameters. On the basis of the proposed risk analysis and assessment method, which is based on the use of an integrated model representation of the risk parameters and allows an assessment to be conducted in deterministic and fuzzy conditions using ten parameters that can be represented in numeric and linguistic form, a software system of risk analysis and assessment of information resources losses was implemented. To verify the developed software product, various situations connected with the information security resources were designed. The received results confirm the adequacy of the software response to value changes of the estimated component under different environment conditions, while the risk value does not change significantly when the basis of estimated components is changed.

  • Research Article
  • Cite Count: 1
  • 10.22227/1997-0935.2022.11.1574-1585
Assessment of information security risks for construction enterprises
  • Nov 1, 2022
  • Vestnik MGSU
  • Natalia N Shchepkina

Introduction. The instability of the global economy, caused by the macroeconomic and geopolitical uncertainty, put forward new information security (IS) requirements applicable to enterprises operating in various industries. The result is a different vision of the problem of IS risk assessment. Systems of IS risk assessment used in international practice were analyzed; their weaknesses were identified in this article. These weaknesses were used by the author as the basis for choosing an approach to IS risk assessment. The approach chosen to assess the IS risk in accordance with the international FAIR standard was based on the factor analysis of the IS risk.
 Materials and methods. The author used the research techniques that belong to the group of analytical methods (analysis, classification, and comparative analysis). They allow developing an integrated solution in terms of the choice of an approach to the IS risk assessment for a construction enterprise in accordance with the FAIR international standard. The Russian IS risk assessment regulatory and legal framework, international IS risk assessment standards, as well as information taken from open-access Russian and foreign sources were used.
 Results. A consistent solution contributed to the choice of an approach to the IS risk assessment in accordance with the international FAIR standard and the formation of a set of factors needed for a factor analysis of IS risks typical for a construction enterprise. The proposed system of factors takes into account the practical experience, accumulated by IS enterprises operating in various industries and relevant theoretical developments presented in research papers.
 Conclusions. In the course of analyzing the problem in question, the author succeeded at choosing an approach to IS risk assessment at construction enterprises. This approach encompasses a qualitative and quantitative assessment of factors triggering IS risks in accordance with the international FAIR standard.

  • Conference Article
  • Cite Count: 2
  • 10.1109/liss.2015.7369664
Classified information system security risk assessment model of the research
  • Jul 1, 2015
  • Chong Peng + 1 more

The development of information technology has led government and military departments to place higher demands on information system security. Because of its uniqueness, classified information system security risk assessment differs from that of common information security systems. Taking the classified information system as the research object, this paper first analyses the characteristics of the classified information system and, in view of its uniqueness, analyses and evaluates the existing information security risk assessment methods. Then an evaluation model based on AHP (analytic hierarchy process) and grey theory is introduced into classified information system security risk assessment, providing a new technical approach for classified information system security risk assessment. Finally, model validation confirms that this model is suitable for practical classified information system security risk assessment.

  • Research Article
  • Cite Count: 9
  • 10.3390/ani13122035
Risk Assessment Model System for Aquatic Animal Introduction Based on Analytic Hierarchy Process (AHP).
  • Jun 19, 2023
  • Animals
  • Xuxin Zhang + 6 more

The spread of invasive species (IS) has the potential to upset ecosystem balances. In extreme cases, this can hinder economical utilization of both aquatic (fisheries) and terrestrial (agricultural) systems. As a result, many countries regard risk assessment of IS as an important process for solving the problem of biological invasion. Yet, some IS are purposefully introduced for what is seen as their potential economic benefits. Thus, conducting IS risk assessments and then formulating policies based on scientific information will allow protocols to be developed that can reduce problems associated with IS incursions, whether occurring purposefully or not. However, the risk assessment methods currently adopted by most countries use qualitative or semiquantitative methodologies. Currently, there is a mismatch between qualitative and quantitative assessments. Moreover, most assessment systems are for terrestrial animals. What is needed is an assessment system for aquatic animals; however, those currently available are relatively rudimentary. To fill this gap, we used the analytic hierarchy process (AHP) to build a risk assessment model system for aquatic IS. Our AHP has four primary indexes, twelve secondary indexes, and sixty tertiary indexes. We used this AHP to conduct quantitative risk assessments on five aquatic animals that are typically introduced in China, which have distinct biological characteristics, specific introduction purposes, and can represent different types of aquatic animals. The assessment results show that the risk grade for Pterygoplichthys pardalis is high; the risk grade for Macrobrachium rosenbergii, Crassostrea gigas, and Trachemys scripta elegans is medium; and the grade risk for Ambystoma mexicanum is low. Risk assessment of the introduction of aquatic animals using our AHP is effective, and it provides support for the introduction and healthy breeding of aquatic animals. 
Thus, the AHP model can provide a basis for decision-making risk management concerning the introduction of species.

  • Research Article
  • Cite Count: 4
  • 10.1088/1757-899x/719/1/012008
Research on Security Risk Assessment Based on the Improved FAHP
  • Jan 1, 2020
  • IOP Conference Series: Materials Science and Engineering
  • Wenmin Li + 6 more

In order to reduce the subjectivity of the information security risk assessment process and improve assessment efficiency, we propose a new method of information security risk assessment based on improved FAHP (Fuzzy Analytic Hierarchy Process) to analyse the information security-related standards for domestic and international risk assessment. We establish a Hierarchical Security Assessment Model and introduce refinement indicators and Intuitionistic Fuzzy Sets to reduce subjective judgment factors in the assessment of traditional risk. We then applied the method to an e-commerce company as a case study to analyse the security risk, and the results are satisfactory and in line with the actual situation of the company. The indicator system of this method is more objective and comprehensive and the evaluation process is more efficient, which provides new ideas for risk assessment of existing information security companies.

  • Conference Article
  • Cite Count: 1
  • 10.1109/isme.2010.129
Research on the Risk Assessment Method of Vicarious Management Corporation Based on the Fuzzy AHP Method
  • Aug 1, 2010
  • Guodong Ni + 4 more

This paper analyzed the characteristics of vicarious management projects and their requests to the vicarious management work, discussed the significance of the risk assessment of the vicarious management corporation (VMC), identified the risk of the VMC using the risk breakdown structure method, and brought forward a risk assessment method based on the analytic hierarchy process (AHP) method, Delphi method and fuzzy mathematics theory. The paper established the risk factors set and assessment set, and determined the weight and the assessment matrix of each factor, and constructed the fuzzy assessment model. The paper validated the risk assessment method through a vicarious management project as an example in Xuzhou City, Jiangsu Province of China, and drew the conclusion finally that this risk assessment method is easy to operate and implement, the assessment results have reference values, and the method can be widely used.

  • Research Article
  • 10.4028/www.scientific.net/amm.505-506.990
Research on Quantification of Airline SMS Security Risk Assessment
  • Jan 1, 2014
  • Applied Mechanics and Materials
  • Rong Shi + 1 more

The work on airline security risk assessment at home and abroad is mainly confined to safety evaluation, and research on security risk assessment is scarce. Taking the flight safety system of an airline as an example, fuzzy comprehensive evaluation and the analytic hierarchy process (AHP) are used to calculate the value of the risk of the flight safety system based on a risk assessment matrix. A flight safety risk assessment index system is established, and the weights of the index system are determined by the analytic hierarchy process. The relevant indicator values of risk probability and severity are calculated respectively by using fuzzy evaluation. Ultimately, the values of the flight safety risk assessment are obtained. Example calculations demonstrate the feasibility, effectiveness and practicality.

  • Conference Article
  • Cite Count: 4
  • 10.2991/icfcce-14.2014.9
A Practical Solution to the Information Security Risk Evaluation Problems in Power Systems
  • Jan 1, 2014
  • Yun Ye + 3 more

With the rapid development of computer and network technology, information technology has been widely used in many energy systems, such as the power system. The power system is a very important sector and energy industry in China, but it presents more and more weaknesses in its information systems along with the increasing dependence on information and network systems. Information security has threatened the secure and steady operation of the power system, which means that grid information security will face great threats and challenges. Therefore, information security risk assessment is vitally important for the state grid, whose electric power information level is very deep. Risk assessment of the power system provides the data of current risks and points out the future risks and the potential impact of these risks in the power system. Therefore, risk assessment supports very important analysis methods and assessment tools for the power system. Currently, the grid system lacks effective information security assessment. In this paper, we carried out an improved theoretical model using the analytic hierarchy process (AHP) method based on the current state of the power system. Finally, we simplified the situation and evaluated the terminals’ risk in detail using the data in the power system through another simplified model. We can conclude that both of the models are effective in evaluating the assessment risk in power systems.

Index Terms: information security risk assessment, power system, Analytic Hierarchy Process
