Information Security Risk Assessment Research Articles

CAESAR8: An agile enterprise architecture approach to managing information security risks

In theory, implementing an Enterprise Architecture (EA) should enable organizations to increase the accuracy of information security risk assessments. In reality, however, organizations struggle to fully implement EA frameworks because the requirements for implementing an EA and the benefits of commercial frameworks are unclear, and the overhead of maintaining EA artifacts is unacceptable, especially for smaller organizations. In this paper, we describe a novel approach called CAESAR8 (Continuous Agile Enterprise Security Architecture Review in 8 domains) that supports dynamic and holistic reviews of information security risks in IT projects. CAESAR8’s nonlinear design supports continuous reassessment of information security risks, based on a checklist that assesses the maturity of security considerations in eight domains that often cause information security failures. CAESAR8 assessments can be completed by multiple stakeholders independently, thus ensuring consideration of their tacit knowledge while preventing groupthink. Our evaluation with experienced industry professionals showed that CAESAR8 successfully addresses real-world problems in information security risk management, with significant benefits particularly for smaller organizations.

Asset Identification in Information Security Risk Assessment Using Process Mining

Information security risk assessment (ISRA) currently has gaps in inadequate asset identification. This activity is still manual, depending on the approach adopted and used, thus leading to subjectivity and inaccuracies. Whereas incorrect identification will lead to inaccurate results. The need to consider the dependency of assets within ISRA, which is still not resolved by ISRA, complicates this. A process perspective that can view assets based on their role in organizational processes rather than physical connections should be able to bridge this gap. Unfortunately, Small and Medium Enterprises (SME) find it difficult to take advantage of this opportunity due to time and cost constraints. This research bridges this gap by providing a process-oriented perspective that uses process mining. It automates asset identification based on historically derived organizational workflows using Legacy Information Systems (LIS) triggers. For rigor and relevance, this research uses a series of design research evaluation stages: problem, design, construct, and usage. Problem evaluation is through the study of related literature. For design evaluation, it made comparisons with asset and process-oriented ISRA and preprocessing of process mining. The construct evaluation by testing the system before and after method implementation. It also considers the method's maximum capability. Meanwhile, usage evaluation through a case study on an inventory system. The contribution offered: (1) integrating process mining with ISRA, (2) making the process-aware LIS without disturbing the running process, (3) preparing an artifact to generate an event log using database trigger, and (4) automating ISRA's asset identification which also considers asset dependency.

Knowledge Transfer in Information Security Capacity Building for Community-Based Organizations

Community-based organizations (CBOs) in the health and human services sector handle very sensitive client information, such as psychiatric, HIV testing, criminal justice, and financial records. With annual revenue often in the range of $1 to $10 million, these organizations typically lack the financial, labor, and technical resources to identify and manage information security risks within their environment. Therefore, information security risk assessments were conducted at CBOs as part of a university service learning course intended to ultimately improve security within participating CBOs. Knowledge transfer between trainees and trainers is essential in order for security improvements to be realized. Therefore, this paper constructs a theoretical model of knowledge transfer that is used as a lens through which to examine initial study results of the CBO interventions as part of an exploratory study.

Perancangan Manajemen Risiko Keamanan Sistem Informasi Manajemen Sumber Daya dan Perangkat Pos dan Informatika (SIMS) Menggunakan Metode NIST 800-30

The development of an information system used in a government institution becomes very important if the system is part of storing data that is a state asset. SIMS contains data on frequency spectrum users who already have permits and contribute to Non-Tax State Revenue (PNBP). SIMS consists of public service applications and non-public service applications. In this study, an evaluation of SIMS risk management was developed using the NIST 800-30 framework. This research begins with risk identification, risk mitigation and evaluation of existing risks then provides recommendations for the control needed for SIMS.The results of the documentation of the information security risk assessment stages on SIMS using the NIST 800-30 method, it is necessary to take risk control and risk mitigation actions

The concept of assessing the risks of cybersecurity of the information system of the critical infrastructure object

Ensuring cyber and information security for critical infrastructure is achieved through the implementation of an appropriate set of information security management measures, which can be provided in the form of software policies, methods, procedures, organizational structures and functions. Information security requirements are determined, in particular, by systematic risk assessment of information security, which can be one of the elements of the predicted approach to identifying hazards in the provision of services to service participants in the information interaction of the information system. The paper presents conceptual provisions for assessing and managing cybersecurity risks of the critical infrastructure information system. The proposed concept involves the definition of: areas of security threats to the information system; involved information assets and calculation of their value; assessment of the probability of attacks on the information system; assessment of the probability of success of attacks on the information system and more. Risk assessment methods are proposed that take into account the probability of success of an attack and the probability of an attack occurring, which makes it possible to eliminate the shortcomings inherent in known approaches and provide more accurate identification of attack methods associated with the attacker's behavior. The concept of cybersecurity risk assessment and the methodology for analyzing and assessing security threats that are presented in the work correspond to approaches to building risk-oriented information security management systems and can become the basis for developing an information security system in the information system of a critical infrastructure object.

Computer Network Information System Security Prevention Methods under the Background of Big Data

With the rapid development of modern society, the administrative information content rapid growth of e-government information resource sharing becomes the key of the government departments for effective social management. The cloud technology Internet big data are widely used and popular, which enable information resources to be shared among government data and are both an opportunity and challenge for effective e-government information resource sharing. It is of great significance to enhance government credibility. Information security risk assessment is a comprehensive evaluation of the potential risk of an uncertain stochastic process, traditional evaluation methods are deterministic models, and it is difficult to measure the security risk of uncertainty. On the other hand, with the opening and complexity of information system business functions, the nonlinearity and complexity of evaluation calculation also increase. By studying the relatively mature assessment criteria and methods in the field of information security, this study analyzes the information security status of small Internet of Things system based on the characteristics of Internet of Things information security. Combining the latest research results of information entropy neural network and other fields with the original risk assessment methods, the improved AHP information security risk assessment model is verified by simulation examples.

DEVELOPING A FUZZY RISK ASSESSMENT MODEL FOR ERPSYSTEMS

Context. Because assessing information security risks is a complex and complete uncertainty process, and uncer-tainties are a major factor influencing valuation performance, it is advisable to use fuzzy methods and models that are adaptive to non-calculated data. The formation of vague assessments of risk factors is subjective, and risk assessment depends on the practical results obtained in the process of processing the risks of threats that have already arisen during the functioning of the organization and experience of information security professionals. Therefore, it will be advisable to use models that can adequately assess fuzzy factors and have the ability to adjust their impact on risk assessment. The greatest performance indicators for solving such problems are neuro-fuzzy models that combine methods of fuzzy logic and artificial neural networks and systems, i.e. “human-like” style of considerations of fuzzy systems with training and simulation of mental phenomena of neural networks. To build a model for calculating the risk assessment of information security, it is proposed to use a fuzzy product model. Fuzzy product models (Rule-Based Fuzzy Models/Systems) this is a common type of fuzzy models used to describe, analyze and simulate complex systems and processes that are poorly formalized.
 Objective. Development of the structure of a fuzzy model of quality of information security risk assessment and protection of ERP systems through the use of fuzzy neural models.
 Method. To build a model for calculating the risk assessment of information security, it is proposed to use a fuzzy product model. Fuzzy product models are a common kind of fuzzy models used to describe, analyze and model complex systems and processes that are poorly formalized.
 Results. Identified factors influencing risk assessment suggest the use of linguistic variables to describe them and use fuzzy variables to assess their qualities, as well as a system of qualitative assessments. The choice of parameters is substantiated and the structure of the fuzzy product model of risk assessment and the basis of the rules of fuzzy logical conclusion is developed. The use of fuzzy models for solving problems of information security risk assessment, as well as the concept and construction of ERP systems and analyzed problems of their security and vulnerabilities are considered.
 Conclusions. A fuzzy model has been developed risk assessment of the ERP system. Selected a list of factors affecting the risk of information security. Methods of risk assessment of information resources and ERP-systems in general, assessment of financial losses from the implementation of threats, determination of the type of risk according to its assessment for the formation of recommendations on their processing in order to maintain the level of protection of the ERP-system are proposed. The list of linguistic variables of the model is defined. The structure of the database of fuzzy product rules – MISO-structure is chosen. The structure of the fuzzy model was built. Fuzzy variable models have been identified.

Assessing system of systems information security risk with OASoSIS

The term System of Systems (SoS) is used to describe the coming together of independent systems, collaborating to achieve a new or higher purpose. However, the SoS concept is often misunderstood within operational environments, providing challenges towards the secure design and operation of SoSs. Limitations in existing literature indicates a need for discovery towards identifying a combination of concepts, models, and techniques suitable for assessing SoS security risk and related human factor concerns for SoS Requirements Engineering. In this article, we present OASoSIS, representing an information security risk assessment and modelling process to assist risk-based decision making in SoS Requirements Engineering. A characterisation process is introduced to capture the SoS context, supporting a SoS security risk assessment process that extends OCTAVE Allegro towards a SoS context. Resulting risk data provides a focused means to assess and model the SoS information security risk and related human factors, integrating tool-support using CAIRIS. A medical evacuation SoS case study scenario was used to test, illustrate, and validate the alignment of concepts, models, and techniques for assessing SoS information security risks with OASoSIS, where findings provide a positive basis for future work.

Information security risk analysis in the networks of the industrial internet of things

With the rapid development of the Industrial Internet of Things (IIoT), there has been a need to respond quickly, detect and prevent intrusions. These problems are especially relevant due to the projected growth in IIoT users. Risk assessment is an important part of the process of creating information security systems, including industrial complexes. The aim of this work is to develop a practical model for assessing information security risks in industrial Internet of Things networks. The proposed model is based on a simple additive weighting method and fuzzy logic. Fuzzy logic is appropriate for risk assessment and represents practical results. The implementation of the process of fuzzy modeling of the rule base is carried out by using the specialized package Fuzzy Logic Toolbox of the MATLAB software tool.

ОБ УСТОЙЧИВОСТИ ЛОГИСТИЧЕСКИХ СТРУКТУР НА ОСНОВЕ СМАРТ-КОНТРАКТОВ

One of the most promising solutions for optimizing logistics processes is the creation of automated supply management systems based on distributed registry technology, in particular a smart contract. However, in addition to the well-known economic advantages of such a technology, the expediency of its practical application will largely be determined by the stability of the functioning of these control systems in modern conditions of the threat of destabilizing influences. Currently, the solution to the security issues of smart contracts as programs are reduced to checking the source code of applications. Obviously, this is clearly not enough to ensure the reliability of logistics management, the stability of which can be determined on the basis of known methods for assessing the complex security of the corresponding IT system. This study adapts existing methods for auditing and assessing information security risks for an IT system using a smart contract, and the subject is to substantiate the applicability of such an approach to assessing the security of logistics processes, considering the features of smart contracts. The paper considers the features of the use of smart contracts in logistics processes, outlines appropriate approaches to audit and risk assessment of the functioning of the logistics management system based on smart contracts. Recommendations have been developed for the practical implementation of specific methods for assessing the security of an IT system using a smart contract, which is set by the authors as the goal of further work. The results of the study can be useful to specialists in the field of optimization of logistics processes and information security when developing new logistics schemes based on smart contracts.

Lightweight Cyber Security for Decision Support in Information Security Risk Assessment

Cyber-Security in the Internet of Things (IoT) is a major concern for information exploitation which hinder the growth of information system. To address security levels and issues, security risk assessment is considered an effective tool for system security, products, process, and readiness. Effective system vulnerabilities guidance is involved in the prioritization of security risk assessment. At present, the differential equation provides a significant tool for risk assessment. However, for second-order derivatives, the error rate is higher which impacts on overall risk assessment model. To overcome those limitations, this paper presented Decision Support Light Weight Risk Assessment Model (DSLiRAM). The proposed DSLiRAM is the domain-specific framework for security assessment. The proposed DSLiRAM is adopted in four stages for the specification of practices applied for cybersecurity and organizational characteristics. The proposed DSLiRAM includes a fuzzy differential equation with a second-order derivative. To minimize error rate Taylor series expansion is integrated with Fredholm for risk assessment. The proposed DSLiRAM is examined in three scenarios, RT server, BPCS, and HMI. Analysis of results stated that the proposed DSLiRAM significantly predicts risk and prevents the attack.

A fuzzy DRBFNN-based information security risk assessment method in improving the efficiency of urban development.

The rapid development of urban informatization is an important way for cities to achieve a higher pattern, but the accompanying information security problem become a major challenge restricting the efficiency of urban development. Therefore, effective identification and assessment of information security risks has become a key factor to improve the efficiency of urban development. In this paper, an information security risk assessment method based on fuzzy theory and neural network technology is proposed to help identify and solve the information security problem in the development of urban informatization. Combined with the theory of information ecology, this method establishes an improved fuzzy neural network model from four aspects by using fuzzy theory, neural network model and DEMATEL method, and then constructs the information security risk assessment system of smart city. According to this method, this paper analyzed 25 smart cities in China, and provided suggestions and guidance for information security control in the process of urban informatization construction.

Методический подход к комплексному описанию объекта информационной защиты

Purpose: on the basis of analysis of a comprehensive approach to the assessment of threats to information security to substantiate a methodological approach to a comprehensive description of the object of information protection with an assessment of its risks. Offer a tool for building private models and information security management system. Research method: use of partial integral index of security, which reflects the average risk of damage during the implementation of a threat of a certain type and characterizes the degree of danger. Analysis of the architecture of the object of assessment in relation to possible violations of information security, information security risk assessment using the apparatus of the theory of fuzzy sets when considering the methodological approach to a comprehensive description of the object of information security with an assessment of its risks. Result: proposed a comprehensive approach to assessing threats to the security of information. The assessment of the state of the protection object in case of violation of security is carried out with the help of particular integral index of security, which characterizes the possibility of inflicting damage in its implementation, according to which the ranking is made. On the basis of this methodical approach to complex description of the object of information protection with an assessment of its risks, using analysis of architecture of the object in application to possible violations of information security, and also making an assessment of risk using the apparatus of the theory of fuzzy sets is substantiated. This methodical approach is a formal tool for building private models and information security management system as a whole. On the basis of these models, it is possible to develop: methods of quantitative estimation of security; methods and approaches to the description of the factors influencing security; methods of security estimation of operating systems with use of the methodological approach to information systems security.

Comparative Framework for Information Security Risk Assessment Model

Comparative Framework for Information Security Risk Assessment Model

Methodology for Assessing the Risks of Information Enterprise Security Using Case Technologies

Purpose of the study. Creating an effective information security system of an enterprise is impossible without an adequate assessment of the risks to which its assets are exposed. The results of such an assessment should become the basis for making decisions in the field of information security of the enterprise. Identification of information assets and assessment of their value, determination of the level of threats to the security of assets allow planning measures to create an enterprise information security system.This paper discusses a methodology for assessing the risks of information security of an enterprise, a distinctive feature and novelty of which is the use of modern tools and methods for constructing and analyzing business processes in order to identify the information assets of an enterprise to be protected.Materials and methods. It is proposed to identify information assets based on the model of business processes of the enterprise, performed using the IDEF0 methodology. Modeling of business processes was carried out in the Business Studio environment of the “Modern Management Technologies” company.The activity of a typical IT-industry company was considered as an example for the risk analysis.Results. The methodology for assessing the risks of information security of an enterprise described in the article has been successfully tested in the educational process. Its use in conducting laboratory classes in the discipline “Designing the information security system of enterprises and organizations” for masters studying in the direction of “Information security” allowed, according to the authors of the article, to increase the effectiveness of the formation of students’ professional competencies.Conclusion. The paper proposes a methodology for assessing information security risks for objects of an enterprise’s information infrastructure, which makes it possible to identify priority areas of information security at an enterprise. As a result of the application of the technique, a loss matrix is formed, showing the problem areas in the organization of information protection, which should be given priority attention when planning information security measures. Based on the data obtained, it is possible to form an economically justified strategy and tactics for the development of an enterprise information security system.

From rationale to lessons learned in the cloud information security risk assessment: a study of organizations in Sweden

PurposeThis study aims to address the issue of practicing information security risk assessment (ISRA) on cloud solutions by studying municipalities and large organizations in Sweden.Design/methodology/approachFour large organizations and five municipalities that use cloud services and conduct ISRA to adhere to their information security risk management practices were studied. Data were gathered qualitatively to answer the study’s research question: How is ISRA practiced on the cloud? The Coat Hanger model was used as a theoretical lens to study and theorize the practices.FindingsThe results showed that the organizations aimed to follow the guidelines, in the form of frameworks or their own experience, to conduct ISRA; furthermore, the frameworks were altered to fit the organizations’ needs. The results further indicated that one of the main concerns with the cloud ISRA was the absence of a culture that integrates risk management. Finally, the findings also stressed the importance of a good understanding and a well-written legal contract between the cloud providers and the organizations using the cloud services.Originality/valueAs opposed to the previous research, which was more inclined to try out and evaluate various cloud ISRA, the study provides insights into the practice of cloud ISRA experienced by the organizations. This study represents the first attempt to investigate cloud ISRA that organizations practice in managing their information security.

Information Security Risk Assessment

Information security risk assessment is an important part of enterprises’ management practices that helps to identify, quantify, and prioritize risks against criteria for risk acceptance and objectives relevant to the organization. Risk management refers to a process that consists of identification, management, and elimination or reduction of the likelihood of events that can negatively affect the resources of the information system to reduce security risks that potentially have the ability to affect the information system, subject to an acceptable cost of protection means that contain a risk analysis, analysis of the “cost-effectiveness” parameter, and selection, construction, and testing of the security subsystem, as well as the study of all aspects of security.

Research on Information Security Risk Analysis and Prevention Technology of Network Communication Based on Cloud Computing Algorithm

Data communication network must use telephone, cable or optical fiber as transmission medium and computer as information receiving, output and communication tool. Customers can not only process the received information, but also realize information sharing through the network. With the wide application of network communication in daily life, network security issues have higher requirements. In order to solve the problems of subjectivity, long modeling time and low classification accuracy of information security risk assessment methods, this paper first proposes an intelligent information security risk assessment method based on decision tree. Compared with other classification algorithms such as support vector machine, the decision tree classification algorithm has no requirement for data category distribution, and has good classification effect and fast speed. Finally, this paper introduces the security measures in network data communication for reference only.

Research on classification method of new energy vehicle information security risk assessment

With the rapid development and popularization of intelligent Internet connected vehicle, the automobile and the physical world are combined together, which makes users have strong technology experience and life convenience. While enjoying the convenience and experience brought by the intelligent Internet connected vehicle, we are also faced with the risk of information security in the network world, even the security problems of the network world directly affect the security of the physical world. With the improvement of automobile ‘four modernizations’, the research on information security has become an important topic and research hotspot in the field of automobile. Risk assessment is one of the important research and work contents of automobile information security. Impact valuation is an important indicator of risk assessment. It is very important to determine the optimal cluster number for risk assessment model and risk assessment. In this paper, the fuzzy clustering impact estimates are divided into 2-12 categories during Evergrande’s risk assessment of an electric vehicle. The optimal number of clusters is determined by calculating the mixed F-statistics of each type of data. Conclusion shows that the best clustering number of impact estimates is 5.

Penilaian Risiko Keamanan Informasi Menggunakan Octave Allegro: Studi Kasus pada Perguruan Tinggi

Currently the need for the use of information systems has become important for institution and organizations. The use of information systems has also expanded to various fields, namely educational institutions. However, on the other hand information can be an important security gap. The important information that falls to other parties can result in loss to the owner of the information. This study aims to conduct an internal assessment of information security risks from the use of information systems, so that it can be seen what risks are very high and need to be mitigated. In this study, the Octave Allegro framework was used to conduct an internal assessment. The steps taken in conducting an information security risk assessment consist of 8 steps. Each step produces an output that is used as the basis for evaluating the next step. There are 2 areas that need attention and become the focus of improvement. Information security risk management needs to be carried out and monitored closely and regularly against risks that are determined to be important and have a high risk probability.