6 results on '"Dobrovoljc, Andrej"'
Search Results
2. Odkrivanje potencialnih groženj za informacijski sistem (Detecting potential threats to an information system)
- Author
- Dobrovoljc, Andrej
- Subjects
- information system, attacker, information security, risk assessment, threat, lcsh:Personnel management. Employment management, lcsh:HF5549-5549.5
- Abstract
Research Question (RQ): Can the information system characteristics help us identify potential future threats? Purpose: We want to examine the relationship of ordinary users and different groups of attackers to the properties of the information system. At the same time, we focus on measuring the importance of the information system properties for each population. Method: We conducted a quantitative survey using a questionnaire. Descriptions of the information systems used in the questionnaire were defined on the basis of the available data on the web. Results: We have confirmed the assumption that attackers mostly evaluate the same properties of the information system differently from the usual users. As a rule, attackers recognize in most properties more value than normal users, and in some cases these differences are obvious. Differences are also among the attackers. The results are a good basis for further research, namely checking which elements of the human threat are contributed by individual characteristics. Organization: The properties of the observed information system where ordinary users and attackers experience obvious differences in valuation can be a good indicator of risk. By identifying such features, we can improve decision-making in risk assessment. Society: The research aims to strengthen the belief that it is important to take into account the aspect of the attacker during risk assessment, and to create a model of future human threats before they start designing the information system. Originality: The survey confirms the idea that the aspect of the attacker should be taken into account in the risk assessment. The experiment showed that attackers give higher value to most of the information system properties than ordinary users. Limitations/Future Research: We could include information security experts in the survey, rather than real attackers who are in fact a hidden population. In further research, we want to check how the characteristics of the information system contribute to individual elements of the human threat (motivation, recognition of opportunities, ability testing).
- Published
- 2018
3. Proaktivno obvladovanje tveganj v informacijskih sistemih (Proactive risk management in information systems)
- Author
- Dobrovoljc, Andrej and Trček, Denis
- Subjects
- prioritization method, threat, quantitative assessment, vulnerability, attacker, prioritization policy, threat agent, risk
- Abstract
Managing security risks is one of the major challenges in modern information systems. Threats often come via the World Wide Web and are therefore difficult to predict. Thus, attackers can always be a step ahead of us and a reactive approach based on known security incidents is not sufficient. A much higher security level can be achieved by active detection and neutralization of software vulnerabilities. When a large number of vulnerabilities are present in the system, they have to be prioritized for removal according to their severity. With a proactive approach, where we foresee which vulnerabilities will be more likely exploited in practice, the highest level of security can be assured. A widely used prioritization policy based upon a CVSS (Common Vulnerability Scoring System) score is frequently criticised for bad effectiveness. The main reason is that the CVSS score alone is not a good predictor of vulnerability exploitation in the wild. One of the key challenges in this area is therefore to identify the indicators of exploitation. Since the exploitation of a vulnerability is basically a human threat, it is reasonable to take into account the characteristics of typical attackers. We propose several methods for setting priorities that take this into account. Methods have to be compared according to their effectiveness in risk mitigation. To this end, we have developed a valuation model that allows such comparisons. Proposed methods, which take into account human threats, were compared with the most popular existing methods. In the experiment we used vulnerability data from publicly available databases. Experimental results show that methods which take into account the characteristics of attackers are generally more effective than existing methods. The effectiveness was also confirmed in some real cases of information systems in practice.
- Published
- 2018
4. Proactive risk management in information systems
- Author
- Dobrovoljc, Andrej
- Subjects
- Computer and Information Science
- Abstract
Managing security risks is one of the major challenges in modern information systems. Threats often come via the World Wide Web and are therefore difficult to predict. Thus, attackers can always be a step ahead of us and reactive approach based on known security incidents is not sufficient. A much higher security level can be achieved by active detection and neutralization of software vulnerabilities. When a large number of vulnerabilities are present in the system, they have to be prioritized for removal according to their severity. With a proactive approach, where we foresee which vulnerabilities will be more likely exploited in practice, the highest level of security can be assured. A widely used prioritization policy based upon a CVSS (Common Vulnerability Scoring System) score is frequently criticised for bad effectiveness. The main reason is that the CVSS score alone is not a good predictor of vulnerability exploitation in the wild. One of the key challenges in this area is therefore to identify the indicators of exploitation. Since the exploitation of vulnerability is basically a human threat, it is reasonable to take into account the characteristics of typical attackers. We propose several methods for setting priorities that take this into account. Methods have to be compared according to their effectiveness in risk mitigation. To this end, we have developed a valuation model that allows such comparisons. Proposed methods, which take into account human threats, were compared with the most popular existing methods. In the experiment we used vulnerability data from publicly available databases. Experimental results show that methods which take into account the characteristics of attackers are generally more effective than existing methods. The effectiveness was also confirmed in some real cases of information systems in practice.
- Published
- 2018
5. Učinkovitost obvladovanja procesov v organizaciji (Effectiveness of process management in an organization)
- Author
- Dobrovoljc, Andrej
- Subjects
- area measurement, scientific literature, point processes, computer software management, decision making
- Abstract
Copyright of Journal of Universal Excellence (JUE) / Revija za Univerzalno Odličnost (RUO) is the property of Fakulteta za Organizacijske Studije v Novem mestu and its content may not be copied or emailed to multiple sites or posted to a listserv without the copyright holder's express written permission. However, users may print, download, or email articles for individual use. This abstract may be abridged. No warranty is given about the accuracy of the copy. Users should refer to the original published version of the material for the full abstract. (Copyright applies to all Abstracts.)
- Published
- 2019
6. Predicting Exploitations of Information Systems Vulnerabilities Through Attackers' Characteristics
- Author
- Dobrovoljc, Andrej (primary); Trček, Denis; Likar, Borut
- Published
- 2017