208 results on '"security risk assessment"'
Search Results
2. How do professionals assess security risks in practice? An exploratory study.
- Author
-
Harris, William and Sadok, Moufida
- Subjects
OPERATIONAL risk, PROFESSIONAL practice, RISK assessment, SECURITY management, STANDARDS
- Abstract
There are a number of standards and frameworks for security risk assessment; however, it appears that their application and adaptation to real organisational practices are rather limited. This paper reports some results from inquiries into risk assessment practices of security professionals in Ireland. The key findings show a lack of consensus on basic terminology when it comes to defining risk and risk assessment. The interviewed security professionals have developed varied approaches in practice and rather refer to their intuition and previous experiences. While the paper focuses on Ireland, the lack of consensus regarding the definition, and use of security terminology and practices, especially in the area of security risk management, is not necessarily limited to Ireland. [ABSTRACT FROM AUTHOR]
- Published
- 2024
- Full Text
- View/download PDF
3. Security Risk Assessment for Patient Portals of Hospitals: A Case Study of Taiwan
- Author
-
Yeh PC, Yeh KW, and Huang JL
- Subjects
security risk assessment, healthcare information system, electronic health record, electronic medical record, emr exchange center, vulnerability scanner, Public aspects of medicine, RA1-1270
- Abstract
Pei-Cheng Yeh,1,2 Kuen-Wei Yeh,3–5 Jiun-Lang Huang6,7
1Graduate Institute of Clinical Dentistry, School of Dentistry, College of Medicine, National Taiwan University, Taipei, Taiwan, Republic of China; 2Division of Endodontics, Department of Stomatology, Taichung Veterans General Hospital, Taichung, Taiwan, Republic of China; 3Investigation Bureau, Ministry of Justice, New Taipei City, Taiwan, Republic of China; 4Department of Electrical Engineering, Chinese Culture University, Taipei, Taiwan, Republic of China; 5Department of Information, Chinese Culture University, Taipei, Taiwan, Republic of China; 6Department of Electrical Engineering, National Taiwan University, Taipei, Taiwan, Republic of China; 7Graduate Institute of Electronics Engineering, National Taiwan University, Taipei, Taiwan, Republic of China
Correspondence: Kuen-Wei Yeh, Email m49009@mjib.gov.tw
Background: Growing cyberattacks have made it more challenging to maintain healthcare information system (HIS) security in medical institutes, especially for hospitals that provide patient portals to access patient information, such as electronic health records (EHR).
Objective: This work aims to evaluate the patient portal security risk of Taiwan's EEC (EMR Exchange Center) member hospitals and analyze the association between patient portal security, hospital location, contract category and hospital type.
Methods: We first collected the basic information of EEC member hospitals, including hospital location, contract category and hospital type. Then, the patient portal security of individual hospitals was evaluated by a well-known vulnerability scanner, UPGUARD, to assess whether a website is vulnerable to high-level attacks such as denial of service attacks or ransomware attacks. Based on their UPSCAN scores, hospitals were classified into four security ratings: absolute low risk, low to medium risk, medium to high risk and high risk. Finally, the associations between security rating, contract category and hospital type were analyzed using chi-square tests.
Results: We surveyed a total of 373 EEC member hospitals. Among them, 20 hospital patient portals were rated as "absolute low risk", 104 hospital patient portals as "low to medium risk", 99 hospital patient portals as "medium to high risk" and 150 hospital patient portals as "high risk". Further investigation revealed that the patient portal security of EEC member hospitals was significantly associated with the contract category and hospital type (P < 0.001).
Conclusion: The analysis results showed that large-scale hospitals generally had higher security levels, implying that the security of low-tier and small-scale hospitals may warrant reinforcement or strengthening. We suggest that hospitals should pay attention to the security risk assessment of their patient portals to preserve patient information privacy.
Keywords: security risk assessment, healthcare information system, electronic health record, electronic medical record, EMR Exchange Center, vulnerability scanner
- Published
- 2024
4. Ecological and geological security risk assessment of underground space development in cold and arid canyon cities—Taking Ping'an District, Haidong City, Qinghai Province, as an example.
- Author
-
Wang, Shuaiwei, Sun, Weichao, Peng, Hongming, Yuan, Youjing, Wang, Xiuyan, and Liu, Changli
- Subjects
*UNDERGROUND areas, *CITIES & towns, *HUMAN settlements, *WATER table, *GEOTECHNICAL engineering
- Abstract
The ecological and geological problems caused by the rise of groundwater level due to the development of underground space in cold and arid canyon cities are particularly typical. Reasonably assessing the ecological and geological security risks of utilizing underground space is conducive to reducing the occurrence of ecological and geological problems during the construction and operation of underground engineering projects. Taking Ping'an District of Haidong City as an example, the topography and geomorphology of the research area were investigated in the field, and the distribution of topography and geomorphology in the research area was understood; through geological drilling and geotechnical engineering testing, the distribution of different strata in the research area was obtained; through pumping and seepage experiments, the recharge, runoff, and discharge relationship between surface water and groundwater in the research area and the water abundance of different strata are obtained, and the causes and mechanisms of geological safety risks in forest and grassland ecosystems, farmland ecosystems, and human settlements ecosystems were analyzed based on literature. Corresponding ecological geological safety risk assessment index systems and methods were established, and the ecological geological safety risks before and after the development of underground rail transit projects along both banks of the Huangshui River in the study area were evaluated. 
Practitioner Points:
- The development of underground space in canyon-type cities can easily lead to ecological and geological problems.
- Taking Haidong City, Qinghai Province, as an example, this study investigates the causes of ecological and geological problems caused by the development of underground spaces in canyon-type cities.
- An ecological geological security risk assessment index system and method for canyon-type cities were established.
- An evaluation was conducted on the ecological and geological safety risks before and after the development of the underground rail transit projects on both sides of the research area.
[ABSTRACT FROM AUTHOR]
- Published
- 2024
- Full Text
- View/download PDF
5. A neuro-fuzzy security risk assessment system for software development life cycle
- Author
-
Olayinka Olufunmilayo Olusanya, Rasheed Gbenga Jimoh, Sanjay Misra, and Joseph Bamidele Awotunde
- Subjects
Security risk assessment, Software development life cycle, Software development, Neuro-fuzzy modeling, Science (General), Q1-390, Social sciences (General), H1-99
- Abstract
This study aims to protect software development by creating a Software Risk Assessment (SRA) model for each phase of the Software Development Life Cycle (SDLC) using an Adaptive Neuro-Fuzzy Inference System (ANFIS) model. Software developers discovered and validated the risk variables affecting each SDLC phase, following which relevant data about risk factors and associated SRA for each SDLC phase were collected. To create the SRA model for SDLC phases, risk factors were used as inputs, and SRA was used as an output. The formulated model was simulated using 70 % and 80 % of the data for training, while 30 % and 20 % were used for testing the model. The performance of the SRA models using the test datasets was evaluated based on accuracy. According to the study findings, many risk variables were discovered and confirmed for the requirement, design, implementation, integration, and operation phases of the SDLC (11, 8, 9, 4, and 6, respectively). The SRA model was formulated from the risk factors using 2048, 256, 512, 16, and 64 inference rules for the requirement, design, implementation, integration, and operation phases, respectively. The study concluded that using the SRA model to assess security risk at each SDLC phase provided a secure software development process.
- Published
- 2024
- Full Text
- View/download PDF
6. Evaluating the Future Device Security Risk Indicator for Hundreds of IoT Devices
- Author
-
Oser, Pascal, Engelmann, Felix, Lüders, Stefan, Kargl, Frank, Goos, Gerhard, Founding Editor, Hartmanis, Juris, Founding Editor, Bertino, Elisa, Editorial Board Member, Gao, Wen, Editorial Board Member, Steffen, Bernhard, Editorial Board Member, Yung, Moti, Editorial Board Member, Lenzini, Gabriele, editor, and Meng, Weizhi, editor
- Published
- 2023
- Full Text
- View/download PDF
7. Early CSS Innovations in Risk Analysis
- Author
-
Friesen, Shaye K., Masys, Anthony J., Editor-in-Chief, Bichler, Gisela, Advisory Editor, Bourlai, Thirimachos, Advisory Editor, Johnson, Chris, Advisory Editor, Karampelas, Panagiotis, Advisory Editor, Leuprecht, Christian, Advisory Editor, Morse, Edward C., Advisory Editor, Skillicorn, David, Advisory Editor, and Yamagata, Yoshiki, Advisory Editor
- Published
- 2023
- Full Text
- View/download PDF
8. Safety risk assessment of bridge incremental launching construction without auxiliary piers based on AHP and FCE.
- Author
-
廖泳华, 陈甫君, 于建华, and 张谢东
- Subjects
BOX beams, STEEL girders, ANALYTIC hierarchy process, BOX girder bridges, CONSTRUCTION equipment, BRIDGE maintenance & repair
- Published
- 2023
- Full Text
- View/download PDF
9. Image Recognition Technology Based Evaluation Index of Ship Navigation Risk in Bridge Area
- Author
-
Chen, Dawei, Wang, Renqiang, Yang, Yongqian, Li, Jingdong, Howlett, Robert J., Series Editor, Jain, Lakhmi C., Series Editor, Kountchev, Roumen, editor, Mironov, Rumen, editor, and Nakamatsu, Kazumi, editor
- Published
- 2022
- Full Text
- View/download PDF
10. Cybersecurity Risk Management Framework for Blockchain Identity Management Systems in Health IoT.
- Author
-
Alamri, Bandar, Crowley, Katie, and Richardson, Ita
- Subjects
*IDENTITY management systems, *BLOCKCHAINS, *INTERNET of things, *INTERNET security, *DATA security
- Abstract
Blockchain (BC) has recently paved the way for developing Decentralized Identity Management (IdM) systems for different information systems. Researchers widely use it to develop decentralized IdM systems for the Health Internet of Things (HIoT). HIoT is considered a vulnerable system that produces and processes sensitive data. BC-based IdM systems have the potential to be more secure and privacy-aware than centralized IdM systems. However, many studies have shown potential security risks to using BC. A Systematic Literature Review (SLR) conducted by the authors on BC-based IdM systems in HIoT systems showed a lack of comprehensive security and risk management frameworks for BC-based IdM systems in HIoT. Conducting a further SLR focusing on risk management and supplemented by Grey Literature (GL), in this paper, a security taxonomy, security framework, and cybersecurity risk management framework for the HIoT BC-IdM systems are identified and proposed. The cybersecurity risk management framework will significantly assist developers, researchers, and organizations in developing a secure BC-based IdM to ensure HIoT users' data privacy and security. [ABSTRACT FROM AUTHOR]
- Published
- 2023
- Full Text
- View/download PDF
11. Security Risk Assessment Approach for Distribution Network Cyber Physical Systems Considering Cyber Attack Vulnerabilities.
- Author
-
Zhou, Buxiang, Sun, Binjie, Zang, Tianlei, Cai, Yating, Wu, Jiale, and Luo, Huan
- Subjects
*CYBERTERRORISM, *CYBER physical systems, *ANALYTIC hierarchy process, *RISK assessment, *BAYESIAN analysis
- Abstract
With the increasing digitalization and informatization of distribution network systems, distribution networks have gradually developed into distribution network cyber physical systems (CPS) which are deeply integrated with traditional power systems and cyber systems. However, at the same time, the network risk problems that the cyber systems face have also increased. Considering the possible cyber attack vulnerabilities in the distribution network CPS, a dynamic Bayesian network approach is proposed in this paper to quantitatively assess the security risk of the distribution network CPS. First, the Bayesian network model is constructed based on the structure of the distribution network and common vulnerability scoring system (CVSS). Second, a combination of the fuzzy analytic hierarchy process (FAHP) and entropy weight method is used to correct the selectivity of the attacker to strike the target when cyber attack vulnerabilities occur, and then after considering the defense resources of the system, the risk probability of the target nodes is obtained. Finally, the node loads and node risk rates are used to quantitatively assess the risk values that are applied to determine the risk level of the distribution network CPS, so that defense strategies can be given in advance to counter the adverse effects of cyber attack vulnerabilities. [ABSTRACT FROM AUTHOR]
- Published
- 2023
- Full Text
- View/download PDF
12. Security risk assessment and visualization study of key nodes of sea lanes: case studies on the Tsugaru Strait and the Makassar Strait.
- Author
-
Xiao, Li, Chen, Shaoyang, Xiong, Shun, Qi, Peixin, Wang, Tingting, Gong, Yanwei, and Liu, Na
- Subjects
HAZARD mitigation, GREY relational analysis, RISK assessment, ANALYTIC hierarchy process, STRAITS, MARITIME shipping, VISUALIZATION
- Abstract
Key nodes of sea lanes are important hubs for global trade and cargo transportation and play important roles in ensuring the safety of maritime transportation and maintaining the stability of the global supply chain. The safety guarantee of key nodes of sea lanes is facing more risks and higher requirements currently because the global shipping industry is gradually recovering. This paper focuses on key nodes of sea lanes, conducting regional security risk assessment and risk spatial scale visualization. A set of security risk assessment and visualization study methods for key nodes of sea lanes is constructed, which includes constructing a security risk assessment index system of key nodes of sea lanes with 25 indicators selected from three risk categories (hazard, vulnerability and exposure, and mitigation capacity) and using geospatial analysis to form the multi-criteria spatial mapping layers and then creating comprehensive risk layers to realize the risk visualization in the strait area by weighted overlaying based on the combined weights calculated by Analytic Hierarchy Process and Grey Relational Analysis. After taking the Tsugaru Strait and Makassar Strait as case studies, the results show that the comprehensive risk layers can effectively present the spatial distribution of security risks of key nodes of sea lanes, reflecting the spatial changes of risk levels (i.e., very low, low, medium, high and very high) and the methods can precisely identify and analyze crucial factors affecting the security risk of key nodes. These findings may strengthen the risk prevention and improve the safety of the navigation environment in the strait to ensure the safety and stability of maritime trade. [ABSTRACT FROM AUTHOR]
- Published
- 2022
- Full Text
- View/download PDF
13. A Network-Based Importance Measurement Index for Bridge Security Risk Assessment and Prioritisation
- Author
-
Mehdi Dezfuli Nezhad, Reza Raoufi, and Ahmad Dalvand
- Subjects
bridge, disaster, resilience, security risk assessment, transportation network, Highway engineering. Roads and pavements, TE1-450, Bridge engineering, TG1-470
- Abstract
In the related literature, conventional approaches to assessing security risk and prioritising bridges have focused on unique characteristics. Although the unique characteristics appropriately reflect the economic and social consequences of failure, they neglect the consequences of a bridge failure at the network level. If network owners and operators prioritise bridges solely based on their unique characteristics, bridges with low object-level importance and high network-level importance have very low chances of getting priority. In this paper, a bridge importance measurement index α(e) has been presented, prioritising bridges based on their unique characteristics, location and network topology. To describe how to use this index α(e), three numerical examples were provided. While the first example was related to a simple hypothetical network, the second and third examples were real networks related to the bridges of Wroclaw city. Using these examples, the results of bridge prioritisation obtained in the unique-characteristics-only state were compared to the state in which α(e) had been used. Results showed that considering the location of the bridge and the topological characteristics of the network changes the bridges' prioritisation. For instance, in the second example, it was observed that the use of α(e) made bridge Bolesława Krzywoustego the essential bridge, while bridge Grunwaldzki was the essential bridge under the previous prioritisation made by researchers. However, the results of the third example showed that bridge Milenijny, which was considered the essential network bridge as stated in the previous prioritisation made by researchers, was again selected as the most critical bridge based on α(e).
- Published
- 2022
- Full Text
- View/download PDF
14. Improving cyber security in industrial control system environment
- Author
-
Ani, Uchenna Daniel, He, Hongmei, and Tiwari, Ashutosh
- Subjects
Industrial cyber security, cyber-physical system security, cyber security evaluation, security impact analysis, operational security metrics, human-factor security, functional dependency analysis, security criticality analysis, security risk assessment
- Abstract
Integrating industrial control systems (ICS) with information technology (IT) and internet technologies has made industrial control system environments (ICSEs) more vulnerable to cyber-attacks. Increased connectivity has brought about increased security threats, vulnerabilities, and risks in both the technology and people (human) constituents of the ICSE. Regardless of existing security solutions, which are chiefly tailored towards technical dimensions, cyber-attacks on ICSEs continue to increase with a proportionate level of consequences and impacts. These consequences include system failures or breakdowns, likewise affecting the operations of dependent systems. Impacts often include marring physical safety, triggering loss of lives, causing huge economic damages, and thwarting the vital missions of production and businesses. This thesis addresses uncharted solution paths to the above challenges by investigating both technical and human-factor security evaluations to improve cyber security in the ICSE. An ICS testbed, scenario-based, and expert opinion approaches are used to demonstrate and validate cyber-attack feasibility scenarios.
To improve the security of ICSs, the research provides: (i) an adaptive operational security metrics generation (OSMG) framework for generating suitable security metrics for security evaluations in ICSEs, and a list of good security metrics methodology characteristics (scope-definitive, objective-oriented, reliable, simple, adaptable, and repeatable), (ii) a technical multi-attribute vulnerability (and impact) assessment (MAVCA) methodology that considers and combines dynamic metric (temporal and environmental) attributes of vulnerabilities with the functional dependency relationship attributes of the vulnerability host components, to achieve a better representation of exploitation impacts on ICSE networks, (iii) a quantitative human-factor security (capability and vulnerability) evaluation model based on human-agent security knowledge and skills, used to identify the most vulnerable human elements, identify the weakest security aspects of the general workforce, and prioritise security enhancement efforts, and (iv) a security risk reduction through critical impact point assessment (S2R-CIPA) process model that demonstrates the combination of technical and human-factor security evaluations to mitigate risks and achieve ICSE-wide security enhancements. The approaches or models of cyber-attack feasibility testing, adaptive security metrication, multi-attribute impact analysis, and workforce security capability evaluation can support security auditors, analysts, managers, and system owners of ICSs to create security strategies and improve cyber incident response, and thus effectively reduce security risk.
- Published
- 2018
15. Readiness Exercises: Are Risk Assessment Methodologies Ready for the Cloud?
- Author
-
Gritzalis, Dimitris, Stergiopoulos, George, Vasilellis, Efstratios, Anagnostopoulou, Argiro, Tsihrintzis, George A., Series Editor, Virvou, Maria, Series Editor, and Jain, Lakhmi C., Series Editor
- Published
- 2021
- Full Text
- View/download PDF
16. The risk assessment on the security of industrial internet infrastructure under intelligent convergence with the case of G.E.'s intellectual transformation
- Author
-
Jiang Zhao and Dan Wu
- Subjects
industrial internet, fundamental infrastructure, intelligent integration, security risk assessment, knowledge workflow, Biotechnology, TP248.13-248.65, Mathematics, QA1-939
- Abstract
The industrial internet depends on the development of cloud computing, artificial intelligence, and big data analysis. Intelligent fusion is dependent on the architecture and security features of the industrial internet. Firstly, the paper studies the infrastructure mode that needs to be solved urgently in the industrial internet and provides a possible infrastructure mode and related security evaluation system. Secondly, it analyses the digital transformation process with the case of G.E.'s industrial internet development practice. It clarifies that G.E. is forming a new value closed-loop through digital and strategy mixed channels. Thirdly, industrial internet security research is described from multiple viewpoints based on industrial internet applications, the security service and security assurance defense system's architecture, and the non-user entrance probability model. Finally, the paper illustrates the changes in knowledge workflow and social collaboration caused by the industrial internet under intelligent manufacture.
- Published
- 2022
- Full Text
- View/download PDF
17. Identification of Risk Factors Using ANFIS-Based Security Risk Assessment Model for SDLC Phases.
- Author
-
Jimoh, Rasheed Gbenga, Olusanya, Olayinka Olufunmilayo, Awotunde, Joseph Bamidele, Imoize, Agbotiname Lucky, and Lee, Cheng-Chi
- Subjects
RISK assessment, MEMBERSHIP functions (Fuzzy logic), COMPUTER software development, SECURITY management, IDENTIFICATION, FUZZY logic
- Abstract
In the field of software development, the efficient prioritizing of software risks is essential and plays a significant role. However, finding a viable solution to this issue is a difficult challenge. Software developers have to adhere strictly to risk management practice because each phase of the SDLC faces its own type of risk rather than a general risk. Therefore, this study proposes an adaptive neuro-fuzzy inference system (ANFIS) for the selection of appropriate risk factors at each stage of the software development process. Existing studies viewed the SDLC's security risk assessment (SRA) as a single integrated process that did not offer a thorough SRA at each stage of the SDLC process, which resulted in insecure software development. Hence, this study identifies and validates the risk factors needed for assessing security risk at each phase of the SDLC. For each phase, an SRA model based on an ANFIS was suggested, using the identified risk factors as inputs. The fuzzification of the input and output variables of the SRA risk factors for the ANFIS-based model was represented logically using triangular membership functions. The proposed model utilized two triangular membership functions to represent each risk factor's label, while four membership functions were used to represent the labels of the target SRA value. As the results revealed, software developers chose the SRA risk factors that were pertinent to their situation from the proposed taxonomy for each level of the SDLC process. As revealed by the study's findings, knowledge of the identified risk factors may be valuable for evaluating security risk throughout the SDLC process. [ABSTRACT FROM AUTHOR]
- Published
- 2022
- Full Text
- View/download PDF
18. Security Risk Assessment for Trusted Chain Optimizing Based on Grey Fixed Weight Clustering.
- Author
-
Guna Duan, Lizhong Duan, and Wenan Zhou
- Subjects
*TRUST, *RISK assessment, *COMPUTING platforms, *SYSTEMS theory, *INFORMATION storage & retrieval systems
- Abstract
Trusted computing has received further attention as an effective technique to safeguard information systems, and it has been widely applied in various fields. Trusted chain establishment, as an essential model of trusted computing technology that ensures the credibility of the computing platform, still brings poor system efficiency due to the complex environment of the platform. To optimize the procedure of trusted chain establishment for trusted computing platforms, our research improved traditional trusted chain establishment from static to dynamic with an innovative security risk level assessment step during trusted chain establishment. First, we comprehensively analyzed threats and their sources for platforms. Based on the main indicators of the platform, the fixed weight clustering evaluation method in grey system theory was used to evaluate the security risk level for platforms. With the recorded data of software and hardware changes for the platform, we assessed the security risk level for this platform and demonstrated the clustering results and improved measurement strategy for the platform during trusted chain establishment. It is more systematic and more efficient than the traditional static trusted chain establishment method, and could find more tampered files during the measurement procedure. [ABSTRACT FROM AUTHOR]
- Published
- 2022
19. FIRE: A Finely Integrated Risk Evaluation Methodology for Life-Critical Embedded Systems.
- Author
-
Rao, Aakarsh, Carreón, Nadir A., Lysecky, Roman, and Rozenblit, Jerzy
- Subjects
*RISK assessment, *EVALUATION methodology, *INSULIN pumps, *TRUST, *MEDICAL equipment, *PATIENT safety, *SECURITY management
- Abstract
Life-critical embedded systems, including medical devices, are becoming increasingly interconnected and interoperable, providing great efficiency to the healthcare ecosystem. These systems incorporate complex software that plays a significantly integrative and critical role. However, this complexity substantially increases the potential for cybersecurity threats, which directly impact patients' safety and privacy. With software continuing to play a fundamental role in life-critical embedded systems, maintaining its trustworthiness by incorporating fail-safe modes via a multimodal design is essential. Comprehensive and proactive evaluation and management of cybersecurity risks are essential from the very design to deployment and long-term management. In this paper, we present FIRE, a finely integrated risk evaluation methodology for life-critical embedded systems. Security risks are carefully evaluated in a bottom-up approach from operations-to-system modes by adopting and expanding well-established vulnerability scoring schemes for life-critical systems, considering the impact to patient health and data sensitivity. FIRE combines a static risk evaluation with runtime dynamic risk evaluation to establish comprehensive risk management throughout the lifecycle of the life-critical embedded system. We demonstrate the details and effectiveness of our methodology in systematically evaluating risks and conditions for risk mitigation with a smart connected insulin pump case study. Under normal conditions and eight different malware threats, the experimental results demonstrate effective threat mitigation by mode switching with a 0% false-positive mode switching rate. [ABSTRACT FROM AUTHOR]
- Published
- 2022
- Full Text
- View/download PDF
20. A Security Risk Assessment Method Based on Improved FTA-IAHP for Train Position System.
- Author
-
Yang, Yang, Chen, Guangwu, and Wang, Di
- Subjects
FAULT trees (Reliability engineering), ANALYTIC hierarchy process, RISK assessment, ARTIFICIAL satellites in navigation, DYNAMIC positioning systems, DESIGN protection, MAINTENANCE costs
- Abstract
The positioning system based on satellite navigation can meet the requirements of CTCS-4 train control, improve transportation efficiency, and reduce operation and maintenance costs, which is the trend of train positioning systems in the future, and the security risk assessment is of great significance to the future application of this system. In this paper, combined with the self-developed train positioning system based on satellite navigation, an improved fault tree-interval analytic hierarchy process (FTA-IAHP) method for evaluating the safety risk of the train positioning system is proposed. Firstly, a security risk assessment model based on FTA-IAHP is established by combining FTA and IAHP. Secondly, two judgment matrices are constructed using the basic events and structural importance based on FTA and the IAHP model based on expert scoring; the difference between FTA and IAHP is adjusted by combining the weighting factor. The new method of trial weighting can determine the degree of each factor in the system fault. This method has great significance for the safety design and protection of the new train positioning system based on satellite navigation. [ABSTRACT FROM AUTHOR]
- Published
- 2022
- Full Text
- View/download PDF
21. On the Automation of Security Testing for IoT Constrained Scenarios
- Author
-
Matheu, Sara N., Pérez, Salvador, Ramos, José L. Hernández, Skarmeta, Antonio, Goos, Gerhard, Founding Editor, Hartmanis, Juris, Founding Editor, Bertino, Elisa, Editorial Board Member, Gao, Wen, Editorial Board Member, Steffen, Bernhard, Editorial Board Member, Woeginger, Gerhard, Editorial Board Member, Yung, Moti, Editorial Board Member, and You, Ilsun, editor
- Published
- 2020
- Full Text
- View/download PDF
22. Safety Risk Assessment and Management of Military Physical Fitness Training Based on Triangular Fuzzy Mathematics and Fault Tree Analysis
- Author
-
Cao, Qing-qing, Huai, Wen-juan, Chien, Chen-Fu, editor, Qi, Ershi, editor, and Dou, Runliang, editor
- Published
- 2020
- Full Text
- View/download PDF
23. Security Risk Intelligent Assessment of Power Distribution Internet of Things via Entropy-Weight Method and Cloud Model.
- Author
-
Cai, Siyuan, Wei, Wei, Chen, Deng, Ju, Jianping, Zhang, Yanduo, Liu, Wei, and Zheng, Zhaohui
- Subjects
- *
INTERNET of things , *COMPUTER network security , *RISK assessment , *CURRENT distribution , *ELECTRIC power distribution grids , *POWER resources - Abstract
The current power distribution Internet of Things (PDIoT) lacks security protection terminals and techniques. Network security has a large exposure surface that can be attacked from multiple paths. In addition, there are many network security vulnerabilities and weak security protection capabilities of power distribution Internet of Things terminals. Therefore, it is crucial to conduct a scientific assessment of the security of PDIoT. However, traditional security assessment methods are relatively subjective and ambiguous. To address these problems, we propose to use the entropy-weight method and cloud model theory to assess the security risk of the PDIoT. We first analyze the factors of security risks in PDIoT systems and establish a three-layer PDIoT security evaluation index system, including a perception layer, network layer, and application layer. The index system has three first-level indicators and sixteen second-level indicators. Then, the entropy-weight method is used to optimize the weight of each index. Additionally, the cloud model theory is employed to calculate the affiliation degree and eigenvalue of each evaluation index. Based on a comprehensive analysis of all evaluation indexes, we obtain the security level of the PDIoT. Taking the PDIoT of Meizhou Power Supply Bureau of Guangdong Power Grid as an example for empirical testing, the experimental results show that the evaluation results are consistent with the actual situation, which proves that the proposed method is effective and feasible. [ABSTRACT FROM AUTHOR]
- Published
- 2022
- Full Text
- View/download PDF
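The entropy-weight step named in the abstract above is a standard objective weighting procedure, and the following Python is an added example of it, not code from the paper. The index names, the four terminals and their scores are constructed sample data; the paper's sixteen second-level indicators are not reproduced, and the cloud-model membership step is not modelled.

```python
"""Entropy-weight method for weighting security evaluation indexes.

Added example; not code from the paper. Rows of the decision matrix are
the objects being evaluated (here four constructed PDIoT terminals) and
columns are evaluation indexes. An index whose values vary little across
objects carries little information and receives a small weight.
"""
import math

# Constructed sample data (not from the paper): four terminals scored on
# five second-level indexes. Column order matches INDEX_NAMES.
INDEX_NAMES = ["open_ports", "days_since_patch", "auth_strength",
               "encrypted_links_pct", "failed_logins_per_day"]
# True = larger is better (benefit index), False = larger is worse (cost index)
BENEFIT = [False, False, True, True, False]
SAMPLE = [
    [3, 10, 4, 95, 2],     # terminal A: well maintained
    [12, 120, 2, 40, 30],  # terminal B: exposed and stale
    [5, 45, 3, 80, 5],     # terminal C
    [8, 90, 3, 60, 12],    # terminal D
]


def normalize(matrix, benefit):
    """Min-max normalise each column to [0, 1] so that 1 is always 'best'.

    Cost indexes are flipped. A constant column maps to 1.0 everywhere,
    which makes its entropy maximal and its weight zero below.
    """
    m, n = len(matrix), len(matrix[0])
    out = [[0.0] * n for _ in range(m)]
    for j in range(n):
        col = [row[j] for row in matrix]
        lo, hi = min(col), max(col)
        for i in range(m):
            if hi == lo:
                out[i][j] = 1.0
            elif benefit[j]:
                out[i][j] = (matrix[i][j] - lo) / (hi - lo)
            else:
                out[i][j] = (hi - matrix[i][j]) / (hi - lo)
    return out


def entropy_weights(matrix, benefit, eps=1e-12):
    """Return (entropies, weights) for the columns of the decision matrix.

    e_j = -k * sum_i p_ij ln p_ij with k = 1/ln(m) and p_ij the share of
    column j held by row i; w_j = (1 - e_j) / sum_k (1 - e_k).
    eps keeps p_ij > 0 so ln() is defined when a normalised value is 0.
    """
    m, n = len(matrix), len(matrix[0])
    if m < 2:
        raise ValueError("need at least two evaluated objects")
    norm = normalize(matrix, benefit)
    k = 1.0 / math.log(m)
    entropies = []
    for j in range(n):
        col_sum = sum(norm[i][j] for i in range(m)) + m * eps
        e = 0.0
        for i in range(m):
            p = (norm[i][j] + eps) / col_sum
            e -= p * math.log(p)
        entropies.append(k * e)
    divergence = [1.0 - e for e in entropies]
    total = sum(divergence)
    if total <= 0:
        raise ValueError("every index is constant; entropy weights are undefined")
    weights = [d / total for d in divergence]
    return entropies, weights


def composite_scores(matrix, benefit):
    """Weighted sum of normalised index values per object
    (1.0 = best on every index, 0.0 = worst on every index)."""
    norm = normalize(matrix, benefit)
    _, w = entropy_weights(matrix, benefit)
    return [sum(w[j] * row[j] for j in range(len(w))) for row in norm]


if __name__ == "__main__":
    ent, w = entropy_weights(SAMPLE, BENEFIT)
    for name, e, wt in zip(INDEX_NAMES, ent, w):
        print(f"{name:22s} entropy={e:.4f} weight={wt:.4f}")
    for label, s in zip("ABCD", composite_scores(SAMPLE, BENEFIT)):
        print(f"terminal {label}: score={s:.4f}")
```

One caveat a practitioner should keep in mind: the weight is driven only by dispersion across the evaluated objects, so an index on which every terminal scores the same (for example, all of them lacking firmware signing) gets a weight of zero regardless of how important it is. That is why the method is usually paired with an expert-judged weighting rather than used alone.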
24. Lebanon's Single Most Destructive Explosion – Terrorists Plan to Copy and Provision against Such Accidents.
- Author
-
Chun-lin, Liu and Gunaratna, Rohan
- Subjects
- *
COLOR codes , *INVESTMENT policy , *TERRORISTS , *RISK assessment , *INVESTMENT management - Abstract
Explosives continue to be the primary tactic used by terrorists across the world and, given the high security risk faced by mega infrastructure, a systematic security risk assessment framework is proposed in this paper. Classification and rating criteria are established for this framework pertaining to threat/vulnerability and impact/consequence assessment, based on which an asset risk rating can be calculated. The proposed risk assessment framework refines the authors' previous work on risk rating criteria and evaluates risks in both qualitative and quantitative ways. Risk ratings are classified both numerically and in color codes for ease of analysis and application. This framework is validated in a case study of risk assessment of a mega infrastructure facility and can support further risk management and investment policy. A case study of a chemical facility utilizing the risk assessment framework is provided. [ABSTRACT FROM AUTHOR]
- Published
- 2022
- Full Text
- View/download PDF
25. Information Security Risk Assessment
- Author
-
Ievgeniia Kuzminykh, Bogdan Ghita, Volodymyr Sokolov, and Taimur Bakhshi
- Subjects
information risk management ,security risk assessment ,risk classification ,OCTAVE ,CRAMM ,RiskWatch ,Science - Abstract
Information security risk assessment is an important part of enterprises' management practices that helps to identify, quantify, and prioritize risks against criteria for risk acceptance and objectives relevant to the organization. Risk management refers to a process consisting of the identification, management, and elimination or reduction of the likelihood of events that can negatively affect the resources of the information system, in order to reduce security risks that could affect the information system, subject to an acceptable cost of protection. The protection means comprise a risk analysis, an analysis of the "cost-effectiveness" parameter, and the selection, construction, and testing of the security subsystem, as well as the study of all aspects of security.
- Published
- 2021
- Full Text
- View/download PDF
26. Assessment of Security Risks by FEMA and Fuzzy FEMA Methods, A Case Study: Combined Cycle Power Plant
- Author
-
Iraj Mohammadfam and Kamran Gholamizadeh
- Subjects
fema ,security risk assessment ,terrorist attacks ,topsis ,Industrial medicine. Industrial hygiene ,RC963-969 - Abstract
Background and Objective: In today's world, intentional accidents occur in many organizations due to numerous reasons. These intentional accidents usually aim to cause substantial damages to industries. To minimize the risk of these threats, it is essential to design and implement risk identification and risk assessment programs. The present study aimed to assess the risk associated with conscious threats with Federal Emergency Management Agency (FEMA) and fuzzy FEMA and compare the results of these two methods. Materials and Methods: In the present study, FMEA and fuzzy FMEA methods were used to identify and assess terrorist threats in a combined cycle power plant. The risks were identified using FEMA checklist. Risk assessment was performed through field observation, the examination of documents, and expert opinion. The Technique for Order of Preference by Similarity to Ideal Solution (TOPSIS) method was used for prioritizing and selecting the optimum approach. Data were analyzed in SPSS software (version 21). Results: Based on the results, although the fuzzy FEMA method requires more time, as well as higher cost of implementation and educational needs, this method allows a more accurate estimation of risk levels due to the high level of accuracy of the results, and therefore, it prioritizes the units more efficiently. Therefore, the fuzzy FEMA was introduced as the preferred method. Conclusion: As evidenced by the results of the current study, the fuzzy FEMA method could be applied to overcome the weakness of the traditional method of FEMA. Moreover, it reduces uncertainty and increases the efficiency of organizations.
- Published
- 2021
27. Expert-Guided Security Risk Assessment of Evolving Power Grids.
- Author
-
Borenius, Seppo, Gopalakrishnan, Pavithra, Bertling Tjernberg, Lina, and Kantola, Raimo
- Subjects
- *
ELECTRIC power distribution grids , *INFRASTRUCTURE (Economics) , *RISK assessment , *ELECTRIC power , *INFORMATION & communication technologies , *RANSOMWARE , *MICROGRIDS - Abstract
Electric power grids, which form an essential part of the critical infrastructure, are evolving into highly distributed, dynamic networks in order to address climate change. This fundamental transition relies on extensive automation solutions based on communications and information technologies. Thus, it also gives rise to new attack points for malicious actors and consequently increases the vulnerability of the electric energy system. This study presents a qualitative assessment of power grid cybersecurity through expert interviews across countries in Europe and the U.S. to gain understanding of the latest developments and trends in the cybersecurity of future electric energy systems. The horizon of the assessment is 10 years, spanning until the early 2030s. Thereafter, the study identifies how and to which extent the risks identified to be most significant are understood and addressed in the latest research and industry publications, aiming at identifying areas deserving specific further attention. The most significant threats based on the assessment are False Data Injection (FDI), Denial of Service (DoS), supply chain, and ransomware and malware attacks. [ABSTRACT FROM AUTHOR]
- Published
- 2022
- Full Text
- View/download PDF
28. Security Risk Level Prediction of Carbofuran Pesticide Residues in Chinese Vegetables Based on Deep Learning.
- Author
-
Jiang, Tongqiang, Liu, Tianqi, Dong, Wei, Liu, Yingjie, and Zhang, Qingchuan
- Subjects
PESTICIDE residues in food ,DEEP learning ,ARTIFICIAL neural networks ,PESTICIDE pollution ,CARBOFURAN ,RECURRENT neural networks ,CONVOLUTIONAL neural networks ,CLINICAL supervision - Abstract
The supervision of the security risk level of carbofuran pesticide residues can effectively guarantee the food quality and security of residents. In order to predict the potential key risk vegetables and regions, this paper constructs a security risk assessment model, combined with the k-means++ algorithm, to establish the risk security level. Then the evaluation index value of the security risk model is predicted to determine the security risk level based on the deep learning model. The model consists of a convolutional neural network (CNN) and a long short-term memory network (LSTM) optimized by an arithmetic optimization algorithm (AOA), namely, CNN-AOA-LSTM. In this paper, a comparative experiment is conducted on a small sample data set of independently constructed security risk assessment indicators. Experimental results show that the accuracy of the CNN-AOA-LSTM prediction model based on an attention mechanism is 6.12% to 18.99% higher than several commonly used deep neural network models (gated recurrent unit, LSTM, and recurrent neural networks). The prediction model proposed in this paper provides a scientific reference to establish the priority order of supervision, and provides forward-looking supervision for the government. [ABSTRACT FROM AUTHOR]
- Published
- 2022
- Full Text
- View/download PDF
29. Risk Prediction of IoT Devices Based on Vulnerability Analysis.
- Author
-
OSER, PASCAL, VAN DER HEIJDEN, RENS W., LÜDERS, STEFAN, and KARGL, FRANK
- Subjects
INTERNET of things ,SMART cities ,HETEROGENEITY ,COMPUTER firmware ,COMPUTER security - Abstract
Internet of Things (IoT) devices are becoming more widespread not only in areas such as smart homes and smart cities but also in research and office environments. The sheer number, heterogeneity, and limited patch availability provide significant challenges for the security of both office networks and the Internet in general. The systematic estimation of device risks, which is essential for mitigation decisions, is currently a skill-intensive task that requires expertise in network vulnerability scanning, as well as manual effort in firmware binary analysis. This article introduces SAFER, the Security Assessment Framework for Embedded-device Risks, which enables a semi-automated risk assessment of IoT devices in any network. SAFER combines information from network device identification and automated firmware analysis to estimate the current risk associated with the device. Based on past vulnerability data and vendor patch intervals for device models, SAFER extrapolates those observations into the future using different automatically parameterized prediction models. Based on that, SAFER also estimates an indicator for future security risks. This enables users to be aware of devices exposing high risks in the future. One major strength of SAFER over other approaches is its scalability, achieved through significant automation. To demonstrate this strength, we apply SAFER in the network of a large multinational organization, to systematically assess the security level of hundreds of IoT devices on large-scale networks. Results indicate that SAFER successfully identified 531 out of 572 devices, leading to a device identification rate of 92.83 %, analyzed 825 firmware images, and predicted the current and future security risk for 240 devices. [ABSTRACT FROM AUTHOR]
- Published
- 2022
- Full Text
- View/download PDF
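The abstract above says SAFER combines past vulnerability data with vendor patch intervals and extrapolates them into a current and a future risk indicator, but does not give the formulas. The Python below is an added example of that idea, not the SAFER code; its scoring model is an assumption: current risk is the sum of CVSS base scores of CVEs still affecting the running firmware version, and future risk is the predicted CVE count for next year (least-squares trend of yearly counts) times the mean CVSS times the fraction of a year a new CVE is expected to stay unpatched. The device model, the CVE identifiers (deliberately not real ones), dates and scores are constructed.

```python
"""Current and future risk indicators for a device model from its
vulnerability and patch history.

Added example; not the SAFER code. Assumed model (not from the abstract):
  current risk = sum of CVSS base scores of CVEs still affecting the
                 firmware version actually running;
  future risk  = predicted CVE count for next year (least-squares trend
                 over past yearly counts) x mean CVSS x expected fraction
                 of a year a new CVE stays unpatched
                 (mean vendor patch interval / 365 days).
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Cve:
    cve_id: str
    published: date
    cvss: float
    fixed_in: Optional[str]        # firmware version carrying the fix; None if no fix yet
    patched_on: Optional[date]     # release date of that firmware; None if no fix yet


def version_key(version: str) -> Tuple[int, ...]:
    return tuple(int(part) for part in version.split("."))


def affects(cve: Cve, running_version: str) -> bool:
    """A CVE affects the device if no fix exists or the fix is newer than what runs."""
    return cve.fixed_in is None or version_key(running_version) < version_key(cve.fixed_in)


def current_risk(cves: List[Cve], running_version: str) -> float:
    return sum(c.cvss for c in cves if affects(c, running_version))


def mean_patch_interval_days(cves: List[Cve], as_of: date) -> float:
    """Mean days from disclosure to vendor fix. A CVE with no fix yet counts
    as open from disclosure until as_of, so unpatched bugs do not shrink
    the mean."""
    intervals = [((c.patched_on or as_of) - c.published).days for c in cves]
    return sum(intervals) / len(intervals)


def yearly_counts(cves: List[Cve]) -> List[Tuple[int, int]]:
    counts = {}
    for c in cves:
        counts[c.published.year] = counts.get(c.published.year, 0) + 1
    return [(y, counts.get(y, 0)) for y in range(min(counts), max(counts) + 1)]


def linear_trend(points: List[Tuple[int, int]]) -> Tuple[float, float]:
    """Least-squares slope and intercept of (x, y) points."""
    n = len(points)
    x_mean = sum(x for x, _ in points) / n
    y_mean = sum(y for _, y in points) / n
    sxx = sum((x - x_mean) ** 2 for x, _ in points)
    if sxx == 0:                       # a single year: no trend, use the mean
        return 0.0, y_mean
    slope = sum((x - x_mean) * (y - y_mean) for x, y in points) / sxx
    return slope, y_mean - slope * x_mean


def predicted_cves_next_year(cves: List[Cve]) -> float:
    points = yearly_counts(cves)
    slope, intercept = linear_trend(points)
    return max(0.0, slope * (points[-1][0] + 1) + intercept)


def future_risk(cves: List[Cve], as_of: date) -> float:
    """Expected CVSS-weighted exposure over the coming year (assumed model)."""
    exposure_fraction = min(1.0, mean_patch_interval_days(cves, as_of) / 365.0)
    mean_cvss = sum(c.cvss for c in cves) / len(cves)
    return predicted_cves_next_year(cves) * mean_cvss * exposure_fraction


# Constructed history for a hypothetical camera model; the CVE ids are
# placeholders, not real CVE records.
SAMPLE_AS_OF = date(2022, 1, 1)
SAMPLE_HISTORY = [
    Cve("CVE-2019-EX01", date(2019, 3, 1), 7.5, "2.0", date(2019, 4, 30)),
    Cve("CVE-2020-EX01", date(2020, 5, 1), 9.8, "2.1", date(2020, 6, 30)),
    Cve("CVE-2020-EX02", date(2020, 9, 1), 5.3, "2.1", date(2020, 10, 31)),
    Cve("CVE-2021-EX01", date(2021, 1, 10), 8.8, "2.2", date(2021, 4, 10)),
    Cve("CVE-2021-EX02", date(2021, 6, 1), 6.5, "2.2", date(2021, 8, 30)),
    Cve("CVE-2021-EX03", date(2021, 11, 1), 7.2, None, None),
]

if __name__ == "__main__":
    running = "2.1"
    print(f"current risk on {running}: {current_risk(SAMPLE_HISTORY, running):.1f}")
    print(f"mean patch interval: {mean_patch_interval_days(SAMPLE_HISTORY, SAMPLE_AS_OF):.1f} days")
    print(f"predicted CVEs next year: {predicted_cves_next_year(SAMPLE_HISTORY):.1f}")
    print(f"future risk: {future_risk(SAMPLE_HISTORY, SAMPLE_AS_OF):.2f}")
```

The split into a current and a future indicator is what lets a device that is clean today but whose vendor is slow to patch still rank high; the current indicator alone would hide it. The linear trend is the simplest of the "automatically parameterized prediction models" the abstract mentions and should be swapped for something better once a model has more than a handful of yearly data points.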
30. Quantitative Evaluation Model for Information Security Risk of Wireless Communication Networks Under Big Data
- Author
-
Jiang, Bin-bin, Akan, Ozgur, Editorial Board Member, Bellavista, Paolo, Editorial Board Member, Cao, Jiannong, Editorial Board Member, Coulson, Geoffrey, Editorial Board Member, Dressler, Falko, Editorial Board Member, Ferrari, Domenico, Editorial Board Member, Gerla, Mario, Editorial Board Member, Kobayashi, Hisashi, Editorial Board Member, Palazzo, Sergio, Editorial Board Member, Sahni, Sartaj, Editorial Board Member, Shen, Xuemin (Sherman), Editorial Board Member, Stan, Mircea, Editorial Board Member, Jia, Xiaohua, Editorial Board Member, Zomaya, Albert Y., Editorial Board Member, Gui, Guan, editor, and Yun, Lin, editor
- Published
- 2019
- Full Text
- View/download PDF
31. Security Risk Assessment for Miniature Internet of Thing Systems with 5G
- Author
-
Chen, Wei, Wang, Lei, Bi, Fangming, Tang, Chaogang, Li, Senyu, Akan, Ozgur, Editorial Board Member, Bellavista, Paolo, Editorial Board Member, Cao, Jiannong, Editorial Board Member, Coulson, Geoffrey, Editorial Board Member, Dressler, Falko, Editorial Board Member, Ferrari, Domenico, Editorial Board Member, Gerla, Mario, Editorial Board Member, Kobayashi, Hisashi, Editorial Board Member, Palazzo, Sergio, Editorial Board Member, Sahni, Sartaj, Editorial Board Member, Shen, Xuemin (Sherman), Editorial Board Member, Stan, Mircea, Editorial Board Member, Xiaohua, Jia, Editorial Board Member, Zomaya, Albert Y., Editorial Board Member, Leung, Victor C. M., editor, Zhang, Haijun, editor, Hu, Xiping, editor, Liu, Qiang, editor, and Liu, Zhi, editor
- Published
- 2019
- Full Text
- View/download PDF
32. Software Requirements for an Ultra Large Scale System to Compute Multi Dimension Mean Failure Cost
- Author
-
Jouini, Mouna, Ben Arfa Rabai, Latifa, Khedri, Ridha, Barbosa, Simone Diniz Junqueira, Series Editor, Filipe, Joaquim, Series Editor, Kotenko, Igor, Series Editor, Washio, Takashi, Series Editor, Yuan, Junsong, Series Editor, Zhou, Lizhu, Series Editor, Ghosh, Ashish, Series Editor, Park, Jong Hyuk, editor, Shen, Hong, editor, Sung, Yunsick, editor, and Tian, Hui, editor
- Published
- 2019
- Full Text
- View/download PDF
33. Security Risk Assessment of Multi-cloud System Adoption: Review and Open Research Issues
- Author
-
Drissi, Saadia, Elhasnaoui, Soukaina, Iguer, Hajar, Benhadou, Siham, Medromi, Hicham, Kacprzyk, Janusz, Series Editor, Farhaoui, Yousef, editor, and Moussaid, Laila, editor
- Published
- 2019
- Full Text
- View/download PDF
34. A NETWORK-BASED IMPORTANCE MEASUREMENT INDEX FOR BRIDGE SECURITY RISK ASSESSMENT AND PRIORITISATION.
- Author
-
NEZHAD, MEHDI DEZFULI, RAOUFI, REZA, and DALVAND, AHMAD
- Subjects
RISK assessment ,SOCIAL impact ,BRIDGES ,ECONOMIC impact ,SOLE proprietorship ,SECURITY management - Abstract
In the related literature, conventional approaches to assessing security risk and prioritising bridges have focused on unique characteristics. Although the unique characteristics appropriately reflect the economic and social consequences of failure, they neglect the consequences of a bridge failure at the network level. If network owners and operators prioritise bridges solely based on their unique characteristics, bridges with low object-level importance and high network-level importance have very low chances to get priority. In this paper, a bridge importance measurement index a(e) has been presented, prioritising bridges based on their unique characteristics, location and network topology. To describe how to use this index a(e), three numerical examples were provided. While the first example was related to a simple hypothetical network, the second and third examples were real networks related to the bridges of Wroclaw city. Using these examples, the results of bridge prioritisation obtained in the unique-characteristics-only state were compared to the state in which a(e) had been used. Results showed that considering the location of the bridge and the topological characteristics of the network change the bridges prioritisation. For instance, in the second example, it was observed that the use of the a(e), made bridge Bolesława Krzywoustego the essential bridge, while bridge Grunwaldzki was the essential bridge under the previous prioritisation made by researchers. However, the results of the third example showed that bridge Milenijny, which was considered the essential network bridge as stated in the previous prioritisation made by researchers, was again selected as the most critical bridge based on the a(e). [ABSTRACT FROM AUTHOR]
- Published
- 2022
- Full Text
- View/download PDF
35. Security Risk Assessment of Healthcare Web Application Through Adaptive Neuro-Fuzzy Inference System: A Design Perspective
- Author
-
Kaur J, Khan AI, Abushark YB, Alam MM, Khan SA, Agrawal A, Kumar R, and Khan RA
- Subjects
healthcare web application ,security risk assessment ,fuzzy systems ,neural network ,adaptive neuro-fuzzy inference system. ,Public aspects of medicine ,RA1-1270 - Abstract
Jasleen Kaur,1 Asif Irshad Khan,2 Yoosef B Abushark,2 Md Mottahir Alam,3 Suhel Ahmad Khan,4 Alka Agrawal,1 Rajeev Kumar,1 Raees Ahmad Khan1. 1Department of Information Technology, Babasaheb Bhimrao Ambedkar University, Lucknow, UP, India; 2Computer Science Department, Faculty of Computing and Information Technology, King Abdulaziz University, Jeddah, Saudi Arabia; 3Department of Electrical & Computer Engineering, Faculty of Engineering, King Abdulaziz University, Jeddah, Saudi Arabia; 4Department of Computer Science, Indira Gandhi National Tribal University, Amarkantak, MP, India. Correspondence: Rajeev Kumar, Email rs0414@gmail.com
Introduction: The imperative need for ensuring optimal security of healthcare web applications cannot be overstated. Security practitioners are consistently working at improvising on techniques to maximise security along with the longevity of healthcare web applications. In this league, it has been observed that assessment of security risks through soft computing techniques during the development of a web application can enhance the security of healthcare web applications to a great extent. Methods: This study proposes the identification of security risks and their assessment during the development of the web application through an adaptive neuro-fuzzy inference system (ANFIS). In this article, firstly, the security risk factors involved during healthcare web application development have been identified. Thereafter, these security risks have been evaluated by using the ANFIS technique. This research also proposes a fuzzy regression model. Results: The results have been compared with those of ANFIS, and the ANFIS model is found to be more acceptable for the estimation of security risks during healthcare web application development. Conclusion: The proposed approach can be applied by healthcare web application developers and experts to avoid the security risk factors during healthcare web application development for enhancing healthcare data security. Keywords: healthcare web application, security risk assessment, fuzzy systems, neural network, adaptive neuro-fuzzy inference system
- Published
- 2020
36. CloudStrike: Chaos Engineering for Security and Resiliency in Cloud Infrastructure
- Author
-
Kennedy A. Torkura, Muhammad I. H. Sukmana, Feng Cheng, and Christoph Meinel
- Subjects
Cloud security ,security chaos engineering ,resilient architectures ,security risk assessment ,Electrical engineering. Electronics. Nuclear engineering ,TK1-9971 - Abstract
Most cyber-attacks and data breaches in cloud infrastructure are due to human errors and misconfiguration vulnerabilities. Cloud customer-centric tools are imperative for mitigating these issues; however, existing cloud security models are largely unable to tackle these security challenges. Therefore, novel security mechanisms are imperative, and we propose Risk-driven Fault Injection (RDFI) techniques to address these challenges. RDFI applies the principles of chaos engineering to cloud security and leverages feedback loops to execute, monitor, analyze and plan security fault injection campaigns, based on a knowledge base. The knowledge base consists of fault models designed from secure baselines, cloud security best practices and observations derived during iterative fault injection campaigns. These observations are helpful for identifying vulnerabilities while verifying the correctness of security attributes (integrity, confidentiality and availability). Furthermore, RDFI proactively supports risk analysis and security hardening efforts by sharing security information with security mechanisms. We have designed and implemented the RDFI strategies, including various chaos engineering algorithms, as a software tool: CloudStrike. Several evaluations have been conducted with CloudStrike against infrastructure deployed on two major public cloud platforms: Amazon Web Services and Google Cloud Platform. The time performance increases linearly, proportional to increasing attack rates. Also, the analysis of vulnerabilities detected via security fault injection has been used to harden the security of cloud resources to demonstrate the effectiveness of the security information provided by CloudStrike. Therefore, we opine that our approaches are suitable for overcoming contemporary cloud security issues.
- Published
- 2020
- Full Text
- View/download PDF
37. Enhancing maritime transportation security: A data-driven Bayesian network analysis of terrorist attack risks.
- Author
-
Mohsendokht M, Li H, Kontovas C, Chang CH, Qu Z, and Yang Z
- Abstract
Maritime terrorist accidents have a significant low-frequency-high-consequence feature and, thus, require new research to address the associated inherent uncertainty and the scarce literature in the field. This article aims to develop a novel method for maritime security risk analysis. It employs real accident data from maritime terrorist attacks over the past two decades to train a data-driven Bayesian network (DDBN) model. The findings help pinpoint key contributing factors, scrutinize their interdependencies, ascertain the probability of different terrorist scenarios, and describe their impact on different manifestations of maritime terrorism. The established DDBN model undergoes a thorough verification and validation process employing various techniques, such as sensitivity, metrics, and comparative analyses. Additionally, it is tested against recent real-world cases to demonstrate its effectiveness in both retrospective and prospective risk propagation, encompassing both diagnostic and predictive capabilities. These findings provide valuable insights for the various stakeholders, including companies and government bodies, fostering comprehension of maritime terrorism and potentially fortifying preventive measures and emergency management., (© 2024 The Author(s). Risk Analysis published by Wiley Periodicals LLC on behalf of Society for Risk Analysis.)
- Published
- 2024
- Full Text
- View/download PDF
38. Security Risk Assessment Approach for Distribution Network Cyber Physical Systems Considering Cyber Attack Vulnerabilities
- Author
-
Buxiang Zhou, Binjie Sun, Tianlei Zang, Yating Cai, Jiale Wu, and Huan Luo
- Subjects
security risk assessment ,cyber physical systems ,Bayesian network ,common vulnerability scoring system ,fuzzy analytic hierarchy process ,entropy weight method ,Science ,Astrophysics ,QB460-466 ,Physics ,QC1-999 - Abstract
With the increasing digitalization and informatization of distribution network systems, distribution networks have gradually developed into distribution network cyber physical systems (CPS) which are deeply integrated with traditional power systems and cyber systems. However, at the same time, the network risk problems that the cyber systems face have also increased. Considering the possible cyber attack vulnerabilities in the distribution network CPS, a dynamic Bayesian network approach is proposed in this paper to quantitatively assess the security risk of the distribution network CPS. First, the Bayesian network model is constructed based on the structure of the distribution network and common vulnerability scoring system (CVSS). Second, a combination of the fuzzy analytic hierarchy process (FAHP) and entropy weight method is used to correct the selectivity of the attacker to strike the target when cyber attack vulnerabilities occur, and then after considering the defense resources of the system, the risk probability of the target nodes is obtained. Finally, the node loads and node risk rates are used to quantitatively assess the risk values that are applied to determine the risk level of the distribution network CPS, so that defense strategies can be given in advance to counter the adverse effects of cyber attack vulnerabilities.
- Published
- 2022
- Full Text
- View/download PDF
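The abstract above describes a Bayesian network built from the distribution-network structure and CVSS, with the risk value of a node taken as its load times its risk rate. The Python below is an added example of that construction, not the paper's code, and it makes several assumptions the abstract does not state: the success probability of an exploit is the CVSS v3.1 exploitability sub-score divided by the best-case sub-score (a common attack-graph convention); a node reachable from several parents is a noisy-OR node; the paper's FAHP and entropy-weight correction of attacker selectivity is not modelled, and a single per-node defence effectiveness stands in for the "defense resources" step. The node names, CVSS vectors and feeder load are constructed.

```python
"""CVSS-driven Bayesian attack graph for a distribution-network CPS.

Added example; not the paper's code. Assumptions not in the abstract:
 (1) exploit success probability = CVSS v3.1 exploitability sub-score
     divided by the best-case sub-score (AV:N/AC:L/PR:N/UI:N);
 (2) a node with several attack parents is a noisy-OR node;
 (3) a defence on a node scales its exploit probability by (1 - effectiveness);
 (4) risk value of a node = its load (kW) x its compromise probability.
"""
from dataclasses import dataclass, field, replace
from typing import Dict, List, Optional

# CVSS v3.1 exploitability metric values (PR values for scope unchanged)
AV = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.20}
AC = {"L": 0.77, "H": 0.44}
PR = {"N": 0.85, "L": 0.62, "H": 0.27}
UI = {"N": 0.85, "R": 0.62}


def exploitability(vector: str) -> float:
    """CVSS v3.1 exploitability sub-score for a vector such as 'AV:N/AC:H/PR:N/UI:N'."""
    m = dict(part.split(":") for part in vector.split("/"))
    return 8.22 * AV[m["AV"]] * AC[m["AC"]] * PR[m["PR"]] * UI[m["UI"]]


EXPLOITABILITY_MAX = exploitability("AV:N/AC:L/PR:N/UI:N")


def success_probability(vector: str) -> float:
    """Assumed mapping: exploitability relative to the best case, in (0, 1]."""
    return exploitability(vector) / EXPLOITABILITY_MAX


@dataclass
class Node:
    name: str
    cvss: Optional[str]                  # vector of the vuln that gains this node; None = attacker's start
    parents: List[str] = field(default_factory=list)
    load_kw: float = 0.0                 # load served by this node (physical nodes only)
    defence: float = 0.0                 # effectiveness in [0, 1] of controls protecting this node


def compromise_probabilities(nodes: Dict[str, Node]) -> Dict[str, float]:
    """Propagate compromise probability forward through the DAG."""
    probs: Dict[str, float] = {}
    pending = dict(nodes)
    while pending:
        ready = [n for n in pending.values() if all(p in probs for p in n.parents)]
        if not ready:
            raise ValueError("attack graph has a cycle or a missing parent")
        for node in ready:
            if node.cvss is None:
                probs[node.name] = 1.0                       # attacker's starting position
            else:
                p_exploit = success_probability(node.cvss) * (1.0 - node.defence)
                miss = 1.0
                for parent in node.parents:                  # noisy-OR over attack paths
                    miss *= 1.0 - probs[parent] * p_exploit
                probs[node.name] = 1.0 - miss
            del pending[node.name]
    return probs


def risk_values(nodes: Dict[str, Node], probs: Dict[str, float]) -> Dict[str, float]:
    """Risk value = load x compromise probability, for nodes that serve load."""
    return {n.name: n.load_kw * probs[n.name] for n in nodes.values() if n.load_kw > 0}


def with_defence(nodes: Dict[str, Node], name: str, effectiveness: float) -> Dict[str, Node]:
    """Copy of the graph with a control of the given effectiveness on one node."""
    out = dict(nodes)
    out[name] = replace(nodes[name], defence=effectiveness)
    return out


# Constructed sample graph (not from the paper): two paths from the Internet
# reach the SCADA front end; from there the attacker reaches a feeder terminal.
SAMPLE_GRAPH = {
    "internet":        Node("internet", None),
    "gateway":         Node("gateway", "AV:N/AC:H/PR:N/UI:N", ["internet"]),
    "vpn":             Node("vpn", "AV:N/AC:L/PR:N/UI:R", ["internet"]),
    "front_end":       Node("front_end", "AV:A/AC:L/PR:L/UI:N", ["gateway", "vpn"]),
    "feeder_terminal": Node("feeder_terminal", "AV:N/AC:L/PR:H/UI:N", ["front_end"], load_kw=1200.0),
}

if __name__ == "__main__":
    probs = compromise_probabilities(SAMPLE_GRAPH)
    for name, p in probs.items():
        print(f"{name:16s} P(compromise)={p:.3f}")
    print("risk (kW):", risk_values(SAMPLE_GRAPH, probs))
    hardened = compromise_probabilities(with_defence(SAMPLE_GRAPH, "front_end", 0.5))
    print("feeder risk with front-end control:", 1200.0 * hardened["feeder_terminal"])
```

Two things the numbers make visible that the abstract only states: the front end is reached with a higher probability than either path alone gives it, because the noisy-OR credits the attacker with both routes; and a control placed on the front end lowers the feeder terminal's risk more than the same control on one of the two entry nodes would, since it sits on the cut of every path. Comparing the risk values before and after `with_defence` is the "defense strategies given in advance" step, done one candidate control at a time.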
39. Cybersecurity Risk Management Framework for Blockchain Identity Management Systems in Health IoT
- Author
-
Bandar Alamri, Katie Crowley, and Ita Richardson
- Subjects
Blockchain ,Health IoT ,identity management ,privacy impact assessment ,security risk assessment ,security risk management ,Chemical technology ,TP1-1185 - Abstract
Blockchain (BC) has recently paved the way for developing Decentralized Identity Management (IdM) systems for different information systems. Researchers widely use it to develop decentralized IdM systems for the Health Internet of Things (HIoT). HIoT is considered a vulnerable system that produces and processes sensitive data. BC-based IdM systems have the potential to be more secure and privacy-aware than centralized IdM systems. However, many studies have shown potential security risks to using BC. A Systematic Literature Review (SLR) conducted by the authors on BC-based IdM systems in HIoT systems showed a lack of comprehensive security and risk management frameworks for BC-based IdM systems in HIoT. Conducting a further SLR focusing on risk management and supplemented by Grey Literature (GL), in this paper, a security taxonomy, security framework, and cybersecurity risk management framework for the HIoT BC-IdM systems are identified and proposed. The cybersecurity risk management framework will significantly assist developers, researchers, and organizations in developing a secure BC-based IdM to ensure HIoT users’ data privacy and security.
- Published
- 2022
- Full Text
- View/download PDF
40. A neuro-fuzzy security risk assessment system for software development life cycle.
- Author
-
Olusanya OO, Jimoh RG, Misra S, and Awotunde JB
- Abstract
This study aims to protect software development by creating a Software Risk Assessment (SRA) model for each phase of the Software Development Life Cycle (SDLC) using an Adaptive Neuro-Fuzzy Inference System (ANFIS) model. Software developers discovered and validated the risk variables affecting each SDLC phase, after which relevant data about risk factors and the associated SRA for each SDLC phase were collected. To create the SRA model for the SDLC phases, risk factors were used as inputs and SRA was used as the output. The formulated model was simulated using 70 % and 80 % of the data for training, while 30 % and 20 % were used for testing the model. The performance of the SRA models on the test datasets was evaluated based on accuracy. According to the study findings, 11, 8, 9, 4, and 6 risk variables were discovered and confirmed for the requirement, design, implementation, integration, and operation phases of the SDLC, respectively. The SRA model was formulated from these risk factors using 2048, 256, 512, 16, and 64 inference rules for the requirement, design, implementation, integration, and operation phases, respectively. The study concluded that using the SRA model to assess security risk at each SDLC phase provided a secure software development process., Competing Interests: The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper., (© 2024 The Authors.)
- Published
- 2024
- Full Text
- View/download PDF
41. A Survey of Cybersecurity Certification for the Internet of Things.
- Author
-
MATHEU, SARA N., HERNÁNDEZ-RAMOS, JOSÉ L., SKARMETA, ANTONIO F., and BALDINI, GIANMARCO
- Subjects
- *
INTERNET of things , *INTERNET security , *CERTIFICATION , *SCIENTIFIC community , *RISK assessment - Abstract
In recent years, cybersecurity certification is gaining momentum as the baseline to build a structured approach to mitigate cybersecurity risks in the Internet of Things (IoT). This initiative is driven by industry, governmental institutions, and research communities, which have the goal to make IoT more secure for the end-users. In this survey, we analyze the current cybersecurity certification schemes, as well as the potential challenges to make them applicable for the IoT ecosystem. We also examine current efforts related to risk assessment and testing processes, which are widely recognized as the processes to build a cybersecurity certification framework. Our work provides a multidisciplinary perspective of a possible IoT cybersecurity certification framework by integrating research and technical tools and processes with policies and governance structures, which are analyzed against a set of identified challenges. This survey is intended to give a comprehensive overview of cybersecurity certification to facilitate the definition of a framework that fits in emerging scenarios, such as the IoT paradigm. [ABSTRACT FROM AUTHOR]
- Published
- 2021
- Full Text
- View/download PDF
42. Information Security Risk Assessment.
- Author
-
Kuzminykh, Ievgeniia, Ghita, Bogdan, Sokolov, Volodymyr, and Bakhshi, Taimur
- Subjects
- *
INFORMATION technology security , *RISK management in business , *RISK assessment , *FUZZY logic , *INFORMATION processing , *QUALITATIVE research - Abstract
Definition: Information security risk assessment is an important part of enterprises' management practices that helps to identify, quantify, and prioritize risks against criteria for risk acceptance and objectives relevant to the organization. Risk management refers to a process consisting of the identification, management, and elimination or reduction of the likelihood of events that can negatively affect the resources of the information system, in order to reduce security risks that could affect the information system, subject to an acceptable cost of protection. The protection means comprise a risk analysis, an analysis of the "cost-effectiveness" parameter, and the selection, construction, and testing of the security subsystem, as well as the study of all aspects of security. [ABSTRACT FROM AUTHOR]
- Published
- 2021
- Full Text
- View/download PDF
43. A Method for Developing Qualitative Security Risk Assessment Algorithms
- Author
-
Erdogan, Gencer, Refsdal, Atle, Hutchison, David, Series Editor, Kanade, Takeo, Series Editor, Kittler, Josef, Series Editor, Kleinberg, Jon M., Series Editor, Mattern, Friedemann, Series Editor, Mitchell, John C., Series Editor, Naor, Moni, Series Editor, Pandu Rangan, C., Series Editor, Steffen, Bernhard, Series Editor, Terzopoulos, Demetri, Series Editor, Tygar, Doug, Series Editor, Weikum, Gerhard, Series Editor, Cuppens, Nora, editor, Cuppens, Frédéric, editor, Lanet, Jean-Louis, editor, Legay, Axel, editor, and Garcia-Alfaro, Joaquin, editor
- Published
- 2018
- Full Text
- View/download PDF
44. Sequential Pattern Mining for ICT Risk Assessment and Prevention
- Author
-
D’Andreagiovanni, Michele, Baiardi, Fabrizio, Lipilini, Jacopo, Ruggieri, Salvatore, Tonelli, Federico, Hutchison, David, Series editor, Kanade, Takeo, Series editor, Kittler, Josef, Series editor, Kleinberg, Jon M., Series editor, Mattern, Friedemann, Series editor, Mitchell, John C., Series editor, Naor, Moni, Series editor, Pandu Rangan, C., Series editor, Steffen, Bernhard, Series editor, Terzopoulos, Demetri, Series editor, Tygar, Doug, Series editor, Weikum, Gerhard, Series editor, Cerone, Antonio, editor, and Roveri, Marco, editor
- Published
- 2018
- Full Text
- View/download PDF
45. Analysis of Assets for Threat Risk Model in Avatar-Oriented IoT Architecture
- Author
-
Kuzminykh, Ievgeniia, Carlsson, Anders, Hutchison, David, Series Editor, Kanade, Takeo, Series Editor, Kittler, Josef, Series Editor, Kleinberg, Jon M., Series Editor, Mattern, Friedemann, Series Editor, Mitchell, John C., Series Editor, Naor, Moni, Series Editor, Pandu Rangan, C., Series Editor, Steffen, Bernhard, Series Editor, Terzopoulos, Demetri, Series Editor, Tygar, Doug, Series Editor, Galinina, Olga, editor, Andreev, Sergey, editor, Balandin, Sergey, editor, and Koucheryavy, Yevgeni, editor
- Published
- 2018
46. Identification of Risk Factors Using ANFIS-Based Security Risk Assessment Model for SDLC Phases
- Author
- Rasheed Gbenga Jimoh, Olayinka Olufunmilayo Olusanya, Joseph Bamidele Awotunde, Agbotiname Lucky Imoize, and Cheng-Chi Lee
- Subjects
- fuzzy logic, software product, software development life cycle, inference systems, security risk assessment, adaptive neuro-fuzzy, Information technology, T58.5-58.64
- Abstract
In the field of software development, the efficient prioritizing of software risks is essential and plays a significant role. However, finding a viable solution to this issue is a difficult challenge. Software developers have to adhere strictly to risk management practice because each phase of the SDLC faces its own type of risk, rather than treating it as a general risk. Therefore, this study proposes an adaptive neuro-fuzzy inference system (ANFIS) for the selection of appropriate risk factors at each stage of the software development process. Existing studies viewed the SDLC's security risk assessment (SRA) as a single integrated process that did not offer a thorough SRA at each stage of the SDLC process, which resulted in insecure software development. Hence, this study identifies and validates the risk factors needed for assessing security risk at each phase of the SDLC. For each phase, an SRA model based on an ANFIS was suggested, using the identified risk factors as inputs. Triangular membership functions were employed for the logical representation of the fuzzification of the input and output variables of the SRA risk factors in the ANFIS-based model. The proposed model utilized two triangular membership functions to represent each risk factor's label, while four membership functions were used to represent the labels of the target SRA value. As revealed by the results, software developers chose the SRA risk factors that were pertinent to their situation from the proposed taxonomy for each level of the SDLC process. As revealed by the study's findings, knowledge of the identified risk factors may be valuable for evaluating security risk throughout the SDLC process.
- Published
- 2022
47. FIRE: A Finely Integrated Risk Evaluation Methodology for Life-Critical Embedded Systems
- Author
- Aakarsh Rao, Nadir A. Carreón, Roman Lysecky, and Jerzy Rozenblit
- Subjects
- security risk assessment, security risk management, threat mitigation, modeling and simulation, life-critical embedded systems, medical device security, Information technology, T58.5-58.64
- Abstract
Life-critical embedded systems, including medical devices, are becoming increasingly interconnected and interoperable, providing great efficiency to the healthcare ecosystem. These systems incorporate complex software that plays a significantly integrative and critical role. However, this complexity substantially increases the potential for cybersecurity threats, which directly impact patients' safety and privacy. With software continuing to play a fundamental role in life-critical embedded systems, maintaining its trustworthiness by incorporating fail-safe modes via a multimodal design is essential. Comprehensive and proactive evaluation and management of cybersecurity risks are essential from the very design to deployment and long-term management. In this paper, we present FIRE, a finely integrated risk evaluation methodology for life-critical embedded systems. Security risks are carefully evaluated in a bottom-up approach from operations to system modes by adopting and expanding well-established vulnerability scoring schemes for life-critical systems, considering the impact on patient health and data sensitivity. FIRE combines a static risk evaluation with runtime dynamic risk evaluation to establish comprehensive risk management throughout the lifecycle of the life-critical embedded system. We demonstrate the details and effectiveness of our methodology in systematically evaluating risks and conditions for risk mitigation with a smart connected insulin pump case study. Under normal conditions and eight different malware threats, the experimental results demonstrate effective threat mitigation by mode switching with a 0% false-positive mode switching rate.
- Published
- 2022
48. A model-based approach for self-adaptive security in CPS: Application to smart grids.
- Author
- Chehida, Salim, Rutten, Eric, Giraud, Guillaume, and Mocanu, Stéphane
- Subjects
- SELF-adaptive software, CYBER physical systems, CONSTRAINT programming, STATISTICAL decision making, COMPUTER software security, SOFTWARE architecture
- Abstract
Security risk assessment is an important challenge in the design of Cyber Physical Systems (CPS). Even more importantly, the intrinsically dynamical nature of these systems, due to changes in their environment as well as evolutions in their infrastructures, makes them self-adaptive systems, where security aspects have to be considered in terms of management of detections and reactions for self-protection. In this work, we propose an approach to autonomously mitigate the threats in each reconfiguration at the application or infrastructure levels of CPS. We propose and implement a framework for self-adaptive security: software architecture, design method, and integration with model-based decision. We use Attack-Defense Trees for modeling threats, and our approach involves security risk assessment, taking into account its balancing and coordination with quality-of-service aspects. We formulate and formalize the on-line decision problem to be solved at each cycle of the self-adaptation control loop in terms of Constraint Programming (CP) modeling and resolution. The CP model implements a set of constraints that allow secure configurations to be specified, evaluated regarding their impact on system performance to pinpoint the most relevant one, portraying a good balance between security and quality of service. We validate our approach with its application to Smart Grids, more particularly to an industrial case study from RTE (the French Energy Transmission company). • We propose and implement a framework for self-adaptive security in CPS. • Our approach involves Security Risk Assessment, taking into account QoS aspects. • We formalize the on-line decision problem to be solved using Constraint Programming. • We perform the validation of our approach on RTE's Smart Grids case study. [ABSTRACT FROM AUTHOR]
- Published
- 2024
49. Information security risk assessment of industrial Internet of coal mine
- Author
- MENG Qingyong and GU Chuang
- Subjects
- industrial internet of coal mine, smart mine, information system, information security, security risk assessment, security protectio, Mining engineering. Metallurgy, TN1-997
- Abstract
To address the problem that information security protection measures for the industrial Internet of coal mines were mostly applied to small areas, making it difficult to assess the overall information security risk, an information security risk assessment method for the industrial Internet of coal mines was proposed based on static and dynamic dimensions. In the method, the security protection regulations carried out in coal mine information systems are feature-transformed according to Information Security Technology-baseline for Classified Protection of Cybersecurity and GB/T 34679-2017 General Technical Specifications for Smart Mine Information Systems, and a correlation coefficient matrix of security protection requirements for each system is established, so as to calculate the number of security protection regulations actually carried out in the system. Then, a security risk assessment model is established by combining the risk number with the probability of the higher risk category, so as to assess the information security risk of the industrial Internet of coal mines. The test result shows that the method can effectively assess the information security status of the industrial Internet of coal mines, and guide coal mine enterprises to analyze information security risk and to design and carry out a security protection plan, so as to decrease the information security risk of the industrial Internet of coal mines.
- Published
- 2019
50. Stochastic Security Assessment for Power Systems With High Renewable Energy Penetration Considering Frequency Regulation
- Author
- Yu Huang, Qingshan Xu, Sajjad Abedi, Tong Zhang, Xianqiang Jiang, and Guang Lin
- Subjects
- Security risk assessment, numerical method, renewable energy integration, frequency regulation, probability, Electrical engineering. Electronics. Nuclear engineering, TK1-9971
- Abstract
With the deepening penetration of renewable resources worldwide, power system operators are faced with emerging challenges, e.g., the increase of operating risks due to the volatility and uncertainty of wind and solar power. To efficiently identify operational limit violations, this paper advocates a switch from a deterministic to a stochastic framework for assessing system security, which can manage various types of uncertainties. The established model is based on an improved probabilistic load flow, which is adapted to incorporate the steady-state behavior of frequency regulation. An efficient importance sampling (IS) technique is also developed to speed up crude Monte Carlo (MC) simulation in estimating the low probability of violations of security constraints. Extensive computational experiments on both the IEEE 14-bus test case and a simplified regional system show that the proposed IS estimator significantly enhances the computational efficiency of crude MC and has better numerical performance compared with other IS schemes.
- Published
- 2019