王桢珍,武小悦,刘忠

DOI: https://doi.org/10.3969/j.issn.1002-137x.2009.06.011

2009-01-01

Computer Science

Abstract:A planning exploit graph model that can be used in information security risk process was proposed.The domain and problem of risk process was described in PDDL language,and the system information,vulnerabilities,threats and defenders were modeled based on intelligent planning,a modified planner engine was used to reason all exploit paths using relative algorithms and draw the planning exploit graph with Graphviz Tootkit.

Ming-rui Xiao,Yun-wei Dong,Qian-wen Gou,Feng Xue,Yong-hua Chen

DOI: https://doi.org/10.1631/FITEE.2000428

IF: 2.526

2020-01-01

Frontiers of Information Technology & Electronic Engineering

Abstract:Cyber-physical systems (CPSs) are becoming increasingly important in safety-critical systems. Particular risk analysis (PRA) is an essential step in the safety assessment process to guarantee the quality of a system in the early phase of system development. Human factors like the physical environment are the most important part of particular risk assessment. Therefore, it is necessary to analyze the safety of the system considering human factor and physical factor. In this paper, we propose a new particular risk model (PRM) to improve the modeling ability of the Architecture Analysis and Design Language (AADL). An architecture-based PRA method is presented to support safety assessment for the AADL model of a cyber-physical system. To simulate the PRM with the proposed PRA method, model transformation from PRM to a deterministic and stochastic Petri net model is implemented. Finally, a case study on the power grid system of CPS is modeled and analyzed using the proposed method.

Yu Zhiwei,Tang Rengzhong,Jia Dongjiao,Ye Fanbo

DOI: https://doi.org/10.3321/j.issn:1004-132X.2007.04.021

2007-01-01

Abstract:To identify the security requirements of information systems, a business process-based security requirement analysis method was presented. Focused on the business process security, the related assets which affect the business process security were identified by security tree model. The security requirements of assets were identified by risk packet and risk transferring model, and then the security requirements list was formed after coverage analysis. Finally, a case was studied to illustrate the proposed method.

REN Pei,ZHOU Jing-lun,ZHENG Long,YAN Zhao-lin

DOI: https://doi.org/10.3969/j.issn.1001-3695.2007.06.027

2007-01-01

Abstract:With respect to the requirements of the dynamic system safety analysis,this paper designed and implemented a new risk assessment system.The PRA-based new system synthesizes various techniques of safety modeling and hazard analysis in the risk assessment process,which meets the requirements of dynamic system risk assessment.

DING Li-jie,CHEN Wei-hua,BAO Zhe-jing

2009-01-01

Abstract:To ensure the static security of the power system,which is one of the key factors in power system operation,a method of risk assessment and preventive control was proposed based on the risk of line overload and voltage exceeding.In this method,the probabilistic power flow(PPT) and cumulant method were used to analyze the randomness of system statuses,and the severity function was applied to describing the impact and outcome of line overhead and voltage exceeding.Moreover,the product of probability and severity of line overload and voltage exceeding was defined as the risk index of the system.Finally,a preventive control model for static security,based on optimal power flow and particle swarm optimization method,was developed and used to optimize the outputs of the system active and reactive resources,which reduced the risks of overload and voltage exceeding and increased system security.The method was proved effective through testing.

Weilan Suo,Lin Wang,Jianping Li

DOI: https://doi.org/10.1016/j.ress.2021.107730

2021-10-01

Abstract:<p>Critical infrastructures (CIs) are becoming increasingly important in social public services; however, various CI risk events emerge constantly with potential damages. Probabilistic risk assessment (PRA) is a quantitative measurement of risk occurrence probability that is used to support risk profile judgment and weakness identification. However, the inherent features of risk factor multiplicity, CI interdependency, and dynamic stochasticity render PRA for CIs more challenging. The purpose of this study is to investigate a PRA model for CIs with a comprehensive consideration of the inherent features and an integrated utilization of multisource data. A multidimensional PRA scenario analysis is first conducted from the perspectives of scenario elements, scenario evolution, and scenario effect. Subsequently, to support PRA for interdependent CIs, a scenario-driven dynamic stochastic model is developed based on a three-stage solution with accurate feature quantification, and effective utilization of objective factual records and subjective expert judgment. Furthermore, the applicability and effectiveness of the proposed model are demonstrated through a case study. It is indicated that the PRA results obtained using the proposed model are beneficial for decision makers to clarify the overall risk profile and determine the risk-alert periods, high-frequency risk factors, and high-risk CIs to support CI risk prevention.</p>

engineering, industrial,operations research & management science

杨洋,姚淑珍

DOI: https://doi.org/10.3778/j.issn.1002-8331.2009.03.027

2009-01-01

Computer Engineering and Applications Journal

Abstract:In the field of information security,risk assessment is the core of the risk management and control,also is the founda- tion and premises that builds up the safe system of the information system.This paper analyses the standards and process of in- formation security risk assessment,and proposes a quantitative security risk method ISSREM(Information System Security Risk E- valuation Method),based on threat analysis.ISSREM has features such as easily operative,independent,practical and the evalua- tion results comparable.And the sensitivity analysis of threaten frequency is presented,which makes the evaluation results more objective.This paper gives the calculation model of the method and the main procedures of risk evaluation using the method.Fi- nally,with examples to analyze the quantitative assessment method,this paper validates the rationality and effectiveness of the method.

Yue Chi,Yongzheng Zhang,Xiaochun Yun

2005-01-01

Abstract:With the rapid development of Internet technology, malicious attacks to network or host information systems become diversification and complication. An active security technology-risk assessment is developed to feedback the confidence on information system security, and to eliminate the hidden trouble in time. Therefore, this paper firstly illuminates the basic conceptions in risk assessment, then establishes a general risk assessment model (GRAM) using Petri Net, analyzes each process and the run mechanism of this model, and finally proves that this model is bounded and active. This model has the generality, so contributes to understanding the risk assessment technology on the whole, and further guiding researches for special assessment methods.

Jeb Webb,Atif Ahmad,Sean B. Maynard,Graeme Shanks

DOI: https://doi.org/10.1016/j.cose.2014.04.005

2014-07-01

Abstract:Information security risk management (ISRM) is the primary means by which organizations preserve the confidentiality, integrity and availability of information resources. A review of ISRM literature identified deficiencies in the practice of information security risk assessment that inevitably lead to poor decision-making and inadequate or inappropriate security strategies. In this conceptual paper, we propose a situation aware ISRM (SA-ISRM) process model to complement the information security risk management process. Our argument is that the model addresses the aforementioned deficiencies through an enterprise-wide collection, analysis and reporting of risk-related information. The SA-ISRM model is adapted from Endsley&#x27;s situation awareness model and has been refined using our findings from a case study of the US national security intelligence enterprise.

computer science, information systems

Xiang GAO,Yue-fei ZHU,Sheng-li LIU,Jin-long FEI,Long LIU

2013-01-01

Abstract:Aiming at the complex in the process of network security risk assessment, the asset, vulnerability and threat were used as the major factors in security assessment to establish the hierarchical index system for security assessment. The concept of credibility was introduced, and the security risk assessment model and fuzzy reasoning algorithm based on fuzzy Petri net were also proposed, making use of fuzzy Petri nets method joined together with the AHP to analyze the question, and combining qualitative analysis and quantitative analysis together. The example analysis shows that the ob-tained results are more accurate and scientific compared with traditional assessment methods. Therefore, this method is an effective network system risk assessment method.

Aleksandar Šijan,Dejan Viduka,Luka Ilić,Bratislav Predić,Darjan Karabašević

DOI: https://doi.org/10.3390/electronics13214209

IF: 2.9

2024-10-27

Electronics

Abstract:This paper presents a comprehensive model for cyber security risk assessment using the PIPRECIA-S method within decision theory, which enables organizations to systematically identify, assess and prioritize key cyber threats. The study focuses on the evaluation of malware, ransomware, phishing and DDoS attacks, using criteria such as severity of impact, financial losses, ease of detection and prevention, impact on reputation and system recovery. This approach facilitates decision making, as it enables the flexible adaptation of the risk assessment to the specific needs of an organization. The PIPRECIA-S model has proven to be useful for identifying the most critical threats, with a special emphasis on ransomware and DDoS attacks, which represent the most significant risks to businesses. This model provides a framework for making informed and strategic decisions to reduce risk and strengthen cyber security, which are critical in a digital environment where threats become more and more sophisticated.

engineering, electrical & electronic,computer science, information systems,physics, applied

WANG Wei,LI Chun-ping,LI Jian-bin

DOI: https://doi.org/10.16208/j.issn1000-7024.2007.14.060

2007-01-01

Abstract:Safe field in the information,the risk assessment is foundation and premises that builds up the safe system of the information system,but the risk assessment method rises to the usefulness of the assessment prominent function.The risk assessment method contain a lot of kinds,each method have it the place of the shortage.The risk assessment method adopted threat tree model and analytical hierarchy process that method combine together,made use of two kinds of vantages that assessment method,made up the shortage of the one risk assessment method,the aim is search into a kind of more valid,more reasonable and more accurate risk assessment method.

Oluwasefunmi 'Tale Arogundade,Olusola J. Adeniran,Zhi Jin,Xiaoguang Yang

DOI: https://doi.org/10.4018/ijsse.2016070101

2016-01-01

International Journal of Secure Software Engineering

Abstract:Resource allocation decisions can be enhanced by performing risk assessment during the early development phase. In order to improve and maintain the security of the Information System IS, hereafter, there is need to build risk analysis model that can dynamically analyze threat data collected during the operational lifetime of the IS. In this paper the authors propose an ontological approach to accomplishing this goal. They present analyzer model and architecture, an agent-based risk analysis system ARAS which gathers identified threats events, probe them and correlates those using ontologies. It explores both quantitative and qualitative risk analysis techniques using real events data for probability predictions of threats based on an existing designed security ontology. To validate the feasibility of the approach a case study on e-banking system has been conducted. Simulated IDS output serves as input into the risk analysis system. The authors used JADE to implement the agents, protégé OWL to create the ontology and ORACLE 11g SQL developer for the database. Optimistic results were obtained.

Ji Yi,Wen Danyan,Wang Haiquan,Xia Chunhe

DOI: https://doi.org/10.1109/CCCM.2009.5267887

2009-01-01

Abstract:An important problem in network security risk assessment is to uncover network threats due to current software vulnerabilities and misconfigurations. This paper proposes a logic-programming approach to conduct this risk assessment automatically. We use Datalog to specify network security property states and attack rules. The threat analysis could be conducted by a logic-programming engine that can evaluate Datalog efficiently (such as XSB [1]). We analyze trace proofs produced by the reasoning engine, and get threat information of evaluated network system. After identifying the threats, we apply game theory to compute threat risks. A simple network attack has been simulated to illuminate the appliance of the new approach. Results on how the approach has been able to help the system administrator understand the threat risks of attacks and take countermeasures accordingly are also analyzed. ©2009 IEEE.

Shancang Li,Shanshan Zhao,Yong Yuan,Qindong Sun,Kewang Zhang

DOI: https://doi.org/10.1109/tcss.2018.2858440

2018-01-01

IEEE Transactions on Computational Social Systems

Abstract:Cyber-physical social system (CPSS) plays an important role in both the modern lifestyle and business models, which significantly changes the way we interact with the physical world. The increasing influence of cyber systems and social networks is also a high risk for security threats. The objective of this paper is to investigate associated risks in CPSS, and a hybrid Bayesian risk graph (HBRG) model is proposed to analyze the temporal attack activity patterns in dynamic cyber-physical social networks. In the proposed approach, a hidden Markov model is introduced to model the dynamic influence of activities, which then be mapped into a Bayesian risks graph (BRG) model that can evaluate the risk propagation in a layered risk architecture. Our numerical studies demonstrate that the framework can model and evaluate risks of user activity patterns that expose to CPSSs.

GAO Song,WANG Yan,CAO Yu-lei,CHEN Chu-Xin

DOI: https://doi.org/10.3969/j.issn.1009-8054.2013.09.018

2013-01-01

Abstract:Along with the direction change of uninterrupted network attacks,application security issue is increasingly prominent,while from R&D process to enhance the security of information system becomes the industry consensus. Based on analysis and comparison of the several major software security development models,the common features of software security development model are summarized,and in combination of the risk characteristics of commercial banking information system,the security R&D model based on security activities for commercial banks information systems is proposed,thus to enhance implementation of security activities and reduce the risk of commercial bank information system.

Wang Peng,Chen Yingwu,Chen Sen,Ye Guoqing

DOI: https://doi.org/10.1109/iccsn.2011.6014739

2011-01-01

Abstract:Nowadays, information has become the fundamental element in our society, and the security of information asset has been paid more and more attentions. Recently, people try to resolve information security management problem using new technologies in artificial intelligence, such as agent and ontology. However, existing studies mainly focus on how to perform access control task using agents or formalize knowledge about information security using ontology, and problems like information security risk management has been overlooked. In this paper, we provide an information security risk management oriented multi-agent system (namely ISRMDSS) to fill this gap.

Jun-Jie Lv,Wan-Hua Qiu,Yuan-Zhuo Wang,Na Zou

DOI: https://doi.org/10.1109/icmlc.2006.258989

2006-01-01

Abstract:Information security has drawn much concern nowadays. However, the fact that information risks are related to interrelationships and dependencies among tasks, activities, processes and people is not realized and emphasized. To solve the problem, we extend the design structure matrix (DSM) method proposed by Steward and Eppinger to the field of information security to eliminate waste and shorten the information flows. We define a systematic approach MFDSM based on information availability, integrity and confidentiality and introduce information entropy into the model to represent the information amount in the flows. Aiming at optimizing the operational procedures within enterprises and alleviating the interdependent risks, we proposed the optimized steps in detail to give application instructions

Joachim Draeger,Stefan Hahndel

DOI: https://doi.org/10.48550/arXiv.1709.00567

2017-09-02

Systems and Control

Abstract:The manifold interactions between safety and security aspects makes it plausible to handle safety and security risks in an unified way. The paper develops a corresponding approach based on the discrete event systems (DEVS) paradigm. The simulation-based calculation of an individual system evolution path provides the contribution of this special path of dynamics to the overall risk of running the system. Accidentally and intentionally caused failures are distinguished by the way, in which the risk contributions of the various evolution paths are aggregated to the overall risk. The consistency of the proposed risk assessment method with 'traditional' notions of risk shows its plausibility. Its non-computability, on the other hand, makes the proposed risk assessment better suitable to the IT security domain than other concepts of risk developed for both safety and security. Power grids are discussed as an application example and demonstrates some of the advantages of the proposed method.

Zefan Huang,Wilko Schwarting,Alyssa Pierson,Hongliang Guo,Marcelo Ang,Daniela Rus

DOI: https://doi.org/10.1109/iros45743.2020.9341084

2020-01-01

Abstract:This paper investigates the safe path planning problem for an autonomous vehicle operating in unstructured, cluttered environments. While some objects may be accurately with canonical perception algorithms, other objects and clutter may be harder to track. We present an approach that combines two methods of risk assessment: for objects with reliable tracking, we use a Gaussian Process (GP) regulated risk map to describe the risk map information; for unknown objects that we fail to accurately track, we compute a Dynamic Risk Density (DRD) from the overall occupancy and velocity field from LiDAR scan snapshots. Several methods are proposed for combining the GP risk map and DRD, and the resultant hybrid risk map is used for the proposed safe path planning algorithm. Experimental results on an autonomous buggy show that the hybrid risk map is able to yield a safe path planner to navigate the autonomous testbed within the cluttered environments.