Ihor Dobrynin,Tamara Radivilova,Nadiia Maltseva,Dmytro Ageyev

DOI: https://doi.org/10.48550/arXiv.1904.08384

2019-04-16

Cryptography and Security

Abstract:The paper suggests methods to the assessment of information risks, which makes the transition from a qualitative assessment of information risks (according to the factor analysis of information risks methodology) to a quantitative assessment. The development factor analysis of information risks methodology of the methodology was carried out using the mathematical apparatus of probability theory, namely Bayesian networks. A comparative analysis of the standard factor analysis of information risks methodology and the developed methodology using statistical data was carried out. During the analysis, the cause and effect relationships of the confidentiality violation have been formed, defined and given in the corresponding table and in the form of the Ishikawa diagram. As an example, it was calculated the amount of risk the company may be exposed to in case of violation of information confidentiality according to the standard factor analysis of information risks methodology and the developed methodology. It is shown that the use of proposed technique allows quantifying the risk assessment that can be obtained using the factor analysis of information risks methodology.

XIAO Jing-hong,MIAO Bai-qi,WU Zhen-xiang

DOI: https://doi.org/10.3969/j.issn.1007-3221.2005.01.011

2005-01-01

Abstract:Value-at-Risk(VaR) is a commonly used tool to measure market risk, and also the basic tool of risk management. There are many methods for computing VaR. In this paper we consider the correlation of data, through overlapping data to group all the data to compute VaR. The calculated VaR is more approximate to the fact. In addition, the size of group is studied and it follows power-law. The Hang Seng Index is analyzed to find the reasonable size of data grouping.

Fei Ren,Sanjeev Dewan

DOI: https://doi.org/10.1080/07421222.2015.1063281

IF: 7.582

2015-01-01

Journal of Management Information Systems

Abstract:Motivated by the wide dispersion in the returns on the use of information technology (IT) across industries, we conduct an industry-level examination of IT return and risk, focusing on the moderating role of industry competition, regulation, and technological change. We address the following research questions: What is the impact of IT investment on the return and risk dimensions of industry financial performance? How do industry characteristics moderate the relationship between IT investment and industry performance? Our analysis of these questions finds that higher levels of industry competition are associated with higher IT productivity (contribution of IT to value-added output), lower IT profitability (contribution of IT to industry average return on assets [ROA]), and higher IT risk (contribution of IT to ex ante variability of ROA). This is consistent with the notion that competition induces riskier IT investments, despite the fact that returns tend to be competed away. Higher levels of industry regulation are associated with lower IT returns in both productivity and profitability, but also lower IT risk. Finally, a higher rate of technological change induces both higher IT returns and higher IT risk. A variety of tests indicate that our results are robust. Our results shed light on factors that drive variation in IT performance across industries, and provide useful industry-level performance benchmarks of the return and risk impacts of IT investments.

Muriel Figueredo Franco,Aiatur Rahaman Mullick,Santosh Jha

2024-05-06

Abstract:Quantifying cyber risks is essential for organizations to grasp their vulnerability to threats and make informed decisions. However, current approaches still need to work on blending economic viewpoints to provide insightful analysis. To bridge this gap, we introduce QBER approach to offer decision-makers measurable risk metrics. The QBER evaluates losses from cyberattacks, performs detailed risk analyses based on existing cybersecurity measures, and provides thorough cost assessments. Our contributions involve outlining cyberattack probabilities and risks, identifying Technical, Economic, and Legal (TEL) impacts, creating a model to gauge impacts, suggesting risk mitigation strategies, and examining trends and challenges in implementing widespread Cyber Risk Quantification (CRQ). The QBER approach serves as a guided approach for organizations to assess risks and strategically invest in cybersecurity.

Cryptography and Security,Computational Engineering, Finance, and Science

Jan von der Assen,Muriel F. Franco,Muyao Dong,Burkhard Stiller

DOI: https://doi.org/10.48550/arXiv.2402.14140

2024-02-22

Abstract:Threat modeling has emerged as a key process for understanding relevant threats within businesses. However, understanding the importance of threat events is rarely driven by the business incorporating the system. Furthermore, prioritization of threat events often occurs based on abstract and qualitative scoring. While such scores enable prioritization, they do not allow the results to be easily interpreted by decision-makers. This can hinder downstream activities, such as discussing security investments and a security control's economic applicability. This article introduces QuantTM, an approach that incorporates views from operational and strategic business representatives to collect threat information during the threat modeling process to measure potential financial loss incurred by a specific threat event. It empowers the analysis of threats' impacts and the applicability of security controls, thus supporting the threat analysis and prioritization from an economic perspective. QuantTM comprises an overarching process for data collection and aggregation and a method for business impact analysis. The performance and feasibility of the QuantTM approach are demonstrated in a real-world case study conducted in a Swiss SME to analyze the impacts of threats and economic benefits of security controls. Secondly, it is shown that employing business impact analysis is feasible and that the supporting prototype exhibits great usability.

Cryptography and Security

Fazleena Badurdeen,Mohannad Shuaib,Ken Wijekoon,Adam Brown,William Faulkner,Joseph Amundson,I.S. Jawahir,Thomas J. Goldsby,Deepak Iyengar,Brench Boden

DOI: https://doi.org/10.1108/jmtm-10-2012-0097

2014-05-27

Journal of Manufacturing Technology Management

Abstract:Purpose – Globally expanding supply chains (SCs) have grown in complexity increasing the nature and magnitude of risks companies are exposed to. Effective methods to identify, model and analyze these risks are needed. Risk events often influence each other and rarely act independently. The SC risk management practices currently used are mostly qualitative in nature and are unable to fully capture this interdependent influence of risks. The purpose of this paper is to present a methodology and tool developed for multi-tier SC risk modeling and analysis. Design/methodology/approach – SC risk taxonomy is developed to identify and document all potential risks in SCs and a risk network map that captures the interdependencies between risks is presented. A Bayesian Theory-based approach, that is capable of analyzing the conditional relationships between events, is used to develop the methodology to assess the influence of risks on SC performance Findings – Application of the methodology to an industry case study for validation reveals the usefulness of the Bayesian Theory-based approach and the tool developed. Back propagation to identify root causes and sensitivity of risk events in multi-tier SCs is discussed. Practical implications – SC risk management has grown in significance over the past decade. However, the methods used to model and analyze these risks by practitioners is still limited to basic qualitative approaches that cannot account for the interdependent effect of risk events. The method presented in this paper and the tool developed demonstrates the potential of using Bayesian Belief Networks to comprehensively model and study the effects or SC risks. The taxonomy presented will also be very useful for managers as a reference guide to begin risk identification. Originality/value – The taxonomy developed presents a comprehensive compilation of SC risks at organizational, industry, and external levels. A generic, customizable software tool developed to apply the Bayesian approach permits capturing risks and the influence of their interdependence to quantitatively model and analyze SC risks, which is lacking.

engineering, manufacturing, industrial,management

Nishani Edirisinghe Vincent,Robert Pinsker

DOI: https://doi.org/10.1108/ijaim-08-2019-0093

2020-03-18

International Journal of Accounting and Information Management

Abstract:Purpose Risk management is an under-explored topic in information systems (IS) research that involves complex and interrelated activities. Consequently, the authors explore the importance of interrelated activities by examining how the maturity of one type of information technology risk management (ITRM) practice is influenced by the maturity of other types of ITRM practices. The purpose of this paper is to explore these relationships, the authors develop a model based on organizational strategy implementation theory and the COBIT framework. The model identifies four types of ITRM practices, namely, IT governance (ITG); communications; operations; and monitoring. Design/methodology/approach The authors use a survey methodology to collect data on senior information technology (IT) executives' perceptions on ITRM practices. The authors use an exploratory factor analysis (EFA) to identify four dimensions of ITR M practices and conduct a structural equation model to observe the associations. Findings The survey of senior IT executives' perceptions suggests that the maturity of ITRM practices related to ITG, communications and monitoring positively influence the maturity of operations-related ITRM practices. Further, the maturity of communications-related ITRM practices mediates the relationship between ITG and operations-related ITRM practices. The aggregate results demonstrate the inter-relatedness of ITRM practices and highlight the importance of taking a holistic view of ITRM. Research limitations/implications Given the content and complexity of the study, it is difficult to obtain senior executives’ responses in large firms. Therefore, this study did not use a separate sample to conduct the EFA to obtain the underlying four constructs. Also, the ITRM practices identified are perceptions. Even though the authors consider this to be a limitation, it also communicates the pressing areas that senior IT professionals are expected to focus given various external and internal pressures. This study focuses on large firms, hence, small to midsize firms are not well represented. Practical implications Given the demanding regulatory and financial reporting requirements and the complexity of IT, there is an increasing possibility that the accounting profession will require IT professionals to focus on operations-related ITRM practices, such as security, availability and confidentially of data and IS are closely related to internal controls. However, as this study demonstrates, the maturity of operations-related ITRM practices cannot be achieved by focusing solely on operations-related IT risks. Therefore, IT practitioners can use this study to raise awareness of the complex interrelationships among ITRM practices among managers to improve the overall ITRM practices in a firm. Social implications The study also shows the importance of establishing proper communication channels among various business functions with regard to ITRM. Extant IT research identifies the importance of the firm’s communication structure on various firm performance measures. For example, Krotov (2015) mentions the importance of communication in improving trust between the Chief Executive Officer and Chief Financial Officer. Firms with established communication channels have the necessary medium to educate and involve other departments with regard to the security of data. Thus, such firms are more likely to have mature risk management practices because of increased awareness of risks and preventive techniques. Originality/value The study contributes to ITG and risk management literature by identifying the role of monitoring-related ITRM practices on improving other areas of risk management. The study also extends the existing ITRM literature by providing an organizational strategy perspective to ITRM practices and showing how ITRM practices follow organizational strategy implementation. Further, the authors identify four underlying ITRM categories. Consequently, researchers could choose between two factors (Vincent et al. , 2017) or four factors based on the level of detail required for the particular study.

Jin Shi,Guangwei Hu,Mingxin Lu,Li Xie

DOI: https://doi.org/10.1109/ISME.2010.156

2010-01-01

Abstract:Traditional network security assessment technologies are usually qualitative analyses from large variation of security factors. It is difficult to guide security managers to configure network security mechanisms. A new network security quantitative analysis method called ACRL is presented in this paper. It assesses attack sequences from credibility, risk and the loss of system and provides the assessment values to security managers. It can assess the network security mechanisms and measures in position and can help security managers adjust the corresponding security mechanisms and choose the response methods against attacks in detail. An experiment of our method shows favorable and promising results.

Alan Raveling,Yanzhen Qu

DOI: https://doi.org/10.24018/ejece.2023.7.4.546

2023-07-12

European Journal of Electrical Engineering and Computer Science

Abstract:This paper has examined the application of the Common Vulnerability Scoring System applied to operational technology or industrial control system-based cybersecurity controls and demonstrated that the unique considerations and aspects of these environments are more accurately captured when compared against a traditional IT based evaluation. Multiple business drivers are compelling consumer goods manufacturers to augment and connect their manufacturing systems bringing with it increases in potential for experiencing a cybersecurity incident [1]. While other business verticals are able to utilize cybersecurity standards and control documents tailored for their industry, manufacturers do not have a set of materials that directly correlate to the operational technology environments in which their systems reside [2]. Cybersecurity practitioners face additional challenges in developing an understanding of the severity of the risks within these environments due to the lack of current quantifiable methods of evaluating the risks. The findings from this research provide cybersecurity practitioners with a repeatable and extensible method to derive the operational risk present to an organization due to the technologies and business strategies employed in the pursuit of business objectives.

Sarah Ali Siddiqui,Chandra Thapa,Rayne Holland,Wei Shao,Seyit Camtepe

2024-08-06

Abstract:Considering the ever-evolving threat landscape and rapid changes in software development, we propose a risk assessment framework SRiQT (Software Risk Quantification through Trust). This framework is based on the necessity of a dynamic, data-driven, and adaptable process to quantify risk in the software supply chain. Usually, when formulating such frameworks, static pre-defined weights are assigned to reflect the impact of each contributing parameter while aggregating these individual parameters to compute resulting risk scores. This leads to inflexibility, a lack of adaptability, and reduced accuracy, making them unsuitable for the changing nature of the digital world. We adopt a novel perspective by examining risk through the lens of trust and incorporating the human aspect. Moreover, we quantify risk associated with individual software by assessing and formulating risk elements quantitatively and exploring dynamic data-driven weight assignment. This enhances the sensitivity of the framework to cater to the evolving risk factors associated with software development and the different actors involved in the entire process. The devised framework is tested through a dataset containing 9000 samples, comprehensive scenarios, assessments, and expert opinions. Furthermore, a comparison between scores computed by the OpenSSF scorecard, OWASP risk calculator, and the proposed SRiQT framework has also been presented. The results suggest that SRiQT mitigates subjectivity and yields dynamic data-driven weights as well as risk scores.

Software Engineering

Weili Han,Chenguang Shen,Yuliang Yin,Yun Gu,Chen Chen

DOI: https://doi.org/10.1145/2046707.2093492

2011-01-01

Abstract:Risk and benefit are two implicit key factors to determine accesses in secure information sharing. Recent researches have shown that they can be explicitly quantified and used to improve the flexibility in information systems. This paper introduces the motivation and a technical design of Quantified riSk and Benefit adaptive Access Control (QSBAC) to strengthen the security of information sharing. The paper also introduces the key issues to design policies in QSBAC.

Ling Xue,Cheng Zhang,Hong Ling,Xia Zhao

2011-01-01

Abstract:The objective of this study is to understand how the company's risk-taking decisions in IT adoption are influenced by the decision right of its IT unit. The study builds a theoretical framework capturing how the IT unit's decision right influences two determinants of risk taking, perceived risk and risk propensity. This framework also illustrates how the impacts of these two determinants on the actual actions of IT adoption are moderated by the IT unit's decision right. The framework is empirically tested using a dataset on the adoption of electronic supply chain management e-SCM) systems. The findings suggest that the IT unit's decision right is not associated with the decrease in perceived risk. However, it is associated with the increase in risk propensity. Moreover, the IT unit's decision right strengthens the positive association between risk propensity and e-SCM adoption, and weakens the negative association between perceived risk and e-SCM adoption. © (2011) by the AIS/ICIS Administrative Office All rights reserved.

Yukasa Murakami,Masateru Tsunoda,Eduardo C. Campos

DOI: https://doi.org/10.48550/arXiv.2209.03518

2022-09-08

Software Engineering

Abstract:In software project management, risk management is a critical factor. Project managers use existing lists of risk or perform brainstorming to identify the risks. However, it is not easy to perceive all the risks objectively. As a result, some risks are perceived based on subjective impression, which leads to risk biases. So, our goals are (i) We clarify the risk perception of developers to enhance the reliability of the brainstorming, and (ii) we calibrate the risk assessment based on a mathematical model to make more accurate risk list. In the analysis, we collected data concerning the risk perception of 69 professional software developers via a questionnaire. The average number of years of experience among these professionals was 18.3. Using the dataset, we applied factor analysis to clarify the factors that affect the evaluation of risk impact. The questionnaire was based on the risk perception theory established by Slovic, in which "dread" and "unknown" are the major factor of risk perception. The analysis result shows that (i) risk experience (i.e., whether a developer actually faced the risk or not) sometimes affects risk assessment (evaluation of risk impact), (ii) risk perception is considered to be based on unknown and dread factors, and (iii) risk assessment can be calibrated by a mathematical model (the average absolute error was 0.20).

Peng Zhang,Ning Li,Xueqin Liu,Wei Xie,Zhonghui Ji

2011-01-01

Abstract:With the development of social economic and technology, a lot of uncertainty risks become one of the important factors which disturb the human life. Thus the research of risk problem has become an important part of the risk management. Risk classification is the basis of risk insurance, risk management, and the establishment of risk information database. The objective of this paper is to classify the risk which affecting human life from the respective of risk cognition. It builds the 0-1 judgment matrix by means of analysis the current 41 kinds and 6 categories of risks that people concerned about. Using the Hayashi's qualification theory 111, with the support of Matlab program, to calculate the risk score and clustering the risk and finally get the results of risk classification. By analysis the effect of risk matrix design to risk category results, we find that the results of risk clustering is objective, the risk categories do not change with the single property of risk matrix, risk quantity, the arrangement of risk properties. The research result of this paper analysis the objection of risk quantity classification, which make the methods of risk quantification effectively applied to practice of risk classification, and in accordance with the actual needs of risk management.

Paul J. Krause,John Fox,Philip Judson

DOI: https://doi.org/10.48550/arXiv.1302.4970

2013-02-20

Abstract:Classically, risk is characterized by a point value probability indicating the likelihood of occurrence of an adverse effect. However, there are domains where the attainability of objective numerical risk characterizations is increasingly being questioned. This paper reviews the arguments in favour of extending classical techniques of risk assessment to incorporate meaningful qualitative and weak quantitative risk characterizations. A technique in which linguistic uncertainty terms are defined in terms of patterns of argument is then proposed. The technique is demonstrated using a prototype computer-based system for predicting the carcinogenic risk due to novel chemical compounds.

Artificial Intelligence

G. Qu,S. Hariri,M. Yousif

DOI: https://doi.org/10.1109/tkde.2005.136

IF: 9.235

2005-09-01

IEEE Transactions on Knowledge and Data Engineering

Abstract:The quality of the data being analyzed is a critical factor that affects the accuracy of data mining algorithms. There are two important aspects of the data quality, one is relevance and the other is data redundancy. The inclusion of irrelevant and redundant features in the data mining model results in poor predictions and high computational overhead. This paper presents an efficient method concerning both the relevance of the features and the pairwise features correlation in order to improve the prediction and accuracy of our data mining algorithm. We introduce a new feature correlation metric Q/sub Y/(X/sub i/,X/sub j/) and feature subset merit measure e(S) to quantify the relevance and the correlation among features with respect to a desired data mining task (e.g., detection of an abnormal behavior in a network service due to network attacks). Our approach takes into consideration not only the dependency among the features, but also their dependency with respect to a given data mining task. Our analysis shows that the correlation relationship among features depends on the decision task and, thus, they display different behaviors as we change the decision task. We applied our data mining approach to network security and validated it using the DARPA KDD99 benchmark data set. Our results show that, using the new decision dependent correlation metric, we can efficiently detect rare network attacks such as User to Root (U2R) and Remote to Local (R2L) attacks. The best reported detection rates for U2R and R2L on the KDD99 data sets were 13.2 percent and 8.4 percent with 0.5 percent false alarm, respectively. For U2R attacks, our approach can achieve a 92.5 percent detection rate with a false alarm of 0.7587 percent. For R2L attacks, our approach can achieve a 92.47 percent detection rate with a false alarm of 8.35 percent.

computer science, information systems, artificial intelligence,engineering, electrical & electronic

Raisa Dzhamtyrova,Carsten Maple

DOI: https://doi.org/10.1007/s10618-021-00814-z

Abstract:The increasing value of data held in enterprises makes it an attractive target to attackers. The increasing likelihood and impact of a cyber attack have highlighted the importance of effective cyber risk estimation. We propose two methods for modelling Value-at-Risk (VaR) which can be used for any time-series data. The first approach is based on Quantile Autoregression (QAR), which can estimate VaR for different quantiles, i. e. confidence levels. The second method, we term Competitive Quantile Autoregression (CQAR), dynamically re-estimates cyber risk as soon as new data becomes available. This method provides a theoretical guarantee that it asymptotically performs as well as any QAR at any time point in the future. We show that these methods can predict the size and inter-arrival time of cyber hacking breaches by running coverage tests. The proposed approaches allow to model a separate stochastic process for each significance level and therefore provide more flexibility compared to previously proposed techniques. We provide a fully reproducible code used for conducting the experiments.

Anting Zhang,Bin Wu,Yinsheng Li

DOI: https://doi.org/10.26599/ijcs.2022.9100032

2023-01-01

International Journal of Crowd Science

Abstract:Obtaining a high-precision risk warning service, which can improve trading efficiency and legality, by reducing sampling proportion and customs clearance time dramatically is critical for cross-border trades. However, existing anti-fraudulent services are weak either in the precision or the mining capacity of discovering hidden risks. Among the reasons are incomplete data, untrustworthy resources, and old analysis models. On the basis of these observations, this article makes a combined technical solution for a risk warning service to address data resource, integrity, and mining capacity issues. The provided risk warning service is featured with a correlation analysis approach, which is advanced and efficient at addressing multisource and heterogeneous data to identify deep-seated risks with cross-border products, such as fake documents, price concealment, epidemic events, and ingredient pollution. To reveal the hidden correlation risks in cross-border clearance, a set of correlation-oriented data models and multi-attribute, multi-object, and multi-level methods are developed. The involved data sources and objects can be collected from inside businesses and public resources. Data are further structured to depict the whole portrait of a trade. The correlation analysis approach proves to be feasible and efficient in processing multisource and heterogeneous data to discover deep-seated risks with cross-border products. The risk warning service and the used correlation analysis approach have been studied and developed on the basis of a pilot project at an exit-and-entry port in Shanghai.

Lu, X.N.,Ma, Q.G.

DOI: https://doi.org/10.1109/iemc.2004.1407488

2004-01-01

Abstract:Risk analysis is a set of techniques used to investigate problems created by uncertainty and to assess their effects. Today it is used in many areas, especially where safety is important. Now the project management in the area of IT (information technology) is becoming hot topic. And the risk problems in IT projects, especially in software development projects become more and more concentrated in software project management. So risk analysis in the area of software development project becomes increasingly important. This work analyses systematically the characteristics of project management for software itself, then the paper analyses the risk of software development projects in the following two aspects: one for owners and another for contractors. To owners the paper identifies and analyses the risk in software development projects according to lifecycle of a project. To contractors the paper identifies and assesses the risk of managing software development project on the basis of investigation of software development project in the IT enterprises of China. Some conclusions are obtained with the statistical analysis of this questionnaire-data by SPSS (statistics package for social science).

Yu Zhao,Huaming Du,Qing Li,Fuzhen Zhuang,Ji Liu,Gang Kou

DOI: https://doi.org/10.48550/arXiv.2211.14997

2023-05-05

Abstract:Enterprise financial risk analysis aims at predicting the future financial risk of enterprises. Due to its wide and significant application, enterprise financial risk analysis has always been the core research topic in the fields of Finance and Management. Based on advanced computer science and artificial intelligence technologies, enterprise risk analysis research is experiencing rapid developments and making significant progress. Therefore, it is both necessary and challenging to comprehensively review the relevant studies. Although there are already some valuable and impressive surveys on enterprise risk analysis from the perspective of Finance and Management, these surveys introduce approaches in a relatively isolated way and lack recent advances in enterprise financial risk analysis. In contrast, this paper attempts to provide a systematic literature survey of enterprise risk analysis approaches from Big Data perspective, which reviews more than 250 representative articles in the past almost 50 years (from 1968 to 2023). To the best of our knowledge, this is the first and only survey work on enterprise financial risk from Big Data perspective. Specifically, this survey connects and systematizes the existing enterprise financial risk studies, i.e. to summarize and interpret the problems, methods, and spotlights in a comprehensive way. In particular, we first introduce the issues of enterprise financial risks in terms of their types,granularity, intelligence, and evaluation metrics, and summarize the corresponding representative works. Then, we compare the analysis methods used to learn enterprise financial risk, and finally summarize the spotlights of the most representative works. Our goal is to clarify current cutting-edge research and its possible future directions to model enterprise risk, aiming to fully understand the mechanisms of enterprise risk generation and contagion.

Risk Management,Artificial Intelligence,Machine Learning