Yong Zhang,Xiaobin Tan,Hongsheng Xi,Xin Zhao

DOI: https://doi.org/10.1109/wcica.2008.4593320

2008-01-01

Abstract:Real-time risk assessment, forecasting risk trend and dynamic risk management are main contents of the real-time risk management. It is a new research field of information security technology. This paper proposes a novel approach to real-time risk management framework. The framework consists of real-time risk assessment, risk prediction and dynamic risk management. The real-time risk assessment module adopts a multi-perspective evaluation model and it uses the description of system assets, security attacks, vulnerabilities and security services to assess the current risk. The risk prediction module studies the changes of risk and forecasts the future risk with time series model. Risk monitor and security strategy implement dynamic risk management. Risk monitor module monitors the system current risk and its trend. According to the relationship between future risk and risk threshold, it supervises security strategy module to dynamically adjust system security strategy. Security strategy module implements various security strategies and schemas. Simulation results show that the framework is suitable and efficient

WANG Wei,LI Chun-ping,LI Jian-bin

DOI: https://doi.org/10.16208/j.issn1000-7024.2007.14.060

2007-01-01

Abstract:Safe field in the information,the risk assessment is foundation and premises that builds up the safe system of the information system,but the risk assessment method rises to the usefulness of the assessment prominent function.The risk assessment method contain a lot of kinds,each method have it the place of the shortage.The risk assessment method adopted threat tree model and analytical hierarchy process that method combine together,made use of two kinds of vantages that assessment method,made up the shortage of the one risk assessment method,the aim is search into a kind of more valid,more reasonable and more accurate risk assessment method.

June Wei,Yuan Liu,June Lu,Milos Slaninka,Kristie Abston

DOI: https://doi.org/10.1504/ijmc.2021.114313

2021-01-01

International Journal of Mobile Communications

Abstract:This paper proposed an indexed matrix to assess information security risks' impacts on mobile social media to help organisations address security risks effectively and efficiently. It developed and integrated a static social media information security risk model and a dynamic social media information flow model in the mobile environment to investigate the potential security risks in social networks. The pattern of security risks with three levels was identified using cluster analysis. An indexed matrix is also proposed to assess the information security impacts on social media via the relative-weigh quantitative method. The results can help to develop an effective and safe way to transmit information through social media. This research is the first attempt to integrate static information security threats into the dynamic social media information flow processes to assess the information security risk levels by developing a new indexed method. The theoretical and practical implications are presented.

Yu Zhiwei,Tang Rengzhong,Jia Dongjiao,Ye Fanbo

DOI: https://doi.org/10.3321/j.issn:1004-132X.2007.04.021

2007-01-01

Abstract:To identify the security requirements of information systems, a business process-based security requirement analysis method was presented. Focused on the business process security, the related assets which affect the business process security were identified by security tree model. The security requirements of assets were identified by risk packet and risk transferring model, and then the security requirements list was formed after coverage analysis. Finally, a case was studied to illustrate the proposed method.

Xiaobin Tan,Yong Zhang,Xiaolin Cui,Hongsheng Xi

DOI: https://doi.org/10.1109/kamw.2008.4810531

2008-01-01

Abstract:Different from traditional risk management, real-time risk management describes system risk dynamically. It includes three phases: risk analysis, risk evaluation and risk prediction. This paper proposes a practical framework to real-time risk management. Risk evaluation is a quantitative analysis process of system security and risk, and it is a basis of real-time risk, management. This paper adopts continuous time hidden Markov model to evaluate system risk. The model evaluates system risk via the integrated analysis of system assets, threats, vulnerabilities and safety measures. Simulation results show that the model is suitable and efficient. The framework will be tested in actual network environment and improve it.

刘新东,江全元,曹一家,陈为化

DOI: https://doi.org/10.3969/j.issn.1006-6047.2009.02.004

2009-01-01

Abstract:Based on probability theory,risk theory and fuzzy reasoning are applied to the transient security risk assessment of power system.Quantified risk indices are achieved by using specified severity function to quantify the maximal offsets of frequency and voltage and the margins of angle rotor stability and fault clearing time.The quantified frequency and voltage risk index are used to calculate the steady index by the steady fuzzy controller while the quantified margins of angle rotor stability and fault clearing time are used to calculate the transient index by the transient fuzzy controller.The system transient stability index is calculated by the weighted integration of steady index and transient index.Based on it,the software of transient security risk assessment is developed.Case study of risk indices calculation for a permanent three-phase grounding fault of New England 39-bus test system shows its effectiveness and rationality.

LI Bing,WANG Shengyuan,BAO Xuhua,SHA Hailiang

DOI: https://doi.org/10.3321/j.issn:1000-0054.2009.z2.012

2009-01-01

Abstract:An information security risk assessment method was developed to accurately measure information securlty risks using business process state analysis.The method defines the key performance indicator of the business process (the process period) as the risk scale, so changes in the process period indicate the risk.The occurrence of threads affects the operation of the information system, eventually resulting in state transitions of business process/activities hosted by the information system.The changes in the process period(i.e., risk)are obtained by analyzing the state transitions.Therefore, information security risk calculation is converted into solving for changes of the business process period.Test using this algorithm show that the influence of threats to the information svstem on the business system can be calculated, thereby confirming the accuracy and validity of the algorithm.

Hui Guan,Weiru Chen,Lin Liu,Hongji Yang

2012-01-01

Abstract:Risk assessment has been getting increased attention as the new vulnerabilities and threats are emerging on daily basis. The popularity and complexity of web application present challenges to the security implementation for web engineering. It is well known that the earlier to perform risk assessment for software, the less cost needed to mitigate the security risks. However, quantitative estimation of security in the earlier stage of software development life cycle is largely missing. In this paper, we propose a quantitative approach to perform risk assessment at design stage for web application which is based on multiple security vectors of asset, threat and vulnerability. An environment-driven method is proposed to elicit threats to the system. In the end, the risk assessment methodology is applied on a customer goods case study.

Jian Chen,Mingyuan Yang

DOI: https://doi.org/10.1145/3523181.3523192

2022-01-01

Abstract:Network security situation assessment is a research hotspot in the field of information security, which is strong in real-time performance. However, most of the current real-time situation assessment technologies are very complicated and do poorly in real-time performance. Hence, this paper puts forward a real-time situation assessment method based on the threat propagation model. This method establishes a threat propagation model of real-time situation assessment, in order to calculate the threat degree of threat propagation source to target network, and to evaluate the real-time situation assessment from two layers which includes the network node layer and the whole network layer. The results of simulation experiment show that the method proposed in this paper can evaluate the potential threats according to the current attack scenarios, and can achieve a real-time assessment on the attacks in the network since the situation of real-time network attacks change obviously. In short, the effectiveness, accuracy and real-time performance of the proposed method are verified by comparative experiments.

Sayed Amir Reza Mortazavi,Faramarz Safi-Esfahani

DOI: https://doi.org/10.1007/s41870-019-00302-0

2019-04-22

International Journal of Information Technology

Abstract:Today, information is rapidly increasing. For most of this information, data security and protection from unauthorized access are of great importance. Maybe information is created by an individual or a few people, but creating security for the information should be done by all assets of hardware, software and people. This entails organizing all elements of the system, and training and monitoring the performance of the people. One of the standards provided for the creation of security is ISMS. This standard is intended to provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a system in terms of security. ISMS receives several parameters from users, assesses the risks and offers some controls (guidelines) to improve them. Collecting primary parameters is also very important in ISMS. Usually these parameters are collected personally, which result in getting inaccurate outcomes. The most important parameters include confidentiality, integrity, availability, threat and vulnerability. This paper tries to provide a method based on checklists so that by assessing the users’ responses to these checklists, one can more accurately insert the vulnerability parameter value as a standard input of ISMS, in order to gain better outcomes, and more accurately perform choice of controls. In the assessment, the standard deviation method is calculated, and comparison between the common mode of ISMS and the proposed method shows that the latter works 30% better than the conventional method. People may refuse to respond sincerely due to different reasons, and the percentage of the results may differ, since the results are obtained as cross-sectional at a certain time.

CHEN Wei-hua,JIANG Quan-yuan,CAO Yi-jia,HAN Zhen-xiang

DOI: https://doi.org/10.3321/j.issn:1000-3673.2005.04.004

2005-01-01

Abstract:Based on probability theory the risk theory was applied to the vulnerability assessment of power system. Here, the power system was defined as a vulnerable system and a set of risk indices to assess the power system vulnerability and corresponding algorithm were built, thus the defects of traditional determinsistic security assessment method, which cannot satisfy the requirement of electricity market and complicated power grid, could be overcome. On this basis, a risk theory and risk indices based power system vulnerability assessment software was developed. Taking the New England test system for example, the effectiveness and advanced property of the presented method were proved.

XiaoLin Cui,Xiaobin Tan,Yong Zhang,Hongsheng Xi

DOI: https://doi.org/10.1109/CSSE.2008.949

2008-01-01

Abstract:Risk assessment is a very important tool to acquire a present and future security status of the network information system. Many risk assessment approaches consider the present system security status, while the future security status, which also has an impact on assessing the system risk, is not taken into consideration. In this paper we propose a novel risk assessment model based on Markov game theory. In this model, all of the possible risk in the future will impact on the present risk assessment. The farther away from now, the smaller impact on the risk assessment it has. After acquiring the system security status, we proposed an automatic generated reinforcement scheme which will provide a great convenience to the system administrator. A software tool is developed to demonstrate the performance of the risk assessment of a network information system and a simulation example shows the effectiveness of the proposed model. © 2008 IEEE.

Chen,Gang Chen

DOI: https://doi.org/10.1109/aiipcc57291.2022.00077

2022-01-01

Abstract:With the rapid development and popular utilization of computer network system, the proportion of attacks against computer network system has been increasing year by year. The traditional security vulnerability assessment method only evaluates individual vulnerabilities in isolation, and the assessment results do not reflect the degree of impact of vulnerabilities on the whole network. To address this problem this paper proposes a computer network system security assessment method, which uses the CVSSv3 evaluation index to assess vulnerabilities based on vulnerability association graph and risk matrix, while taking into account the association relationship between the fore-order vulnerability nodes, back-order vulnerability nodes and the vulnerability itself. The vulnerability correlation hazard calculated by the method can accurately reflect the degree of impact of the vulnerability on the whole computer network system, and the accuracy and effectiveness of the method is proved through experiments.

Feng Li,Mozhong Zhu,Ling Lin

DOI: https://doi.org/10.3233/jifs-234686

2024-01-24

Journal of Intelligent & Fuzzy Systems

Abstract:Once industrial control systems are targeted by cyber-attacks, the consequences can be severe, including asset loss, environmental pollution, and public security risks. Risk assessment is an important way to ensure that industrial control systems operate efficiently, steadily and safely. The purpose of this paper is to develop a risk assessment model for industrial control systems based on asymmetric connection cloud and Choquet integral, which fully takes into account the fact that values of risk indicators are often fuzzy, random, asymmetrically distributed in finite intervals, and there are interactions among different indicators. To do so, we first establish a risk assessment index system to ensure the full reflection of availability, integrity, and confidentiality in the results of risk assessment for industrial control systems. Then we establish classification standards for each evaluation indicator based on the importance of assets, vulnerabilities, and threats in evaluating the risk of industrial control systems. Next we develop a risk assessment model based on asymmetric connection cloud and Choquet integral to determine the risk level of industrial control systems. In the following, an example is provided to demonstrate the feasibility and reliability of this proposed model. The experimental results have demonstrated a high level of credibility in assessing cyber-attacks by the proposed model, indicating its potential for analyzing the current security and risk posture of industrial control systems.

Yong li Tang,Yi qi Dai

DOI: https://doi.org/10.1109/WICOM.2009.5302149

2009-01-01

Abstract:it has attracted more attention to the researchers about how to build an appropriate model to assess the risk of information systems. Aimed at this issue, a measurement framework of combining qualitative analysis with quantitative computation is proposed. From the implementation of information security management measurement (ISMM), the model, factors, indices, means and implementation flow are also given in detail. At last, the implementation flow of ISMM is depicted.

WANG Qiu-zhen

DOI: https://doi.org/10.3969/j.issn.1007-7634.2005.09.025

2005-01-01

Abstract:The failure rate of information systems(IS) development projects is high .Most IS projects can't be completed on time,within budget,and meet users'needs.From the view that the process of system development is a socio-technical system,this paper systematicly analyzes the common risk factors of information systems development projects based on the socio-technical model of organizational change,which helps IS project managers to identify and control project risks effectively.

Sabarathinam Chockalingam,Dina Hadziosmanovic,Wolter Pieters,Andre Teixeira,Pieter van Gelder

DOI: https://doi.org/10.48550/arXiv.1707.02140

2017-07-07

Abstract:Over the last years, we have seen several security incidents that compromised system safety, of which some caused physical harm to people. Meanwhile, various risk assessment methods have been developed that integrate safety and security, and these could help to address the corresponding threats by implementing suitable risk treatment plans. However, an overarching overview of these methods, systematizing the characteristics of such methods, is missing. In this paper, we conduct a systematic literature review, and identify 7 integrated safety and security risk assessment methods. We analyze these methods based on 5 different criteria, and identify key characteristics and applications. A key outcome is the distinction between sequential and non-sequential integration of safety and security, related to the order in which safety and security risks are assessed. This study provides a basis for developing more effective integrated safety and security risk assessment methods in the future.

Cryptography and Security

Jin Shi,Guangwei Hu,Mingxin Lu,Li Xie

DOI: https://doi.org/10.1109/ISME.2010.156

2010-01-01

Abstract:Traditional network security assessment technologies are usually qualitative analyses from large variation of security factors. It is difficult to guide security managers to configure network security mechanisms. A new network security quantitative analysis method called ACRL is presented in this paper. It assesses attack sequences from credibility, risk and the loss of system and provides the assessment values to security managers. It can assess the network security mechanisms and measures in position and can help security managers adjust the corresponding security mechanisms and choose the response methods against attacks in detail. An experiment of our method shows favorable and promising results.

SHA Hailiang,ZHENG Guizhou,WANG Shengyuan,CHEN Zhong

DOI: https://doi.org/10.3778/j.issn.1002-8331.2011.10.061

2011-01-01

Computer Engineering and Applications Journal

Abstract:In order to accurately evaluate the impact to business,which is from the risk of information security,this paper provides a method based on the state changes of business activities.This method explains the impact that the state transition of information system makes the delay of business procedure when this risk is being solved,and makes the delay as a benchmark to evaluate the impact of risk to business.The business procedure delay is one of the most critical indicators.In the end,this paper proves the accuracy of this method by the analysis of example.

Yiyang Jia,Hanyan Wu,Dongxing Jiang

DOI: https://doi.org/10.1109/CyberC.2015.47

2015-01-01

Abstract:Security situation assessment is an effective way to analyze the situation of an information system, which helps administrator understand the current system risk status and make policy to response in time. However, the existing researches for security situation assessment mostly focus on network. The proposed methods for network are not so suitable for information systems. This paper proposes a hierarchical security situation analysis framework for information system, based on a classical NSSA [1] (network security situation analysis) model. The framework provides a standard flow for analyzing the security situation of information system. It consists a security situation analysis model of information system, an index system used in the model proposed, and a quantitative index fusion method to calculate a security situational value. We divided information system into 3 levels: sub-system level, composition level and index level. The collected information from the index level can be combined with grey model to determine the correlation degree between each major index and secondary index. Finally we calculate the whole system security situational value level by level. We use data from Tsinghua University information system to verify the proposed model and method. The result shows that this model can reflect the current security situation of information system comprehensively.