Zhiwen Zou,Changqian Chen,Shiguang Ju,Jiming Chen

DOI: https://doi.org/10.1007/978-3-642-12189-0_26

2010-01-01

Abstract:The Spatial Role-Based Access Control (SRBAC) model was discussed in this paper. Firstly, the formal definition of SRBAC Model was given; then the region coverage constraint of spatial object, duration constraint of spatial object, various spatial object separations of duty constraints and spatial object cardinality constraint of role activation were researched; after extending the traditional session, the strategy of eliminating the conflictive session was presented; Finally, the role hierarchy has been discussed under the spatial environment. Combined with practical application, the theory of secure DBMS was optimized and afforded to build the stricter system.

Weili Han,Chen Sun,Chenguang Shen,Chang Lei,Sean Shen

DOI: https://doi.org/10.1002/sec.729

IF: 1.968

2013-01-01

Security and Communication Networks

Abstract:ABSTRACTBy combining multiple factors during authentication, a service can provide better assurance of security. However, the users are likely to feel inconvenient, or even discard the service. This paper, therefore, addresses this issue and introduces a novel method, referred to as the Quantified riSk and Benefit adaptive Authentication Factors combination (QSBAF). QSBAF balances the requirements for both security and usability in the authentication of an information system and improves the system's ability to respond quickly to emerging risky events. In QSBAF, the authentication factors can be dynamically combined on the basis of quantified risk, benefit measurements, and combination policies. Furthermore, QSBAF provides an adaptive mechanism, which is driven by history data to justify the measurements of risk and benefit. In this paper, we use the online banking system as a typical scenario to demonstrate the usage of QSBAF. We also implement a prototype of QSBAF to evaluate the performance of its feasibility in real application scenarios. Copyright © 2013 John Wiley & Sons, Ltd.

Xiyuan Chen,Yang OUYang,Miaoliang Zhu,Yan He

DOI: https://doi.org/10.1109/ICYCS.2008.407

2008-01-01

Abstract:The emerging grid infrastructure presents many challenging security issues that demand new access approach due to its inherent heterogeneity, multidomain characteristic and highly dynamic nature. In order to protect the secure sharing and coordinated use of diverse resources in distributed "virtual organizations", fine-grained access control in grid computing is therefore very necessary and important. In this paper, a semantic-aware access conrtol(SAAC) extending the RBAC with the semantic specification is proposed. Supplying semantic specification by the implementation of semantic inference engine (SIE), the administration for the applicability of users' role memberships to particular permissions is much more easy and precise. The enforcement of the SAAC model for grid application is presented. An experimental evaluation of its overheads is also described.

Chen,Weili Han,Jianming Yong

DOI: https://doi.org/10.1109/cscwd.2010.5471991

2010-01-01

Abstract:XACML and its reference implementation can not directly support quantified risk adaptive access control, because there are several special requirements to specify and enforce the policies in risk adaptive access control: the elements in these policies, such as risk, risk level, are not covered; and risk in quantified risk adaptive access control would be mutable, accumulated and required to be continuously controlled. This paper, therefore, extends XACML and its reference implementation to support quantified risk adaptive access control. This paper makes two contributions: design a risk adaptive policy language extended from XACML; and propose a framework to enforce the policies. To the best of our knowledge, this paper is the first research work to discuss this topic.

HU Yan,XIE Xiao-rong,XIN Yao-zhong

DOI: https://doi.org/10.3321/j.issn:1000-3673.2006.02.002

2006-01-01

Abstract:At present there are not quantitative security architecture design methods and computer-aided design tools for power information system. The authors propose a pattern based quantitative security architecture design method, in which the aggressive behavior and safeguard are modeled by aggressive pattern and safeguard pattern respectively and the quantitative indices to select several safeguards are strictly defined with set theory. The advantages of the proposed method over the traditional risk management method are demonstrated in detail in security policy, system modeling, attack modeling, safeguard modeling, risk measurement, risk analysis and selection of safeguards. In order to decrease the cost of security architecture design and implement computer-aided design tools, the security architecture design process is further abstracted into a mathematical model of 0-1-integer programming.

Zhang Yongzheng,FANG Binxing,YUN Xiaochun

DOI: https://doi.org/10.3969/j.issn.1000-3428.2005.14.053

2005-01-01

Abstract:With increasing security problems of information technology, developers of information security products seek for the trusted security assessment by the third part. But there are some defects in present assessment methods for host software systems. This paper proposes a quantitative risk assessment approach for host system security, combining with the vulnerability information in software system. An assessment instance is given to analyze the assessment algorithm. Finally, this paper illuminates the advantages of this assessment approach.

Muriel Figueredo Franco,Aiatur Rahaman Mullick,Santosh Jha

2024-05-06

Abstract:Quantifying cyber risks is essential for organizations to grasp their vulnerability to threats and make informed decisions. However, current approaches still need to work on blending economic viewpoints to provide insightful analysis. To bridge this gap, we introduce QBER approach to offer decision-makers measurable risk metrics. The QBER evaluates losses from cyberattacks, performs detailed risk analyses based on existing cybersecurity measures, and provides thorough cost assessments. Our contributions involve outlining cyberattack probabilities and risks, identifying Technical, Economic, and Legal (TEL) impacts, creating a model to gauge impacts, suggesting risk mitigation strategies, and examining trends and challenges in implementing widespread Cyber Risk Quantification (CRQ). The QBER approach serves as a guided approach for organizations to assess risks and strategically invest in cybersecurity.

Cryptography and Security,Computational Engineering, Finance, and Science

Wendy Yu,Zachary A. Collier,Shital Thekdi

DOI: https://doi.org/10.1111/risa.14267

2024-01-23

Risk Analysis

Abstract:Recent history has shown both the benefits and risks of information sharing among firms. Information is shared to facilitate mutual business objectives. However, information sharing can also introduce security‐related concerns that could expose the firm to a breach of privacy, with significant economic, reputational, and safety implications. It is imperative for organizations to leverage available information to evaluate security related to information sharing when evaluating current and potential information‐sharing partnerships. The "fine print" or privacy policies of firms can provide a signal of security across a wide variety of firms being considered for new and continued information‐sharing partnerships. In this article, we develop a methodology to gauge and benchmark information security policies in the partner‐selection process that can help direct risk‐based investments in information sharing security. We develop a methodology to collect and interpret firm privacy policies, evaluate characteristics of those policies by leveraging natural language processing metrics and developing benchmarking metrics, and understand how those characteristics relate to one another in information‐sharing partnership situations. We demonstrate the methodology on 500 high‐revenue firms. The methodology and managerial insights will be of interest to risk managers, information security professionals, and individuals forming information sharing agreements across industries.

public, environmental & occupational health,mathematics, interdisciplinary applications,social sciences, mathematical methods

Y Hu,XR Xie,YZ Xin

DOI: https://doi.org/10.1109/pes.2004.1372957

2005-01-01

Abstract:This paper presents a modeling language and a quantitative evaluation approach for the security of power information systems. We firstly design a security architecture design trace language to universally describe system structures, services, security policies, attack behaviors and countermeasures. Next an automated risk analysis algorithm is proposed to get attack traces of power information systems. Then, based on the concept of relative security degree, security architecture can be quantitatively evaluated. Finally, with a case study in a real power information system, the effectiveness of the presented approach is demonstrated. In practice, the approach can be employed for assessing various kinds of countermeasures, such as increasing a new security function, adjusting system self structure, and changing customer operation requirements. And it can greatly decrease the subjectivity of counter-measure selection.

Mahdieh Safarzadehvahed,Farzaneh Abazari,Afsaneh Madani,Fatemeh Shabani

DOI: https://doi.org/10.48550/arXiv.2304.14952

2023-04-28

Cryptography and Security

Abstract:When a threat is observed, one of the most important challenges is to choose the most appropriate and adequate timely decisions in response to the current and near future situation in order to have the least consequences and costs. Making the appropriate and sufficient decisions requires knowing what situations the threat has engendered or may engender. In this paper, we propose a quantitative risk-based method called QR-SACP to calculate and project situational awareness in a network based on threat information sharing. In this method, we investigate a threat from different aspects and evaluate the threat's effects through dependency weight among a network's services. We calculate the definite effect of a threat on a service and the cascading propagation of the threat's definite effect on other dependent services to that service. In addition, we project the probability of a threat propagation or recurrence of the threat in other network services in three ways: procedurally, network connections and similar infrastructure or services. Experimental results demonstrate that the QR-SACP method can calculate and project definite and probable threats' effects across the entire network and reveal more details about the threat's current and near future situations.

Pau-Chen Cheng,Pankaj Rohatgi,Claudia Keser,Paul A. Karger,Grant M. Wagner,Angela Schuett Reninger

DOI: https://doi.org/10.1109/sp.2007.21

2007-05-01

Abstract:This paper presents a new model for, or rather a new way of thinking about adaptive, risk—based access control. Our basic premise is that there is always inherent uncertainty and risk in access control decisions that is best addressed in an explicit way. We illustrate this concept by showing how the rationale of the well—known, Bell—Lapadula model based, Multi-Level Security (MLS) access control model could be used to develop a risk-adaptive access control model. This new model is more like a Fuzzy Logic control system [9] than a traditional access control system and hence the name “Fuzzy MLS”. The long version of this paper is published as an IBM Research Report [3].

Zhihui Wang,Siqin Li,Xuchen Zhou,Yu Wang,Wenbiao Xing,Yun Zhu,Zijing Tan,Wei Wang

DOI: https://doi.org/10.1007/978-3-030-59419-0_59

2020-01-01

Abstract:The wide spread and sharing of considerable information promotes the development of many industries such as the health care and so on. However, data owners should pay attention to the problem of privacy preservation during the sharing of data. A risk assessment system is presented in this paper. The system can assess the risk of privacy disclosure due to the sharing of data, and help data owners to evaluate whether it is safe or not to share the data.

Liang Cheng,Yang Zhang,Zhihui Han

DOI: https://doi.org/10.1109/SERE.2013.12

2013-01-01

Abstract:Access control mechanisms (ACM) play a critical role in protecting operating systems from malicious attacks. A variety of ACMs have been proposed till date, including discretionary access control (DAC) and mandatory access control (MAC). However, it is often challenging to evaluate and compare the quality of protection (QoP) of ACMs, especially when they are deployed on different platforms. In this paper, we propose an approach to quantitatively measure and compare the quality of ACMs. We introduce the notion of vulnerability profiles to capture the weakness of ACMs in protecting against attacks, and the notion of vulnerability coefficients as a numeric and platform-independent measurement of the protection quality of ACMs. Based on these two notions, our approach applies the Grey System Theory and an independent vulnerability scoring system to infer complete vulnerability profiles and to calculate fair and objective vulnerability coefficients for ACMs. To our knowledge, our approach is the first attempt for quantitative measurement and comparison of ACMs across different operating systems. Based on our approach, we implement a prototype tool called ACVAL that leverages logic programming to characterize, evaluate, and compare access control mechanisms. We apply ACVAL to three mainstream ACMs, and results that ACVAL is effective in evaluating access control mechanisms across different operating systems, a feature particularly useful to administrators of heterogenous IT systems.

Parinaz Naghizadeh,Mingyan Liu

DOI: https://doi.org/10.48550/arXiv.1604.04871

2020-01-17

Abstract:Information sharing among organizations has been gaining attention as a method for improving cybersecurity. However, the associated disclosure costs act as deterrents for firms' voluntary cooperation. In this work, we take a game-theoretic approach to understanding firms' incentives in these agreements. We propose the design of inter-temporal incentives (i.e. conditioning future cooperation on past interactions). Specifically, we show that incentives for full cooperation can be designed if firms share their private assessments of other firms' disclosure decisions through a common communication platform. We further show that similar incentives can be designed based on outcomes of a public rating/assessment system.

Computer Science and Game Theory,Cryptography and Security

Lihua Yu,Gang Chen,Ke Chen,Jinxiang Dong

DOI: https://doi.org/10.1109/cscwd.2006.253101

2006-01-01

Abstract:Collaborative design and application integration emphasize the demand for database security. Database encryption is widely adopted to ensure data privacy, which can prevent attacks from both outside intruders and inside malicious users. Current researches on this area are mainly focusing on encryption algorithms, key management and encryption efficiency. However, data sharing nature of database system is usually neglected. In this paper, we propose an access control model, 3S-RBAC, which enables data sharing while guaranteeing privacy. The model has many features: the novel concept of strong permission and weak permission; the hierarchy of database objects and keys; the permission and key inheritance; the binding of keys and permissions. Implementation in OSCAR Secure DBMS shows that the model is flexible, secure, practical, and can be integrated easily into existing enterprise applications.

S Mayukha,R Vadivel,Mayukha S

DOI: https://doi.org/10.1016/j.compeleceng.2024.109135

2024-05-01

Abstract:As organizations grapple with an ever-evolving threat landscape, the need for effective security risk quantification methodologies becomes paramount. This research paper introduces and explores a novel approach to security risk quantification through the application of a hexagram model. Drawing inspiration from the I Ching, an ancient Chinese divination text, this hexagram model encompasses six key elements: Threat Landscape, Vulnerability Analysis, Asset Criticality, Control Effectiveness, Incident Response Capability, and Business Impact. By dividing these elements into two trigrams, a comprehensive view of external and internal factors influencing security risk emerges. The literature review examines existing security risk quantification methods, highlighting their strengths and limitations. The hexagram model's uniqueness lies in its holistic representation, integrating technical and organizational facets. The paper details the methodology, providing a clear framework for application. A practical case study demonstrates the model's implementation, showcasing its efficacy in real-world security assessments. Results and analysis reveal valuable insights into the security risk landscape, with comparisons to traditional quantification methods illustrating the hexagram model's added depth. The discussion interprets findings in the context of the security domain, addressing implications and areas for improvement. The paper concludes by summarizing key contributions, emphasizing the significance of the hexagram model in providing a nuanced understanding of security risk. Recommendations for future research underscore the potential for further refinement and broader adoption of this innovative approach.

engineering, electrical & electronic,computer science, interdisciplinary applications, hardware & architecture

刘芳,戴葵,王志英,吴丹

DOI: https://doi.org/10.3969/j.issn.1000-3428.2004.18.007

2004-01-01

Abstract:In this paper, the necessity and feasibility of quantitative security evaluation are analyzed, in particular with regard to nowadays security requirements. Based on the probability and statistics, the quantitative security model is brought forward. And then a complete quantitative evaluating system is introduced, which is based on the modularization and the quantitative security model. Finally, the rationality and validity of this system are verified through experiments.

Liu Xia,Cai Jiani,Jiang Jianhui,Hong Xiang,Yang Genxing

DOI: https://doi.org/10.3969/j.issn.1000-386X.2010.06.085

2010-01-01

Abstract:Information security risk assessment is an important part of information security risk management.To assess the risk of an information system,not only the risks of its independent subsystems,but also the risks caused by the interactions among subsystems should be taken into consideration.Based on the analytic hierarchy process,a quantitative risk assessment method combining entropy weight with triangular fuzzy number is proposed.Triangular fuzzy numbers are used to describe the information that estimated by the information security experts,and the entropy weight is introduced to decrease the subjectivity of conventional weights.Moreover,the effect caused by the complexity of the system on risk occurrence probability is considered as well,that makes the assessment results more reasonable.An example based on Metro information systems is introduced to illustrate the application of the proposed method.

Li Hetian,Liu Yun,He Dequan

DOI: https://doi.org/10.1007/bf02831895

2006-01-01

Wuhan University Journal of Natural Sciences

Abstract:A fuzzy set-based evaluation approach is demonstrated to assess the security risks for Internet-banking System. The Internet-banking system is semi-formally described using Unified Modeling Language (UML) to specify the behavior and state of the system on the base of analyzing the existing qualitative risk assessment methods. And a quantitative method based on fuzzy set is used to measure security risks of the system. A case study was performed on the WEB server of the Internet-banking System using fuzzy-set based assessment algorithm to quantitatively compute the security risk severity. The numeric result also provides a method to decide the most critical component which should arouse the system administrator enough attention to take the appropriate security measure or controls to alleviate the risk severity. The experiments show this method can be used to quantify the security properties for the Internet-banking System in practice.

Wei Jie,Alistair Young,Junaid Arshad,June Finch,Rob Procter,Andy Turner

DOI: https://doi.org/10.1109/edocw.2008.6

2008-01-01

Abstract:An e-Social Science infrastructure generally has security requirements to protect their restricted resources or services. As a widely accepted authentication and authorization technology, Shibboleth supports the sharing of resources on inter-institutional federation. Guanxi is an open source implementation of the Shibboleth protocol and architecture. In this paper, we propose a security infrastructure for e-social science based on the Guanxi Shibboleth. This security infrastructure presents two main features. Firstly, Guanxi Shibboleth is integrated into the user-friendly Sakai collaborative and learning environment which provides an ideal place for users to access a variety of federation resources in line with the Shibboleth authentication model. Secondly, PERMIS technology is used to enhance the authorization mechanisms thus enabling a policy-driven, role-based, fine-grained access control. As a result, the security infrastructure presents the advantages of Guanxi Shibboleth, PERMIS and Sakai, and it has been applied to e-Social Science application. We believe this security infrastructure provides a promising authentication and authorization solution for e-social science applications as well as applications in other domains.