Jhon Arista Alarcon

DOI: https://doi.org/10.47909/dtr.05

2023-05-16

Abstract:A risk management model makes it possible to explore the organizational factors and risk management practices that affect or delay the achievement of the objectives that are considered strategic. The purpose of managing risks is to develop a detailed analysis of the organization, its operations, assets, processes and their existing interrelationships in order to establish a complete list of risks, which implies identifying, analyzing and providing alternative treatment to risks. actual and potential. Therefore, a risk management model obtains too much importance when focusing on the needs of the organization in a specific way, since it is not only about copying norms or policies of one organization to mitigate the risks of another, but each of these has different scenarios or contexts.

Jakub Breier,Adrian Baldwin,Helen Balinsky,Yang Liu

DOI: https://doi.org/10.48550/arXiv.2012.04884

2020-12-09

Cryptography and Security

Abstract:Adversarial attacks for machine learning models have become a highly studied topic both in academia and industry. These attacks, along with traditional security threats, can compromise confidentiality, integrity, and availability of organization's assets that are dependent on the usage of machine learning models. While it is not easy to predict the types of new attacks that might be developed over time, it is possible to evaluate the risks connected to using machine learning models and design measures that help in minimizing these risks. In this paper, we outline a novel framework to guide the risk management process for organizations reliant on machine learning models. First, we define sets of evaluation factors (EFs) in the data domain, model domain, and security controls domain. We develop a method that takes the asset and task importance, sets the weights of EFs' contribution to confidentiality, integrity, and availability, and based on implementation scores of EFs, it determines the overall security state in the organization. Based on this information, it is possible to identify weak links in the implemented security measures and find out which measures might be missing completely. We believe our framework can help in addressing the security issues related to usage of machine learning models in organizations and guide them in focusing on the adequate security measures to protect their assets.

Ayse KUCUK YILMAZ,Konstantinos N. MALAGAS,Triant G. FLOURIS

DOI: https://doi.org/10.1108/aeat-07-2023-0178

2024-03-20

Aircraft Engineering and Aerospace Technology

Abstract:Purpose This study aims to develop an inclusive, multidisciplinary, flexible and organizationally adaptable safety risk management framework, including diversity management, that will be implemented to ensure safety is and remains at the desired level. If the number of incidents and potential incidents that could lead to accidents and their impact rates are to be reduced operationally and administratively, aviation safety risks and sources of risk must be better understood, sources of risk identified, and the safety risk management framework designed in an organization-specific and organization-wide sustainable way. At this point, it is necessary to draw the conceptual framework well and to define the boundaries of the concepts well. In this study, a framework model that can be adapted to the organization is proposed to optimize the management of risks and provide both efficient and effective resource allocation and organizational structure design in its operations and management functions. Design/methodology/approach The qualitative research method – triple techniques – was deemed appropriate for this study, which aims to identify, examine, interpret and develop the situations of safety management models. In this context, document analysis, business process modeling technique and Delphi techniques from qualitative research methods were used via integration as the methodology of this research. Findings To manage dynamic civil aviation management activities and business processes effectively and efficiently, the risk management process is the building block of the “Proposed Process Model” that supports the decision-making processes of aviation organizations and managers. This “Framework Conceptual Model” building block also helps build capacity and resilience by enabling continuous development, organizational learning, and flexible structuring. Research limitations/implications This research is limited to air transportation and aviation safety management issues. This research is limited specifically to a safety-based risk management framework for the aviation industry. This research may have social implications as source saving, optimum resource use and capacity building will make a contribution to society and add value besides operational and practical implementation. Social implications This research may contribute to more safe operations and functions in the aviation industry. Originality/value Management and academia may gain considerable support from this research to manage their safety risks via a corporate-tailored risk management framework, both improving resilience and developing corporate capacity. With this model presented, decision-makers will have a guiding structure that can optimally manage the main risk types that may be encountered in the safety risk in the fields of suppliers, manufacturers, demand changes, logistics, information management, environmental, legal and regulatory. Existing studies in the literature are generally in the form of algorithms and cannot be used as a decision-making support tool. This model aims to fill the gap in the literature. In addition, added value may be created by applying this model to optimum management safety risks in the real aviation industry and its related sectors.

engineering, aerospace

Verreydt, Stef,Landuyt, Dimitri Van,Joosen, Wouter

DOI: https://doi.org/10.1007/s10270-024-01242-5

2024-12-07

Software & Systems Modeling

Abstract:Threat modeling involves systematically assessing the likelihood and potential impact of diverse security threat scenarios. Existing threat modeling approaches and tools act at the level of a software architecture or design (e.g., a data flow diagram), at the level of abstract system elements. These approaches, however, do not allow more in-depth analysis that takes into account concrete instances and configurations of these elements. This lack of expressiveness—as threats that require articulation at the level of instances cannot be expressed nor managed properly—hinders systematic risk calculation—as risks cannot be expressed and estimated in terms of instance-level properties. In this paper, we present a novel threat modeling approach that supports modeling complex systems at two distinct levels: (i) the design model defines the classes and entity types in the system, and (ii) the instance model specifies concrete instances and their properties. This innovation allows systematically calculating broader risk estimates at the design level, yet also performing more refined analysis in terms of more precise risk values at the instance level. Moreover, the ability to assess instance-level risks serves as an enabler for run-time continuous threat and risk (re-)assessment, and risk-adaptive security in general. We evaluate this approach in a prototype and through simulation of the dynamics of a realistic IoT-based system, a smart traffic application that involves vehicles and other infrastructural elements such as smart traffic lights. In these efforts, we demonstrate the practical feasibility of the approach, and we quantify the performance cost of maintaining a threat model at run-time, taking into account the time to perform risk assessment.

computer science, software engineering

Athanasios Dimitriadis,Jose Luis Flores,Boonserm Kulvatunyou,Nenad Ivezic,Ioannis Mavridis

DOI: https://doi.org/10.3390/s20164617

2020-08-17

Abstract:Industry 4.0 adoption demands integrability, interoperability, composability, and security. Currently, integrability, interoperability and composability are addressed by next-generation approaches for enterprise systems integration such as model-based standards, ontology, business process model life cycle management and the context of business processes. Security is addressed by conducting risk management as a first step. Nevertheless, security risks are very much influenced by the assets that the business processes are supported. To this end, this paper proposes an approach for automated risk estimation in smart sensor environments, called ARES, which integrates with the business process model life cycle management. To do so, ARES utilizes standards for platform, vulnerability, weakness, and attack pattern enumeration in conjunction with a well-known vulnerability scoring system. The applicability of ARES is demonstrated with an application example that concerns a typical case of a microSCADA controller and a prototype tool called Business Process Cataloging and Classification System. Moreover, a computer-aided procedure for mapping attack patterns-to-platforms is proposed, and evaluation results are discussed revealing few limitations.

Sergej Japs,Harald Anacker

DOI: https://doi.org/10.1017/pds.2021.517

2021-07-27

Proceedings of the Design Society

Abstract:Abstract Cyber-physical systems (CPS), like autonomous vehicles, are intelligent and networked. The development of such systems and its components requires interdisciplinary cooperation between different stakeholders. A lack of system understanding between stakeholders can lead to unidentified and unresolved security threats & safety hazards in early engineering phases, resulting in high costs in product development and potentially compromises compliance with the safety of CPS. Model-based systems engineering (MBSE) improves the system understanding between stakeholders by using models. However, MBSE approaches only partially address security threats & safety hazards. In particular, their integrative consideration is not taken into account. Established security & safety approaches are either only applicable to specific disciplines or only partially consider security threats & safety hazards. In the context of this paper we present a method for the resolution of safety relevant security threats in the system architecture design phase using design patterns. We illustrate our approach with the example of the automotive sector. Finally, we present an evaluation of the method, based on an 8 week project with 67 master students.

Christophe Ponsard

2024-09-12

Abstract:Nowadays, companies are highly exposed to cyber security threats. In many industrial domains, protective measures are being deployed and actively supported by standards. However the global process remains largely dependent on document driven approach or partial modelling which impacts both the efficiency and effectiveness of the cybersecurity process from the risk analysis step. In this paper, we report on our experience in applying a model-driven approach on the initial risk analysis step in connection with a later security testing. Our work rely on a common metamodel which is used to map, synchronise and ensure information traceability across different tools. We validate our approach using different scenarios relying domain modelling, system modelling, risk assessment and security testing tools.

Cryptography and Security,Software Engineering

Fu-Hong Yang,Chi-Hung Chi,Lin Liu

DOI: https://doi.org/10.1007/11839569_28

2006-01-01

Abstract:A formal model of security risk assessment for an enterprise information security is developed. The model, called the Graph Model, is constructed based on the mapping of an enterprise IT infrastructure and networks/systems onto a graph. Components of the model include the nodes which represent hosts in enterprise network and their weights of importance and security, the connections of the nodes, and the safeguards used with their costs and effectiveness. The model can assist to identify inappropriate, insufficient or waste protector resources like safeguards that are relative to the needs of the protected resources, and then reallocates the funds or protector resources to minimize security risk. An example is provided to represent the optimization method and process. The goal of using Graph Model is to help enterprise decision makers decide whether their security investment is consistent with the expected risks and how to allocate the funds or protector resources.

Annarita Drago,Stefano Marrone,Nicola Mazzocca,Roberto Nardone,Annarita Tedesco,Valeria Vittorini

DOI: https://doi.org/10.1007/s10270-016-0572-7

2016-12-26

Abstract:Modern physical protection systems integrate a number of security systems (including procedures, equipments, and personnel) into a single interface to ensure an adequate level of protection of people and critical assets against malevolent human actions. Due to the critical functions of a protection system, the quantitative evaluation of its effectiveness is an important issue that still raises several challenges. In this paper we propose a model-driven approach to support the design and the evaluation of physical protection systems based on (a) UML models representing threats, protection facilities, assets, and relationships among them, and (b) the automatic construction of a Bayesian Network model to estimate the vulnerability of different system configurations. Hence, the proposed approach is useful both in the context of vulnerability assessment and in designing new security systems as it enables what-if and cost–benefit analyses. A real-world case study is further illustrated in order to validate and demonstrate the potentiality of the approach. Specifically, two attack scenarios are considered against the depot of a mass transit transportation system in Milan, Italy.

computer science, software engineering

Viktoriya Prokhorova,Svitlana Mushnykova,Oleksiy Bytiak,Krystyna Slastianykova

DOI: https://doi.org/10.1051/shsconf/20196706043

2019-01-01

SHS Web of Conferences

Abstract:The state of market relations which is determined by the high level of competition, instability and environmental variability, requires from each subject of the weighted actions to manage the safe development. The risks accompanying the activities of each enterprise are the components of its management. The necessity of considering financial risks as a generalizing factor of the security system of enterprise development is substantiated. The research proposes a methodological approach within the framework of economic and legal aspects to the management of financial risks in the security system of the enterprise development, with the definition of the main theoretical positions, namely: goals, objectives, principles, legal entities and methods of managing financial risks in accordance with the stage of the life cycle enterprises The necessity of improvement of legal support of legal relations with the enterprise in the system of security of enterprise development is determined.

Sybren de Kinderen,Monika Kaczmarek-Heß,Simon Hacks

DOI: https://doi.org/10.1007/s12599-024-00899-y

2024-10-30

Business & Information Systems Engineering

Abstract:The increased reliance of organizations on information technology inherently increases their vulnerability to cyber-security attacks. As a response, a host of cyber-security approaches exists. While useful, these approaches exhibit shortcomings such as an inclination to be fragmented, not accounting for up-to-date organizational data, focusing on singular vulnerabilities only, and being reactive, i.e., focusing on patching up vulnerabilities in current systems. The paper presents and evaluates a modeling method aiming to address those shortcomings and to support security by design with a focus on the electricity sector. The proposed modeling method encompasses a multi-level reference model reconstructing and integrating existing initiatives and supporting top-down and bottom-up analyses. Compared to earlier work, the paper contributes (1) a process model for cyber-security by design, which proactively considers security as a first-class citizen during the design process, (2) a complete coverage of the multi-level model, in terms of three views complementing the introduced process model, (3) an elaborated evaluation, in terms of reporting on an additional design science cycle.

computer science, information systems

Wei T. Yue,Metin Cakanyildirim,Young U. Ryu,Dengpan Liu

DOI: https://doi.org/10.1016/j.dss.2006.08.009

IF: 6.969

2007-01-01

Decision Support Systems

Abstract:This paper considers two important issues related to security risk management. First, the presence of network externalities in security risks. Second, the distinction of general (network) and system-specific protection measures. We found the optimal allocation of security resources (investments) in protecting every system in an organization. The results show that the consideration of network externalities and layered protection changes the risk mitigation decisions significantly. In addition, accurate estimation of system risk plays a critical role in the success of risk management. Otherwise, the use of a uniform baseline protection approach may be more desirable when the misjudgment of relative system risks is likely to occur.

П.С. ИВЛИЧЕВ,Н.А. ИВЛИЧЕВА

DOI: https://doi.org/10.34925/eip.2023.159.10.192

2023-12-04

Экономика и предпринимательство

Abstract:В статье проводится анализ модели CVSS для информационных систем предприятий с одним периметром безопасности. Определяются условия, при котором угроза кибербезопасности будет являться критической. Сформулированы основные положения управления рисками безопасности информационной системы организации. Приведены рекомендации по применению методов защиты информации для нейтрализации критических угроз информационной безопасности. The article analyzes the CVSS model for enterprise information systems with a single security perimeter. The conditions under which the threat to cybersecurity will be critical are determined. The main provisions of the organization's information system security risk management are formulated. Recommendations on the use of information protection methods to neutralize critical threats to information security are given.

Etkin Getir

2024-11-10

Abstract:While there is a plethora of cybersecurity and risk management frameworks for different target audiences and use cases, micro-businesses (MBs) are often overlooked. As the smallest business entities, MBs represent a special case with regard to cybersecurity for two reasons: (1) Having fewer than 10 employees, they tend to lack cybersecurity expertise. (2) Because of their low turnover, they usually have a limited budget for cybersecurity. As a result, MBs are often the victims of security breaches and cyber-attacks every year, as demonstrated by various studies. This calls for a non-technical, simple solution tailored specifically for MBs. To address this pressing need, the SEANCE Cybersecurity Framework was developed through a 7-step methodology: (1) A literature review was conducted to explore the current state of research and available frameworks and methodologies, (2) followed by a qualitative survey to identify the cybersecurity challenges faced by MBs. (3) After analyzing the results of the literature review and the survey, (4) the relevant aspects of existing frameworks and tools for MBs were identified and (5) a non-technical framework was developed. (6) A web-based tool was developed to facilitate the implementation of the framework and (7) another qualitative survey was conducted to gather feedback. The SEANCE Framework suggests considering possible vulnerabilities and cyber threats in six hierarchical layers: (1) Self, (2) Employees, (3) Assets, (4) Network, (5) Customers and (6) Environment, with the underlying idea of a vulnerability in an inner layer propagates to the outer layers and therefore needs to be prioritized.

Cryptography and Security

Vladimír Bolek,Anita Romanová,František Korček

DOI: https://doi.org/10.4018/jgim.316833

2023-01-20

Journal of Global Information Management

Abstract:Enterprises trading on the electronic markets are exposed to security risks due to the active use of ICT in several transformation process activities. Realized risks cause particular damage to the enterprises that lack ISMS (information security management systems) or a basic process approach to IS management. In this article, the authors identify similarities and differences in information security management models from various aspects. The scientific article compares the presented models, their essence, goal, focus, and starting points. Based on advantages and disadvantages, the authors evaluate the possibilities of applying models in electronic business, which determines which models can be applied to all processes or only to specific processes of e-business. The representative data set was obtained from a sample of e-commerce enterprises using the Slovak electronic market. Research hypotheses based on scientific assumptions and statistical analysis are verified. The research conclusions provide an insight into practice of ISMS and an information security management system in e-commerce.

information science & library science

Daniel Kern,Roger Moser,Evi Hartmann,Marco Moder

DOI: https://doi.org/10.1108/09600031211202472

2012-01-27

Abstract:Purpose The purpose of this paper is to develop a model for upstream supply chain risk management linking risk identification, risk assessment and risk mitigation to risk performance and validate the model empirically. The effect of a continuous improvement process on identification, assessment, and mitigation is also included in the model. Design/methodology/approach A literature review is undertaken to derive the hypotheses and operationalize the included constructs. The paper then tests the path analytical model using partial least squares analyses on survey data from 162 large and mid‐sized manufacturing companies located in Germany. Findings All items load high on their respective constructs and the data provides robust support to all hypothesized relationships. Superior risk identification supports the subsequent risk assessment and this in turn leads to better risk mitigation. The model explains 46 percent of the variance observed in risk performance. Research limitations/implications This study empirically validates the sequential effect of the three risk management steps on risk performance as well as the influence of continuous improvement activities. Limitations of this study can be seen in the use of perceptional data from single informants and the focus on manufacturing firms in a single country. Practical implications The detailed operationalization of the constructs sheds further light on the problem of measuring risk management efforts. Clear evidence of the performance effect of risk management provides managers with a business case to invest in such initiatives. Originality/value This is one of the first large‐scale, empirical studies on the process dimensions of upstream supply chain risk management.

management

Tetyana Grynko,Tetiana Gviniashvili,Rustam Yuldashev

DOI: https://doi.org/10.35774/econa2024.02.223

2024-01-01

Economic Analysis

Abstract:As a result of the critical analysis of existing models of risk management, it should be noted that the effectiveness of risk management does not always depend exclusively on specific methods of responding to them. The decisive factor is the quality of management decisions, which should not only reduce the risk to an acceptable level, but also guarantee the achievement of the organization's goals. Risk management is closely related to both the events that occur in complex systems and the response to them by the enterprise, which is a complex multi-element system. This determines the need to use an integrated approach to risk management, which expands the methodological foundations of modern risk management. Thus, risk management at enterprises should be aimed both at identifying the causes of various risks and at using all opportunities to ensure optimal development of the enterprise in conditions of economic uncertainty. Also, based on the results of a critical analysis of existing risk management models, the article develops practical recommendations that can be used to guide the formation of a risk management system. Further scientific research should be directed to the development of an organizational and economic risk management mechanism at the enterprise, considering modern challenges and threats.

Irina Olegovna Bondareva,Sabina M. Sidagalieva,Evgeniya T. Nesterova

DOI: https://doi.org/10.24143/2072-9502-2021-2-75-88

2021-04-30

Abstract:The article considers the business processes at the transport logistics enterprises as a chain of clear regulations, where noncompliance or delay of one of them results in disruption of the whole process. Risk management is one of the key tasks requiring the development of modeling tools and prevention of undesirable situations. There has been shown a structural model of the risk of failure to achieve the strategic goal of a cargo port, supplemented by several levels of consideration. The tree of goals of the transport logistics enterprise was built. Failure to achieve a particular goal is considered as a risk situation, or a risk. A set of factors for assessing its implementation is opposed to each goal, formulas for calculating the indicators used are given. A model of scenarios of all existing significant risks has been developed. A multi-level hybrid logical-probabilistic model, a cascade logical-probabilistic model and a multi-level cascade hybrid logical-probabilistic model of the risk of failure to achieve the main strategic goal of the port/transport enterprise are proposed. The main idea is the need to link together the technology of formalizing risks using the constructed logical-probabilistic models and simulation, where the interpretation of the results is possible using logical and probabilistic models and scenarios. The proposed models make it possible to carry out a comprehensive analysis of the risk of failure to achieve the strategic goal of a cargo port based on the scenario formalization of risks of various levels of management, as well as to simplify the process of interpreting the results of simulation modeling taking into account external factors of influence. The integrated use of all these models is the basis for the development of timely management decisions. Particular attention is paid to the description of the technology for constructing logical, probabilistic and scenario models of various types.

E. Yu. Pertseva,V. Yu. Skobarev,E. E. Telenkov

DOI: https://doi.org/10.32686/1812-5220-2021-18-4-16-27

2021-08-27

Issues of Risk Analysis

Abstract:In the context of the increasing role of non-financial factors of company value creation, many organizations, when developing a development strategy, go beyond exclusively financial and economic goals and include workplace safety, energy efficiency, customer satisfaction and other non-financial goals in their performance targets. Achieving such goals involves risks, but today there is no common understanding of the composition of the relevant risks, their sources (factors of occurrence), approaches to assessing these risks, as well as universal corporate tools for managing them. In this article, we offer our vision of the place of the so-called “non-financial risks” in the risk management system and show the possibilities of integrating non-financial risk management into the risk management system and the management model of the organization.

D.A. Kurmanova,D.R. Sultangareev,L.R. Khabibullina,,,

DOI: https://doi.org/10.17122/2541-8904-2020-2-32-82-91

2020-01-01

Bulletin USPTU Science education economy Series economy

Abstract:Cyber incidents continue to move up in the rating of possible threats and occupy the second position in the ranking of risks in the activities of companies (40 %). Five years ago, they were on the fifteenth line. Like a natural disaster or pandemic, a cyber attack can have a negative impact on hundreds of companies, and the number of such incidents is growing. So-called "cyber incidents",when hackers interfere with the activities of a large number of companies, using the dependencies of their shared Internet infrastructure, occur more often. This reflects the fact that today's world of risk management is more volatile than ever. At the same time, with the upcoming entry into force of the General data protection regulation (GDPR), which has been in effect throughout Europe since may 2018, the prospects of imposing more and larger fines on companies that do not comply with it have already become real. Actions taken by the company in light of a data integrity violation directly affect the final cost of such a violation. Reputational damage is inevitable if the response to a cyber incident is inadequate. New risks require new tools to respond to their potential impacts and mitigate them. This article discusses the possible risks of financial technologies, draws attention to cyber threats, the frequency of which is increasing, and offers a model for identifying and evaluating cyber risks.