An Information Systems Security Risk Assessment Model Under the Dempster-Shafer Theory of Belief Functions

Sun, Lili; Srivastava, Rajendra P.; Mock, Theodore J.

doi:10.2753/mis0742-1222220405

Cited by 181 publications

(116 citation statements)

References 39 publications

Supporting

Mentioning

115

Contrasting

Order By: Relevance

“…There are multiple articles on methods of risk assessment, and they are widely described e.g., by Sun et al [4], Ting et al [5], and Vrabel et al [6]. The methods are focused mostly on risk estimation for particular problems (e.g., disease [7,8], cancer [9], earthquakes [10], floods [11]) or calculation of risk with the use of various techniques, e.g., Bayesian networks [12,13], attack trees [14], or the Dempster-Shafer theory of belief functions [4].…”

Section: Review Of Existing Methodologies and Algorithmsmentioning

confidence: 99%

Evaluation of Cyber Security and Modelling of Risk Propagation with Petri Nets

Szpyrka

Jasiul

2017

Symmetry

View full text Add to dashboard Cite

This article presents a new method of risk propagation among associated elements. On the basis of coloured Petri nets, a new class called propagation nets is defined. This class provides a formal model of a risk propagation. The proposed method allows for model relations between nodes forming the network structure. Additionally, it takes into account the bidirectional relations between components as well as relations between isomorphic, symmetrical components in various branches of the network. This method is agnostic in terms of use in various systems and it can be adapted to the propagation model of any systems' characteristics; however, it is intentionally proposed to assess the risk of critical infrastructures. In this paper, as a proof of concept example, we show the formal model of risk propagation proposed within the project Cyberspace Security Threats Evaluation System of the Republic of Poland. In the article, the idea of the method is presented as well as its use case for evaluation of risk for cyber threats. With the adaptation of Petri nets, it is possible to evaluate the risk for the particular node and assess the impact of this risk for all related nodes including hierarchic relations of components as well as isomorphism of elements.

show abstract

Section: Review Of Existing Methodologies and Algorithmsmentioning

confidence: 99%

Evaluation of Cyber Security and Modelling of Risk Propagation with Petri Nets

Szpyrka

Jasiul

2017

Symmetry

View full text Add to dashboard Cite

show abstract

“…The renormalization constant K for the above case is given by 7 7 7 Plausibility that the assertion "Customer information is protected from unauthorized internal access and is used in ways associated with the entity's business" is not true represents the risk related to this assertion. Sun et al (2004) discuss information security risk in great detail.…”

Section: Applications To Business Decisionsmentioning

confidence: 99%

“…Numerical Example: Information Systems Security Risk Sun et al (2004) have recently developed an evidential reasoning approach to assessing information systems security risk. They use the Dempster-Shafer theory of belief functions to model the uncertainties involved in the evidence.…”

Section: Applications To Business Decisionsmentioning

confidence: 99%

Alternative form of Dempster's rule for binary variables

Srivastava¹

2005

Int. J. Intell. Syst.

Self Cite

View full text Add to dashboard Cite

Abstract:This article develops an alternative form of Dempster's rule of combination for binary variables. This alternative form does not only provide a closed form formulae for efficient computation but also enables researchers to develop closed form analytical formulae for assessing risks such as information security risk, fraud risk, audit risk, independence risk, etc., involved in assurance services. We demonstrate the usefulness of the alternative form in calculating the overall information security risk and also in developing an analytical model for assessing fraud risk.

show abstract

“…Baudrit et al (2006) proposed a risk assessment method of node transmission and possibility exposure. Sun et al (2006) introduced a risk assessment model based on DS evidence reasoning. The disadvantages of all those methods are related to the strong subjectivity of premises.…”

Section: Related Workmentioning

confidence: 99%

A new lightweight method for security risk assessment based on fuzzy cognitive maps

Szwed

Skrzynski

2014

International Journal of Applied Mathematics and Computer Science

View full text Add to dashboard Cite

For contemporary software systems, security is considered to be a key quality factor and the analysis of IT security risk becomes an indispensable stage during software deployment. However, performing risk assessment according to methodologies and standards issued for the public sector or large institutions can be too costly and time consuming. Current business practice tends to circumvent risk assessment by defining sets of standard safeguards and applying them to all developed systems. This leads to a substantial gap: threats are not re-evaluated for particular systems and the selection of security functions is not based on risk models. This paper discusses a new lightweight risk assessment method aimed at filling this gap. In this proposal, Fuzzy Cognitive Maps (FCMs) are used to capture dependencies between assets, and FCM-based reasoning is performed to calculate risks. An application of the method is studied using an example of an e-health system providing remote telemonitoring, data storage and teleconsultation services. Lessons learned indicate that the proposed method is an efficient and low-cost approach, giving instantaneous feedback and enabling reasoning on the effectiveness of the security system.

show abstract

An Information Systems Security Risk Assessment Model Under the Dempster-Shafer Theory of Belief Functions

Cited by 181 publications

References 39 publications

Evaluation of Cyber Security and Modelling of Risk Propagation with Petri Nets

Evaluation of Cyber Security and Modelling of Risk Propagation with Petri Nets

Alternative form of Dempster's rule for binary variables

A new lightweight method for security risk assessment based on fuzzy cognitive maps

Contact Info

Product

Resources

About