Model-based risk assessment to improve enterprise security

Aagedal, Jan Øyvind; Braber, Folker den; Dimitrakos, Theo; Gran, Bjørn Axel; Raptis, Dimitris; Stølen, Ketil

doi:10.1109/edoc.2002.1137696

Cited by 69 publications

(50 citation statements)

References 1 publication

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…CRAMM (Bornman and Labuschagne, 2004;Yazar, 2002;Sarkheyli and Ithnin, 2010;Enterprise, 2005) ii. CORAS (Braber et al, 2007;Vorster and Labuschagne, 2005;Bornman and Labuschagne, 2004;Aagedal et al, 2002;Fredriksen et al, 2002;Raymond, 1993;Lund et al, 2011;Dahl, 2008;Refsdal, 2011a,b) iii. OCTAVE (Vorster and Labuschagne, 2005;Bornman and Labuschagne, 2004;Alberts et al, 2003;Sarkheyli and Ithnin, 2010;Albert and Dorofee, 2001;Alberts et al, 2001;Elky, 2006;Visintine, 2003) The reason for the selection of various types of methods for comparison is because they have been well documented.…”

Section: Information Security Risk Management Methodologiesmentioning

confidence: 99%

A conceptual framework of info structure for information security risk assessment (ISRA)

Shamala

Ahmad

Yusoff

2013

Journal of Information Security and Applications

View full text Add to dashboard Cite

Section: Information Security Risk Management Methodologiesmentioning

confidence: 99%

A conceptual framework of info structure for information security risk assessment (ISRA)

Shamala

Ahmad

Yusoff

2013

Journal of Information Security and Applications

View full text Add to dashboard Cite

“…The same way to build the NPTs for nodes in the standard BBNs, we use description function to assign the probabilities covering all of the possible combinations of its parents. Residual_Vulnerability(v) (5) in Figure 6 (6) in Figure 6 In this situation, the instances of CM_Effectiveness(c,v) depend on the number of countermeasures which can mitigate this vulnerability in the given scenario, therefore, we must take the number of countermeasures into account. For example, as shown in Figure 10, if there are two countermeasures !C0 (entity identifier, begins with an exclamation point, represent an instance of an entity) and !C1 can mitigate the vulnerability !V.…”

Section: ) Building Mebn Model For Risk Assessmentmentioning

confidence: 99%

“…CORAS [5] and RiskManagement Framework [32] propose their own methodological steps, but lack specific guidelines to interoperate with C&A activities and appropriately utilize the evidences gathered for C&A requirements into the risk assessment process.…”

Section: Related Workmentioning

confidence: 99%

Probabilistic Risk Assessment for Security Requirements: A Preliminary Study

Lee

2011

2011 Fifth International Conference on Secure Software Integration and Reliability Improvement

View full text Add to dashboard Cite

-Risk assessment is a critical decision making process during the Security Certification and Accreditation (C&A) process. However, existing infrastructure-wide C&A processes in real world are challenged by the ever increasing complexity of information systems and their diverse socio-technical operational environments. The lack of an explicit model and the associated uncertainties of software behavior are two main reasons that directly impact the effectiveness of risk assessment as well as the subjective decisions made based on the different level of domain expertise. In this paper, we propose a method for a probabilistic modeldriven risk assessment on security requirements. The security requirements and their causal relationships are represented using MEBN (Multi-Entities Bayesian Networks) logic that constructs an explicit formal risk assessment model that supports evidence-driven arguments. The proposed approach is described by using real-world C&A scenarios to show not only its feasibility for security requirements risk assessment but also its effectiveness for the sensitivity analysis to identify critical influences among information entities in a complex and uncertain operational environment.

show abstract

“…Another proposal is that of Aagedal et al [1], who developed the CORAS framework to produce an improved methodology for precise, unambiguous, and efficient risk analysis of security critical systems. CORAS focuses on the tight integration of viewpoint-oriented visual modelling in the risk assessment process, using an UML-based approach in the context of security and risk assessment.…”

Section: Related Workmentioning

confidence: 99%

“…The Business Layer consist of business related events and communications. This is the layer where the value of information assets is defined 1 . The IT Layer is the layer where the interconnections between IT assets are defined.…”

Section: Modelling Architecturementioning

confidence: 99%

IT confidentiality risk assessment for an architecture-based approach

Morali

Zambon

Etalle

2008

2008 3rd IEEE/IFIP International Workshop on Business-Driven IT Management

View full text Add to dashboard Cite

Abstract-Information systems require awareness of risks and a good understanding of vulnerabilities and their exploitations. In this paper, we propose a novel approach for the systematic assessment and analysis of confidentiality risks caused by disclosure of operational and functional information. The approach is modeldriven integrating information assets and the IT infrastructure that they rely on for distributed systems. IT infrastructures enable one to analyse risk propagation possibilities and calculate the impact for confidentiality incidents. Furthermore, depending on the monetary value of an information asset, we bridge the technical and business-oriented views of information security.

show abstract

Model-based risk assessment to improve enterprise security

Cited by 69 publications

References 1 publication

A conceptual framework of info structure for information security risk assessment (ISRA)

A conceptual framework of info structure for information security risk assessment (ISRA)

Probabilistic Risk Assessment for Security Requirements: A Preliminary Study

IT confidentiality risk assessment for an architecture-based approach

Contact Info

Product

Resources

About