Towards Empirical Evaluation of Automated Risk Assessment Methods

Gadyatskaya, Olga; Labunets, Katsiaryna; Paci, Federica

doi:10.1007/978-3-319-54876-0_6

Cited by 3 publications

(3 citation statements)

References 23 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Despite the need for adaptive risk management in the area of maritime sector, currently very few approaches support, to some extent, real-time and ‘live’ risk assessments. These include MEDUSA [ 4 ], MITIGATE [ 5 , 6 ] and TREsPASS [ 10 ], which partially automate the risk assessment process, by enabling users and stakeholders to collaboratively and asynchronously provide their input for conducting dynamic reassessments. Although some automation is supported, they cannot be considered as autonomous risk assessment systems.…”

Section: Related Workmentioning

confidence: 99%

An Adaptive, Situation-Based Risk Assessment and Security Enforcement Framework for the Maritime Sector

Grigoriadis

Laborde

Verdier

et al. 2021

Sensors

View full text Add to dashboard Cite

Maritime processes involve actors and systems that continuously change their underlying environment, location and threat exposure. Thus, risk mitigation requires a dynamic risk assessment process, coupled with an adaptive, event driven security enforcement mechanism, to efficiently deal with dynamically evolving risks in a cost efficient manner. In this paper, we propose an adaptive security framework that covers both situational risk assessment and situational driven security policy deployment. We extend MITIGATE, a maritime-specific risk assessment methodology, to capture situations in the risk assessment process and thus produce fine-grained and situation-specific, dynamic risk estimations. Then, we integrate DynSMAUG, a situation-driven security management system, to enforce adaptive security policies that dynamically implement security controls specific to each situation. To validate the proposed framework, we test it based on maritime cargo transfer service. We utilize various maritime specific and generic systems employed during cargo transfer, to produce dynamic risks for various situations. Our results show that the proposed framework can effectively assess dynamic risks per situation and automate the enforcement of adaptive security controls per situation. This is an important improvement in contrast to static and situation-agnostic risk assessment frameworks, where security controls always default to worst-case risks, with a consequent impact on the cost and the applicability of proper security controls.

show abstract

Section: Related Workmentioning

confidence: 99%

An Adaptive, Situation-Based Risk Assessment and Security Enforcement Framework for the Maritime Sector

Grigoriadis

Laborde

Verdier

et al. 2021

Sensors

View full text Add to dashboard Cite

show abstract

“…In Gadyatskaya et al, the authors qualitatively evaluate the TREsPASS methodology, considering four criteria based on the outcomes of pre‐existing empirical evaluations (see later, in Section 8.2.2): process clarity, visualization of risk models, existence of catalogs of threats and security controls, tool support, help in identifying threats and controls, change management, and scalability. These criteria correlate well to the concrete criteria and metrics in our framework—as indeed some of Gadyatskaya et al's criteria are in reality metrics, such as the existence of catalogs of threats—except that in Gadyatskaya et al these criteria are evaluated in an ad hoc fashion, without structure or supporting quality‐related artifacts.…”

Section: Related Workmentioning

confidence: 99%

“…Considerations of (security) methodology quality, often tangentially and not under the designated term or using the relevant quality‐related concepts, can only be found in the context of literature surveys on security methodologies (eg, Uzunov et al, Jayaram and Mathur, and Uzunov et al), a small portion of work concerned with security metrics (Jaatun and Khan and Zulkernine) and metrics for security assurance processes (Ouedraogo et al), and methodology comparisons (Khan and Zulkernine, Gregoire et al, and El Rhaffari and Roudies)—none of which offers independent or self‐contained treatments of the subject. Complementary concepts and approaches can be found in work on security‐oriented maturity models and empirical methodology evaluations; however, the latter focus on one specific quality attribute only, while the former focus on organizational, not technical, aspects, and are not suitable for security methodologies as such. It is not surprising, therefore, that, besides supportive artifacts, the literature also entirely lacks concrete, specifically designed approaches for comprehensive security methodology assessment and improvement.…”

Section: Introductionmentioning

confidence: 99%

Assessing and improving the quality of security methodologies for distributed systems

Uzunov

Fernández

Falkner

2018

J Software Evolu Process

View full text Add to dashboard Cite

Security methodologies represent systematic approaches for introducing security attributes into a system throughout the development lifecycle. While isolated attempts have been made to demonstrate the value of particular security methodologies, the “quality” of security methodologies, as such, has never been given due consideration; indeed, it has never been studied as a self‐standing topic. The literature therefore entirely lacks supportive artifacts that can provide a basis for assessing, and hence for improving, a security methodology's quality. In this paper, we fill the aforementioned gap by proposing a comprehensive quality framework and accompanying process, within the context of an existing approach to engineering security methodologies, which can be used for both (bottom‐up) quality assessment and (top‐down) quality improvement. The main framework elements can be extended and customized to allow an essentially arbitrary range of methodology features to be considered, thus forming a basis for flexible, fine‐grained quality control. We demonstrate the bottom‐up application of the latter framework and process on three real‐life security methodologies for distributed systems, taken as case studies. Based on the assessment results, we subsequently show in detail (for one) and briefly discuss (for the remaining set) how the case study methodologies can be re‐engineered to improve their quality.

show abstract

Managing Security and Compliance Risks of Outsourced IT Projects

Almutairi¹

2017

Computer Science &Amp; Information Technology (CS &Amp; IT)

View full text Add to dashboard Cite

show abstract

Towards Empirical Evaluation of Automated Risk Assessment Methods

Cited by 3 publications

References 23 publications

An Adaptive, Situation-Based Risk Assessment and Security Enforcement Framework for the Maritime Sector

An Adaptive, Situation-Based Risk Assessment and Security Enforcement Framework for the Maritime Sector

Assessing and improving the quality of security methodologies for distributed systems

Managing Security and Compliance Risks of Outsourced IT Projects

Contact Info

Product

Resources

About