Conference Paper

The near real time statistical asset priority driven (NRTSAPD) risk assessment methodology


Abstract

The NRTSAPD Risk Assessment methodology offers two key advantages over other risk assessments. The first advantage is that the NRTSAPD risk assessment methodology provides management with a simple, quick, and easy-to-use risk assessment methodology based on the organization's mission-critical asset priorities. The second advantage of using the NRTSAPD risk assessment is that it integrates several organizational databases, such as the network helpdesk, asset management, Intrusion Detection System (IDS), Intrusion Prevention System (IPS), firewall and incident response report databases, with management's decision on the mission-critical asset priorities. With the most current asset management inventory integrated with the security incident response databases, the management asset-priority-driven risk assessment can be answered in near real time, or as currently as the asset management inventory, which can sometimes be scanned in real time. Consequently, it produces a realistic Information Systems (IS) production environment risk assessment report in a near real time manner.


... Online risk assessment is very important in terms of minimizing the performance cost incurred. In the dynamic model, we can dynamically evaluate attack cost by propagating the impact of confidentiality, integrity and availability through dependencies model or attack graph [6][7][8][9][10][11][12]. (2) Offline: in Information security management system we use offline risk assessment. ...
Article
Full-text available
Iterative and incremental mechanisms are not usually considered in existing approaches for information security management systems (ISMS). In this paper, we propose SUP (security unified process) as a unified process to implement a successful and high-quality ISMS. A disciplined approach can be provided by SUP to assign tasks and responsibilities within an organization. The SUP architecture comprises static and dynamic dimensions; the static dimension, or disciplines, includes business modeling, assets, security policy, implementation, configuration and change management, and project management. The dynamic dimension, or phases, contains inception, analysis and design, construction, and monitoring. Risk assessment is a major part of the ISMS process. In SUP, we present a risk assessment model, which uses a fuzzy expert system to assess risks in an organization. Since the classification of assets is an important aspect of risk management and ensures that effective protection occurs, a Security Cube is proposed to identify organization assets as an asset classification model. The proposed model leads us to have an offline system health monitoring tool, which is a critical need in any organization.
Article
The increased need for constant connectivity and complete automation of existing systems fuels the popularity of Cyber Physical Systems (CPS) worldwide. Increasingly more, these systems are subjected to cyber attacks. In recent years, many major cyber‐attack incidents on CPS have been recorded and, in turn, have been raising concerns in their users' minds. Unlike in traditional IT systems, the complex architecture of CPS consisting of embedded systems integrated with the Internet of Things (IoT) requires rather extensive planning, implementation, and monitoring of security requirements. One crucial step to planning, implementing, and monitoring of these requirements in CPS is the integration of the risk management process in the CPS development life cycle. Existing studies do not clearly portray the extent of damage that the unattended security issues in CPS can cause or have caused, in the incidents recorded. An overview of the possible risk management techniques that could be integrated into the development and maintenance of CPS contributing to improving its security level in its actual environment is missing. In this paper, we are set out to highlight the security requirements and issues specific to CPS that are discussed in scientific literature and to identify the state‐of‐the‐art risk management processes adopted to identify, monitor, and control those security issues in CPS. For that, we conducted a systematic mapping study on the data collected from 312 papers published between 2000 and 2020, focused on the security requirements, challenges, and the risk management processes of CPS. Our work aims to form an overview of the security requirements and risks in CPS today and of those published contributions that have been made until now, towards improving the reliability of CPS. 
The results of this mapping study reveal (i) integrity authentication and confidentiality as the most targeted security attributes in CPS, (ii) model‐based techniques as the most used risk identification and assessment and management techniques in CPS, (iii) cyber‐security as the most common security risk in CPS, (iv) the notion of “mitigation measures” based on the type of system and the underline internationally recognized standard being the most used risk mitigation technique in CPS, (v) smart grids being the most targeted systems by cyber‐attacks and thus being the most explored domain in CPS literature, and (vi) one of the major limitations, according to the selected literature, concerns the use of the fault trees for fault representation, where there is a possibility of runtime system faults not being accounted for. Finally, the mapping study draws implications for practitioners and researchers based on the findings.
Article
Today's fast moving technologies create innovative ideas, products, and services, but they also bring with them new security risks. The gap between new technologies and the security needed to keep them from opening up new risks in information systems (ISs) can be difficult to close completely. Changes in ISs are inevitable because computing environments, intentionally or unintentionally, are always changing. These changes bring with them vulnerabilities on new or existing ISs, which cause security states to move between mitigated, vulnerable, and compromised states. In previous work, we introduced the near real-time risk assessment using hidden Markov models (HMMs). This paper applies that theory to a prototype MatLab™ environment.
Conference Paper
Conducting risk assessment on organizational assets can be time consuming, burdensome, and misleading in many cases because of the dynamically changing security states of assets. Risk assessments may present inaccurate or false data if the organizational assets change in their security postures. Each asset can change its security status among the secure, mitigated, vulnerable, and compromised states. The secure state is only temporary and imaginary; it may never exist. Therefore, it is accurate to say that each asset changes its security state within its mitigated, vulnerable, or compromised state. If we can predict each asset's security state prior to its actual state, we would have a good risk indicator for the organization's mission-critical assets. In this paper, we explore possible security states from the insider's perspective, as there are more security incidents initiated from inside than outside an organization. However, we are in a continuous loop of mitigating dynamically changing assets caused by both internal and external threats.
Article
Full-text available
The Computer Security Institute has started a joint survey on Computer Crime and Security Survey with San Francisco Federal Bureau of Investigation's Computer Intrusion Squad. The survey is in its 11th year and is the longest-running continuous survey in the information security field. The 2006 survey addresses the issues considered in earlier CSI/FBI surveys such as unauthorized use of computer systems, the number of incidents in an organization, types of detected misuse or attacks and response actions. Other issues include the techniques organizations use to evaluate the performance of computer security investments, security training needs and the use of security audits and external insurance. The survey has found that virus attacks are the source of greatest financial loss. Unauthorized use of computer systems and the total financial loss due to security breaches has decreased this year. Use of cyber insurance remains low, but may increase in coming years.
Conference Paper
Full-text available
The focus of this paper is on the assessment of student performance in an information security risk assessment service learning course. The paper provides a brief overview of the information security risk assessment course as background information and a review of relevant educational assessment theory with a focus on outcomes assessment. An example of how assessment theory was applied to this service learning course to assess student performance outcomes is described with the aim of sharing performance assessment methods with other educators. This material is based upon work supported by the National Science Foundation under Grant No. 0313871. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation.
Article
Full-text available
The development of a microcosm system whereby hackers can try their hacking skills and the provision of incentives for reducing malware attacks are discussed. The purpose of the proposed microcosm system is to provide an environment close enough to the Internet in structure, software platforms, and end-host patterns of usage that the behavior of a virus introduced into the system approximates the virus's behavior on the real Internet. Economic motivations are possible where the detrimental side effects of malware can be exploited by developers for gain. Human behavior can be altered by training, by inculcating moral codes to make individuals appreciate the implications of their actions, or by instituting incentives and rewards.
Article
Full-text available
Various aspects related to the use of recently developed cyber-risk insurance policies aimed at providing coverage against losses from internet related breaches in information security are discussed. A generic framework for using cyber-risk insurance for helping to manage information security risk is described. The framework is based on the entire risk management process and includes a comprehensive four-step cyber-risk insurance decision plan. Various aspects related to pricing of such insurance policies, and the effects that may arise out of adverse selection are also discussed.
Article
Full-text available
One critical legal issue seriously threatening the continued growth of the Internet as a commerce medium concerns the exposure of Internet businesses to the long-arm jurisdiction of courts in 50 different states of the U.S. For those whose businesses rely on the Internet, an increasing amount of legal conflict is also arising in reaction to this new business medium. It is imperative that information system professionals become aware of how evolving Internet law will affect the medium they are charged with administering. Differences in liability, criminal law, right to privacy and so forth all make it very dangerous for a business to be exposed to some states' long-arm jurisdiction. Although no set of guidelines can completely eliminate the risk of exposure to long-arm jurisdiction, these should provide some direction to organizations currently operating or considering Web operations. Understanding risks and how some of them can be avoided will allow information system professionals to help their clientele minimize unnecessary exposure to jurisdiction in an unfavorable court.
Article
Full-text available
The use of a one-minute risk assessment tool in software development is discussed. The one-minute risk assessment tool can be used to perform intuitive 'what-if' analyses to guide managers in how they can proactively reduce software project risks. The tool can also be given to each of the key stakeholders in a project, allowing the project manager to bring out differences in perception. It has been suggested that formal project management practices have the power to reduce software project risk. The value of such practices lies largely in the well-defined patterns and directives that they create for coordinating interactions and integrating inputs from various project constituents.
Article
Full-text available
The likelihood that the firm's information systems are insufficiently protected against certain kinds of damage or loss is known as "systems risk." Risk can be managed or reduced when managers are aware of the full range of controls available and implement the most effective controls. Unfortunately, they often lack this knowledge, and their subsequent actions to cope with systems risk are less effective than they might otherwise be. This is one viable explanation for why losses from computer abuse and computer disasters today are uncomfortably large and still so potentially devastating after many years of attempting to deal with the problem. Results of comparative qualitative studies in two information services Fortune 500 firms identify an approach that can effectively deal with the problem. This theory-based security program includes (1) use of a security risk planning model, (2) education/training in security awareness, and (3) Countermeasure Matrix analysis.
Article
Full-text available
Over 10 years ago, the issue of whether IS researchers were rigorously validating their quantitative, positivist instruments was raised (Straub 1989). In the years that have passed since that time, the profession has undergone many changes. Novel technologies and management trends have come and gone. New professional societies have been formed and grown in prominence and new demands have been placed on the field's research and teaching obligations. But the issue of rigor in IS research has persisted throughout all such changes. Without solid validation of the instruments that are used to gather data upon which findings and interpretations are based, the very scientific basis of positivist, quantitative research is threatened.
Article
Full-text available
Information systems security remains high on the list of key issues facing information systems executives. Traditional concerns range from forced entry into computer and storage rooms to destruction by fire, earthquake, flood, and hurricane. Recent attention focuses on protecting information systems and data from accidental or intentional unauthorized access, disclosure, modification, or destruction. The consequences of these events can range from degraded or disrupted service to customers to corporate failure. This article reports on a study investigating MIS executives' concern about a variety of threats. A relatively new threat, computer viruses, was found to be a particular concern. The results highlight a gap between the use of modern technology and the understanding of the security implications inherent in its use. Many of the responding information systems managers have migrated their organizations into the highly interconnected environment of modern technology but continue to view threats from the perspective of a pre-connectivity era. They expose their firms to unfamiliar risks of which they are unaware, which they refuse to acknowledge, or which they are often poorly equipped to manage.
Conference Paper
Full-text available
Conducting cost-benefit analyses of architectural attributes such as security has always been difficult, because the benefits are difficult to assess. Specialists usually make security decisions, but program managers are left wondering whether their investment in security is well spent. The paper summarizes the results of using a cost-benefit analysis method called SAEM to compare alternative security designs in a financial and accounting information system. The case study presented starts with a multi-attribute risk assessment that results in a prioritized list of risks. Security specialists estimate countermeasure benefits and how the organization's risks are reduced. Using SAEM, security design alternatives are compared with the organization's current selection of security technologies to see if a more cost-effective solution is possible. The goal of using SAEM is to help information-system stakeholders decide whether their security investment is consistent with the expected risks.
Article
This work challenges the conventional wisdom about risk analysis. It emphasizes that in order to put security art on a firm footing, organizations must eliminate risk from their information security concepts. The objective of reducing risk should be replaced with a new, more positive one of achieving due care and good practice by applying safeguards consistent with the new concept of information security as a business enabling function.
Article
The "Computer Crime and Security Survey", now on its 7th year, is conducted to raise the level of security awareness, as well as help determine the scope of computer crime in the United States. For this year's survey, responses came from 503 computer security practitioners in the U.S. corporations, government agencies, financial institutions, medical institutions and universities. Data obtained indicate that the threat from computer crime and other information security breaches continues unabated and that the financial toll is mounting.
Article
With the increased dependence on networks and the near-ubiquitous availability of the Internet, there is a new paradigm in place for the proliferation of spyware, viruses, and other malware. In fact, much attention has been given to spyware in popular literature, with reports from multiple sources indicating that spyware has perhaps reached 90% of home user PCs [2].
Article
A firm can build more effective security strategies by identifying and ranking the severity of potential threats to its IS efforts.
Article
Calls for new directions in MIS research bring with them a call for renewed methodological rigor. This article offers an operating paradigm for renewal along dimensions previously unstressed. The basic contention is that confirmatory empirical findings will be strengthened when instrument validation precedes both internal and statistical conclusion validity and that, in many situations, MIS researchers need to validate their research instruments. This contention is supported by a survey of instrumentation as reported in sample IS journals over the last several years. A demonstration exercise of instrument validation follows as an illustration of some of the basic principles of validation. The validated instrument was designed to gather data on the impact of computer security administration on the incidence of computer abuse in the U.S.A.
Article
An abstract is not available.
Article
A majority of computer crimes occur because a current employee of an organization has subverted existing controls. By considering two case studies, this paper analyzes computer crimes resulting because of violations of safeguards by employees. The paper suggests that various technical, procedural and normative controls should be put in place to prevent illegal and malicious acts from taking place. Ultimately a good balance between various kinds of controls would help in instituting a cost-effective means to make both accidental and intentional misconduct difficult. This would also ensure, wherever possible, individual accountability for all potentially sensitive negative actions.
Article
The popular press is replete with information about attacks on information systems. Viruses, worms, hackers, and employee abuse and misuse have created a dramatic need for understanding and implementing quality information security. In order to accomplish this, an organization must begin with the identification and prioritization of the threats it faces, as well as the vulnerabilities inherent in the systems and methods within the organization. This study seeks to identify and rank current threats to information security, and to present current perceptions of the level of severity these threats present. It also seeks to provide information on the frequency of attacks from these threats and the prioritization for expenditures organizations are placing in order to protect against them. The study then will compare these findings with those of previous surveys.
Article
Over the past 15 years, the Society for Information Management (SIM) has periodically surveyed its members to determine the most critical issues in IS management. Again in 1994-95, SIM institutional and board members were asked to consider what they felt were the most critical issues facing IS executives over the next three to five years. Signaling an evolutionary shift in IS management, this study shows that business relationship issues have declined in importance compared to technology infrastructure issues. For IS executives and general managers, the key issue framework suggests some general directions for emphasis and provides a coarse measure for benchmarking their own concerns against those of their peers. The results of this study also affect educational missions in teaching and research to the extent that they need to be sensitive to the views of practicing IS executives.
Article
The authors propose a life cycle model for system vulnerabilities, then apply it to three case studies to reveal how systems often remain vulnerable long after security fixes are available. For each case, we provide background information about the vulnerability, such as how attackers exploited it and which systems were affected. We then tie the case to the life-cycle model by identifying the dates for each state within the model. Finally, we use a histogram of reported intrusions to show the life of the vulnerability, and we conclude with an analysis specific to the particular vulnerability.