23,047 research outputs found

    Run-time risk management in adaptive ICT systems

    No full text
    We will present results of the SERSCIS project related to risk management and mitigation strategies in adaptive multi-stakeholder ICT systems. The SERSCIS approach involves using semantic threat models to support automated design-time threat identification and mitigation analysis. The focus of this paper is the use of these models at run-time for automated threat detection and diagnosis. This is based on a combination of semantic reasoning and Bayesian inference applied to run-time system monitoring data. The resulting dynamic risk management approach is compared to a conventional ISO 27000 type approach, and validation test results presented from an Airport Collaborative Decision Making (A-CDM) scenario involving data exchange between multiple airport service providers

    An Overview of Economic Approaches to Information Security Management

    Get PDF
    The increasing concerns of clients, particularly in online commerce, plus the impact of legislations on information security have compelled companies to put more resources in information security. As a result, senior managers in many organizations are now expressing a much greater interest in information security. However, the largest body of research related to preventing breaches is technical, focusing on such issues as encryption and access control. In contrast, research related to the economic aspects of information security is small but rapidly growing. The goal of this technical note is twofold: i) to provide the reader with an structured overview of the economic approaches to information security and ii) to identify potential research directions

    Model Driven Information Security Management - Evaluating and Applying the Meta Model of ISO 27001

    Get PDF
    Information technology has had a significant impact on business operations and allowed the emergence of new business models. These IT-enabled processes and businesses however depend on secure information systems which need to be managed. The management of information systems security (ISS) is a highly dynamic and complex task due to constant change in the information technology domain. In this paper we propose the use of a meta model to aid ISS managers in setting up a holistic information security management system (ISMS). For this we describe how an adapted meta model of ISO 27001, a security standard for ISMS, can be used to aid with general phases of ISS management. We demonstrate how models can support ISS managers in their endeavors. The paper concludes with a pragmatic evaluation by providing an example of how such a meta model can be operationalized for vulnerability identification, before discussing potential future research

    Threat Modeling the Enterprise

    Get PDF
    Current threat modeling methodologies and tools are biased toward systems under development. While, organizations whose IT portfolio is made up of a large number of legacy systems, that run on fundamentally different and incongruous platforms and with little or no documentation, are left with few options. Rational, objective analysis of threats to assets and exploitable vulnerabilities requires, the portfolio to be represented in a consistent and understandable way based on a systematic, prescriptive, collaborative process that is usable but not burdensome. This paper describes a way to represent an IT portfolio from a security perspective using UML deployment diagrams and, subsequently, a process for threat modeling within that portfolio. To accomplish this, the UML deployment diagram was extended, a template created, and a process defined

    A Threat Analysis Methodology for Security Evaluation and Enhancement Planning

    Get PDF

    Architecture-based Qualitative Risk Analysis for Availability of IT Infrastructures

    Get PDF
    An IT risk assessment must deliver the best possible quality of results in a time-effective way. Organisations are used to customise the general-purpose standard risk assessment methods in a way that can satisfy their requirements. In this paper we present the QualTD Model and method, which is meant to be employed together with standard risk assessment methods for the qualitative assessment of availability risks of IT architectures, or parts of them. The QualTD Model is based on our previous quantitative model, but geared to industrial practice since it does not require quantitative data which is often too costly to acquire. We validate the model and method in a real-world case by performing a risk assessment on the authentication and authorisation system of a large multinational company and by evaluating the results w.r.t. the goals of the stakeholders of the system. We also perform a review of the most popular standard risk assessment methods and an analysis of which one can be actually integrated with our QualTD Model
    corecore