7,887 research outputs found

    The threat nets approach to information system security risk analysis

    Get PDF

    The threat nets approach to information system security risk analysis

    Get PDF
    The growing demand for healthcare services is motivating hospitals to strengthen outpatient case management using information systems in order to serve more patients using the available resources. Though the use of information systems in outpatient case management raises patient data security concerns, it was established that the current approaches to information systems risk analysis do not provide logical recipes for quantifying threat impact and determining the cost-effectiveness of risk mitigation controls. Quantifying the likelihood of the threat and determining its potential impact is key in deciding whether to adopt a given information system or not. Therefore, this thesis proposes the Threat Nets Approach organized into 4 service recipes, namely: threat likelihood assessment service, threat impact evaluation service, return on investment assessment service and coordination management. The threat likelihood assessment service offers recipes for determining the likelihood of a threat. The threat impact evaluation service offers techniques of computing the impact of the threat on the organization. The return on investment assessment service offers recipes of determining the cost-effectiveness of threat mitigation controls. To support the application of the approach, a ThreNet tool was developed. The approach was evaluated by experts to ascertain its usability and usefulness. Evaluation of the Threat Nets Approach by the experts shows that it provides complete, usable and useful recipes for the assessment of; threat likelihood, threat impact and cost-effectiveness of threat mitigation controls. The results suggest that the application of Threat Nets approach is effective in quantifying risks to information system

    The threat nets approach to information system security risk analysis

    Get PDF
    The growing demand for healthcare services is motivating hospitals to strengthen outpatient case management using information systems in order to serve more patients using the available resources. Though the use of information systems in outpatient case management raises patient data security concerns, it was established that the current approaches to information systems risk analysis do not provide logical recipes for quantifying threat impact and determining the cost-effectiveness of risk mitigation controls. Quantifying the likelihood of the threat and determining its potential impact is key in deciding whether to adopt a given information system or not. Therefore, this thesis proposes the Threat Nets Approach organized into 4 service recipes, namely: threat likelihood assessment service, threat impact evaluation service, return on investment assessment service and coordination management. The threat likelihood assessment service offers recipes for determining the likelihood of a threat. The threat impact evaluation service offers techniques of computing the impact of the threat on the organization. The return on investment assessment service offers recipes of determining the cost-effectiveness of threat mitigation controls. To support the application of the approach, a ThreNet tool was developed. The approach was evaluated by experts to ascertain its usability and usefulness. Evaluation of the Threat Nets Approach by the experts shows that it provides complete, usable and useful recipes for the assessment of; threat likelihood, threat impact and cost-effectiveness of threat mitigation controls. The results suggest that the application of Threat Nets approach is effective in quantifying risks to information system

    The threat nets approach to information system security risk analysis

    Get PDF

    Cyber-Physical Threat Intelligence for Critical Infrastructures Security

    Get PDF
    Modern critical infrastructures comprise of many interconnected cyber and physical assets, and as such are large scale cyber-physical systems. Hence, the conventional approach of securing these infrastructures by addressing cyber security and physical security separately is no longer effective. Rather more integrated approaches that address the security of cyber and physical assets at the same time are required. This book presents integrated (i.e. cyber and physical) security approaches and technologies for the critical infrastructures that underpin our societies. Specifically, it introduces advanced techniques for threat detection, risk assessment and security information sharing, based on leading edge technologies like machine learning, security knowledge modelling, IoT security and distributed ledger infrastructures. Likewise, it presets how established security technologies like Security Information and Event Management (SIEM), pen-testing, vulnerability assessment and security data analytics can be used in the context of integrated Critical Infrastructure Protection. The novel methods and techniques of the book are exemplified in case studies involving critical infrastructures in four industrial sectors, namely finance, healthcare, energy and communications. The peculiarities of critical infrastructure protection in each one of these sectors is discussed and addressed based on sector-specific solutions. The advent of the fourth industrial revolution (Industry 4.0) is expected to increase the cyber-physical nature of critical infrastructures as well as their interconnection in the scope of sectorial and cross-sector value chains. Therefore, the demand for solutions that foster the interplay between cyber and physical security, and enable Cyber-Physical Threat Intelligence is likely to explode. In this book, we have shed light on the structure of such integrated security systems, as well as on the technologies that will underpin their operation. We hope that Security and Critical Infrastructure Protection stakeholders will find the book useful when planning their future security strategies

    Cyber-Physical Threat Intelligence for Critical Infrastructures Security

    Get PDF
    Modern critical infrastructures can be considered as large scale Cyber Physical Systems (CPS). Therefore, when designing, implementing, and operating systems for Critical Infrastructure Protection (CIP), the boundaries between physical security and cybersecurity are blurred. Emerging systems for Critical Infrastructures Security and Protection must therefore consider integrated approaches that emphasize the interplay between cybersecurity and physical security techniques. Hence, there is a need for a new type of integrated security intelligence i.e., Cyber-Physical Threat Intelligence (CPTI). This book presents novel solutions for integrated Cyber-Physical Threat Intelligence for infrastructures in various sectors, such as Industrial Sites and Plants, Air Transport, Gas, Healthcare, and Finance. The solutions rely on novel methods and technologies, such as integrated modelling for cyber-physical systems, novel reliance indicators, and data driven approaches including BigData analytics and Artificial Intelligence (AI). Some of the presented approaches are sector agnostic i.e., applicable to different sectors with a fair customization effort. Nevertheless, the book presents also peculiar challenges of specific sectors and how they can be addressed. The presented solutions consider the European policy context for Security, Cyber security, and Critical Infrastructure protection, as laid out by the European Commission (EC) to support its Member States to protect and ensure the resilience of their critical infrastructures. Most of the co-authors and contributors are from European Research and Technology Organizations, as well as from European Critical Infrastructure Operators. Hence, the presented solutions respect the European approach to CIP, as reflected in the pillars of the European policy framework. The latter includes for example the Directive on security of network and information systems (NIS Directive), the Directive on protecting European Critical Infrastructures, the General Data Protection Regulation (GDPR), and the Cybersecurity Act Regulation. The sector specific solutions that are described in the book have been developed and validated in the scope of several European Commission (EC) co-funded projects on Critical Infrastructure Protection (CIP), which focus on the listed sectors. Overall, the book illustrates a rich set of systems, technologies, and applications that critical infrastructure operators could consult to shape their future strategies. It also provides a catalogue of CPTI case studies in different sectors, which could be useful for security consultants and practitioners as well

    Coastal management and adaptation: an integrated data-driven approach

    Get PDF
    Coastal regions are some of the most exposed to environmental hazards, yet the coast is the preferred settlement site for a high percentage of the global population, and most major global cities are located on or near the coast. This research adopts a predominantly anthropocentric approach to the analysis of coastal risk and resilience. This centres on the pervasive hazards of coastal flooding and erosion. Coastal management decision-making practices are shown to be reliant on access to current and accurate information. However, constraints have been imposed on information flows between scientists, policy makers and practitioners, due to a lack of awareness and utilisation of available data sources. This research seeks to tackle this issue in evaluating how innovations in the use of data and analytics can be applied to further the application of science within decision-making processes related to coastal risk adaptation. In achieving this aim a range of research methodologies have been employed and the progression of topics covered mark a shift from themes of risk to resilience. The work focuses on a case study region of East Anglia, UK, benefiting from the input of a partner organisation, responsible for the region’s coasts: Coastal Partnership East. An initial review revealed how data can be utilised effectively within coastal decision-making practices, highlighting scope for application of advanced Big Data techniques to the analysis of coastal datasets. The process of risk evaluation has been examined in detail, and the range of possibilities afforded by open source coastal datasets were revealed. Subsequently, open source coastal terrain and bathymetric, point cloud datasets were identified for 14 sites within the case study area. These were then utilised within a practical application of a geomorphological change detection (GCD) method. This revealed how analysis of high spatial and temporal resolution point cloud data can accurately reveal and quantify physical coastal impacts. Additionally, the research reveals how data innovations can facilitate adaptation through insurance; more specifically how the use of empirical evidence in pricing of coastal flood insurance can result in both communication and distribution of risk. The various strands of knowledge generated throughout this study reveal how an extensive range of data types, sources, and advanced forms of analysis, can together allow coastal resilience assessments to be founded on empirical evidence. This research serves to demonstrate how the application of advanced data-driven analytical processes can reduce levels of uncertainty and subjectivity inherent within current coastal environmental management practices. Adoption of methods presented within this research could further the possibilities for sustainable and resilient management of the incredibly valuable environmental resource which is the coast

    Critical Infrastructures: Enhancing Preparedness & Resilience for the Security of Citizens and Services Supply Continuity: Proceedings of the 52nd ESReDA Seminar Hosted by the Lithuanian Energy Institute & Vytautas Magnus University

    Get PDF
    Critical Infrastructures Preparedness and Resilience is a major societal security issue in modern society. Critical Infrastructures (CIs) provide vital services to modern societies. Some CIs’ disruptions may endanger the security of the citizen, the safety of the strategic assets and even the governance continuity. The European Safety, Reliability and Data Association (ESReDA) as one of the most active EU networks in the field has initiated a project group on the “Critical Infrastructure/Modelling, Simulation and Analysis – Data”. The main focus of the project group is to report on the state of progress in MS&A of the CIs preparedness & resilience with a specific focus on the corresponding data availability and relevance. In order to report on the most recent developments in the field of the CIs preparedness & resilience MS&A and the availability of the relevant data, ESReDA held its 52nd Seminar on the following thematic: “Critical Infrastructures: Enhancing Preparedness & Resilience for the security of citizens and services supply continuity”. The 52nd ESReDA Seminar was a very successful event, which attracted about 50 participants from industry, authorities, operators, research centres, academia and consultancy companies.JRC.G.10-Knowledge for Nuclear Security and Safet
    • …
    corecore