364,451 research outputs found

    A STATIC CODE ANALYSIS AND PATTERN RECOGNITION ALGORITHM-DRIVEN, QUANTITATIVE, MATHEMATICAL MODEL-ORIENTED RISK ASSESSMENT FRAMEWORK OF CLOUD-BASED HEALTH INFORMATION APPLICATIONS

    According to a survey, the healthcare industry is one of the least cloud-adopting industries. The low adoption reflects the healthcare industry's ongoing concerns about the security of the cloud. Business applications, according to another survey, are among the most vulnerable components of business information systems. Many risk assessment frameworks available today, particularly for health information applications, require significant customization before they can be used. This study created a new framework to assess cloud risks specifically for health information applications, utilizing data-driven risk assessment methodologies to avoid surveys, interviews, and meetings for data collection. For the feasibility study, the open-source application codes were chosen from over 190 million GitHub repositories using a decision tree method, while a purposive sampling method was used to choose a simulated patient information database from the healthcare industry. Using these methods, the researcher discovered security warnings and privacy violation suspects and subsequently converted them into quantitative measures to calculate the risks of the cloud-based health information application and a database. The significance of this study lies in the collection of data directly from applications and databases with a quantitative approach for risk calculation.

    Developing Cost And Risk Assessment Tool For Hybrid Approach In Information Security Risk Analysis

    Identifying potential information security risk is a challenging task due to modernization and new technologies, which introduce possible threats to various types of digital systems. Many studies have shown that the current risk analysis tools are not able to analyze the threats well. It is a must for an organization to choose suitable methods for better analysis. There are four key elements that need to be considered: security threats, business impact, security measures and their cost. Many existing risk analysis tools, such as ISRAM and CORAS, have the same purpose, which is to reduce the risk of a threat occurring; however, these tools use different approaches to analyze the risk. The main focus of this study is to develop a new risk analysis tool based on a hybrid approach and compare it with the existing tools. The proposed risk analysis tool, known as the Cost and Risk Assessment tool (CARA), aims to trace the threats by combining both qualitative and quantitative methods, where both of these methods have their respective advantages for analyzing the information. CARA uses the Monte Carlo method, applying probability theory to cost estimation. The results from the study show that the qualitative information could increase the dimension of risk factors and produce better accuracy in the analysis.

    Toward optimal multi-objective models of network security: Survey

    Information security is an important aspect of a successful business today. However, financial difficulties and budget cuts create a problem of selecting appropriate security measures and keeping networked systems up and running. Economic models proposed in the literature do not address the challenging problem of security countermeasure selection. We have made a classification of security models, which can be used to harden a system in a cost-effective manner, based on the methodologies used. In addition, we have specified the challenges of the simplified risk assessment approaches used in the economic models and have made recommendations on how the challenges can be addressed in order to support decision makers.

    Dynamic real-time risk analytics of uncontrollable states in complex internet of things systems, cyber risk at the edge

    The Internet of Things (IoT) triggers new types of cyber risks. Therefore, the integration of new IoT devices and services requires a self-assessment of IoT cyber security posture. By security posture this article refers to the cybersecurity strength of an organisation to predict, prevent and respond to cyberthreats. At present, there is a gap in the state of the art, because there are no self-assessment methods for quantifying IoT cyber risk posture. To address this gap, an empirical analysis is performed of 12 cyber risk assessment approaches. The results and the main findings from the analysis are presented as the current and a target risk state for IoT systems, followed by conclusions and recommendations on a transformation roadmap, describing how IoT systems can achieve the target state with a new goal-oriented dependency model. By target state, we refer to the cyber security target that matches the generic security requirements of an organisation. The research paper studies and adapts four alternatives for IoT risk assessment and identifies goal-oriented dependency modelling as a dominant approach among the risk assessment models studied. The new goal-oriented dependency model in this article enables the assessment of uncontrollable risk states in complex IoT systems and can be used for a quantitative self-assessment of IoT cyber risk posture.

    Towards optimal multi-objective models of network security: survey

    Information security is an important aspect of a successful business today. However, financial difficulties and budget cuts create a problem of selecting appropriate security measures and keeping networked systems up and running. Economic models proposed in the literature do not address the challenging problem of security countermeasure selection. We have made a classification of security models, which can be used to harden a system in a cost-effective manner, based on the methodologies used. In addition, we have specified the challenges of the simplified risk assessment approaches used in the economic models and have made recommendations on how the challenges can be addressed in order to support decision makers.

    Enterprise information security policy assessment - an extended framework for metrics development utilising the goal-question-metric approach

    Effective enterprise information security policy management requires review and assessment activities to ensure information security policies are aligned with business goals and objectives. As security policy management involves the elements of the policy development process and the security policy as output, the context for security policy assessment requires goal-based metrics for these two elements. However, the current security management assessment methods only provide checklist types of assessment that are predefined by industry best practices and do not allow for developing specific goal-based metrics. Utilizing theories drawn from the literature, this paper proposes the Enterprise Information Security Policy Assessment approach, which expands on the Goal-Question-Metric (GQM) approach. The proposed assessment approach is then applied in a case scenario example to illustrate a practical application. It is shown that the proposed framework addresses the requirement for developing assessment metrics and allows for the concurrent undertaking of process-based and product-based assessment. Recommendations for further research activities include the conduct of empirical research to validate the propositions and the practical application of the proposed assessment approach in case studies to provide opportunities to introduce further enhancements to the approach.

    Architecture-based Qualitative Risk Analysis for Availability of IT Infrastructures

    An IT risk assessment must deliver the best possible quality of results in a time-effective way. Organisations are used to customising the general-purpose standard risk assessment methods in a way that can satisfy their requirements. In this paper we present the QualTD Model and method, which is meant to be employed together with standard risk assessment methods for the qualitative assessment of availability risks of IT architectures, or parts of them. The QualTD Model is based on our previous quantitative model, but geared to industrial practice since it does not require quantitative data, which is often too costly to acquire. We validate the model and method in a real-world case by performing a risk assessment on the authentication and authorisation system of a large multinational company and by evaluating the results w.r.t. the goals of the stakeholders of the system. We also perform a review of the most popular standard risk assessment methods and an analysis of which ones can actually be integrated with our QualTD Model.

    Applying Real Options Thinking to Information Security in Networked Organizations

    An information security strategy of an organization participating in a networked business sets out the plans for designing a variety of actions that ensure confidentiality, availability, and integrity of the company's key information assets. The actions are concerned with authentication and non-repudiation of authorized users of these assets. We assume that the primary objective of security efforts in a company is improving and sustaining resiliency, which means security contributes to the ability of an organization to withstand discontinuities and disruptive events, to get back to its normal operating state, and to adapt to ever-changing risk environments. When companies collaborating in a value web view security as a business issue, risk assessment and cost-benefit analysis techniques are a necessary and explicit part of their process of resource allocation and budgeting, no matter whether security spending is treated as capital investment or operating expenditure. This paper contributes to the application of quantitative approaches to assessing risks, costs, and benefits associated with the various components making up the security strategy of a company participating in value networks. We take a risk-based approach to determining what types of security a strategy should include and how much of each type is enough. We adopt a real-options-based perspective of security and make a proposal to value the extent to which alternative components in a security strategy contribute to organizational resiliency and protect key information assets from being impeded, disrupted, or destroyed.

    Landslide risk management through spatial analysis and stochastic prediction for territorial resilience evaluation

    Natural materials, such as soils, are influenced by many factors acting during their formative and evolutionary process: atmospheric agents, erosion and transport phenomena, and sedimentation conditions, which give soil properties a randomness that cannot be reduced even by sophisticated survey techniques and technologies. This character is reflected not only in the spatial variability of properties, which differ from point to point, but also in multivariate correlation as a function of reciprocal distance. Cognitive enrichment, offered by the response of soils associated with their intrinsic spatial variability, implies an increase in the evaluative capacity of the contributing causes and potential effects in failure phenomena. Stability analysis of natural slopes is well suited to stochastic treatment of the uncertainty that characterizes landslide risk. In particular, this study has been applied through a back-analysis procedure to a slope located in Southern Italy that was subject to repeated phenomena of hydrogeological instability (extending for several kilometres in recent years). The back-analysis has been carried out by applying spatial analysis to the controlling factors as well as quantifying the hydrogeological hazard through unbiased estimators. A natural phenomenon, defined as a stochastic process characterized by mutually interacting spatial variables, has led to the identification of the most critical areas, giving reliability to the scenarios and improving the forecasting content. Moreover, the phenomenological characterization allows the optimization of the risk levels for the wide territory involved, supporting the decision-making process for intervention priorities as well as the effective allocation of the available resources in social, environmental and economic contexts.