    Research on Personal Information Risk Assessment Model in Smart Cities

    Personal information security plays a fundamental and critical role in the promotion of smart cities. Taking personal information, vulnerability and threat as the basic elements of risk assessment, this article proposes a Markov method-based personal information security risk assessment model for smart cities with threats at its core (Li Hetian, 2007). Based on the threat probability, threat consequence attributes and attribute values acquired through the Markov method, threat analysis, multi-attribute decision-making theory and the expert grading method, this article calculates objective threat indexes, which are then used for risk ranking, so as to provide a scientific basis for formulating targeted personal information security risk management and control strategies.

    Information Security Governance Framework in Public Cloud a Case in Low Resource Economies in Uganda

    The study aimed at exploring the critical enablers of the development and usage of information security governance frameworks for cloud computing in Uganda. The study was motivated by the continuing information security governance challenges in the public cloud. The theoretical frameworks that underpinned this study included contingency management theory, the Risk Management framework, the Technological, Organisational and Environmental (TOE) model and the Information Security Governance model. This study adopted a quantitative research approach to obtain data through a survey. Five key factors for information security governance were identified: a) Technological factors: flexibility, scalability, availability, agility, data protection governance, trust of cloud, data source, maintenance, data retention and policy. b) Organisational factors: size and structure of the organisation, top management support. c) Environmental factors: governance and regulation, marketing, vendor, resource availability, obsolescence. d) Individual factors: user resistance, attitude, skills, belief and learnability. e) Risk management and control factors: risk assessment, disaster recovery, access and authorisation control, monitoring, auditing, and process risk control. The study contributes to theory and practice in information security. The developed framework and its accompanying model helped to inform public departments, organisational top management and information security strategies so as to avoid excessive information risks and potential regulatory compliance failures in the public cloud. The study was inclined towards subjective information security, which alone may not fully address all information security problems in a public cloud. Therefore, it is recommended that future research studies objective security in the public cloud

    Risk based multi-objective security control and congestion management

    The deterministic security criterion has served power system operation and congestion management quite well over the last decades. It is simple to implement in a security control model, for example security-constrained optimal power flow (SCOPF). However, since event likelihood and violation information are not addressed, it does not provide a quantitative understanding of security, and so results in inadequate system awareness. Therefore, even though computational capability and information technology have been greatly improved and widely applied in operation support tools, operators are still not able to get rid of the security threat, especially in a competitive market environment.

    The probabilistic approach has shown its strength for planning purposes, and has recently gained attention in the operation area. Since power system security assessment needs to analyze the consequences of all credible events, risk, defined as the product of event probability and severity, is well suited to quantifying the system security level, and the congestion level as well. Since risk carries extra information, its application to making BETTER online operation decisions has become an attractive research topic.

    This dissertation focuses on online system risk calculation, development of a risk-based multi-objective optimization model, risk-based security control design, and risk-based congestion management. A regression model is proposed to predict contingency probability from weather and geography information for online risk calculation. A risk-based multi-objective optimization (RBMO) model is presented, considering the conflicting objectives of risk and cost. Two types of methods, classical methods and evolutionary algorithms, are implemented to solve the RBMO problem. A risk-based decision-making architecture for security control is designed based on an understanding of the Pareto-optimal solutions, a visualization tool and high-level information analysis. Risk-based congestion management provides a market lever to uniformly expand a security VOLUME, where greater volume means more risk. Meanwhile, the risk-based LMP signal contracts ALL dimensions of this VOLUME with proper weights (state probabilities) at a time.

    Two test systems, a 6-bus system and IEEE RTS 96, are used to test the developed algorithms. The simulation results show that incorporating risk into security control and congestion management will evolve our understanding of the security level, improve control and market efficiency, and support operators in maneuvering the system in an effective fashion.

    An Approach to Select Cost-Effective Risk Countermeasures Exemplified in CORAS

    Risk is unavoidable in business, and risk management is needed, amongst other things, to set up good security policies. Once the risks are evaluated, the next step is to decide how they should be treated. This involves managers making decisions on the proper countermeasures to implement in order to mitigate the risks. The countermeasure expenditure, together with its ability to mitigate risks, are factors that affect the selection. While many approaches have been proposed to perform risk analysis, there has been less focus on delivering the prescriptive and specific information that managers require to select cost-effective countermeasures. This paper proposes a generic approach to integrating cost assessment into risk analysis to aid such decision making. The approach makes use of a risk model which has been annotated with potential countermeasures and estimates of their cost and effect. A calculus is then employed to reason about this model in order to support decisions in terms of decision diagrams. We exemplify the instantiation of the generic approach in the CORAS method for security risk analysis.

    Comment: 33 pages

    A Model-Driven Engineering approach with Diagnosis of Non-Conformance of Security Objectives in Business Process Models

    Several reports indicate that the highest business priorities include business improvement, security, and IT management. The importance of security and risk management has grown to the point that government statements have in some cases imposed the inclusion of security and risk management within business management. Risk assessment has become an essential mechanism for business security analysts, since it allows the identification and evaluation of any threats, vulnerabilities, and risks to which organizations may be exposed. In this work, a framework based on the concepts of Model-Driven Development is proposed. The framework provides different stages which range from a high abstraction level to an executable level. The main contribution lies in the presentation of an extension of a business process meta-model which includes risk information based on standard approaches. The meta-model provides the characteristics necessary for the risk assessment of business process models at the abstract level of the approach. The framework has been equipped with specific stages for the automatic validation of business processes using model-based diagnosis, which permits the detection of non-conformance with the specified security objectives. The validation stages ensure that business processes are correct with regard to the objectives specified by the customer before they are transformed into executable processes.

    Junta de Andalucía P08-TIC-04095; Ministerio de Ciencia e Innovación TIN2009-1371

    Towards an efficient vulnerability analysis methodology for better security risk management

    2010 Summer. Includes bibliographical references.

    Risk management is a process that allows IT managers to balance the cost of protective measures against gains in mission capability. A system administrator has to make a decision and choose an appropriate security plan that maximizes resource utilization. However, making the decision is not a trivial task. Most organizations have tight budgets for IT security; therefore, the chosen plan must be reviewed as thoroughly as other management decisions. Unfortunately, even the best-practice security risk management frameworks do not provide adequate information for effective risk management. Vulnerability scanning and penetration testing, which form the core of traditional risk management, identify only the set of system vulnerabilities. Given the complexity of today's network infrastructure, it is not enough to consider the presence or absence of vulnerabilities in isolation. Materializing a threat usually requires the combination of multiple attacks using different vulnerabilities. Such a requirement is far beyond the capabilities of current-day vulnerability scanners. Consequently, assessing the cost of an attack or the cost of implementing appropriate security controls is possible only in a piecemeal manner. In this work, we develop and formalize a new network vulnerability analysis model. The model encodes, in a concise manner, the contributions of different security conditions that lead to system compromise. We extend the model with a systematic risk assessment methodology to support reasoning under uncertainty in an attempt to evaluate the vulnerability exploitation probability. We develop a cost model to quantify the potential loss and gain that can occur in a system if certain conditions are met (or protected). We also quantify the security control cost incurred to implement a set of security hardening measures. We propose solutions for the system administrator's decision problems covering the areas of risk analysis and risk mitigation analysis. Finally, we extend the vulnerability assessment model to the areas of intrusion detection and forensic investigation.

    A Comprehensive Information Technology Risk Assessment Audit Framework for Small- and Medium-Sized Financial Institutions

    Information technology audits are vital information management programs for banks and financial institutions. A plethora of laws and regulations exists, requiring financial institutions to develop an information technology audit program to support their information technology infrastructure and keep non-public customer information secure. Furthermore, banks are required to complete a risk-based audit on an annual basis to comply with regulators. This research combines two previously identified frameworks, the Comprehensive Risk-Based Auditing Framework (CRBA) and the Small to Medium Entity Risk Assessment Model (SMERAM), to further develop the audit process to include the critical risk assessment process and to ensure that the audit is risk-based. Having a sound risk-based audit program will improve the overall information security posture of banks and financial institutions. Furthermore, this research uses an example to demonstrate the process.

    Assessment Of User Authentication Risks In A Healthcare Knowledge Management System

    Risk management is a concept which has become very popular with a number of national and international businesses. Many companies establish a risk management procedure in their projects to improve performance and increase profits. Projects undertaken in the construction sector are highly complex and often have significant budgets; therefore, reducing the risks associated with projects should be a priority for every project manager. Patient information security has become a matter of interest to healthcare professionals, governments and researchers worldwide. This paper proposes a comprehensive risk assessment methodology that provides a decision support tool, directed at a healthcare system, which can be used to evaluate the risk involved in user authorization and authentication procedures. Within this context, a process technique was implemented to develop a risk assessment model, which is used to derive the relative priorities of the risk factors associated with a healthcare knowledge management system. The study showed the risks involved when users access a healthcare system. It proposes a model for assessing each risk occurring during the user authorization and authentication process. The knowledge generated from the risk assessment provides a basis for deriving the system performance that is desirable for evaluating risk.