An Information Systems Security Risk Assessment Model Under Dempster- Schafer Theory of Belief Functions

This is the author's final draft. The publisher's official version is available from:.This study develops an alternative methodology for the risk analysis of information systems security (ISS), an evidential reasoning approach under the Dempster-Shafer theory of belief functions. The approach has the following important dimensions. First, the evidential reasoning approach provides a rigorous, structured manner to incorporate relevant ISS risk factors, related counter measures and their interrelationships when estimating ISS risk. Secondly, the methodology employs the belief function definition of risk, that is, ISS risk is the plausibility of information system security failures. The proposed approach has other appealing features, such as facilitating cost-benefit analyses to help promote efficient ISS risk management. The paper both elaborates the theoretical concepts and provides operational guidance for implementing the method. The method is illustrated using a hypothetical example from the perspective of management and a real-world example from the perspective of external assurance providers. Sensitivity analyses are performed to evaluate the impact of important parameters on the model’s results

A Risk Assessment Framework for Inter-Organizational Knowledge Sharing

Internet-based Information, Communication and Collaboration technologies are making it easier for organizations and knowledge workers to collaborate across organizational boundaries. However, it is necessary for organizations to monitor, regulate and build appropriate security mechanisms in collaboration systems to prevent loss of strategic knowledge and competitive advantage. In this paper, we present a risk assessment framework that can help organizations identify valuable knowledge assets exposed through collaboration technologies, and assess the risk of knowledge loss, intellectual property leakage, and the subsequent loss of competitive advantage so that appropriate security mechanism can be designed to prevent such a loss. We present an illustrative scenario to demonstrate the feasibility of the framework, and describe a prototype decision support system for automating the risk assessment process

Use of evidential reasoning and AHP to assess regional industrial safety

China’s fast economic growth contributes to the rapid development of its urbanization process, and also renders a series of industrial accidents, which often cause loss of life, damage to property and environment, thus requiring the associated risk analysis and safety control measures to be implemented in advance. However, incompleteness of historical failure data before the occurrence of accidents makes it difficult to use traditional risk analysis approaches such as probabilistic risk analysis in many cases. This paper aims to develop a new methodology capable of assessing regional industrial safety (RIS) in an uncertain environment. A hierarchical structure for modelling the risks influencing RIS is first constructed. The hybrid of evidential reasoning (ER) and Analytical Hierarchy Process (AHP) is then used to assess the risks in a complementary way, in which AHP is hired to evaluate the weight of each risk factor and ER is employed to synthesise the safety evaluations of the investigated region(s) against the risk factors from the bottom to the top level in the hierarchy. The successful application of the hybrid approach in a real case analysis of RIS in several major districts of Beijing (capital of China) demonstrates its feasibility as well as provides risk analysts and safety engineers with useful insights on effective solutions to comprehensive risk assessment of RIS in metropolitan cities. The contribution of this paper is made by the findings on the comparison of risk levels of RIS at different regions against various risk factors so that best practices from the good performer(s) can be used to improve the safety of the others

Understanding and Evaluating Assurance Cases

Assurance cases are a method for providing assurance for a system by giving an argument to justify a claim about the system, based on evidence about its design, development, and tested behavior. In comparison with assurance based on guidelines or standards (which essentially specify only the evidence to be produced), the chief novelty in assurance cases is provision of an explicit argument. In principle, this can allow assurance cases to be more finely tuned to the specific circumstances of the system, and more agile than guidelines in adapting to new techniques and applications. The first part of this report (Sections 1-4) provides an introduction to assurance cases. Although this material should be accessible to all those with an interest in these topics, the examples focus on software for airborne systems, traditionally assured using the DO-178C guidelines and its predecessors. A brief survey of some existing assurance cases is provided in Section 5. The second part (Section 6) considers the criteria, methods, and tools that may be used to evaluate whether an assurance case provides sufficient confidence that a particular system or service is fit for its intended use. An assurance case cannot provide unequivocal "proof" for its claim, so much of the discussion focuses on the interpretation of such less-than-definitive arguments, and on methods to counteract confirmation bias and other fallibilities in human reasoning

Formal Safety Assessment of a Marine Seismic Survey Vessel Operation, Incorporating Risk Matrix and Fault Tree Analysis

In maritime safety research, risk is assessed usually within the framework of formal safety assessment (FSA), which provides a formal and systematic methodology to improve the safety of lives, assets, and the environment. A bespoke application of FSA to mitigate accidents in marine seismic surveying is put forward in this paper, with the aim of improving the safety of seismic vessel operations, within the context of developing an economically viable strategy. The work herein takes a close look at the hazards in North Sea offshore seismic surveying, in order to identify critical risk factors, leading to marine seismic survey accidents. The risk factors leading to undesirable events are analysed both qualitatively and quantitatively. A risk matrix is introduced to screen the identified undesirable events. Further to the screening, Fault Tree Analysis (FTA) is presented to investigate and analyse the most critical risks of seismic survey operation, taking into account the lack of historical data. The obtained results show that man overboard (MOB) event is a major risk factor in marine seismic survey operation; lack of training on safe work practice, slippery deck as a result of rain, snow or water splash, sea state affecting human judgement, and poor communication are identified as the critical risk contributors to the MOB event. Consequently, the risk control options are focused on the critical risk contributors for decision-making. Lastly, suggestions for the introduction and development of the FSA methodology are highlighted for safer marine and offshore operations in general