
    Research on Personal Information Risk Assessment Model in Smart Cities

    Personal information security plays a fundamental and critical role in the promotion of smart cities. Taking personal information, vulnerabilities and threats as the basic elements of risk assessment, this article proposes a threat-centred, Markov-method-based model for assessing personal information security risk in smart cities (Li Hetian, 2007). From the threat probabilities, threat consequence attributes and attribute values obtained through the Markov method, threat analysis, multi-attribute decision-making theory and expert grading, the article calculates objective threat indexes, which are then used for risk ranking, so as to provide a scientific basis for formulating targeted strategies for managing and controlling personal information security risk.

    Building in web application security at the requirements stage : a tool for visualizing and evaluating security trade-offs : a thesis presented in partial fulfilment of the requirements for the degree of Master of Information Science in Information Systems at Massey University, Albany, New Zealand

    One dimension of Internet security is web application security. The purpose of this design-science study was to design, build and evaluate a computer-based tool to support security vulnerability and risk assessment in the early stages of web application design. The tool facilitates risk assessment by managers and helps developers to model security requirements using an interactive tree diagram. The tool calculates residual risk for each component of a web application and for the application overall, so developers are provided with better information for deciding which countermeasures to implement given limited resources for doing so. The tool supports a proactive approach to building in web application security at the requirements stage, as opposed to the more common reactive approach of putting countermeasures in place after an attack and loss have been incurred. The primary contribution of the proposed tool is its ability to make known security-related information (e.g. known vulnerabilities, attacks and countermeasures) more accessible to developers who are not security experts, and to translate a lack of security measures into an understandable measure of relative residual risk. The latter is useful for managers who need to prioritize security spending. Keywords: web application security, security requirements modelling, attack trees, threat trees, risk assessment
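    The abstract above describes an attack tree whose leaves carry likelihood and impact, with residual risk rolled up per component and for the whole application so that countermeasures can be ranked against a limited budget. The following is an added example of that calculation, written for this page; it is not the thesis tool's code, and the tree, the component names, the likelihood/impact/effectiveness/cost figures and the combination rules (OR node = 1 - prod(1 - p), AND node = prod(p), interior impact = worst child, component risk = OR over the component's leaves times its worst impact) are all assumptions chosen for illustration.

```python
"""Attack-tree residual-risk calculator.

Added illustration, not the thesis tool's own code. Assumed model (none of
these formulas are stated in the abstract):
  * leaf = one attack on one component, with likelihood in [0,1], impact in [0,10];
  * a countermeasure on a leaf scales its likelihood by (1 - effectiveness);
  * OR node succeeds if any child does: P = 1 - prod(1 - p_i); AND node: P = prod(p_i);
  * impact of an interior node is the worst child impact; risk = likelihood * impact.
"""
from dataclasses import dataclass, field
from functools import reduce
from typing import Dict, List, Optional, Tuple
import operator

@dataclass
class Countermeasure:
    name: str
    effectiveness: float   # fraction of attack likelihood removed, 0..1
    cost: float            # budget units; only used to rank candidates

@dataclass
class Node:
    name: str
    component: Optional[str] = None   # owning application component (leaves only)
    likelihood: float = 0.0           # inherent likelihood (leaves only)
    impact: float = 0.0               # loss if the attack succeeds (leaves only)
    gate: str = "OR"                  # "OR" or "AND" (interior nodes only)
    children: List["Node"] = field(default_factory=list)
    countermeasures: List[Countermeasure] = field(default_factory=list)

    def is_leaf(self) -> bool:
        return not self.children

def _any_of(ps: List[float]) -> float:
    """Probability that at least one of several independent attacks succeeds."""
    return 1.0 - reduce(operator.mul, (1.0 - p for p in ps), 1.0)

def residual_likelihood(node: Node) -> float:
    if node.is_leaf():
        p = node.likelihood
        for cm in node.countermeasures:
            p *= 1.0 - cm.effectiveness
        return p
    ps = [residual_likelihood(c) for c in node.children]
    return reduce(operator.mul, ps, 1.0) if node.gate == "AND" else _any_of(ps)

def residual_impact(node: Node) -> float:
    return node.impact if node.is_leaf() else max(residual_impact(c) for c in node.children)

def residual_risk(node: Node) -> float:
    return residual_likelihood(node) * residual_impact(node)

def leaves(node: Node) -> List[Node]:
    return [node] if node.is_leaf() else [lf for c in node.children for lf in leaves(c)]

def risk_by_component(root: Node) -> Dict[str, float]:
    """Per-component residual risk: chance any of its attacks succeeds, times its worst impact."""
    groups: Dict[str, List[Node]] = {}
    for lf in leaves(root):
        groups.setdefault(lf.component, []).append(lf)
    return {comp: _any_of([residual_likelihood(lf) for lf in lfs]) * max(lf.impact for lf in lfs)
            for comp, lfs in groups.items()}

def rank_countermeasures(root: Node, candidates: List[Tuple[str, Countermeasure]]):
    """Apply each (leaf name, countermeasure) alone; rank by overall risk reduction per cost unit."""
    by_name = {lf.name: lf for lf in leaves(root)}
    base = residual_risk(root)
    rows = []
    for leaf_name, cm in candidates:
        leaf = by_name[leaf_name]
        leaf.countermeasures.append(cm)        # apply temporarily ...
        reduction = base - residual_risk(root)
        leaf.countermeasures.pop()             # ... and undo, so the tree is unchanged
        rows.append((cm.name, reduction, reduction / cm.cost))
    return sorted(rows, key=lambda r: r[2], reverse=True)

def build_sample_tree() -> Node:
    """Constructed sample tree for a small web application (hypothetical values)."""
    return Node("Compromise customer data", gate="OR", children=[
        Node("Steal a user session", gate="OR", children=[
            Node("XSS in search page", component="search", likelihood=0.4, impact=7),
            Node("Session fixation", component="auth", likelihood=0.2, impact=7),
        ]),
        Node("Dump the database", gate="AND", children=[
            Node("SQL injection in login", component="auth", likelihood=0.3, impact=9),
            Node("Bypass egress filtering", component="network", likelihood=0.5, impact=9),
        ]),
    ])

def sample_candidates() -> List[Tuple[str, Countermeasure]]:
    """Constructed countermeasure options (hypothetical effectiveness and cost figures)."""
    return [
        ("XSS in search page", Countermeasure("Output encoding", 0.9, 3)),
        ("SQL injection in login", Countermeasure("Parameterized queries", 0.95, 5)),
        ("Bypass egress filtering", Countermeasure("Egress allowlist", 0.7, 8)),
    ]

if __name__ == "__main__":
    root = build_sample_tree()
    print(f"overall residual risk: {residual_risk(root):.3f}")
    for comp, r in sorted(risk_by_component(root).items()):
        print(f"  {comp:8s} {r:.3f}")
    for name, red, per_cost in rank_countermeasures(root, sample_candidates()):
        print(f"{name:22s} reduces overall risk by {red:.3f} ({per_cost:.3f} per cost unit)")
```

    With the sample values, the AND gate on "Dump the database" is what keeps that branch low (0.3 x 0.5 = 0.15) even though its impact is highest, so the cheap output-encoding fix on the OR branch buys the largest overall reduction per cost unit; this is the kind of non-obvious trade-off the abstract says the tool exposes to non-expert developers and budget holders.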

    Comparison of the Efficiency of Budget Financing and the Social Security of a Region

    The article deals with theoretical and economic aspects of the "security" category and draws a distinction between philosophical, sociological, and economic approaches to the concept of social security. From the perspective of a systems approach, the authors define the place of a region's social security in ensuring national security. The article describes the theoretical content of the "social security" category and provides the authors' specification of such terms as "social risks," "danger," and "threat." The authors offer methodological tools to evaluate a region's social security based on a combined assessment of the region's socioeconomic and budget-financing indicators, identifying the risks (deviations) and the factors of inefficient financing. The proposed methodological approach is based on identifying the dependencies between the social and financial security of the region. The following indicators reflecting the level of social security in the territory of residence were selected as estimated indicators: the region's consolidated budget income and expenses, gross domestic product growth rates, the natural population growth ratio, the unemployment level, and the share of the population with income below the subsistence minimum. This approach was tested on the example of the Perm Territory and the Sverdlovsk Region, revealing regularities as well as favorable and unfavorable periods for the region's social security. The resulting estimated indicators are ranked by the growth (fall) time lag, resilience, and sensitivity to budget financing. The assessment results show that the Perm Territory has been entering a deep recession in terms of national security since 2012. Similar tendencies are demonstrated by the Sverdlovsk Region; however, in view of the apparent diversity and dominant influence of the Perm Territory and the Sverdlovsk Region on the socioeconomic development of the Privolzhsky and Ural Federal Districts, respectively, the comparison provided is of scientific and practical interest. The research has been supported by the Grant of the Russian Science Foundation (Project № 14–18–00574 "Anticrisis Information Analysis System: Diagnostics of Regions, Threat Assessment, and Scenario Forecasting to Maintain and Strengthen the Economic Security and Welfare of Russia")

    Defense against Insider Threat: a Framework for Gathering Goal-based Requirements

    Insider threat is becoming comparable to outsider threat in the frequency of security events. This is worrying, since insider attacks have a high probability of success: insiders have authorized access and legitimate privileges. Despite their importance, insider threats are still not properly addressed by organizations. We contribute to reversing this situation by introducing a framework composed of a method for identifying and assessing insider threat risks and two supporting deliverables for insider threat awareness. The deliverables are: (i) attack strategies structured in four decomposition trees, and (ii) a matrix that correlates defense strategies, attack strategies and control principles. The method's output consists of goal-based requirements for the defense against insiders

    A Constructive DIREST Security Threat Modeling for Drone as a Service

    The technology used in drones is similar or identical across drone types and components, with many common risks and opportunities. The purpose of this study is to enhance the risk assessment procedures for Drone as a Service (DaaS) capabilities. STRIDE is an acronym for the following threat categories: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege. The paper presents a modified STRIDE threat model and prioritizes its desired properties (i.e., authenticity, integrity, non-repudiability, confidentiality, availability, and authorization) to generate an appropriate DaaS threat model. The resulting DIREST threat model thus better meets the overall security assessment needs of DaaS. Moreover, this paper discusses the security risks of drones, identifies best practices for security assessment, and proposes a novel software update mechanism for drones during their operations. We explore best practices related to drone penetration testing, including an effective methodology to maintain continuity of drone operation, particularly for drones used in emergency, safety, and rescue operations. This research also raises awareness of DaaS and drone operation in general as well as in the forensic science community, given its focus on the importance of securely operated drones for first responders. Furthermore, we address various aspects of security concerns, including data transmission, software restrictions, and embedded-system-related events. To propose a security assessment for drones, we incorporate digital forensics and penetration testing techniques related to drone operations. Our results show that the proposed threat model enhances the security of flying devices and provides consistency in digital forensic procedures. This work introduces modifications to the STRIDE threat model based on firmware analysis of a Hubsan Zino drone

    A Threat Tree for Health Information Security and Privacy

    This paper begins a process of organizing knowledge of health information security threats into a comprehensive catalog. We begin by describing our risk management perspective of health information security, and then use this perspective to motivate the development of a health information threat tree. We describe examples of three threats, breaking each down into its key risk-related data attributes: threat source and action, the health information asset and its vulnerability, and potential controls. The construction of such a threat catalog is argued to be useful for risk assessment and to inform public health care policy. As no threat catalog is ever complete, guidance for extending the health information security threat tree is given

    Bridging the Gap between Security Competencies and Security Threats: Toward a Cyber Security Domain Model

    Security incidents are increasing in a wide range of organizational types and sizes worldwide. Although various threat models already exist to classify security threats, they seem to take insufficient account of which organizational assets the threat events are targeting. We therefore argue that more job-specific IT security training is necessary to ensure organizational IT security. This requires considering which assets employees use in their daily work and for which threat events employees need to build up IT security competencies. Subsequently, we build a framework-based Cyber Security Domain Model (CSDM) for IT-secure behavior. We follow Evidence Centered Assessment Design (ECD) to provide a deep-dive analysis of the domain of IT-secure behavior. As the leading result relevant for research and practice, we present our CSDM consisting of 1,087 cyber threat vectors and apply it to five job specifications