Method for assessing efficiency of the information security management system

Kiedrowicz, Maciej; Stanik, Jerzy

doi:10.1051/matecconf/201821004011

Cited by 7 publications

(4 citation statements)

References 4 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…However, it is also possible for routinely used documents to be of low value (e.g., temporary system files), but it is viewed to be better to overstate a document's sensitivity than under. Previous work has demonstrated the use of sensitivity levels in respect to resource security (Kiedrowicz et al 2015;Stanik 2017). Furthermore, in previous research, sensitivity levels are established based on the textual contents of documents (Park et al 2011).…”

Section: Establishing Trust and Sensitivity Valuesmentioning

confidence: 99%

Identifying high-risk over-entitlement in access control policies using fuzzy logic

Parkinson

Khan

2022

Cybersecurity

View full text Add to dashboard Cite

Analysing access control policies is an essential process for ensuring over-prescribed permissions are identified and removed. This is a time-consuming and knowledge-intensive process, largely because there is a wealth of policy information that needs to be manually examined. Furthermore, there is no standard definition of what constitutes an over-entitled permission within an organisation’s access control policy, making it not possible to develop automated rule-based approaches. It is often the case that over-entitled permissions are subjective to an organisation’s role-based structure, where access is be divided and managed based on different employee needs. In this context, an irregular permission could be one where an employee has frequently changed roles, thus accumulating a wide-ranging set of permissions. There is no one size fits all approach to identifying permissions where an employee is receiving more permission than is necessary, and it is necessary to examine them in the context of the organisation to establish their individual risk. Risk is not a binary measure and, in this work, an approach is built using Fuzzy Logic to determine an overall risk rating, which can then be used to make a more informed decision as to whether a user is over-entitled and presenting risk to the organisation. This requires the exploratory use of establishing resource sensitivity and user trust as measures to determine a risk rating. The paper presents a generic solution, which has been implemented to perform experimental analysis on Microsoft’s New Technology File System to show how this works in practice. A simulation using expert knowledge for comparison is then performed to demonstrate how effective it is at helping the user identify potential irregular permissions.

show abstract

Section: Establishing Trust and Sensitivity Valuesmentioning

confidence: 99%

Identifying high-risk over-entitlement in access control policies using fuzzy logic

Parkinson

Khan

2022

Cybersecurity

View full text Add to dashboard Cite

show abstract

“…Various approaches to measuring security, which can be conditionally classified as cost, functional and based on risk analysis, with appropriate methods and metrics for evaluating the asset protection, are described in [36][37][38][39][40][41].…”

Section: Related Workmentioning

confidence: 99%

Technique for Evaluating the Security of Relational Databases Based on the Enhanced Clements–Hoffman Model

et al. 2021

View full text Add to dashboard Cite

Obtaining convincing evidence of database security, as the basic corporate resource, is extremely important. However, in order to verify the conclusions about the degree of security, it must be measured. To solve this challenge, the authors of the paper enhanced the Clements–Hoffman model, determined the integral security metric and, on this basis, developed a technique for evaluating the security of relational databases. The essence of improving the Clements–Hoffmann model is to expand it by including a set of object vulnerabilities. Vulnerability is considered as a separate objectively existing category. This makes it possible to evaluate both the likelihood of an unwanted incident and the database security as a whole more adequately. The technique for evaluating the main components of the security barriers and the database security as a whole, proposed by the authors, is based on the theory of fuzzy sets and risk. As an integral metric of database security, the reciprocal of the total residual risk is used, the constituent components of which are presented in the form of certain linguistic variables. In accordance with the developed technique, the authors presented the results of a quantitative evaluation of the effectiveness of the protection of databases built on the basis of the schema with the universal basis of relations and designed in accordance with the traditional technology of relational databases.

show abstract

“…But the implementation of these controls is not sufficient, and systems with which to manage security over time are required that will make it possible to react quickly to new risks, vulnerabilities, threats, etc. [17]. However, the security systems of most companies (and especially small and medium-sized enterprises -SMEs) have been developed without adequate guidelines, without documentation, with insufficient resources [18,19] and with a low security culture [10,20].…”

Section: Introductionmentioning

confidence: 99%

Towards an integrated risk analysis security framework according to a systematic analysis of existing proposals

Santos-Olmo,

Sánchez,

Rosado

et al. 2023

Front. Comput. Sci.

View full text Add to dashboard Cite

The information society depends increasingly on risk assessment and management systems as means to adequately protect its key information assets. The availability of these systems is now vital for the protection and evolution of companies. However, several factors have led to an increasing need for more accurate risk analysis approaches. These are: the speed at which technologies evolve, their global impact and the growing requirement for companies to collaborate. Risk analysis processes must consequently adapt to these new circumstances and new technological paradigms. The objective of this paper is, therefore, to present the results of an exhaustive analysis of the techniques and methods offered by the scientific community with the aim of identifying their main weaknesses and providing a new risk assessment and management process. This analysis was carried out using the systematic review protocol and found that these proposals do not fully meet these new needs. The paper also presents a summary of MARISMA, the risk analysis and management framework designed by our research group. The basis of our framework is the main existing risk standards and proposals, and it seeks to address the weaknesses found in these proposals. MARISMA is in a process of continuous improvement, as is being applied by customers in several European and American countries. It consists of a risk data management module, a methodology for its systematic application and a tool that automates the process.

show abstract

Method for assessing efficiency of the information security management system

Cited by 7 publications

References 4 publications

Identifying high-risk over-entitlement in access control policies using fuzzy logic

Identifying high-risk over-entitlement in access control policies using fuzzy logic

Technique for Evaluating the Security of Relational Databases Based on the Enhanced Clements–Hoffman Model

Towards an integrated risk analysis security framework according to a systematic analysis of existing proposals

Contact Info

Product

Resources

About