Taxonomy of security risk assessment approaches for researchers

Paintsil, Ebenezer

doi:10.1109/cason.2012.6412412

Cited by 2 publications

(5 citation statements)

References 26 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…This trend can be observed more clearly in the zoomed graph for the system security (right figure), which declines at the beginning, reaches the bottom around 2, and then ascends slowly. When parameters 01 , 12 , and 23 vary simultaneously, the nonmonotonic change in the attack success probability or the system security becomes more apparent, as demonstrated in Figure 19. The curve for the system security declines quickly at the beginning, then reaches the bottom around 01 = 12 = 23 = 0.4, then starts to increase, and eventually reaches the peak value 1.…”

Section: Effects Of Shape Parametermentioning

confidence: 98%

“…Specifically, Figure 13 illustrates the graphical results when 12 (mean time to infection) varies from 1 second to 1 month. As 12 increases, the attack success probability (P 3 ) reduces or the system security (P 0 + P 1 + P 2 = 1-P 3 ) increases.…”

Section: Effects Of Scale Parametermentioning

confidence: 99%

“…These risk assessment methods can be categorized into three types, ie, qualitative assessment, quantitative assessment, and hybrid (semiquantitative) assessment methods . Different methods not only have different aims, advantages, and weaknesses, but also differ in the severity level, complexity to use, and applicability to different‐sized organization models …”

Section: Introductionmentioning

confidence: 99%

“…9 These risk assessment methods can be categorized into three types, ie, qualitative assessment, quantitative assessment, and hybrid (semiquantitative) assessment methods. 6,10,11 Different methods not only have different aims, advantages, and weaknesses, 12 but also differ in the severity level, complexity to use, and applicability to different-sized organization models. 13,14 Qualitative assessment methods involve identifying, characterizing, and ranking unwanted events primarily based on the assessor's experience, knowledge, strategies, and exceptional cases on information systems.…”

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

Probabilistic modeling and analysis of sequential cyber‐attacks

Liu

Xing

Zhou

2019

Engineering Reports

View full text Add to dashboard Cite

Security is one of the major challenges for promoting the computer industry. Existing models for assessing security have mostly assumed that different hazards causing the security breach are independent of each other. Dependencies however can exist among different hazardous actions and they may affect the system security attribute greatly. This paper advances the state of the art in quantitative security risk assessment by modeling one such dependency, where multiple sequence‐dependent hazardous actions are performed to launch a successful security cyber‐attack. Continuous‐time Markov chain and semi‐Markov process–based methods are proposed to estimate the occurrence probability of a security risk for systems undergoing the sequential cyber‐attacks. While the CTMC method is limited to the exponential state transition time, the proposed semi‐Markov process–based approach is applicable to analyzing attacks with any arbitrary types of transition time distributions. Both methods are illustrated using case studies where Trojan attacks in the banking application are modeled and analyzed.

show abstract

Section: Effects Of Shape Parametermentioning

confidence: 98%

Section: Effects Of Scale Parametermentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Probabilistic modeling and analysis of sequential cyber‐attacks

Liu

Xing

Zhou

2019

Engineering Reports

View full text Add to dashboard Cite

show abstract

“…More than 200 qualitative and quantitative methods have been proposed to simplify RM (Paintsil, 2012), such as CRAMM (Yazar, 2002), OCTAVE (Albert and Dorofee, 2003), CORAS (Soldal et al, 2011) and MAGERIT (MFPA, 2012). Most of these methods imply the importance of considering the asset interdependencies in risk assessment and cost-benefit control selection, but only a few of them have formulated these objectives in a well-defined model.…”

Section: Related Workmentioning

confidence: 99%

A comprehensive security control selection model for inter-dependent organizational assets structure

Shahpasand

Shajari

Golpaygani

et al. 2015

Information &Amp; Computer Security

View full text Add to dashboard Cite

Purpose – This paper aims to propose a comprehensive model to find out the most preventive subset of security controls against potential security attacks inside the limited budget. Deploying the appropriate collection of information security controls, especially in information system-dependent organizations, ensures their businesses' continuity alongside with their effectiveness and efficiency. Design/methodology/approach – Impacts of security attacks are measured based on interdependent asset structure. Regarding this objective, the asset operational dependency graph is mapped to the security attack graph to assess the risks of attacks. This mapping enables us to measure the effectiveness of security controls against attacks. The most effective subset is found by mapping its features (cost and effectiveness) to items’ features in a binary knapsack problem, and then solving the problem by a modified version of the classic dynamic programming algorithm. Findings – Exact solutions are achieved using the dynamic programming algorithm approach in the proposed model. Optimal security control subset is selected based on its implementation cost, its effectiveness and the limited budget. Research limitations/implications – Estimation of control effectiveness is the most significant limitation of the proposed model utilization. This is caused by lack of experience in risk management in organizations, which forces them to rely on reports and simulation results. Originality/value – So far, cost-benefit approaches in security investments are followed only based on vulnerability assessment results. Moreover, dependency weights and types in interdependent structure of assets have been taken into account by a limited number of models. In the proposed model, a three-dimensional graph is used to capture the dependencies in risk assessment and optimal control subset selection, through a holistic approach.

show abstract

Taxonomy of security risk assessment approaches for researchers

Cited by 2 publications

References 26 publications

Probabilistic modeling and analysis of sequential cyber‐attacks

Probabilistic modeling and analysis of sequential cyber‐attacks

A comprehensive security control selection model for inter-dependent organizational assets structure

Contact Info

Product

Resources

About