Article title

Modifications of the Formal Risk Analysis and Assessment for the Information System Security

Content
Identifiers
Title variants
Publication languages
EN
Abstracts
EN
In the article, a modification of the Formal Model of Risk Analysis (FoMRA) is proposed. The Modified FoMRA (1) method takes into account the guidelines of the ISO/IEC 27001 and ISO/IEC 27005 standards. The applied modification and abstraction by resources and security controls (also called countermeasures) significantly shortens the time of risk weight calculation in comparison with the MEHARI method. An attempt was also made to further reduce the time of risk analysis using agents that collect information and data from various network nodes, operating systems and devices, and additional agents containing information on reports on security procedures, security services, security management and organizational activities related to the information systems (maintenance, insurance, outsourcing contracts, etc.), and transfer it to the local FoMRA1 database. The obtained results indicate that the proposed method, together with agents installed in various nodes, enables a quick reaction to system threats and prevention of their impacts (a quasi-real-time security monitoring system).
Authors
author
  • Faculty of Computer Sciences and Information Technology, West Pomeranian University of Technology
  • Faculty of Applied Informatics and Mathematics, Warsaw University of Life Sciences
Bibliography
  • 1. Jones A., Ashenden D. Risk Management for Computer Security: Protecting Your Network & Information assets. Elsevier, Oxford, UK, 2005. https://www.amazon.com/Risk-Management-Computer-Security-Information/dp/0750677953.
  • 2. Bandyopadhyay K., Mykytyn P., Mykytyn K. A framework for integrated risk management in information technology. Management Decision 1999, 37(5), 437–445. https://doi.org/10.1108/00251749910274216.
  • 3. Spears J. L., Barki H. User participation in information systems security risk management. MIS Quarterly 2010, 34(3), 503-522. https://doi.org/10.2307/25750689.
  • 4. Lathrop J., Ezell B. A systems approach to risk analysis validation for risk management. Safety Science 2017, 99, 187–195. https://doi.org/10.1016/j.ssci.2017.04.006.
  • 5. Sepczuk M, Kotulski Z. A new risk-based authentication management model oriented on user’s experience. Computers & Security 2018, 73, 17-33. https://doi.org/10.1016/j.cose.2017.10.002.
  • 6. Information technology - Security techniques - Information security management systems - Requirements. International Organization for Standardization, Genève, Suisse. https://www.iso.org/standard/69379.html. (Accessed: 25.01.2023).
  • 7. Information technology - Security techniques - Code of practice for information security controls. International Organization for Standardization, Genève, Suisse. https://www.iso.org/standard/69379.html. (Accessed: 27.01.2023).
  • 8. Information technology - Security techniques - Information security risk management. International Organization for Standardization, Genève, Suisse. https://www.iso.org/standard/73906.html. (Accessed: 28.01.2023).
  • 9. Risk management – Guidelines. International Organization for Standardization, Genève, Suisse. https://www.iso.org/standard/65694.html. (Accessed: 28.01.2023).
  • 10. Stoneburner G., Goguen A., Feringa A. NIST Special Publication 800-30: Risk Management Guide for Information Technology Systems. National Institute of Standards and Technology, Gaithersburg, US. 2002. https://doi.org/10.6028/nist.sp.
  • 11. Bundesamt für Sicherheit in der Informationstechnik: BSI-Standard 100-2: IT-Grundschutz Methodology, Bonn, Deutsche 2008.
  • 12. https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/BSIStandards/standard_100-2_e_pdf.pdf?__blob=publication
  • 13. A Risk Management Standard. Federation of European Risk Management in Dynamic Open Systems, London, UK 2003. https://www.ferma.eu/app/uploads/2011/11/a-risk-management-standard-english-version.pdf.
  • 14. CCTA Risk Analysis and Management Method. Central Computing and Telecommunications Agency, UK 1987. https://www.enisa.europa.eu/topics/risk-management/current-risk/risk-management-inventory/rm-ra-methods/m_cramm.html.
  • 15. COBRA: Consultative, Objective and Bi-functional Risk Analysis. Disaster Recovery Planning Group, UK 1991.
  • 16. Méthodologie d’Analyse des Risques Informatique et d’Optimation par Niveau. France. 1998. https://www.enisa.europa.eu/topics/risk-management/current-risk/risk-management-inventory/rm-ramethods/m_marion.html.
  • 17. Expression des Besoins et Identification des Objectifs de Securite, France 2004. https://www.enisa.europa.eu/topics/risk-management/current-risk/risk-management-inventory/rm-ra-methods/m_ebios.html.
  • 18. MEthode Harmonisée d’Analyse du Risque Informatique. CLUSIF, France 2022. https://clusif.fr/services/management-des-risques/les-versions-de-mehari/mehari-standard/.
  • 19. Alberts C. J., Dorofee A. J. OCTAVE Method Implementation Guide Version 2.0. Carnegie Mellon University, Pittsburgh, Pennsylvania, US, 2001.
  • 20. https://insights.sei.cmu.edu/documents/18/2001_012_001_51572.pdf.
  • 21. MSAT: Microsoft Security Assessment Tool. US, 2008. http://technet.microsoft.com/en-us/security/cc18512.aspx.
  • 22. Humphreys E. Information security management standards: Compliance, governance and risk management. Information Security Technical Rep. 2008, 13(4), 247–255. https://doi.org/10.1016/j.istr.2008.10.010.
  • 23. Parker D.B. Computer Security Management. Reston Publishing Company Inc., Reston VA, US, 1981. https://books.google.pl/books/about/Computer_Security_Management.html?id=a1MkAQAAIAAJ&redir_esc=y.
  • 24. Baskerville R. Information Systems Security Design Methods: Implications for Information Systems Development. Computing Surveys, 1994, 25(4).
  • 25. Hartawan F., Suroso J.S. Information Technology Services Evaluation Based ITIL V3 2011 and COBIT 5 in Center for Data and Information. In: Nguyen N., Tojo S., Nguyen L., Trawiński B. (eds) Intelligent Information and Database Systems 2017. https://doi.org/10.1007/978-3-319-54430-4_5.
  • 26. Sardjono W., Cholik M.I. Information Systems Risk Analysis Using Octave Allegro Method Ba Deutsche Bank. International Conference on Information Management and Technology 2018. https://doi.org/10.1109/ICIMTech.2018.8528108.
  • 27. Suroso J.S., Fakhrozi M.A. Assessment of Information System Risk Management with Octave Allegro at Education Institution. Procedia Computer Science 2018, 135, 202–213. https://doi.org/10.1016/j.procs.2018.08.167.
  • 28. Awad A.I., Shokry M., Khalaf A.A.M., Abd-Ellah M.K. Assessment of potential security risks in advanced metering infrastructure using the OCTAVE Allegro approach, Computers and Electrical Engineering 2023, 108. https://research.uaeu.ac.ae/en/publications/assessment-of-potential-security-risks-in-advanced-metering-infra.
  • 29. Shamala P., Ahmad R., Zolait A., Sedek M. Integrating information quality dimensions into information security risk management (ISRM). Journal of Information Security and Applications 2017. https://doi.org/10.1016/j.jisa.2017.07.004.
  • 30. Barafort B., Mesquida A.L., Mas A. Integrating risk management in IT settings from ISO standards and management systems perspectives. Computer Standards & Interfaces 2017, 54, 176-185. https://doi.org/10.1016/j.csi.2016.11.010.
  • 31. Aven T. How the integration of System 1-System 2 thinking and recent risk perspectives can improve risk assessment and management. Reliability Engineering and System Safety 2018, 180, 237-244. https://doi.org/10.1016/j.ress.2018.07.031.
  • 32. Tai V.W., Lai Y-H., Yang T-H. The role of the board and the audit committee in corporate risk management. North American Journal of Economics and Finance 2018. https://doi.org/10.1016/j.najef.2018.11.008.
  • 33. Irsheid A., Murad A., AlNajdawi M., Qusef A., Information security risk management models for cloud hosted systems: A comparative study, Procedia Computer Science 2022, 204, 205-217. https://doi.org/10.1016/j.procs.2022.08.025.
  • 34. Pejaś J., El Fray I., Ruciński A. Authentication protocol for software and hardware components in distributed electronic signature creation system. Electrical Review 2012, 88(10b), 192-197. http://pe.org.pl/articles/2012/10b/51.pdf.
  • 35. Białas A., Lisek K. Integrated, Business-Oriented, Two-Stage Risk Analysis. Proceedings of the International Multiconference on Computer Science and Information Technology 2007, 617–628. https://annals-csis.org/proceedings/2007/pliks/ii_imcsit.pdf.
  • 36. El Fray I. About Some Application of Risk Analysis and Evaluation. Artificial Intelligence and Security in Computing Systems, The Springer International Series in Engineering and Computer Science 2003, 752, 283-292. https://link.springer.com/chapter/10.1007/978-1-4419-9226-0
  • 37. El Fray I., Kurkowski M., Pejaś J., Maćków W. A new mathematical model for analytical risk assessment and prediction in IT systems. Control and Cybernetics 2012, 41(1), 241-268. https://yadda.icm.edu.pl/baztech/element/bwmeta1.element.baztech-article-BATC-0009-0045?q=bwmeta1.element.baztech-volume-0324-8569-control_and_cybernetics-2012-vol__41_no_1;11&qt=CHILDREN-STATELESS.
  • 38. El Fray I. A comparative study of risk assessment methods, MEHARI & CRAMM with a new formal model of risk assessment (FoMRA) in information systems. CISIM 2012, LNCS 7564, 428–442. https://link.springer.com/content/pdf/10.1007/978-3-642-33260-9_37.pdf.
  • 39. Ghazouani M., Faris S., Medromi H., Sayouti A. Information Security Risk Assessment — A Practical Approach with a Mathematical Formulation of Risk. International Journal of Computer Applications 2014, 103 (8). https://doi.org/10.5120/18097-9155.
  • 40. European Network and Information Security Agency: Total Information Security Management 2008. http://www.enisa.europa.eu/media/press-releases/prs/201cinside-the-matrix-privacy-data-protection-challenges201d/methods_tools.
  • 41. http://www.zabbix.com.
  • 42. Hernantes J., Gallardo G. and Serrano N. IT Infrastructure-Monitoring Tools. IEEE Software Technology 2015, 88-93. https://yadda.icm.edu.pl/yadda/element/bwmeta1.element.baztech-c7aafda9-c004-4f5f-8eec-1379d471ae94.
  • 43. Petruti C.-M., Ivanciu I.-A., Puiu B.-A., Dobrota V. Automatic Management Solution in Cloud Using NtopNG and Zabbix. IEEE 2018. https://doi.org/10.1109/ROEDUNET.2018.8514142.
  • 44. Taherizadeh S., Jones A.C., Taylor I., Zhao Z., Stankovski V. Monitoring self-adaptive applications within edge computing frameworks: A state-of-the-art review. The Journal of Systems and Software 2018, 136, 19–38. https://doi.org/10.1016/j.jss.2017.10.033.
  • 45. https://www.zabbix.com/zabbix_agent.
  • 46. http://aide.sourceforge.net/.
  • 47. https://www.zabbix.com/documentation/3.4/manual/api.
  • 48. https://www.zabbix.com/documentation/3.4/manual/concepts/sender.
  • 49. Gopal R.D. and Sanders G.L. Preventive and Deterrent Controls. Journal of Management Information Systems for Software Piracy 1997, 13(4), 29-47. https://www.jmis-web.org/keywords/998.
  • 50. https://clusif.fr/publications/mehari-2010-overview.
  • 51. Pearlson K.E., Saunders C.S., Dennis F. Galletta: Managing and Using Information Systems: A Strategic Approach, Wiley 2024.
  • 52. https://www.wiley.com/en-us/exportProduct/pdf/9781119688891.
Notes
Record prepared with funds from the Ministry of Science and Higher Education (MNiSW), agreement no. SONP/SP/546092/2022, under the programme "Społeczna odpowiedzialność nauki" (Social Responsibility of Science), module: Popularisation of science and promotion of sport (2024).
Document type
Bibliography
YADDA identifier
bwmeta1.element.baztech-edd210c7-c242-4afb-a7c7-11ad851eed7b