Modifications of the Formal Risk Analysis and Assessment for the Information System Security

Fray, Imed El; Wiliński, Artur

doi:10.12913/22998624/185162

Artykuł - szczegóły

Tytuł artykułu

Modifications of the Formal Risk Analysis and Assessment for the Information System Security

Autorzy

Fray Imed El , Wiliński Artur

Treść / Zawartość

Pełne teksty:

Pobierz

Identyfikatory

DOI

10.12913/22998624/185162

Warianty tytułu

Języki publikacji

Abstrakty

In the article, a modification of Formal Model of Risk Analysis FoMRA was proposed. The Modified FoMRA (1) method takes into account the guidelines of ISO/IEC 27001 and ISO/IEC 27005 standards. The applied modification and abstraction by resources and security controls (also called countermeasures) significantly shortened the time of risk weight calculation in comparison with the MEHARI method. An attempt was also made to further reduce the time of risk analysis using agents collecting information and data from various network nodes, from operating systems and devices, and additional agents containing information on reports on security procedures, security services, security management and organizational activities related to the information systems (maintenance, insurance, outsourcing contracts, etc.) and transfer it to the local FoMRA1 database. The obtained results indicate that the proposed method together with agents installed in various nodes enable a quick reaction to the system threats and prevention of their impacts (quasi-real-time security monitoring system)

Słowa kluczowe

security monitoring risk analysis risk assessment formal model information system MEHARI method

Wydawca

Lublin University of Technology
Polish Society of Ecological Engineering (PTIE), Branch of PTIE in Lublin

Czasopismo

Advances in Science and Technology. Research Journal

Rocznik

2024

Tom

Vol. 18, no 2

Strony

317--332

Opis fizyczny

Bibliogr. 52 poz., fig., tab.

Twórcy

autor

Fray Imed El

Faculty of Computer Sciences and Information Technology, West Pomeranian University of Technology

autor

Wiliński Artur

artur_wilinski@sggw.edu.pl

Faculty of Applied Informatics and Mathematics, Warsaw University of Life Sciences

https://orcid.org/0000-0002-3774-5909

Bibliografia

1. Jones A., Ashenden D. Risk Management for Computer Security: Protecting Your Network & Information assets. Elsevier, Oxford, UK, 2005. https://www.amazon.com/Risk-Management-Computer-Security-Information/dp/0750677953.
2. Bandyopadhyay K., Mykytyn P., Mykytyn K. A framework for integrated risk management in information technology. Management Decision 1999,
37(5), 437–445. https://doi.org/ 10.1108/00251749910274216.
3. Spears J. L., Barki H. User participation in information systems security risk management. MIS Quarterly 2010, 34(3), 503-522. https://doi.org/10.2307/25750689.
4. Lathrop J., Ezell B. A systems approach to risk analysis validation for risk management. Safety Science 2017, 99, 187–195. https://doi.org/10.1016/j.ssci.2017.04.006.
5. Sepczuk M, Kotulski Z. A new risk-based authentication management model oriented on user’s experience. Computers & Security 2018, 73, 17-33. https://doi.org/10.1016/j.cose.2017.10.002.
6. Information technology - Security techniques - Information security management systems - Requirements. International Organization for Standardization, Genève, Suisse. https://www.iso.org/standard/69379.html. (Accessed: 25.01.2023).
7. Information technology - Security techniques - Code of practice for information security controls. International Organization for Standardization, Genève, Suisse. https://www.iso.org/standard/69379.html. (Accessed: 27.01.2023).
8. Information technology - Security techniques - Information security risk management. International Organization for Standardization, Genève, Suisse. https://www.iso.org/standard/73906.html. (Accessed: 28.01.2023).
9. Risk management – Guidelines. International Organization for Standardization, Genève, Suisse. https://www.iso.org/standard/65694.html. (Accessed: 28.01.2023).
10. Stoneburner G., Goguen A., Feringa A. NIST Special Publication 800-30: Risk Management Guide for Information Technology Systems. National Institute of Standards and Technology, Gaithersburg, US. 2002. https://doi.org/10.6028/nist.sp.
11. Bundesamt für Sicherheit in der Informationstechnik: BSI-Standard 100-2: IT-Grundschutz Methodology, Bonn, Deutsche 2008.
12. https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/BSIStandards/standard_100-2_e_pdf.pdf?__blob=publication
13. A Risk Management Standard. Federation of European Risk Management in Dynamic Open Systems, London, UK 2003. https://www.ferma.eu/app/uploads/2011/11/a-risk-management-standard-english-version.pdf.
14. CCTA Risk Analysis and Management Method. Central Computing and Telecommunications Agency, UK 1987. https://www.enisa.europa.eu/topics/risk-management/current-risk/risk-management-inventory/rm-ra-methods/m_cramm.html.
15. COBRA: Consultative, Objective and Bi-functional Risk Analysis. Disaster Recovery Planning Group, UK 1991.
16. Méthodologie d’Analyse des Risques Informatique et d’Optimation par Niveau. France. 1998. https://www.enisa.europa.eu/topics/risk-management/current-risk/risk-management-inventory/rm-ramethods/m_marion.html.
17. Expression des Besoins et Identification des Objectifs de Securite, France 2004. https://www.enisa.europa.eu/topics/risk-management/current-risk/risk-management-inventory/rm-ra-methods/m_ebios.html.
18. MEthode Harmonisée d’Analyse du Risque Informatique. CLUSIF, France 2022. https://clusif.fr/services/management-des-risques/les-versions-de-mehari/mehari-standard/.
19. Alberts C. J., Dorofee A. J. OCTAVE Method Implementation Guide Version 2.0. Carnegie Mellon University, Pittsburgh, Pennsylvania, US, 2001.
20. https://insights.sei.cmu.edu/documents/18/2001_012_001_51572.pdf.
21. MSAT: Microsoft Security Assessment Tool. US, 2008. http://technet. Microsoft.com/en-us/security/cc18512.aspx.
22. Humphreys E. Information security management standards: Compliance, governance and risk management. Information Security Technical Rep. 2008, 13(4), 247–255. https://doi.org/10.1016/j.istr.2008.10.010.
23. Parker D.B. Computer Security Management. Reston Publishing Company Inc., Reston VA. US, 1981. https://books.google.pl/books/about/Computer_ Security_Management.html?id=a1MkAQAAIAAJ&redir_esc=y.
24. Baskerville R. Information Systems Security Design Methods: Implications for Information Systems Development. Computing Surveys, 1994, 25(4).
25. Hartawan F., Suroso J.S. Information Technology Services Evaluation Based ITIL V3 2011 and COBIT 5 in Center for Data and Information. In: Nguyen N., Tojo S., Nguyen L., Trawiński B. (eds) Intelligent Information and Database Systems 2017. https://doi.org/10.1007/978-3-319-54430-4_5.
26. Sardjono W., Cholik M.I. Information Systems Risk Analysis Using Octave Allegro Method Ba Deutsche Bank. International Conference on Information Management and Technology 2018. https://doi.org/10.1109/ICIMTech.2018.8528108.
27. Suroso J.S., Fakhrozi M.A. Assessment of Information System Risk Management with Octave Allegro at Education Institution. Procedia Computer Science 2018, 135, 202–213. https://doi.org/10.1016/j.procs.2018.08.167.
28. Awad A.I., Shokry M., Khalaf A.A.M., Abd-Ellah M.K. Assessment of potential security risks in advanced metering infrastructure using the OCTAVE Allegro approach, Computers and Electrical Engineering 2023, 108. https://research.uaeu.ac.ae/en/publications/assessment-of-potential-security-risks-in-advanced-metering-infra.
29. Shamala P., Ahmad R., Zolait A., Sedek M. Integrating information quality dimensions into information security risk management (ISRM). Journal of Information Security and Applications 2017. https://doi.org/10.1016/j.jisa.2017.07.004.
30. Baraforta B., Mesquidab A.L., Masb A. Integrating risk management in IT settings from ISO standards and management systems perspectives. Computer Standards & Interfaces 2017, 54, 176-185. https://doi.org/10.1016/j.csi.2016.11.010.
31. Aven T. How the integration of System 1-System 2 thinking and recent risk perspectives can improve risk assessment and management. Reliability Engineering and System Safety 2018, 180, 237-244. https://doi.org/10.1016/j.ress.2018.07.031.
32. Tai V.W., Lai Y-H., Yang T-H. The role of the board and the audit committee in corporate risk management. North American Journal of Economics and Finance 2018. https://doi.org/10.1016/j.najef.2018.11.008.
33. Irsheid A., Murad A., AlNajdawi M., Qusef A., Information security risk management models for cloud hosted systems: A comparative study, Procedia Computer Science 2022, 204, 205-217. https://doi.org/10.1016/j.procs.2022.08.025.
34. Pejaś J., El Fray I., Ruciński A. Authentication protocol for software and hardware components in distributed electronic signature creation system. Electrical Review 2012, 88(10b), 192-197. http://pe.org.pl/articles/2012/10b/51.pdf.
35. Białas A., Lisek K. Integrated, Business-Oriented, Two-Stage Risk Analysis. Proceedings of the International Multiconference on Computer Science and Information Technology 2007, 617–628. https://annals-csis.org/proceedings/2007/pliks/ii_imcsit.pdf.
36. El Fray I. About Some Application of Risk Analysis and Evaluation. Artificial Intelligence and Security in Computing Systems, The Springer International Series in Engineering and Computer Science 2003, 752, 283-292. https://link.springer.com/chapter/10.1007/978-1-4419-9226-0
37. El Fray I., Kurkowski M., Pejaś J., Maćków W. A New mathematical model for analytical risk assessment and prediction In IT systems. Control and Cybernetics 2012, 41(1), 241-268. https://yadda.icm.edu.pl/baztech/element/bwmeta1.element.baztech-article-BATC-0009-0045?q=bwmeta1.element.baztech-volume-0324-8569-control_and_cybernetics-2012-vol__41_no_1;11&qt=CHILDREN-STATELESS.
38. El Fray I. A comparative study of risk assessment methods, MEHARI & CRAMM with a new formal model of risk assessment (FoMRA) in information systems. CISIM 2012, LNCS 7564, 428–442. https://link.springer.com/content/pdf/10.1007/978-3-642-33260-9_37.pdf.
39. Ghazouani M., Faris S., Medromi H., Sayouti A. Information Security Risk Assessment — A Practical Approach with a Mathematical Formulation of Risk. International Journal of Computer Applications 2014, 103 (8). https://doi.org/10.5120/18097-9155.
40. European Network and information Security Agency-Total Information Security Management 2008. http://www.enisa.europa.eu/media/press-releases/prs/201cinside-the-matrix-privacy-data-protection-challenges201d/ methods_tools.
41. http//www.zabbix.com.
42. Hernantes J., Gallardo G. and Serrano N. IT Infrastructure-Monitoring Tools. IEEE Software Technology 2015, 88-93. https://yadda.icm.edu.pl/yadda/element/bwmeta1.element.baztech-c7aafda9-c004-4f5f-8eec-1379d471ae94.
43. Petruti C.-M., Ivanciu I.-A., Puiu B.-A., Dobrota V. Automatic Management Solution in Cloud Using NtopNG and Zabbix. IEEE 2018. https://doi.org/10.1109/ROEDUNET.2018.8514142.
44. Taherizadeh S., Jones A.C., Taylor I., Zhao Z., Stankovski V. Monitoring self-adaptive applications within edge computing frameworks: A stateof-the-art review. The Journal of Systems and Software 2018, 136, 19–38. https://doi.org/10.1016/j.jss.2017.10.033.
45. https://www.zabbix.com/zabbix_agent.
46. http://aide.sourceforge.net/.
47. https://www.zabbix.com/documentation/3.4/manual/api.
48. https://www.zabbix.com/documentation/3.4/manual/concepts/sender.
49. Gopal R.D. and Sanders G.L. Preventive and Deterrent Controls. Journal of Management Information Systems for Software Piracy 1997, 13(4), 29-47. https://www.jmis-web.org/keywords/998.
50. https://clusif.fr/publications/mehari-2010-overview.
51. Pearlson K.E., Saunders C.S., Dennis F. Galletta: Managing and Using Information Systems: A Strategic Approach, Wiley 2024.
52. https://www.wiley.com/en-us/export Product/ pdf/9781119688891.

Uwagi

Opracowanie rekordu ze środków MNiSW, umowa nr SONP/SP/546092/2022 w ramach programu "Społeczna odpowiedzialność nauki" - moduł: Popularyzacja nauki i promocja sportu (2024).

Typ dokumentu

Bibliografia

Identyfikator YADDA

bwmeta1.element.baztech-edd210c7-c242-4afb-a7c7-11ad851eed7b