
Medusa: A Supply Chain Risk Assessment Methodology

  • Conference paper

Part of the book series: Communications in Computer and Information Science (CCIS, volume 530)

Abstract

Although efforts have been made to standardize Supply Chain (SC) security risk assessment, targeted methodologies are still lacking. In this paper we propose Medusa, an SC risk assessment methodology compliant with ISO 28001. Medusa can be used to assess the overall risk of the entire supply chain. The derived overall risk values are then used to generate a baseline SC security policy, identifying the minimum necessary security controls for each participant in the SC. In addition, Medusa assesses the risk of cascading threat scenarios within an SC. This enables the SC participants to fine-tune their security policies according to their business role as well as their dependencies.


Notes

  1. Following the ISO 28001 standard, we will refer to such operators as business partners.


Acknowledgements

The publication of this paper has been partly supported by the University of Piraeus Research Center. This work is supported by the European Commission under grant agreement HOME/2013/CIPS/AG/4000005093 (MEDUSA: http://medusa.cs.unipi.gr/).

Author information


Corresponding author

Correspondence to Panayiotis Kotzanikolaou.


Copyright information

© 2015 Springer International Publishing Switzerland

About this paper

Cite this paper

Polemi, N., Kotzanikolaou, P. (2015). Medusa: A Supply Chain Risk Assessment Methodology. In: Cleary, F., Felici, M. (eds) Cyber Security and Privacy. CSP 2015. Communications in Computer and Information Science, vol 530. Springer, Cham. https://doi.org/10.1007/978-3-319-25360-2_7

  • DOI: https://doi.org/10.1007/978-3-319-25360-2_7

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-25359-6

  • Online ISBN: 978-3-319-25360-2

  • eBook Packages: Computer Science (R0)