FC 2016: Frontier Computing, pp. 809–817
Performance Evaluation of Information Security Risk Identification
Abstract
In the recent decade, information security has become a crucial issue in protecting the benefits of business operations. Many organizations perform information security risk management in order to analyse their weaknesses and ensure the security of their business processes. However, identifying the threat-vulnerability pairs for each asset during the risk assessment process is both difficult and time-consuming for the risk assessor. Furthermore, if the identified results diverge from the real situation, the organization may put emphasis on unnecessary controls to prevent non-existent risks. To resolve the problem mentioned above, we utilize a data mining approach to discover the relationship between assets and threat-vulnerability pairs. We then propose a risk recommendation system for assisting the user in identifying threats and vulnerabilities. The experimental results show that the risk recommendation system can improve the efficiency and accuracy of the risk assessment. We also develop a risk assessment system in order to collect historical selection records and measure the elapsed time for further research.
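The abstract does not state which mining technique the recommendation system uses. The following added example (not the paper's code) shows one plausible realisation of the idea: historical selection records of which threat-vulnerability pairs assessors chose for each asset type are turned into per-pair confidence scores, a new asset gets the pairs that pass a confidence threshold, and the recommendation is scored against the assessor's final selection by precision and recall. The records, pair identifiers and the confidence rule are constructed assumptions.

```python
from collections import Counter, defaultdict

# Constructed historical selection records (fictional sample data):
# (asset type, set of threat-vulnerability pair ids the assessor selected).
HISTORY = [
    ("web_server", {"T01/V01", "T02/V03", "T05/V07"}),
    ("web_server", {"T01/V01", "T02/V03"}),
    ("web_server", {"T01/V01", "T05/V07", "T09/V11"}),
    ("database",   {"T02/V03", "T03/V04", "T04/V06"}),
    ("database",   {"T03/V04", "T04/V06"}),
    ("laptop",     {"T06/V08", "T07/V09"}),
]


def pair_confidence(history):
    """Build {asset_type: {pair: confidence}}, where confidence is the share
    of past assessments of that asset type in which the pair was selected
    (an assumed, simple co-occurrence rule standing in for the paper's
    unspecified data mining method)."""
    counts = defaultdict(Counter)
    totals = Counter()
    for asset_type, pairs in history:
        totals[asset_type] += 1
        counts[asset_type].update(pairs)
    return {a: {p: c / totals[a] for p, c in ctr.items()} for a, ctr in counts.items()}


def recommend(model, asset_type, min_confidence=0.5):
    """Recommend pairs for a new asset of the given type, strongest first.
    Unknown asset types yield no recommendation rather than a guess."""
    scores = model.get(asset_type, {})
    ranked = sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))
    return [p for p, c in ranked if c >= min_confidence]


def evaluate(recommended, actual):
    """Precision and recall of the recommendation against the assessor's
    final selection; both are 0.0 when the respective set is empty."""
    hits = len(set(recommended) & set(actual))
    precision = hits / len(recommended) if recommended else 0.0
    recall = hits / len(actual) if actual else 0.0
    return precision, recall


if __name__ == "__main__":
    model = pair_confidence(HISTORY)
    suggested = recommend(model, "web_server")
    # Constructed "ground truth": what the assessor finally chose for this asset.
    print(suggested, evaluate(suggested, {"T01/V01", "T05/V07", "T08/V10"}))
```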
Keywords
Threat, Vulnerability, Risk recommendation, Security