A new lightweight method for security risk assessment based on fuzzy cognitive maps

Abstract

For contemporary software systems, security is considered to be a key quality factor and the analysis of IT security risk becomes an indispensable stage during software deployment. However, performing risk assessment according to methodologies and standards issued for the public sector or large institutions can be too costly and time consuming. Current business practice tends to circumvent risk assessment by defining sets of standard safeguards and applying them to all developed systems. This leads to a substantial gap: threats are not re-evaluated for particular systems and the selection of security functions is not based on risk models. This paper discusses a new lightweight risk assessment method aimed at filling this gap. In this proposal, Fuzzy Cognitive Maps (FCMs) are used to capture dependencies between assets, and FCM-based reasoning is performed to calculate risks. An application of the method is studied using an example of an e-health system providing remote telemonitoring, data storage and teleconsultation services. Lessons learned indicate that the proposed method is an efficient and low-cost approach, giving instantaneous feedback and enabling reasoning on the effectiveness of the security system.
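The abstract describes the mechanism only in outline: an FCM whose concepts are threats, safeguards, assets and services, connected by signed weighted edges, and iterative FCM inference that propagates threat levels through the asset dependencies to produce risk values. The following Python block is an added illustration of that style of reasoning, not code from the paper and not its method. The concept set, edge weights, transfer function (max(0, tanh(x))), and the choice to clamp threat and safeguard concepts to their assessed levels are all assumptions made here for the example; the e-health map is constructed to echo the telemonitoring and teleconsultation scenario named in the abstract.

```python
"""Fuzzy Cognitive Map (FCM) risk reasoning, as an added illustration.

An FCM is a signed, weighted digraph. Each concept C_i holds an activation
A_i in [0, 1]; an edge weight w_ji in [-1, 1] states how strongly C_j drives
C_i (negative weight = mitigation). Inference iterates

    A_i(t+1) = f( sum_j w_ji * A_j(t) )

until the activation vector stops changing. Threat and safeguard concepts
are "drivers": they are clamped to the analyst's estimate and never updated.
The transfer function f(x) = max(0, tanh(x)) keeps risk levels in [0, 1] and
maps "no influence" to exactly 0. Concepts, edges and weights below are
constructed for this example; they are not taken from the paper.
"""
import math
from typing import Dict, List, Tuple

Edge = Tuple[str, str]


def transfer(x: float) -> float:
    """Bounded transfer: no influence -> 0, strong influence -> close to 1."""
    return max(0.0, math.tanh(x))


def fcm_infer(
    concepts: List[str],
    edges: Dict[Edge, float],
    drivers: Dict[str, float],
    tol: float = 1e-6,
    max_iter: int = 500,
) -> Tuple[Dict[str, float], int]:
    """Iterate the map to a fixed point; returns (activations, iterations)."""
    idx = {c: i for i, c in enumerate(concepts)}
    n = len(concepts)
    w = [[0.0] * n for _ in range(n)]          # w[j][i]: influence of j on i
    for (src, dst), weight in edges.items():
        if not -1.0 <= weight <= 1.0:
            raise ValueError(f"weight {weight} for {src}->{dst} outside [-1, 1]")
        w[idx[src]][idx[dst]] = weight
    for c, level in drivers.items():
        if c not in idx or not 0.0 <= level <= 1.0:
            raise ValueError(f"bad driver {c}={level}")

    a = [drivers.get(c, 0.0) for c in concepts]
    for it in range(1, max_iter + 1):
        nxt = a[:]
        for i, c in enumerate(concepts):
            if c in drivers:
                continue                      # clamped input concept
            nxt[i] = transfer(sum(w[j][i] * a[j] for j in range(n)))
        delta = max(abs(x - y) for x, y in zip(nxt, a))
        a = nxt
        if delta < tol:
            return dict(zip(concepts, a)), it
    raise RuntimeError("FCM did not converge; check for strong positive cycles")


# Constructed e-health map (hypothetical concepts and weights, not the paper's).
CONCEPTS = [
    "threat:eavesdropping", "threat:db_compromise", "safeguard:link_encryption",
    "asset:telemetry_in_transit", "asset:patient_db",
    "service:telemonitoring", "service:teleconsultation", "business_impact",
]
EDGES = {
    ("threat:eavesdropping", "asset:telemetry_in_transit"): 0.8,
    ("safeguard:link_encryption", "asset:telemetry_in_transit"): -0.7,
    ("threat:db_compromise", "asset:patient_db"): 0.9,
    ("asset:telemetry_in_transit", "service:telemonitoring"): 0.6,
    ("asset:patient_db", "service:telemonitoring"): 0.7,
    ("asset:patient_db", "service:teleconsultation"): 0.8,
    ("service:telemonitoring", "business_impact"): 0.5,
    ("service:teleconsultation", "business_impact"): 0.6,
}


def assess(threats: Dict[str, float], safeguards: Dict[str, float]) -> Dict[str, float]:
    """Risk level of every concept for the given threat and safeguard levels."""
    result, _ = fcm_infer(CONCEPTS, EDGES, {**threats, **safeguards})
    return result


def safeguard_effect(threats: Dict[str, float], safeguard: str, target: str) -> Tuple[float, float]:
    """Risk at `target` with the safeguard absent (0.0) versus fully applied (1.0)."""
    off = assess(threats, {safeguard: 0.0})[target]
    on = assess(threats, {safeguard: 1.0})[target]
    return off, on


if __name__ == "__main__":
    threats = {"threat:eavesdropping": 0.6, "threat:db_compromise": 0.4}
    for name, level in sorted(assess(threats, {"safeguard:link_encryption": 0.0}).items()):
        print(f"{name:30s} {level:.3f}")
    print("link encryption off/on at business_impact:",
          safeguard_effect(threats, "safeguard:link_encryption", "business_impact"))
```

Running the block prints the steady-state risk level of each concept and then the business-impact level with and without link encryption; because the safeguard edge is negative, a fully applied safeguard drives the in-transit telemetry concept to zero and the reduction propagates through the service concepts. Re-running after changing one weight or one threat level is what gives the "instantaneous feedback" the abstract refers to. The acyclic map above settles in a few iterations; the same loop handles cyclic maps, which is where the fixed-point iteration is actually needed.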
