A Formal Methodology for Modeling Threats to Enterprise Assets

Enterprises usually execute business processes with the help of Information Technology (IT) services which, in turn, are realized by IT assets. Enterprise IT assets contain vulnerabilities that can be exploited by threats to cause harm to business processes and breach the security of information assets. Hence, detection of threats is crucial for ensuring business continuity and protecting enterprise information security. Existing threat detection mechanisms are limited in scope owing to the absence of methodologies for modeling different categories of threats uniformly. This paper presents a formal methodology that can model diverse types of threats to enterprise assets. The methodology gives enterprises sufficient flexibility to define threshold values of threat parameters that suit their specific needs and help them compute the probability of occurrence of threats.