An ontology- and Bayesian-based approach for determining threat probabilities

Information security risk management is crucial for long-term business success, and numerous approaches to implementing an adequate information security risk management strategy have therefore been proposed. Subjective determination of threat probabilities is one of the main reasons for an inadequate information security strategy, which endangers the organization's ability to perform its mission. To address this problem we developed an ontology- and Bayesian-based approach to determining threat probabilities that takes into account general information security knowledge as well as organization-specific knowledge about existing control implementations and attacker profiles. The elaborated concepts enable risk managers to quantify, in a comprehensible way, the current security status of their organization through Bayesian threat probability determination.
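To make the Bayesian threat probability determination concrete, here is an added example that is not the paper's model or code: a toy Bayesian network in Python whose threat node depends on an attacker-profile node and on nodes for implemented controls, with exact inference by enumeration. The node names and every probability value are constructed assumptions, chosen only to show how the same network answers predictive queries (threat probability given which controls are in place) and diagnostic ones (how likely a control was in place given that the threat occurred).

```python
from itertools import product

# Constructed toy network (an assumption, not the paper's model). Each node is
# binary; NETWORK maps node -> (parents, CPT), where the CPT gives P(node=True)
# for every combination of parent values. Nodes are listed in topological order.
NETWORK = {
    # attacker profile: is the organisation facing a targeted attacker?
    "targeted_attacker": ((), {(): 0.2}),
    # a targeted attacker is far more likely to actually attempt the attack
    "attack_attempted": (("targeted_attacker",), {(True,): 0.9, (False,): 0.3}),
    # organisation-specific knowledge: probability each control is implemented
    "patching": ((), {(): 0.7}),
    "network_filtering": ((), {(): 0.6}),
    # the threat only materialises if attempted; controls lower its probability
    "threat_occurs": (("attack_attempted", "patching", "network_filtering"), {
        (False, True, True): 0.0, (False, True, False): 0.0,
        (False, False, True): 0.0, (False, False, False): 0.0,
        (True, True, True): 0.05, (True, True, False): 0.25,
        (True, False, True): 0.40, (True, False, False): 0.85,
    }),
}

def joint(assignment):
    """Probability of one complete assignment of all nodes (chain rule)."""
    p = 1.0
    for node, (parents, cpt) in NETWORK.items():
        p_true = cpt[tuple(assignment[q] for q in parents)]
        p *= p_true if assignment[node] else 1.0 - p_true
    return p

def probability(query, evidence=None):
    """P(query=True | evidence) by exact enumeration of all assignments."""
    evidence = evidence or {}
    names = list(NETWORK)
    numerator = denominator = 0.0
    for values in product((True, False), repeat=len(names)):
        a = dict(zip(names, values))
        if any(a[k] != v for k, v in evidence.items()):
            continue  # inconsistent with the observed evidence
        p = joint(a)
        denominator += p
        if a[query]:
            numerator += p
    return numerator / denominator

if __name__ == "__main__":
    print("baseline threat probability:", round(probability("threat_occurs"), 4))
    both = {"patching": True, "network_filtering": True}
    print("both controls in place:", round(probability("threat_occurs", both), 4))
```

Replacing the constructed CPT values with ones derived from the organization's actual control status and attacker profile is what turns the toy into a usable threat probability estimate.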
