论文信息 - CRAC: Confidentiality Risk Analysis and IT-Architecture Comparison of Business Networks

CRAC: Confidentiality Risk Analysis and IT-Architecture Comparison of Business Networks

The leakage of confidential information (e.g.\ industrial secrets, patient records and user credentials) is one of the risks that have to be accounted for and mitigated by organizations dealing with confidential data. Unfortunately, assessing confidentiality risk is challenging, particularly in the presence of cross- organization cooperation, like in the case of outsourcing. This is due to the complexity of business networks. This paper presents an IT-architecture based method for assessing and comparing confidentiality risks of IT-based business networks from the perspective of one of the organizations in the network.

Sandro Etalle | Roel Wieringa | Ayse Morali | Emmanuele Zambon

[1] Laura Painton Swiler,et al. A graph-based network-vulnerability analysis system , 1997, S&P 1998.

[2] Robert J. Ellison,et al. Attack Trees , 2009, Encyclopedia of Biometrics.

[3] Roel Wieringa,et al. A Mobile Ambients-Based Approach for Network Attack Modelling and Simulation , 2009, 2009 International Conference on Availability, Reliability and Security.

[4] Harold F. Tipton,et al. Handbook of Information Security Management , 1997 .

[5] Roel Wieringa,et al. Design science as nested problem solving , 2009, DESRIST.

[6] Ketil Stølen,et al. The CORAS methodology: model-based risk assessment using UML and UP , 2003 .

[7] P. Bowen,et al. Information Security Handbook: A Guide for Managers , 2006 .

[8] Gary Stoneburner,et al. SP 800-30. Risk Management Guide for Information Technology Systems , 2002 .

[9] Sjouke Mauw,et al. Foundations of Attack Trees , 2005, ICISC.

[10] Indrajit Ray,et al. Using Attack Trees to Identify Malicious Attacks from Authorized Insiders , 2005, ESORICS.

[11] Andrew P. Moore,et al. Attack Modeling for Information Security and Survivability , 2001 .

[12] Lars Grunske,et al. Quantitative risk-based security prediction for component-based systems with explicitly modeled attack profiles , 2008, J. Syst. Softw..

[13] Sandro Etalle,et al. IT confidentiality risk assessment for an architecture-based approach , 2008, 2008 3rd IEEE/IFIP International Workshop on Business-driven IT Management.