DYNAMIC RISK ASSESSMENT IN INFORMATION SYSTEMS: STATE-OF-THE-ART

Nowadays Risk Management is a common practice in the Information Systems security field. It is usually supported by a Risk Assessment process, which is carried out at regular but unfortunately long intervals. The lack of a continuous Risk Assessment process in an ever-changing environment such as Information Systems tends to make Risk Management a more complex and less accurate task. This paper recapitulates the existing approaches to Dynamic Risk Assessment and Management, together with their pros and cons, and finally proposes future lines of action to close the existing gaps.
