论文信息 - Analysis of Information Security Problem by Probabilistic Risk Assessment

Analysis of Information Security Problem by Probabilistic Risk Assessment

The information security risk assessment is investigated from perspectives of most advanced probabilistic risk assessment (PRA) for nuclear power plants. Accident scenario enumeration by initiating events, mitigation systems and event trees are first described and demonstrated. Assets, confidentiality, integrity, availability, threats, vulnerabilities, impacts, likelihoods, and safeguards are reformulated by the PRA. Two illustrative examples are given: network access attacker and physical access attacker. Defenseless time spans and their frequencies are introduced to cope with non-rare initiating events of information security problems. A common event tree structure may apply to variety of security problems, thus facilitating the risk assessment. Keywords— Information security, Probabilistic risk assessment, Initiating event, Mitigation system, Asset, Threat, Vulnerability, Impact

Hiromitsu Kumamoto | H. Kumamoto | Naoki Satoh | Naoki Satoh

[1] Robert J. Ellison,et al. Attack Trees , 2009, Encyclopedia of Biometrics.

[2] Hiromitsu Kumamoto,et al. Viewpoint of ISO GMITS and probabilistic risk assessment in information security , 2008 .

[3] Norihisa Komoda,et al. An Analysis of Patterns for Automating Information System Operations , 2008 .

[4] Jeffrey L. Hieb,et al. Cyber security risk assessment for SCADA and DCS networks. , 2007, ISA transactions.

[5] 熊本博光. Satisfying safety goals by probabilistic risk assessment , 2007 .

[6] Thomas R. Peltier. Information Security Risk Analysis, Second Edition , 2005 .

[7] Marianne M. Swanson,et al. Standards for Security Categorization of Federal Information and Information Systems , 2004 .

[8] E. Byres,et al. The Use of Attack Trees in Assessing Vulnerabilities in SCADA Systems , 2004 .

[9] Jim Alves-Foss,et al. Risk Analysis and Probabilistic Survivability Assessment ( RAPSA ) : An Assessment Approach for Power Substation Hardening , 2002 .

[10] Hiromitsu Kumamoto,et al. Probabilistic Risk Assessment and Management for Engineers and Scientists , 1996 .

[11] G. E. Apostolakis,et al. Probabilistic risk assessment in the nuclear power utility industry , 1989 .

[12] E. Gifford. Electronic information security , 1988, IEEE Potentials.