A new lightweight method for security risk assessment based on fuzzy cognitive maps
For contemporary software systems, security is considered to be a key quality factor and the analysis of IT security risk becomes an indispensable stage during software deployment. However, performing risk assessment according to methodologies and standards issued for the public sector or large institutions can be too costly and time consuming. Current business practice tends to circumvent risk assessment by defining sets of standard safeguards and applying them to all developed systems. This leads to a substantial gap: threats are not re-evaluated for particular systems and the selection of security functions is not based on risk models. This paper discusses a new lightweight risk assessment method aimed at filling this gap. In this proposal, Fuzzy Cognitive Maps (FCMs) are used to capture dependencies between assets, and FCM-based reasoning is performed to calculate risks. An application of the method is studied using an example of an e-health system providing remote telemonitoring, data storage and teleconsultation services. Lessons learned indicate that the proposed method is an efficient and low-cost approach, giving instantaneous feedback and enabling reasoning on the effectiveness of the security system.
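To make the FCM-based reasoning concrete, here is an added worked example (not the paper's own model or code) that runs Kosko-style FCM inference over a small, constructed asset graph for a hypothetical telemonitoring system. Concept names, edge weights, the clip-to-[0, 1] transfer function and the activation levels are all assumptions chosen for illustration; the example also shows how a safeguard concept with a negative edge lets the same map reason about the effectiveness of a security control.

```python
"""FCM-style risk propagation over an asset-dependency graph (constructed example)."""

# Concepts (assumed, not the paper's): one threat source, four assets, one safeguard.
CONCEPTS = ["malware_on_patient_device", "bluetooth_gateway", "transmission_channel",
            "patient_data_store", "teleconsultation_service", "channel_encryption"]

# Causal edges (source, target, weight in [-1, 1]); positive = propagates risk,
# negative = reduces it. All values are assumed for illustration.
EDGES = [
    ("malware_on_patient_device", "bluetooth_gateway", 0.7),
    ("bluetooth_gateway", "transmission_channel", 0.6),
    ("bluetooth_gateway", "patient_data_store", 0.3),
    ("transmission_channel", "patient_data_store", 0.8),
    ("patient_data_store", "teleconsultation_service", 0.9),
    ("channel_encryption", "transmission_channel", -0.3),
]

def saturate(x):
    """Transfer function: clip activation to [0, 1] (0 = no risk, 1 = maximal risk)."""
    return min(1.0, max(0.0, x))

def fcm_infer(edges, clamped, max_iter=100, eps=1e-9):
    """Kosko-style inference: A_j(t+1) = f(sum_i w_ij * A_i(t)).
    `clamped` maps driver concepts (threats, safeguards) to fixed activations;
    every other concept starts at 0. Returns (final state, converged flag)."""
    state = {c: 0.0 for c in CONCEPTS}
    state.update(clamped)
    for _ in range(max_iter):
        nxt = {c: 0.0 for c in CONCEPTS}
        for src, dst, w in edges:
            nxt[dst] += w * state[src]
        nxt = {c: saturate(v) for c, v in nxt.items()}
        nxt.update(clamped)  # drivers keep their fixed value on every step
        if max(abs(nxt[c] - state[c]) for c in CONCEPTS) < eps:
            return nxt, True
        state = nxt
    return state, False

def risk_with_safeguard(enabled):
    """Risk profile for malware on the patient device at level 0.8, with
    channel encryption either deployed (1.0) or absent (0.0)."""
    drivers = {"malware_on_patient_device": 0.8,
               "channel_encryption": 1.0 if enabled else 0.0}
    return fcm_infer(EDGES, drivers)

if __name__ == "__main__":
    for enabled in (False, True):
        state, ok = risk_with_safeguard(enabled)
        print(f"encryption={'on' if enabled else 'off'} converged={ok}")
        for c in CONCEPTS:
            print(f"  {c:28s} {state[c]:.3f}")
```

Because the map is evaluated iteratively, cycles between assets (mutual dependencies) are handled by the same loop; with this acyclic graph the state stabilises after a few steps.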