Information Security Risk Assessment by Using Bayesian Learning Technique

Farhad Foroughi*

* Farhad Foroughi is with the University of Sunderland.

Abstract

Organisations need information security risk management to evaluate asset values and related risks. Risk management is usually a human activity which includes risk assessment, strategy development and risk mitigation using managerial resources. A significant part of risk assessment, the identification of threats and vulnerabilities, is closely related to past incidents, their likelihood and their impacts. The problem is the identification and evaluation of the risk of new assets according to their properties, current security controls and the consequences of earlier incidents. A system is therefore required that can assist experts, or work on their behalf, to assess risks during normal working processes. The system should be reactive and autonomous because it needs to respond immediately and independently of events. An intelligent software agent is the best solution for this aim. It learns the risk of past experiences in terms of risk factors and asset properties, and predicts the probability of risk for a new instance. This article describes an intelligent system for information security risk assessment based on the Bayesian learning technique.

Index Terms: Bayesian Belief Network, Bayesian Learning, Information Security, Intelligent Agent, Risk Assessment.

I. INTRODUCTION

All organisations and businesses are targets of information security attacks; those that operate through e-services are most in danger. Attacks may come from hackers, viruses or internal employees. There is no way to know which kind of attack may occur, but all know that it would lead to the loss of a large amount of money, time and other resources. Organisations spend millions of dollars on technical security equipment such as firewalls, IDSs, encryption tools and anti-virus software to protect themselves against these threats. Nonetheless, there is always a clever intruder or an unknown vulnerability that may make an attack successful. [1]

According to the 2007 CSI/FBI survey, 13% of the participating companies have no idea how much they spent on security in the last year. 48% of them suppose that they should invest just 1% of the IT budget in security awareness, but only 39% use ROI (Return on Investment) to determine how much is enough to spend on security. 46% of the companies have found at least one security incident in the past 12 months, but only 29% of them have security risk management techniques in progress. What is the biggest challenge for these companies? The answer is simple: they do not know what they have, and what they need. They want to know which asset or technology carries a security risk, and for which ones they have enough security controls in place. [2]

To manage this challenge, organisations need information security risk management to evaluate asset values and related risks. Risk management is usually a human activity which includes risk assessment, strategy development and risk mitigation using managerial resources. Risk assessment is the process which identifies the assets, their values, the threats and their consequences. A significant part of risk assessment, the identification of threats and vulnerabilities, is closely related to past incidents, their likelihood and their impacts.

II. THE PROBLEM

Risk is the product of likelihood and impact. Likelihood is the rate of occurrence and impact is the weight of the loss. Under this definition, prioritising between the amount of loss and the rate of occurrence is crucial: weighing the greatest probability against the greatest loss makes risk calculation difficult. For example, consider an asset with a high probability of a threat but a low loss versus another asset with a low probability of attack and a high loss. Which one is more at risk? The answer is not easy. It depends on the asset's characteristics, the existing controls and previous experience. In these situations an expert opinion is needed to make a decision, but it cannot help without a scientific theory or technology to support it. Continual risk assessment is a problem in large organisations and complex business environments which produce or use information assets. In other words, the problem is the identification and evaluation of the risk of new assets according to their properties, current security controls and the consequences of earlier incidents.

III. THE SOLUTION

A. Intelligent Software Agent

We need a system that can assist experts, or work on their behalf, to assess risks during normal working processes. The system should be reactive and autonomous because it needs to respond immediately and

independently of events. It should also be communicative and cooperative with the logs and reports that are produced in relation to other databases and past experiences. The learning capability is very significant for this system, because it should learn both from past incidents and from the decisions it makes itself. Flexibility is also important, because the factors and parameters may change over time or under special circumstances. [3]

An intelligent software agent is the best solution for this aim. It can perform various tasks on behalf of human experts and has all the properties the system needs. It learns the risk of past experiences in terms of risk factors and asset properties, and predicts the probability of risk for a new instance. It can also adjust itself dynamically according to new decisions and their results, which increases the accuracy of the prediction. For this reason, and because we need to predict the probability of risk, Bayesian learning theory is the best choice for this intelligent agent. Bayesian learning is based on conditional probability, and risk evaluation is an uncertain prediction under conditional assumptions. We have a data set of past incidents and their consequences; the instances in that data set are classified by common asset attributes and common threat and vulnerability groups. The agent can link these assumptions and make a probabilistic prediction. We only need to prepare the data set as the knowledge and training data for the learning method and define the optimal hypothesis. [1]

B. Risk Assessment and BBN

The first step in risk management is establishing risk assessment and asset identification; potential risks can be identified after this assessment. A risk is the probability that a problem is caused when a threat is triggered by vulnerabilities. The source of the problem is the vulnerability and the problem itself is the threat. Threats are closely related to the characteristics of the assets, and vulnerabilities are related to the security controls. [1]

To evaluate the risks we need to develop a causal diagram which can represent the probable sources of security breaches. In this case the Bayesian Belief Network (BBN) is the choice, because it can graphically represent the probabilistic relationships in the data set we have. For better results and more realistic prediction, the model should set up a list of risk factors and impacts which are common to all incidents. The BBN is built by creating the structure of the network and estimating the probability of each node: the first is presented by a diagram and the second is calculated through a mathematical procedure applied to the training data set.

In 2002 the British Standards Institution developed a guideline for information security risk assessment and identified the most common threats, vulnerabilities and risk factors. The model describes the asset attributes and security control categories which are critical for calculating risk probability. The asset attributes indicate the impact and threats, and the security control categories represent the sources of problems. The occurrence rate is also involved in the risk calculation. [4]

C. Risk Calculation and Knowledge Requirements

According to BSI PD-3002:2002 and the Data-Centric Quantitative Computer Security Risk Assessment research [5], the risk of an information system's asset can be determined by the following formula:

Risk = Impact × Occurrence Rate × (Threat × Vulnerability)

From the same research, a threat is a potential violation of security, and a vulnerability is a weakness in security controls which increases the probability of threat occurrence. Impact is the weighted cost of losing an asset. This cost depends on the asset's characteristics and its value to the organisation; the asset's value to the organisation can be represented by its classification. The occurrence rate is the number of times a threat occurs in one year (Annualized Rate of Occurrence, ARO). The combination of impact and ARO is the Annualized Loss Expectancy (ALE):

ALE = Single Loss Expectancy (SLE) × Annualized Rate of Occurrence (ARO)
Risk = ALE × (Threat × Vulnerability)

According to this result, we need information about Single Loss Expectancy, Annualized Rate of Occurrence, threats and vulnerabilities. The ARO is the rate of occurrence in the past and is available from logs. For the SLE we need to find the classification of the asset (called C in the formula) in the organisation's documents, and the properties of the asset. According to [6], the asset value depends on the asset content. In information systems, each asset can have one or more of the following factors: [6]

Financial Focus (AC1)
Customer Focus (AC2)
Process Focus (AC3)
Renewal and Development Focus (AC4)
Human Focus (AC5)

Furthermore, according to BSI PD-3002 (2002), the common threats in information systems can be categorized into four groups: [7]

Physical and Environmental (T1)
Computer and Network (T2)
Business Continuity (T3)
Compliance (T4)

In addition, from the same guideline, the common vulnerabilities are related to the following security objectives:

Personal Security (V1)
Physical and Environmental Security (V2)
Computer and Network Management (V3)
System Development and Maintenance (V4)

By using a Bayesian Belief Network (BBN) we can determine the relationships between these factors and their probabilities for risk evaluation. The BBN diagram is presented in Figure 1 in the appendix. According to the BBN diagram:

P(Risk) = P(Impact) × P(Occurrence Rate) × P(Probability)
P(R) = (P(Asset Value) × P(Classification)) × P(Occurrence Rate) × (P(Threat) × P(Vulnerability))
P(R) = (P(AC1) × P(AC2) × P(AC3) × P(AC4) × P(AC5) × P(C)) × P(ARO) × (P(T1) × P(T2) × P(T3) × P(T4) × P(V1) × P(V2) × P(V3) × P(V4))

This means that the probability of risk is equal to the product of all the factor probabilities. On the other hand, by Bayes' theorem,

P(h | D) = (P(D | h) × P(h)) / P(D)

where P(h | D) is the probability of h given that D has happened. P(h | D) is the predicted risk, because it is the probability of risk when the instance D has happened. D is a set of training data, and P(D) denotes the prior probability that the training data D will be observed. Because h is independent of D, we can ignore P(D). Because the instance h is described by a set of attributes, we can use the Naïve Bayes classifier to simplify the formula. The Naïve Bayes classifier applies when the target function f(x) can take any value from a finite set and each instance is described by a set of attributes:

P(a1, a2, ..., an | vj) = ∏i P(ai | vj)
P(C, AC1, AC2, AC3, AC4, AC5, ARO, T1, T2, T3, T4, V1, V2, V3, V4 | D) = P(AC1) × P(AC2) × P(AC3) × P(AC4) × P(AC5) × P(C) × P(ARO) × P(T1) × P(T2) × P(T3) × P(T4) × P(V1) × P(V2) × P(V3) × P(V4)

The training data come from the log files and archived incident reports of organisations. If no data is available, it is possible to gather this information from international institutes which conduct surveys and produce reports on incidents, such as CSI/FBI and SANS.

D. A Sample

Using the above formula and the training data built from company A's archived logs by a windowing technique (Table 1 in the appendix), the risk of a new instance is calculated. The new instance is an asset with the following attributes:

Asset name: Annual Financial Report
C: Private, AC1: Yes, AC2: No, AC3: No, AC4: Yes, AC5: Yes, T1: Yes, T2: No, T3: Yes, T4: No, V1: Yes, V2: Yes, V3: Yes, V4: Yes, ARO: 1

P(C, AC1, AC2, AC3, AC4, AC5, ARO, T1, T2, T3, T4, V1, V2, V3, V4 | D) = P(AC1) × P(AC2) × P(AC3) × P(AC4) × P(AC5) × P(C) × P(ARO) × P(T1) × P(T2) × P(T3) × P(T4) × P(V1) × P(V2) × P(V3) × P(V4)
P(Risk = High) = (4/6) × (4/6) × (3/6) × (2/6) × (3/6) × (3/6) × (1) × (4/6) × (3/6) × (4/6) × (1) × (4/6) × (1) × (1) × (2/6) = 0.0914
P(Risk = Medium) = 0
P(Risk = Low) = 0

The probability of the risk being high is 0.0914, and the probabilities of it being medium or low are 0. This means the risk is probably high.

IV. RECOMMENDATION FOR FUTURE RESEARCH

One of the most obvious factors affecting risk is the external factor. An external factor is an event happening outside the organisation, which may be social, economic or political. The intelligent agent could connect to other databases which track these events and adjust itself and the data set by changing an external attribute. This would help organisations keep the best security controls in place at all times. The agent could also use data mining techniques to determine accuracy parameters.

APPENDIX

Figure 1: Information Security Risk Assessment Bayesian Belief Network

Table 1: Company A Training Data

Columns: A = asset number; C = classification (see Table 2); asset content / impact: AC1 Financial Focus, AC2 Customer Focus, AC3 Process Focus, AC4 Renewal and Development Focus, AC5 Human Focus; threat group: T1 Physical and Environmental, T2 Computer and Network, T3 Business Continuity, T4 Compliance; vulnerability: V1 Personal Security, V2 Physical and Environmental Security, V3 Computer and Network Management, V4 System Development and Maintenance; ARO = occurrence rate; R = risk level.

A   C    AC1 AC2 AC3 AC4 AC5  T1 T2 T3 T4  V1 V2 V3 V4  ARO  R
1   P.   Y   Y   Y   Y   N    Y  N  Y  N   Y  Y  Y  Y   1    High
2   P.   Y   N   Y   N   Y    Y  N  Y  Y   Y  Y  Y  Y   1    High
3   P.   N   Y   N   Y   N    Y  Y  N  N   Y  N  Y  Y   2    High
4   P.   N   N   N   N   Y    Y  N  N  N   Y  N  Y  Y   3    High
5   S.   Y   Y   Y   Y   N    Y  N  Y  Y   Y  Y  Y  Y   2    High
6   S.   Y   N   Y   N   Y    Y  N  N  N   Y  Y  Y  Y   2    High
7   S.   N   Y   N   Y   N    Y  N  N  N   Y  N  Y  Y   1    Medium
8   S.   N   N   N   N   Y    Y  N  N  N   Y  N  Y  Y   1    Medium
9   E.   Y   Y   Y   N   N    Y  N  N  N   Y  Y  Y  N   1    Medium
10  E.   N   N   N   N   N    Y  N  N  N   Y  Y  Y  N   2    Medium
11  E.   N   Y   N   N   Y    N  Y  N  Y   Y  N  Y  Y   2    Medium
12  E.   N   N   N   N   Y    N  Y  N  N   Y  N  Y  N   1    Low
13  Pu.  Y   Y   N   N   N    N  N  N  N   Y  N  N  N   0    Low
14  Pu.  N   N   N   N   N    N  N  N  N   Y  N  N  N   1    Low
15  Pu.  N   N   N   N   N    N  N  N  N   Y  N  N  N   1    Low
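The Naïve Bayes scoring of Sections III.C and III.D run over the Table 1 rows above, as an added example that is not the paper's own code. The per-attribute fractions are recomputed from the transcribed table rather than copied from the paper's worked figures, and the optional Laplace-smoothing parameter is an addition of this example, not part of the paper's method; it is there to show how a single attribute value that never occurs with a risk level (here C = Private among the Medium and Low rows) zeroes that level's score.

```python
"""Naive Bayes risk scoring in the style of Section III.C/D of the paper.

Added example, not code from the paper. Training rows are transcribed from
Table 1 (Company A); the new instance is the Section III.D asset.
"""
from fractions import Fraction

# Attribute order of the paper's formula: C, AC1..AC5, T1..T4, V1..V4, ARO.
ATTRS = ["C", "AC1", "AC2", "AC3", "AC4", "AC5",
         "T1", "T2", "T3", "T4", "V1", "V2", "V3", "V4", "ARO"]

# Table 1 as transcribed: classification, thirteen Y/N flags, ARO, risk level.
TABLE_1 = """
P Y Y Y Y N Y N Y N Y Y Y Y 1 High
P Y N Y N Y Y N Y Y Y Y Y Y 1 High
P N Y N Y N Y Y N N Y N Y Y 2 High
P N N N N Y Y N N N Y N Y Y 3 High
S Y Y Y Y N Y N Y Y Y Y Y Y 2 High
S Y N Y N Y Y N N N Y Y Y Y 2 High
S N Y N Y N Y N N N Y N Y Y 1 Medium
S N N N N Y Y N N N Y N Y Y 1 Medium
E Y Y Y N N Y N N N Y Y Y N 1 Medium
E N N N N N Y N N N Y Y Y N 2 Medium
E N Y N N Y N Y N Y Y N Y Y 2 Medium
E N N N N Y N Y N N Y N Y N 1 Low
Pu Y Y N N N N N N N Y N N N 0 Low
Pu N N N N N N N N N Y N N N 1 Low
Pu N N N N N N N N N Y N N N 1 Low
"""

# Section III.D instance: Annual Financial Report (C=Private, ..., ARO=1).
NEW_INSTANCE = dict(zip(ATTRS, "P Y N N Y Y Y N Y N Y Y Y Y 1".split()))

def parse_table(text):
    """Return a list of (attribute_dict, risk_label) pairs."""
    rows = []
    for line in text.strip().splitlines():
        parts = line.split()
        rows.append((dict(zip(ATTRS, parts[:-1])), parts[-1]))
    return rows

def conditional(rows, label, attr, value, alpha=0):
    """P(attr = value | Risk = label). alpha=0 is the raw frequency the paper
    uses (an unseen value zeroes the whole product); alpha>0 adds Laplace
    smoothing over the values seen for that attribute (this example's addition)."""
    in_class = [r for r, lab in rows if lab == label]
    domain = {r[attr] for r, _ in rows} | {value}
    hits = sum(1 for r in in_class if r[attr] == value)
    return Fraction(hits + alpha, len(in_class) + alpha * len(domain))

def class_scores(rows, instance, alpha=0):
    """Product of per-attribute conditionals per risk level. As in the paper,
    no class prior P(h) or P(D) normalisation: these are unnormalised scores."""
    scores = {}
    for label in sorted({lab for _, lab in rows}):
        score = Fraction(1)
        for attr in ATTRS:
            score *= conditional(rows, label, attr, instance[attr], alpha)
        scores[label] = score
    return scores

def predict(rows, instance, alpha=0):
    """Highest-scoring risk level, or None when every score collapsed to 0."""
    scores = class_scores(rows, instance, alpha)
    if all(s == 0 for s in scores.values()):
        return None
    return max(scores, key=scores.get)

if __name__ == "__main__":
    rows = parse_table(TABLE_1)
    for alpha in (0, 1):
        scores = class_scores(rows, NEW_INSTANCE, alpha)
        shown = {k: f"{float(v):.3g}" for k, v in scores.items()}
        print(f"alpha={alpha}: {shown} -> {predict(rows, NEW_INSTANCE, alpha)}")
```

With alpha=0 the Medium and Low scores are exactly 0 for the same reason the paper reports them as 0, and High is selected; with alpha=1 every level gets a non-zero score and High still wins.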

Table 2: Company A Asset Classification Table

Classification   Definition
External (E.)    Security and handling requirements are given by another entity outside of the company
Private (P.)     If disclosed, could cause serious harm to the business
Sensitive (S.)   If disclosed, could cause moderate harm to the business or personnel
Public (Pu.)     Data is not sensitive

Examples (as listed in the table): data from a government program; controlled information from a business partner; specifications or drawings of products; business plans/strategies; salary information; sales figures; organization charts; company picnic plans; sales literature.

REFERENCES

[1] A. Mukhopadhyay, S. Chatterjee, D. Saha, A. Mahanti and S. K. Sadhukhan, "e-Risk Management with Insurance: A framework using Copula aided Bayesian Belief Networks," Proceedings of the 39th Hawaii International Conference on System Sciences, 2006.
[2] CSI/FBI, "The 12th Annual Computer Crime and Security Survey," 2007. [Online]. Available: http://www.gocsi.com/forms/csi_survey.jhtml
[3] X. Wang, H. Kiliccote, P. K. Khosla and C. Zhang, "Agent-based Risk Learning for Computing Systems," Proceedings of the Fourth International Conference on MultiAgent Systems, pp. 459-460, 2000.
[4] A. K. T. Hui and D. B. Liu, "A Bayesian Belief Network Model and Tool to Evaluate Risk and Impact in Software Development Projects," Proceedings of the 2004 Annual Symposium of Reliability and Maintainability, pp. 297-301, 2004.
[5] B. Berger, "Data-Centric Quantitative Computer Security Risk Assessment," 2003. [Online]. Available: http://www.sans.org/reading_room/whitepapers/auditing/1209.php
[6] N. Bontis, "Assessing knowledge assets: a review of the models used to measure intellectual capital," International Journal of Management Reviews, vol. 39, no. 1, pp. 41-60, 2001.
[7] BSI, PD 3002:2002 - Guide to BS 7799 Risk Assessment, London: British Standards Institution, 2002.