RAMeX: a prototype expert system for computer security risk analysis and management

1995 ◽  
Vol 14 (5) ◽  
pp. 449-463 ◽  
Author(s):  
Muninder P. Kailay ◽  
Peter Jarratt
Keyword(s):  
Expert System ◽  
Risk Analysis ◽  
Computer Security ◽  
Security Risk ◽  
Risk Analysis And Management

scholarly journals Method for Attack Tree Data Transformation and Import Into IT Risk Analysis Expert Systems

2020 ◽  
Vol 10 (23) ◽  
pp. 8423
Author(s):  
Donatas Vitkus ◽  
Jonathan Salter ◽  
Nikolaj Goranin ◽  
Dainius Čeponis
Keyword(s):  
Expert System ◽  
Risk Analysis ◽  
Expert Systems ◽  
Knowledge Base ◽  
Automated Analysis ◽  
Knowledge Bases ◽  
It Security ◽  
Security Risk ◽  
Attack Tree ◽  
Attack Trees

Information technology (IT) security risk analysis preventatively helps organizations in identifying their vulnerable systems or internal controls. Some researchers propose expert systems (ES) as the solution for risk analysis automation since risk analysis by human experts is expensive and timely. By design, ES need a knowledge base, which must be up to date and of high quality. Manual creation of databases is also expensive and cannot ensure stable information renewal. These facts make the knowledge base automation process very important. This paper proposes a novel method of converting attack trees to a format usable by expert systems for utilizing the existing attack tree repositories in facilitating information and IT security risk analysis. The method performs attack tree translation into the Java Expert System Shell (JESS) format, by consistently applying ATTop, a software bridging tool that enables automated analysis of attack trees using a model-driven engineering approach, translating attack trees into the eXtensible Markup Language (XML) format, and using the newly developed ATES (attack trees to expert system) program, performing further XML conversion into JESS compatible format. The detailed method description, along with samples of attack tree conversion and results of conversion experiments on a significant number of attack trees, are presented and discussed. The results demonstrate the high method reliability rate and viability of attack trees as a source for the knowledge bases of expert systems used in the IT security risk analysis process.

Security Protection for Critical Infrastructure

2011 ◽  
pp. 609-615
Author(s):  
M. J. Warren
Keyword(s):  
Information Technology ◽  
Risk Analysis ◽  
Computer Security ◽  
Critical Infrastructure ◽  
Information Infrastructure ◽  
Information Warfare ◽  
Security Risk ◽  
Security Risks ◽  
Information Technology Security ◽  
Information Interchange

Understanding and managing information infrastructure (II) security risks is a priority to most organizations dealing with information technology and information warfare (IW) scenarios today (Libicki, 2000). Traditional security risk analysis (SRA) was well suited to these tasks within the paradigm of computer security, where the focus was on securing tangible items such as computing and communications equipment (NCS,1996; Cramer, 1998). With the growth of information interchange and reliance on information infrastructure, the ability to understand where vulnerabilities lie within an organization, regardless of size, has become extremely difficult (NIPC, 1996). To place a value on the information that is owned and used by an organization is virtually an impossible task. The suitability of risk analysis to assist in managing IW and information infrastructure-related security risks is unqualified, however studies have been undertaken to build frameworks and methodologies for modeling information warfare attacks (Molander, Riddile, & Wilson, 1996; Johnson, 1997; Hutchinson & Warren, 2001) which will assist greatly in applying risk analysis concepts and methodologies to the burgeoning information technology security paradigm, information warfare.

scholarly journals Automated Expert System Knowledge Base Development Method for Information Security Risk Analysis

2019 ◽  
Vol 14 (6) ◽  
pp. 743-758 ◽  
Author(s):  
Donatas Vitkus ◽  
Žilvinas Steckevičius ◽  
Nikolaj Goranin ◽  
Diana Kalibatienė ◽  
Antanas Čenys
Keyword(s):  
Expert System ◽  
Information Security ◽  
Risk Analysis ◽  
Knowledge Base ◽  
Expert Knowledge ◽  
Management Decision ◽  
Problem Solution ◽  
Security Risk ◽  
Development Method ◽  
Information Security Risk

Information security risk analysis is a compulsory requirement both from the side of regulating documents and information security management decision making process. Some researchers propose using expert systems (ES) for process automation, but this approach requires the creation of a high-quality knowledge base. A knowledge base can be formed both from expert knowledge or information collected from other sources of information. The problem of such approach is that experts or good quality knowledge sources are expensive. In this paper we propose the problem solution by providing an automated ES knowledge base development method. The method proposed is novel since unlike other methods it does not integrate ontology directly but utilizes automated transformation of existing information security ontology elements into ES rules: The Web Ontology Rule Language (OWL RL) subset of ontology is segregated into Resource Description Framework (RDF) triplets, that are transformed into Rule Interchange Format (RIF); RIF rules are converted into Java Expert System Shell (JESS) knowledge base rules. The experiments performed have shown the principal method applicability. The created knowledge base was later verified by performing comparative risk analysis in a sample company.

scholarly journals Security Risk Analysis and Management in mobile wallet transaction: A Case study of Pagatech Nigeria Limited

2018 ◽  
Vol 10 (12) ◽  
pp. 21-33
Author(s):  
Musbau D. Abdulrahaman ◽  
◽  
John K. Alhassan ◽  
Joseph A. Ojeniyi ◽  
Shafii M. Abdulhamid
Keyword(s):  
Risk Analysis ◽  
Security Risk ◽  
Risk Analysis And Management

scholarly journals ESTUDIO COMPARATIVO ENTRE LAS METODOLOGÍAS CRAMM Y MAGERIT PARA LA GESTIÓN DE RIESGO DE TI EN LAS MPYMES

UDA AKADEM ◽  
2018 ◽  
pp. 38-47
Author(s):  
Esteban Crespo-Martínez ◽  
Geovanna Cordero-Torres
Keyword(s):  
Risk Management ◽  
Information Security ◽  
Risk Analysis ◽  
Reference Frames ◽  
Security Risk ◽  
Project Proposal ◽  
Palabras Clave ◽  
Security Risk Management ◽  
Iso 27001 ◽  
Risk Analysis And Management

Lograr el objetivo de proponer una metodología de seguridad de la información para la gestión del riesgoinformático, aplicable al entorno empresarial y organizacional, del sector MPYME ecuatoriano, requiere del análisis de las metodologías Magerit y CRAMM (CCTA Risk Analysis and Management Method), las mismas que son internacionalmente utilizadas en la gestión del riesgo de información; contemplando los marcos de referencia que contienen las mejores prácticas de la industria: ISO 27001, 27002, 27005 y 31000.Palabras clave: riesgos, gestión, Magerit, CRAMM, tecnologías de información, TI, seguridad, información, SGSI.AbstractThis paper aims to study the CRAMM (CCTA Risk Analysis and Manage ment Method) and Magerit methodologies used in information risk management. It contemplates international reference frames that contain the best practices in the industry: ISO 27001, 27002, 27005 and 31000.This research is part of a project proposal of “Methodology for information security risk management, applicable to MSMEs” applicable to the Ecuadorian environment. Keywords: Risk, Management, Magerit, CRAMM, Information Technology, IT, Information Security, ISMS.  

Sign in / Sign up

Export Citation Format

Share Document