Model-Based Risk Assessment to Improve Enterprise Security
Authors
Abstract
The main objective of the CORAS project is to provide methods and tools for precise, unambiguous, and efficient risk assessment of security-critical systems. To this end, we advocate a model-based approach to risk assessment, and this paper attempts to define the models required for it. Whereas traditional risk assessment is performed without any formal description of the target of evaluation or of the results of the risk assessment, CORAS aims to provide a well-defined set of models suited to (1) describe the target of assessment at the right level of abstraction, (2) serve as a medium for communication between the different groups of stakeholders involved in a risk assessment, and (3) document risk assessment results and the assumptions on which these results depend. We propose here models for each step in a risk assessment process and report results of their use.
Similar references
Threat-Based Risk Assessment for Enterprise Networks
Protecting enterprise networks requires continuous risk assessment that automatically identifies and prioritizes cybersecurity risks, enables efficient allocation of cybersecurity resources, and enhances protection against modern cyberthreats. Lincoln Laboratory developed a foundational network security maturity model to guide development of such risk assessments and has developed practical ris...
An EFQM Based Model to Assess an Enterprise Readiness for ERP Implementation
In today's competitive market, Enterprise Resource Planning (ERP) systems are widely used by industries. However, the results of the research efforts carried out in this field reveal that the rate of successful implementations for ERP projects is low and that in most cases the planned goals are not achieved. Therefore it is necessary to assess the maturity of an enterprise in terms of factors affect...
A risk model for cloud processes
Traditionally, risk assessment consists of evaluating the probability of "feared events", corresponding to known threats and attacks, as well as these events' severity, corresponding to their impact on one or more stakeholders. Assessing risks of cloud-based processes is particularly difficult due to lack of historical data on attacks, which has prevented frequency-based identification...
Attack tree based information security risk assessment method integrating enterprise objectives with vulnerabilities
In order to perform the analysis and mitigation efforts related to information security risks, there exist quantitative and qualitative approaches, but the most critical shortcoming of these methods is the fact that the outcome mainly addresses the needs and priorities of the technical community rather than of management. For enterprise management, this information is essentially req...
Developing Secure Networked Web-Based Systems Using Model-based Risk Assessment and UMLsec
Despite a growing awareness of security issues in networked computing systems, most development processes used today still do not take security aspects into account. To address this problem, we designed a process for developing secure networked systems based on UMLsec, the extension of the Unified Modeling Language (UML) for secure systems development, and on the concept of model-based risk asses...