Performance evaluation of the recommendation mechanism of information security risk identification
Performance evaluation of a recommendation mechanism for information security risk identification
Neurocomputing, In press, corrected proof, Available online 2 December 2017
Yu-Chih Wei, Wei-Chen Wu, Ya-Chi Chu
Abstract: In recent decades, information security has become crucial for protecting the benefits of a business operation. Many organizations perform information security risk management in order to analyze their weaknesses and enforce the security of their business processes. However, identifying the threat–vulnerability pairs for each information asset during risk assessment is difficult and time-consuming for the risk assessor. Furthermore, if the identified risk diverges from the real situation, the organization may put emphasis on unnecessary controls to prevent a non-existent risk. In order to resolve the problem mentioned above, we utilize a data mining approach to discover the relationship between assets and threat–vulnerability pairs. In this paper, we propose a risk recommendation mechanism for assisting users in identifying threats and vulnerabilities. In addition, we also implement a risk assessment system to collect historical selection records and measure the elapsed time. The results show that with the assistance of risk recommendations, the mean elapsed time is shorter than with the traditional method by more than 21%. The experimental results show that the risk recommendation system can improve both the efficiency and the accuracy of risk identification.
Network and information security challenges within Industry 4.0 paradigm
Network and information security challenges of the Industry 4.0 paradigm
Procedia Manufacturing, Volume 13, 2017, Pages 1253-1260
T. Pereira, L. Barreto, A. Amaral
Abstract: Currently, Information and Communication Technologies (ICT) support most industrial manufacturing processes. The IT revolution has brought an important transformation in organizations, with impacts comparable to those of the mechanization and electricity brought by the first and second industrial revolutions. This evolution has promoted the emergence of cloud-based systems, the Internet of Things (IoT), Big Data, Industry 4.0, and the BYOD (Bring Your Own Device) and CYOD (Choose Your Own Device) trends. However, new technological solutions always carry security vulnerabilities, which most of the time reveal unexpected risks. In fact, with increasing reliance on technology to gain competitive advantage, security issues have become one of the most critical and challenging requirements for conducting successful business. In this paper, we highlight some reflections regarding the challenges of Industry 4.0, emphasizing the security issues, with the aim of raising awareness of good security practices within Industry 4.0.
On inter-rater reliability of information security experts
Inter-rater reliability of information security experts
Journal of Information Security and Applications, Volume 37, December 2017, Pages 101-111
Abdulhadi Shoufan, Ernesto Damiani
Abstract: The Confidentiality-Availability-Integrity (CIA) triad is a time-honored warhorse of security analysis. Qualitative assessment of security requirements based on the CIA triad is an important step in many standard procedures for selecting and deploying security controls. However, little attention has been devoted to monitoring how the CIA triad is used in practice, and how reliable the experts' assessments that make use of it are. In this paper, a panel of 20 security experts was asked to apply the CIA triad to 45 practical security scenarios involving UAV-to-ground transmission of control and information data. The experts' responses were analyzed using Fleiss' kappa, a statistical test for inter-rater reliability. Results show agreement to be low (from 13.8% to 20.1% depending on the scenario), but higher on scenarios where the experts' majority estimates tight security to be needed. A low number of polled experts is found to affect inter-rater reliability negatively; however, increasing this number beyond ten does not provide additional reliability. A bias toward giving a specific rating could be identified for 14 of the 20 experts. The six unbiased experts showed higher inter-rater agreement. These findings suggest that (i) there is no guaranteed "safety in numbers" when recruiting security expert panels and (ii) expert selection for security rating processes should include verification of the agreement level on toy problems for all subsets of the panel, to highlight subsets showing high inter-rater agreement.
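The abstract above measures panel agreement with Fleiss' kappa and recommends checking agreement on toy problems for every subset of the panel. The following is an added worked example, not the study's data or the authors' code: it computes Fleiss' kappa from a constructed set of ratings (three hypothetical raters "A", "B", "C", four scenarios, a three-level scale), scans all rater subsets for the one with the highest kappa, and reports each rater's dominant category as a simple bias indicator. The rater names, scenarios and scores are invented for illustration.

```python
"""Fleiss' kappa for a panel of security raters (added worked example).

Constructed toy data: three hypothetical raters ("A", "B", "C") score four
security scenarios on a three-level scale. Everything here is invented for
illustration; it is not the study's data or the authors' code.
"""
from collections import Counter
from itertools import combinations
from typing import Dict, List, Sequence, Tuple

CATEGORIES: Tuple[str, ...] = ("low", "medium", "high")

# rater -> one rating per scenario (four scenarios); constructed values
RATINGS: Dict[str, List[str]] = {
    "A": ["low", "medium", "low", "low"],
    "B": ["low", "medium", "medium", "low"],
    "C": ["low", "medium", "high", "medium"],
}


def count_matrix(ratings: Dict[str, List[str]],
                 categories: Sequence[str]) -> List[List[int]]:
    """Build the N x k matrix n_ij: number of raters putting scenario i in category j."""
    columns = list(ratings.values())
    n_subjects = len(columns[0])
    if any(len(col) != n_subjects for col in columns):
        raise ValueError("every rater must score every scenario")
    matrix = []
    for i in range(n_subjects):
        tally = Counter(col[i] for col in columns)
        unknown = set(tally) - set(categories)
        if unknown:
            raise ValueError(f"rating outside the scale: {unknown}")
        matrix.append([tally.get(c, 0) for c in categories])
    return matrix


def fleiss_kappa(matrix: List[List[int]]) -> float:
    """Fleiss' kappa from the count matrix (same number of raters per subject)."""
    n_subjects = len(matrix)
    n_raters = sum(matrix[0])
    if n_raters < 2:
        raise ValueError("need at least two raters")
    # P_i: fraction of rater pairs that agree on subject i; P_bar is its mean
    p_bar = sum((sum(n * n for n in row) - n_raters) / (n_raters * (n_raters - 1))
                for row in matrix) / n_subjects
    # p_j: share of all ratings in category j; P_e is the chance agreement
    totals = [sum(row[j] for row in matrix) for j in range(len(matrix[0]))]
    p_e = sum((t / (n_subjects * n_raters)) ** 2 for t in totals)
    if p_e == 1.0:
        # every rating identical: agreement is perfect but the ratio is 0/0
        return 1.0
    return (p_bar - p_e) / (1.0 - p_e)


def panel_kappa(ratings: Dict[str, List[str]], categories: Sequence[str]) -> float:
    return fleiss_kappa(count_matrix(ratings, categories))


def best_subset(ratings: Dict[str, List[str]], categories: Sequence[str],
                min_size: int = 2) -> Tuple[Tuple[str, ...], float]:
    """Kappa for every rater subset of size >= min_size; return the best one."""
    names = list(ratings)
    best: Tuple[Tuple[str, ...], float] = ((), float("-inf"))
    for size in range(min_size, len(names) + 1):
        for subset in combinations(names, size):
            kappa = panel_kappa({n: ratings[n] for n in subset}, categories)
            if kappa > best[1]:
                best = (subset, kappa)
    return best


def rater_bias(ratings: Dict[str, List[str]]) -> Dict[str, Tuple[str, float]]:
    """Per rater: the category used most often and the share of ratings in it."""
    out = {}
    for name, scores in ratings.items():
        category, count = Counter(scores).most_common(1)[0]
        out[name] = (category, count / len(scores))
    return out


if __name__ == "__main__":
    print("full panel kappa:", round(panel_kappa(RATINGS, CATEGORIES), 4))
    print("best subset:", best_subset(RATINGS, CATEGORIES))
    print("bias:", rater_bias(RATINGS))
```

With the constructed data the full panel reaches a kappa of 11/41 (about 0.27), while the pair A and B alone reaches 7/15 (about 0.47), which is the effect the abstract describes: a subset of the panel can agree far better than the panel as a whole, and adding a rater who leans on one category lowers the score. The subset scan is exponential in panel size, which is acceptable for the twenty-rater panels discussed here but not for much larger ones.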
Wireless Information-Theoretic Security: Theoretical analysis & experimental measurements with multiple eavesdroppers in an outdoor obstacle-dense MANET
Wireless information-theoretic security: theoretical analysis and experimental measurements with multiple eavesdroppers in an outdoor obstacle-dense MANET environment
Physical Communication, Volume 25, Part 2, December 2017, Pages 577-587
Theofilos Chrysikos, Konstantinos Birkos, Tasos Dagiuklas, Stavros Kotsopoulos
Abstract: Wireless Information-Theoretic Security (WITS) has been suggested as a robust security scheme, especially for infrastructure-less networks. Based on the physical layer, WITS considers quasi-static Rayleigh fading instead of the classic Gaussian wiretap scenario. In this paper, the key parameters of WITS are investigated by implementing an 802.11n ad-hoc network in an outdoor obstacle-dense topology. Measurements performed throughout the topology allow for a realistic evaluation of a scenario with multiple moving eavesdroppers. Low-speed user movement has been considered, so that Doppler spread can be disregarded. A set of discrete field test trials has been conducted, based on simulation of human mobility throughout an obstacle-constrained environment. Average Signal-to-Noise Ratio (SNR) values have been measured for all moving nodes, and the Probability of Non-Zero Secrecy Capacity has been calculated for different eavesdropping cooperative schemes (Selection Combining and Maximal-Ratio Combining). In addition, the Outage Probability has been estimated with regard to a non-zero target Secrecy Rate for both techniques. The results have been compared with the respective values of WITS key parameters derived from theoretical analysis.
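The abstract names the two WITS quantities that the measurements feed into: the probability of non-zero secrecy capacity and the secrecy outage probability under quasi-static Rayleigh fading, for eavesdroppers that combine their observations by Selection Combining (SC) or Maximal-Ratio Combining (MRC). The block below is an added worked example, not the paper's code or its measured data. The single-eavesdropper closed forms are the standard Bloch et al. (2008) results; the SC and MRC expressions for K eavesdroppers are this example's own derivation under the simplifying assumption that all eavesdropper links are independent Rayleigh with the same mean SNR, and a Monte Carlo routine cross-checks them. The mean SNR values (10 dB main link, about 7 dB eavesdropper link) are invented inputs.

```python
"""Quasi-static Rayleigh WITS metrics (added worked example, not the paper's code).

Single-eavesdropper closed forms follow Bloch et al. (2008). The SC/MRC forms
for K eavesdroppers are this example's own derivation assuming i.i.d. Rayleigh
eavesdropper links with a common mean SNR. Mean SNRs used below are assumptions.
"""
import math
import random


def db_to_linear(snr_db: float) -> float:
    """Average SNR in dB -> linear scale, as used in every formula below."""
    return 10 ** (snr_db / 10)


def p_nonzero_single(gm: float, ge: float) -> float:
    """P(Cs > 0) for one eavesdropper; gm, ge = mean linear SNR of main / eavesdropper link."""
    return gm / (gm + ge)


def outage_single(gm: float, ge: float, rate_s: float) -> float:
    """P(Cs < Rs) for one eavesdropper, target secrecy rate Rs in bit/s/Hz."""
    two_r = 2 ** rate_s
    return 1 - (gm / (gm + two_r * ge)) * math.exp(-(two_r - 1) / gm)


def p_nonzero_sc(gm: float, ge: float, k: int) -> float:
    """K i.i.d. eavesdroppers, Selection Combining: P(gamma_M > max_k gamma_E,k).

    The CDF of the maximum is (1 - exp(-x/ge))^K; expanding it binomially and
    integrating against the exponential pdf of gamma_M gives the sum below.
    """
    return sum((-1) ** j * math.comb(k, j) * ge / (ge + j * gm) for j in range(k + 1))


def p_nonzero_mrc(gm: float, ge: float, k: int) -> float:
    """K i.i.d. eavesdroppers, MRC: combined SNR is Gamma(K, ge), so P = E[exp(-Y/gm)]."""
    return (gm / (gm + ge)) ** k


def mc_secrecy_prob(gm: float, ge: float, k: int, scheme: str,
                    rate_s: float = 0.0, n: int = 100_000, seed: int = 1) -> float:
    """Monte Carlo estimate of P(Cs > Rs) with exponential instantaneous SNRs.

    scheme is "sc" (eavesdroppers pick the strongest observation) or "mrc"
    (eavesdroppers add their SNRs). Cs = max(0, log2(1+g_M) - log2(1+g_E)).
    """
    if scheme not in ("sc", "mrc"):
        raise ValueError("scheme must be 'sc' or 'mrc'")
    rng = random.Random(seed)
    hits = 0
    for _ in range(n):
        g_main = rng.expovariate(1 / gm)
        eaves = [rng.expovariate(1 / ge) for _ in range(k)]
        g_eve = max(eaves) if scheme == "sc" else sum(eaves)
        cs = max(0.0, math.log2(1 + g_main) - math.log2(1 + g_eve))
        hits += cs > rate_s
    return hits / n


if __name__ == "__main__":
    gm, ge = db_to_linear(10.0), 5.0  # assumed mean SNRs: 10 dB main, ~7 dB eavesdropper
    print("P(Cs>0), 1 eavesdropper:", p_nonzero_single(gm, ge))
    print("P(Cs>0), SC, K=2:", p_nonzero_sc(gm, ge, 2), "MC:", mc_secrecy_prob(gm, ge, 2, "sc"))
    print("P(Cs>0), MRC, K=2:", p_nonzero_mrc(gm, ge, 2), "MC:", mc_secrecy_prob(gm, ge, 2, "mrc"))
    print("Outage at Rs=1 bit/s/Hz, 1 eavesdropper:", outage_single(gm, ge, 1.0))
```

Two checks worth noticing: with K=1 both combining formulas collapse to the single-eavesdropper result, and `outage_single` at Rs=0 equals 1 minus `p_nonzero_single`, so the outage curve starts at the probability of zero secrecy capacity. MRC is the harsher case for the legitimate link because the eavesdroppers' SNRs add, which is why its non-zero secrecy probability is the lower of the two for the same K.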