Biblio

Cybersecurity is without doubt becoming a societal challenge. It even starts to affect sectors that were not considered to be at risk in the past because of their relative isolation. One of these sectors is aviation in general, and specifically air traffic management. Nowadays, the cyber security is one of the essential issues of current Air Traffic Systems. Compliance with the basic principles of cyber security is mandated by European Union law as well as the national law. Therefore, EUROCONTROL as the provider of several tools or services (ARTAS, EAD, SDDS, etc.), is regularly conducting various activities, such as the cyber-security assessments, penetration testing, supply chain risk assessment, in order to maintain and improve persistence of the products against the cyber-attacks.

Cybersecurity attacks, which have many business impacts, continuously become more intelligent and complex. These attacks take the form of a combination of various attack elements. APT attacks reflect this characteristic well. To defend against APT attacks, organizations should sufficiently understand these attacks based on the attack elements and their relations and actively defend against these attacks in multiple dimensions. Most organizations perform risk management to manage their information security. Generally, they use the information system risk assessment (ISRA). However, the method has difficulties supporting sufficiently analyzing security risks and actively responding to these attacks due to the limitations of asset-driven qualitative evaluation activities. In this paper, we propose a threat-driven risk assessment method. This method can evaluate how dangerous APT attacks are for an organization, analyze security risks from multiple perspectives, and support establishing an adaptive security strategy.

Effective information security risk management is essential for survival of any business that is dependent on IT. In this paper we present an efficient and effective solution to find best parameters for managing cyber risks using artificial intelligence. Genetic algorithm is use as it can provide our required optimization and intelligence. Results show that GA is professional in finding the best parameters and minimizing the risk.

Currently, many organizations are moving to new digital management systems, which is accompanied not only by the introduction of new approaches based on the use of information technology, but also by a change in the organizational and management environment. Risk management is a process necessary to maintain the competitive advantage of an organization, but it can also become involved in the course of digitalization itself, which means that risk management also needs to change to meet modern conditions and ensure the effectiveness of the organization. This article discusses the risk management process in the digital environment. The main approach to the organization of this process is outlined, taking into account the use of information tools, together with the stages of this process, which directly affect the efficiency of the company. The risks that are specific to a digital organization are taken into account. Modern requirements for risk management for organizations are studied, ways of their implementation are outlined. The result is a risk management process that functions in a digital organization.

This document takes an in-depth approach to identify WhatsApp's Security risk management, governance and controls. WhatsApp is a communication mobile application that is available on both android and IOS, recently acquired by Facebook and allows us to stay connected. This document identifies all necessary assets, threats, vulnerabilities, and risks to WhatsApp and further provides mitigations and security controls to possibly utilize and secure the application.

Cybersecurity insurance is one of the important means of cybersecurity risk management and the development of cyber insurance is inseparable from the support of cyber risk assessment technology. Cyber risk assessment can not only help governments and organizations to better protect themselves from related risks, but also serve as a basis for cybersecurity insurance underwriting, pricing, and formulating policy content. Aiming at the problem that cybersecurity insurance companies cannot conduct cybersecurity risk assessments on policyholders before the policy is signed without the authorization of the policyholder or in legal, combining with the need that cybersecurity insurance companies want to obtain network security vulnerability risk profiles of policyholders conveniently, quickly and at low cost before the policy signing, this study proposed a non-intrusive network security vulnerability risk assessment method based on ensemble machine learning. Our model uses only open source intelligence and publicly available network information data to rate cyber vulnerability risk of an organization, achieving an accuracy of 70.6% compared to a rating based on comprehensive information by cybersecurity experts.

The article deals with the issues of improving the quality of corporate information systems functioning and ensuring the information security of financial organizations that have a complex structure and serve a significant number of customers. The formation of the company's informational system and its integrated information security system is studied based on the process approach, methods of risk management and quality management. The risks and threats to the security of the informational system functioning and the quality of information support for customer service of a financial organization are analyzed. The methods and tools for improving the quality of information services and ensuring information security are considered on the example of an organization for social insurance. Recommendations are being developed to improve the quality of the informational system functioning in a large financial company.

Information Technology (IT) governance crosses the organization practices, culture, and policy that support IT management in controlling five key functions, which are strategic alignment, performance management, resource management, value delivery, and risk management. The line of sight is extended from the corporate strategy to the risk management, and risk controls are assessed against operational goals. Thus, the risk management model is concerned with ensuring that the corporate risks are sufficiently controlled and managed. Many organizations rely on IT services to facilitate and sustain their operations, which mandate the existence of a risk management model in their IT governance. This paper examines prior research based on IT governance by using a risk management framework. It also proposes a new method for calculating and classifying IT-related risks. Additionally, we assessed our technique with one of the critical IT services that proves the reliability and accuracy of the implemented model.

This article analyzes Risk management (RM) activities against different ISO standards. The aim is to improve the coordination and interoperability of risk management activities in IT, IT services management, quality management, project management, and information security management. The ISO 31000: 2018 standard was chosen as a structured input for ISO 20000-1: 2018, ISO 21500: 2021, ISO 27000: 2018, ISO 9001: 2015 and ISO Annex SL standards relative to RM. The PDCA cycle has been chosen as one of the main methods for planning, implementing, and improving quality management systems and their processes. For a management system to be more effective, more reliable, and capable of preventing negative results, it must deal with the possible resulting risks.

This paper presents a Ph.D. research plan that focuses on solving the existing problems in risk management of critical infrastructures, by means of a novel DevSecOps-enabled framework. Critical infrastructures are complex physical and cyber-based systems that form the lifeline of a modern society, and their reliable and secure operation is of paramount importance to national security and economic vitality. Therefore, this paper proposes DevSecOps technology for managing risk throughout the entire development life cycle of such systems.

The Personnel Management Information System is managed by the Personnel and Human Resources Development Agency on local government office to provide personnel services. The existence of a system and information technology can help ongoing business processes but can have an impact or risk if the proper mitigation is not carried out. It is known that the problems are damage to databases, servers, and computer equipment due to bad weather, network connections being lost due to power outages, data loss due to not having backup data, and human error. This resulted in PMIS being inaccessible for some time, thus hampering ongoing business processes and causing financial losses. This study aims to identify risks, conduct a risk assessment using the failure mode and effects analysis (FMEA) method, and provide mitigation recommendations based on the ISO/IEC 27002:2013 standard. The analysis results obtained 50 failure modes categorized into five asset categories, and six failure modes have a high level. Then provide mitigation recommendations based on the ISO/IEC 27002:2013 Standard, which has been adapted to the needs of Human Resources Development Agency. Thus, the results of this study are expected to assist and serve as material for local office government's consideration in making improvements and security controls to avoid emerging threats to information assets.

With the spread of the Internet, various devices are now connected to it and the number of IoT devices is increasing. Data generated by IoT devices has traditionally been aggregated in the cloud and processed over time. However, there are two issues with using the cloud. The first is the response delay caused by the long distance between the IoT device and the cloud, and the second is the difficulty of implementing sufficient security measures on the IoT device side due to the limited resources of the IoT device at the end. To address these issues, fog computing, which is located in the middle between IoT devices and the cloud, has been attracting attention as a new network component. However, the risks associated with the introduction of fog computing have not yet been fully investigated. In this study, we conducted a risk assessment of fog computing, which is newly established to promote the use of IoT devices, and identified 24 risk factors. The main countermeasures include the gradual introduction of connected IoT connection protocols and security policy matching. We also demonstrated the effectiveness of the proposed risk measures by evaluating the risk values. The proposed risk countermeasures for fog computing should help us to utilize IoT devices in a safe and secure manner.

The presence of the Information Technology System (ITS) has become one of the components for basic needs that must be met in navigating through the ages. Organizational programs in responding to the industrial era 4.0 make the use of ITS is a must in order to facilitate all processes related to quality service in carrying out the main task of protecting and serving the community. The implementation of ITS is actually not easy forthe threat of challenges and disturbances in the form of risks haunts ITS's operations. These conditions must be able to be identified and analyzed and then action can be executed to reduce the negative impact, so the risks are acceptable. This research will study about ITS risk management using the the guideline of Information Technology Infrastructure Library (ITIL) to formulate an operational strategy in order ensure that STI services at the Papa Oscar Cikeas Data Center (DC) can run well in the form of recommendations. Based on a survey on the implementing elements of IT function, 82.18% of respondents considered that the IT services provided by DC were very important, 86.49% of respondents knew the importance of having an emergency plan to ensure their products and services were always available, and 67.17% of respondents believes that DC is well managed. The results of the study concludes that it is necessary to immediately form a structural DC organization to prepare a good path for the establishment of a professional data center in supporting public service information technology systems.

As permissioned blockchain becomes a common foundation of blockchain-based applications for current organizations, related stakeholders need a means to assess the security risks of the applications. Therefore, this study proposes a security risk management framework for permissioned blockchain applications. The framework divides itself into different implementation stacks and provides guidelines to control the security risks of permissioned blockchain applications. According to the best of our knowledge, this study is the first research that provides a means to evaluate the security risks of permissioned blockchain applications from a holistic point of view. If users can trust the applications that adopted this framework, this study can hopefully contribute to the adoption of permissioned blockchain technologies.

In recent years, a variety of information security incidents emerge in endlessly, with different types. Security vulnerability is an important factor leading to the security risk of information system, and is the most common and urgent security risk in information system. The research goal of this paper is to seamlessly integrate the security testing process and the integration process of software construction, deployment, operation and maintenance. Through the management platform, the security testing results are uniformly managed and displayed in reports, and the project management system is introduced to develop, regress and manage the closed-loop security vulnerabilities. Before the security vulnerabilities cause irreparable damage to the information system, the security vulnerabilities are found and analyzed Full vulnerability, the formation of security vulnerability solutions to minimize the threat of security vulnerabilities to the information system.

In the era of Big Data, opportunities and challenges are mixed. The data transfer is increasingly frequent and speedy, and the data lifecycle is also extended, bringing more challenges to security and privacy risk governance. Currently, the common measures of risk governance covering the entire data life cycle are the data-related staff management, equipment security management, data encryption codes, data content identification and de-identification processing, etc. With the trend of data globalization, regulations fragmentation and governance technologization, “International standards”, a measure of governance combining technology and regulation, has the potential to become the best practice. However, “voluntary compliance” of international standards derogates the effectiveness of risk governance through this measure. In order to strengthen the enforcement of the international standards, the paper proposes a governance approach which is “the framework regulated by international standards, and regulations and technologies specifically implemented by national legislation.” It aims to implement the security and privacy risk governance of Big Data effectively.

In recent years, new cyber attacks such as targeted attacks have caused extensive damage. With the continuing development of the IoT society, various devices are now connected to the network and are being used for various purposes. The Internet of Things has the potential to link cyber risks to actual property damage, as cyberspace risks are connected to physical space. With this increase in unknown cyber risks, the demand for cyber insurance is increasing. One of the most serious emerging risks is the silent cyber risk, and it is likely to increase in the future. However, at present, security measures against silent cyber risks are insufficient. In this study, we conducted a risk management of silent cyber risk for organizations with the objective of contributing to the development of risk management methods for new cyber risks that are expected to increase in the future. Specifically, we modeled silent cyber risk by focusing on state transitions to different risks. We newly defined two types of silent cyber risk, namely, Alteration risk and Combination risk, and conducted risk assessment. Our assessment identified 23 risk factors, and after analyzing them, we found that all of them were classified as Risk Transference. We clarified that the most effective risk countermeasure for Alteration risk was insurance and for Combination risk was measures to reduce the impact of the risk factors themselves. Our evaluation showed that the silent cyber risk could be reduced by about 50%, thus demonstrating the effectiveness of the proposed countermeasures.

This paper continues analysis of approaches of IT risk assessment and management in modern IT management frameworks. Building on systematicity principles and the review of concepts of risk and methods of risk analysis in the frameworks, we discuss applicability of the methods for business decision-making in the real world and propose ways to their improvement.

In order to ensure the security of information assets and standardize the risk assessment and inspection workflow of information assets. This paper has designed and developed a risk assessment system for information and communication equipment with simple operation, offline assessment, and diversified external interfaces. The process of risk assessment can be realized, which effectively improves the efficiency of risk assessment.

Currently, most companies systematically face challenges related to the loss of significant confidential information, including legally significant information, such as personal data of customers. To solve the problem of maintaining the confidentiality, integrity and availability of information, companies are increasingly using the methodology laid down in the basis of the international standard ISO / IEC 27001. Information security risk management is a process of continuous monitoring and systematic analysis of the internal and external environment of the IT environment, associated with the further adoption and implementation of management decisions aimed at reducing the likelihood of an unfavorable result and minimizing possible threats to business caused by the loss of manageability of information that is important for the organization. The article considers the problems and approaches to the development, practical implementation, and methodology of risk management based on the international standard ISO 31000 in the modern information security management system.

Cyber security risk assessment is very important to quantify the security level of communication-based train control (CBTC) systems. In this paper, a methodology is proposed to assess the cyber security risk of CBTC systems that integrates complex network theory and attack graph method. On one hand, in order to determine the impact of malicious attacks on train control, we analyze the connectivity of movement authority (MA) paths based on the working state of nodes, the connectivity of edges. On the other hand, attack graph is introduced to quantify the probabilities of potential attacks that combine multiple vulnerabilities in the cyber world of CBTC. Experiments show that our methodology can assess the security risks of CBTC systems and improve the security level after implementing reinforcement schemes.

Software-Defined Network (SDN) is the dynamic network technology to address the issues of traditional networks. It provides centralized view of the whole network through decoupling the control planes and data planes of a network. Most SDN-based security services globally detect and block a malicious host based on IP address. However, the IP address is not verified during the forwarding process in most cases and SDN-based security service may block a normal host with forged IP address in the whole network, which means false-positive. In this paper, we introduce an attack scenario that uses forged packets to make the security service consider a victim host as an attacker so that block the victim. We also introduce cost-effective risk avoidance strategy.

In order to improve the information security level of intelligent substation, this paper proposes an intelligent substation information security assessment tool through the research and analysis of intelligent substation information security risk and information security assessment method, and proves that the tool can effectively detect it. It is of great significance to carry out research on industrial control systems, especially intelligent substation information security.

This research explored how cyber security risks are managed across UK Critical National Infrastructure (CNI) sectors following implementation of the 2018 Networks and Information Security (NIS) legislation. Being in its infancy, there has been limited study into the effectiveness of this national framework for cyber risk management. The analysis of data gathered through interviews with key stakeholders against the NIS objectives indicated a collaborative implementation approach to improve cyber-risk management capabilities in CNI sectors. However, more work is required to bridge the gaps in the NIS framework to ensure holistic security across cyber spaces as well as non-cyber elements: cyber-physical security, cross-sector CNI service security measures, outcome-based regulatory assessments and risks due to connected smart technology implementations alongside legacy systems. This paper proposes ten key recommendations to counter the danger of not meeting the NIS key strategic objectives. In particular, it recommends that the approach to NIS implementation needs further alignment with its objectives, such as bringing a step-change in the cyber-security risk management capabilities of the CNI sectors.

In order to effectively assess the security risks in multimodal transport networks, a security risk assessment method based on WBS-RBS and Pythagorean Fuzzy Weighted Average (PFWA) operator is proposed. The risk matrix 0-1 assignment of WBS-RBS is replaced by the Pythagorean Fuzzy Number (PFLN) scored by experts. The security risk ranking values of multimodal transport network are calculated from two processes of whole-stage and phased, respectively, and the security risk assessment results are obtained. Finally, an example of railway-highway-waterway intermodal transportation process of automobile parts is given to verify the validity of the method, the results show that the railway transportation is more stable than the waterway transportation, and the highway transportation has the greatest security risk, and for different security risk factors, personnel risk has the greatest impact. The risk of goods will change with the change of the attributes of goods, and the security risk of storage facilities is the smallest.