Quantitatively assessing the vulnerability of critical information systems: A new method for evaluating security enhancements

International Journal of Information Management

Volumn 28, Issue 6, 2008, Pages 483-491

  Patel, Sandip C ^a   Graham, James H ^b   Ralston, Patricia A S ^b  

^a MORGAN STATE UNIVERSITY   (United States)

^b University of Louisville ^*  (United States)

Author keywords

Information security; Information security measurement; Risk analysis; Security threats; Vulnerability measurement

Indexed keywords

INFORMATION SYSTEMS; INFORMATION USE; MANAGERS; RISK ANALYSIS; SCADA SYSTEMS; SECURITY OF DATA;

COMPUTER BASED INFORMATION SYSTEMS; CYBER VULNERABILITIES; INFORMATION SECURITY RISKS; INFORMATION-SECURITY MEASUREMENT; SECURITY THREATS; SUPERVISORY CONTROL AND DATAACQUISITION SYSTEMS (SCADA); UNIVERSITY OF LOUISVILLE; VULNERABILITY MEASUREMENT;

RISK ASSESSMENT;

EID: 54949112031     PISSN: 02684012     EISSN: None     Source Type: Journal    
DOI: 10.1016/j.ijinfomgt.2008.01.009     Document Type: Article

References (38)

1. Aagedal J., Braber F., Dimitrakos T., Gran B.A., Raptis D., and Stolen K. Model-based risk assessment to improve enterprise security. Proceedings of the sixth international distributed object computing conference, September 17-20 (2002), Lausanne, Switzerland 51-62
2. Alberts, C., Dorofee, A., Stevens, J., & Woody, C. (2003). Introduction to the OCTAVE approach. Retrieved, from 〈http://www.cert.org/octave/approach_intro.pdf〉.
3. Ayyub B. Risk analysis in engineering and economics (2003), CRC Press, Boca Raton, FL
4. Byres, E. & Lowe, J. (2004). The myths and facts behind cyber security risks for industrial control systems, In VDE Congress, Berlin, October 18-20, 213-218.
5. Campbell K., Gordon L.A., Loeb M.P., and Zhou L. The economic cost of publicly announced information security breaches: empirical evidence from the stock market. Journal of Computer Security 11 3 (2003) 431-448
6. Campbell, P., & Stamp, J. (2004). A classification scheme for risk assessment methods. Sandia National Laboratory report SAND2004-4233, August.
7. Cavusoglu H., Mishra B., and Raghunathan S. A model for evaluating IT security investments. Communications of the ACM 47 7 (2004) 92-97
8. Cavusoglu H., Mishra B., and Raghunathan S. The effect of internet security breach announcements on market value: Capital market reactions for breached firms and internet security developers. International Journal of Electronic Commerce 9 1 (2004) 69-104
9. Cohen F. Simulating cyber attacks, defenses, and consequences. Computers and Security 18 6 (1999) 479-518
10. Department of Homeland Security. (2006). National Infrastructure Protection Plan: Base Plan, revised draft V2. National Infrastructure Institute. 〈http://www.ni2ciel.org/NIPC/Revised-Draft-NIPP-v2.0.pdf〉. Accessed on January 5, 2007.
11. Dhillon G. Managing information system security (1997), Macmillan Press Ltd, London, UK
12. Ettredge, M., Richardson, V. J. (2002). Assessing the risk in e-commerce. In Proceedings of the 35th Hawaii international conference on system sciences, Big Island, HI, January 7-10, 194.
13. Farahmand F., Navathe S.B., Enslow P.H., and Sharp G.P. Managing vulnerabilities of information systems to security incidents. Proceedings of the fifth international conference on electronic commerce (2003), Pennsylvania, Pittsburgh 348-354 September 30-October 03
14. Farahmand F., Navathe S.B., Sharp G.P., and Enslow P.H. A management perspective on risk of security threats to information systems. Information Technology and Management 6 2-3 (2005) 203-225
15. Gordon L.A., and Loeb M.P. The economics of information security investment. ACM Transactions on Information and System Security 5 4 (2002) 438-457
16. Haimes Y.Y., and Chittester C.G. A roadmap for quantifying the efficacy of risk management of information security and interdependent SCADA systems. Journal of Homeland Security and Emergency Management 2 2 (2005) 1-21
17. Haimes Y.Y., Kaplan S., and Lambert J.H. Risk filtering, ranking, and management framework using hierarchical holographic modeling. Risk Analysis 22 2 (2002) 381-395
18. Henley E., and Kumamoto H. Probabilistic risk assessment. 2nd ed. (1996), IEEE Press, New York
19. Hovav A., and D'Arcy J. The impact of denial-of-service attack announcements on the market value of firms. Risk Management and Insurance Review 6 2 (2003) 97-121
20. Hovav A., and D'Arcy J. The impact of virus attack announcements on the market value of firms. Information Systems Security 13 3 (2004) 32-40
21. Iheagwara C. More effective risk assessment. Computer Security Journal 19 2 (2003) 8-20
22. Longstaff T., Chittister C., Pethia R., and Haimes Y. Are we forgetting the risk of information technology?. IEEE Computer 33 12 (2000) 43-51
23. Mell P., Scarfone K., and Romanosky S. Common vulnerability scoring system. IEEE Security and Privacy 4 6 (2006) 85-89
24. Miller D., and Byres E. Risk assessment: The first step. InTech 52 3 (2005) 68-69
25. Nozick L.K., Turnquist M.A., Jones D.A., Davis J.R., and Lawton C.R. Assessing the performance of interdependent infrastructures and optimizing investments. International Journal of Critical Infrastructures 1 2-3 (2005) 144-154
26. Patel, S. (2006). Secure internet-based communication protocol for SCADA networks. Ph.D. dissertation, University of Louisville, Louisville, Kentucky.
27. Patel S., Graham J., Ralston P., and Tantalean R. Secure SCADA communications, monitoring, and control over the Internet. Proceedings of the 18th computer applications in industry and engineering (2005), Honolulu, Hawaii 169-174 November 9-11
28. Patel S., Tantalean R., Ralston P., and Graham J. Supervisory control and data acquisition remote terminal unit testbed. Intelligent Systems Research Laboratory technical report TR-ISRL-05-01, Department of Computer Engineering and Computer Science (2005), University of Louisville, Louisville, Kentucky
29. Peltier T.R. Information security risk analysis (2001), Auerbach Publications, Boca Raton, Florida
30. Pumfrey, D. J. (1999). The principled design of computer system safety analyses. D. Phil. thesis, University of York, UK.
31. Rakaczky, E. (2005). Building a security business case. Process control systems forum, October 25-27, Chicago, Illinois, 〈www.pcsforum.org/events/2005/fall/pdf/Building%20a%20Security%20Business%20Case2a.pdf〉. Accessed on January 5, 2007.
32. Ralston P.A., Graham J.H., and Patel S.C. Literature review of security and risk assessment of SCADA and DCS systems. Intelligent Systems Research Laboratory technical report TR-ISRL-06-01, Department of Computer Engineering and Computer Science (2006), University of Louisville, Louisville, KY
33. Rinaldi, S. M. (2004). Modeling and simulating critical infrastructures and their interdependencies. In: Proceedings of the 37th Hawaii international conference on system sciences, January 05-08, Big Island, HI, pp. 1-8.
34. Schneier B. Attack trees. Dr. Dobb's Journal of Software Tools 24 12 (1999) 21-29
35. Stoneburner G. Toward a unified security/safety model. Computer 39 8 (2006) 96-97
36. Vidalis S., and Jones A. Using vulnerability tress for decision making in threat assessment. School of Computing technical report CS-03-02 (2003), University of Glamorgan, Pontypridd, Wales, UK
37. Whitman M., and Mattord H. Principles of information security. 2nd ed. (2005), Course Technology, Boston
38. Yasinsac, A., Childs, J. (2001). Analyzing internet security protocols. In Proceedings of the sixth international conference on high assurance systems, Boca Raton, FL, October 2001, pp. 149-159.