Simple and Multi Risk Assessment Framework for Information Security using Process Flow Diagram
DOI: https://doi.org/10.31958/js.v15i1.9249
Keywords: Information Security, Risk Assessment, Asset Dependency, Simplify, Multi-risk model, COVID-19, PPE Information System
Abstract
Organizations need a risk assessment framework that is simple enough for them to understand. At the same time, risk analysis requires mathematical tools to estimate risk from the understanding and data available. In practice, the assets for which risk is calculated depend on one another, which introduces unavoidable complexity. We propose a framework that addresses these three concerns with a process flow diagram. Simplicity comes from a conceptual model based on data flow diagrams, which are widely used in information system design. This conceptual model can be translated into several risk models at once: graph, Boolean algebra, Boole's algebra, and set theory. The complexity of asset dependencies is handled when the conceptual model is translated into the risk model. The approach is demonstrated in case studies of information systems for COVID-19 personal protective equipment in Indonesia, which require a simple information system, support for multiple risk models, and accounting for asset dependencies. The multi-risk model allows the implementation to be checked by testing each risk model against the others.
References
Alpcan, T., & Bambos, N. (2009). Modeling dependencies in security risk management. Post-Proceedings of the 4th International Conference on Risks and Security of Internet and Systems, CRiSIS 2009, 113–116. https://doi.org/10.1109/CRISIS.2009.5411969
Amutio, M. A., Candau, J., & Mañas, J. (2014). Magerit-version 3, methodology for information systems risk analysis and management, book I-the method. Ministerio de Administraciones Públicas.
Bauchner, H., Fontanarosa, P. B., & Livingston, E. H. (2020). Conserving supply of personal protective equipment—A call for ideas. Jama, 323(19), 1911–1911.
Bayhaqi, A. (2020, April 27). Pemerintah Siapkan Sistem Informasi Satu Data untuk Covid-19 | merdeka.com. Merdeka.Com. https://www.merdeka.com/peristiwa/pemerintah-siapkan-sistem-informasi-satu-data-untuk-covid-19.html
Boole, G. (1854). An investigation of the laws of thought: On which are founded the mathematical theories of logic and probabilities. Dover Publications.
Breier, J. (2014). Asset valuation method for dependent entities. Journal of Internet Services and Information Security, 4(3).
Breier, J., & Schindler, F. (2014). Assets dependencies model in information security risk management. Lecture Notes in Computer Science (Including Subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), 8407 LNCS, 405–412. https://doi.org/10.1007/978-3-642-55032-4_40
Chen, B., Kalbarczyk, Z., Nicol, D. M., Sanders, W. H., Tan, R., Temple, W. G., Tippenhauer, N. O., Vu, A. H., & Yau, D. K. (2013). Go with the flow: Toward workflow-oriented security assessment. Proceedings of the 2013 New Security Paradigms Workshop, 65–76.
Cook, T. M. (2020). Personal protective equipment during the coronavirus disease (COVID) 2019 pandemic – a narrative review. Anaesthesia, 75(7), 920–927. https://doi.org/10.1111/anae.15071
Fernandez, A., & Garcia, D. F. (2016). Complex vs. simple asset modeling approaches for information security risk assessment: Evaluation with MAGERIT methodology. 2016 Sixth International Conference on Innovative Computing Technology (INTECH), 542–549.
Goforth, E., Yosri, A., El-Dakhakhni, W., & Wiebe, L. (2022). Infrastructure Asset Management System Optimized Configuration: A Genetic Algorithm–Complex Network Theoretic Metamanagement Approach. Journal of Infrastructure Systems, 28(4), 04022029.
Grahanusa Mediatama. (2020, April 9). Kepolisian tindak 18 kasus terkait APD, ini berbagai modus yang digunakan. kontan.co.id. http://nasional.kontan.co.id/news/kepolisian-tindak-18-kasus-terkait-apd-ini-berbagai-modus-yang-digunakan
GTPP COVID-19. (2020). Daftar Website Kabupaten/Kota—Konten Berguna | Gugus Tugas Percepatan Penanganan COVID-19. Covid19.Go.Id. https://covid19.go.id/p/konten/daftar-website-kabupaten-kota
Haimes, Y. Y. (2018). Risk modeling of interdependent complex systems of systems: Theory and practice. Risk Analysis, 38(1), 84–98. https://doi.org/10.1111/risa.12804
Infopublik. (2020). Polisi Ungkap 18 Kasus Penyimpangan dan Penyalahgunaan APD. http://infopublik.id/kategori/lawan-covid-19/448350/polisi-ungkap-18-kasus-penyimpangan-dan-penyalahgunaan-apd
Ionita, D. (2018). Model-Driven Information Security Risk Assessment of Socio-Technical Systems [PhD Thesis, University of Twente]. https://research.utwente.nl/en/publications/model-driven-information-security-risk-assessment-of-socio-techni
Khanmohammadi, K., & Houmb, S. H. (2010). Business process-based information security risk assessment. 2010 Fourth International Conference on Network and System Security, 199–206. https://doi.org/10.1109/NSS.2010.37
Kim, D., & Solomon, M. G. (2018). Fundamentals of Information Systems Security. Jones & Bartlett Learning.
Kohonen, R., Moronen, T., & Heimonen, G. I. (2011). Concepts, Stakeholders, and Value Chains in Smart Energi Business and Services. e-hub.
Kotenko, I., Doynikova, E., Fedorchenko, A., & Desnitsky, V. (2022). Automation of Asset Inventory for Cyber Security: Investigation of Event Correlation-Based Technique. Electronics, 11(15), 2368.
Lam, J. (2014). Enterprise risk management: From incentives to controls. John Wiley & Sons.
Landoll, D. J., & Landoll, D. (2005). The security risk assessment handbook: A complete guide for performing security risk assessments. CRC Press.
Loloei, I., Shahriari, H. R., & Sadeghi, A. (2012). A model for asset valuation in security risk analysis regarding assets dependencies. ICEE 2012 - 20th Iranian Conference on Electrical Engineering, 763–768. https://doi.org/10.1109/IranianCEE.2012.6292456
Lund, M. S., Solhaug, B., & Stølen, K. (2010). Model-driven risk analysis: The CORAS approach. Springer Science & Business Media.
Merdeka. (2020). Kapolri Instruksikan Tindak Tegas Penimbunan & Penyalahgunaan Alat Kesehatan. Merdeka.Com. https://www.merdeka.com/peristiwa/kapolri-instruksikan-tindak-tegas-penimbunan-penyalahgunaan-alat-kesehatan.html
Muller, S. (2018). Risk Monitoring and Intrusion Detection for Industrial Control Systems [PhD Thesis]. University of Luxembourg, Luxembourg.
Muller, S., Harpes, C., Le Traon, Y., Gombault, S., & Bonnin, J.-M. (2017). Efficiently computing the likelihoods of cyclically interdependent risk scenarios. Computers & Security, 64, 59–68. https://doi.org/10.1016/j.cose.2016.09.008
Muller, S., Harpes, C., Le Traon, Y., Gombault, S., Bonnin, J.-M., & Hoffmann, P. (2016). Dynamic risk analyses and dependency-aware root cause model for critical infrastructures. International Conference on Critical Information Infrastructures Security, 163–175.
Naidoo, R. (2020). A multi-level influence model of COVID-19 themed cybercrime. European Journal of Information Systems, 29(3), 1–16. https://doi.org/10.1080/0960085X.2020.1771222
Nielsen, T. D., & Jensen, F. V. (2009). Bayesian networks and decision graphs. Springer Science & Business Media.
Porter, M. E., & Millar, V. E. (1985). How information gives you competitive advantage (Vol. 63). Harvard Business Review Reprint Service.
Rahmad, B. (2010). Analisa Risiko Keamanan Informasi dengan Mempertimbangkan Dependensi Skenario Threat dan Kontrol sebagai Pereduksi Likelihood dan Impact [PhD Thesis]. Institut Teknologi Bandung.
Rahmad, B., Supangkat, S. H., Sembiring, J., & Surendro, K. (2010). Threat Scenario Dependency-Based Model of Information Security Risk Analysis. IJCSNS, 10(8), 93.
Rahmad, B., Supangkat, S. H., Sembiring, J., & Surendro, K. (2012). Modeling asset dependency for security risk analysis using threat-scenario dependency. International Journal of Computer Science and Information Security, 10(4), 103.
Republika. (2020). Kapolri Terbitkan Instruksi Atasi Persoalan Alat Kesehatan | Republika Online. https://republika.co.id/berita/q8f8v4354/kapolri-terbitkan-instruksi-atasi-persoalan-alat-kesehatan
Schmidt, S., & Albayrak, S. (2010). A quantitative framework for dependency-aware organizational IT Risk Management. 2010 10th International Conference on Intelligent Systems Design and Applications, 1207–1212. https://doi.org/10.1109/ISDA.2010.5687022
Shameli-Sendi, A., Aghababaei-Barzegar, R., & Cheriet, M. (2016). Taxonomy of information security risk assessment (ISRA). Computers & Security, 57, 14–30. https://doi.org/10.1016/j.cose.2015.11.001
Tarjan, R. (1973). Enumeration of the elementary circuits of a directed graph. SIAM Journal on Computing, 2(3), 211–216. https://doi.org/10.1137/0202017
Tatar, Ü., & Karabacak, B. (2012). An hierarchical asset valuation method for information security risk analysis. International Conference on Information Society (i-Society 2012), 286–291. https://fuse.franklin.edu/facstaff-pub
Vesely, W. E., Goldberg, F. F., Roberts, N. H., & Haasl, D. F. (1981). Fault tree handbook (NUREG-0492; p. 209). Nuclear Regulatory Commission, Washington DC. http://www.nrc.gov/reading-rm/doc-collections/nuregs/staff/sr0492/
Walpole, R. E., & Myers, R. H. (1995). Ilmu Peluang dan Statistika untuk Insinyur dan Ilmuwan. Institut Teknologi Bandung.
Wang, L., Islam, T., Long, T., Singhal, A., & Jajodia, S. (2008). An attack graph-based probabilistic security metric. IFIP Annual Conference on Data and Applications Security and Privacy, 5094 LNCS, 283–296. https://doi.org/10.1007/978-3-540-70567-3_22
Wang, R., Li, H., Jing, J., Jiang, L., & Dong, W. (2022). WYSIWYG: IoT Device Identification Based on WebUI Login Pages. Sensors, 22(13), 4892.
Wildberger, N. (Director). (2019). Boolean algebra and set theory | Math Foundations 259.
Yourdon, E. (2006). Just enough structured analysis. Available in wiki format at: http://yourdon.com/strucanalysis/wiki/index.php, 643. https://doi.org/10.3167/015597702782409310
Yunizal, E., Surendro, K., & Santoso, J. (2020). A Method of Simplifying the Asset Dependency Cycle in Security Risk Analysis. The 5th International Conference on Information Technology and Digital Applications (ICITDA 2020), 1077. https://doi.org/10.1088/1757-899x/1077/1/012002
Published: 2023-06-30
Section: Article
License
Copyright (c) 2023 Edri Yunizal

This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.
Authors who publish with this journal agree to the following terms:
- Authors retain copyright and grant the journal right of first publication with the work simultaneously licensed under a Creative Commons Attribution License that allows others to share the work with an acknowledgement of the work's authorship and initial publication in this journal.
- Authors are able to enter into separate, additional contractual arrangements for the non-exclusive distribution of the journal's published version of the work (e.g., post it to an institutional repository or publish it in a book), with an acknowledgement of its initial publication in this journal.
- Authors are permitted and encouraged to post their work online (e.g., in institutional repositories or on their website) prior to and during the submission process, as it can lead to productive exchanges, as well as earlier and greater citation of published work.
