"Risk Analysis helps establish a good security posture; Risk Management keeps it that way" - B. D. Jenkins (1998)
Viz. "If your entire Security Infrastructure is not sound your business could fail." - searchSecurity.com
Why does it often require a unique situation to make the risk clear? Could we possibly consider all threats?
Risk Management Holds the Key to Security and Trust: In a Nutshell (also available in Norwegian: "Risk management is the key to security and trust")
1 of 7
12/12/2013 9:15 AM
BS7799 Part 1 (1999): Code of Practice for Information Security Management (BS7799)
ISO 17799 - The Information Security Standard
ISO 17799
The ISO 17799 Software Directory, and The ISO17799 NEWS page
ISO 17799 Papers: BS 7799 by Biju Mukund
International ISO 17799 User Group
ISO TR 13335: Guidelines for Management of Information Technology Security (GMITS)
CSA Model Code for the Protection of Personal Information
Diffuse Information Security Standards, including the above
COBIT (Control Objectives for Information and Related Technologies) specification produced by the Information Systems Audit and Control Foundation
COBIT Forums and Information
CRAMM - the UK Government's Risk Analysis and Management Method
The ISO 9000-14000 family of standards
The National Institute of Standards and Technology (NIST)
NASA Probabilistic Risk Assessment Procedures Guide for NASA Managers and Practitioners
References to other standards
Risk Analysis, Assessment, Management, based on [1] AS/NZS 4360:1999 and [2] NS 5814
Risk Analysis [1]: A systematic use of available information to determine how often specified events may occur and the magnitude of their consequences.
Risk Analysis [2]: A systematic approach for describing and/or calculating risk. Risk analysis involves the identification of undesired events, and the causes and consequences of these events.
Risk Assessment [1]: The overall process of risk analysis and risk evaluation.
Risk Management [1]: The culture, processes and structures that are directed towards the effective management of potential opportunities and adverse effects.
Risk Management Process [1]: The systematic application of management policies, procedures and practices to the tasks of establishing the context, identifying, analysing, evaluating, treating, monitoring and communicating risk.
Risk Evaluation [1]: The process used to determine risk management priorities by comparing the level of risk against predetermined standards, target risk levels or other criteria.
Risk Evaluation [2]: A comparison of the results of a risk analysis with the acceptance criteria for risk and other decision criteria.
MORT (Management Oversight Risk Tree)
SMORT (Safety Management Organization Review Technique)
Risk Analysis Bibliographies by Tan Hiap Keong
Security/Survivability Systems Analysis (S/SSA)
CEA - Cost-Effectiveness Analysis in Emergency Medicine, Computer, and more by Zui-Shen Yen, and Primer on Cost-Effectiveness Analysis: Effective Clinical Practice
Cost Benefit Analysis
Introduction to Cost-Benefit Analysis
Cost Benefit Analysis Method (CBAM)
BCA - Benefit-Cost Analysis for the use of Intelligent Transportation Technology
CPR Perspective: Cost-benefit Analysis
Cost/Benefit Analysis - Decision Making from Mind Tools
SQUARE Project: Cost/Benefit Analysis Framework for Information Security Improvement Projects in Small Companies
OMNI (Organising Medical Networked Information) Cost-Benefit Analysis
Cost-Benefit Handbook
Australian Government - Cost-Benefit Analysis
An adaptive risk management system is a system that is capable of learning, adapting, preventing, identifying and responding to new or unknown threats in critical time, much as biological organisms adapt and respond to threats in their struggle for survival. It essentially incorporates the characteristics and properties of genetic, holonic, AI, complex adaptive theory and other approaches, whose combination has a supra-additive synergistic effect.

"Genetic algorithms are algorithms that work via the process of natural selection. They begin with a sample set of potential solutions which then evolves toward a set of more optimal solutions. Within the sample set, solutions that are poor tend to die out while better solutions mate and propagate their advantageous traits, thus introducing more solutions into the set that boast greater potential." For a brief introduction to genetic algorithms see JGAP and Moshe Sipper.

A holon is a self-similar or fractal structure that is stable and coherent, that consists of several holons as sub-structures, and that is itself a part of a greater whole (for more information see Adaptive Risk Holarchy, Concepts for Holonic Manufacturing, Holonic Solutions, Holonic Software Development, Holonic Multiagent Systems, etc.).

Artificial Neural Networks (ANNs) have been developed as a mathematical modelling of the human cognition system, based on our knowledge of how biological neural cells (neurons) function in the brain. ANNs can be described either as mathematical and computational models for non-linear function approximation, data classification, clustering and non-parametric regression, or as simulations of the behaviour of collections of model biological neurons. ANNs can be used in a variety of powerful ways: to learn and reproduce rules or operations from given examples; to analyse and generalise from sample facts and make predictions from these; or to memorise characteristics and features of given data and to match or make associations from new data to the old data. ANNs can be seen as an adaptive system that is able to learn from the data that flows through the network and change its response accordingly.
For more information on ANNs see Neural Computation: The Nature of Learning, Memory and Plasticity in an artificial neural network, or Artificial neural network.

"Several Artificial Intelligence (AI) techniques have found applications in the field of risk management. Neural networks and fuzzy modeling are two system paradigms that lie at extreme poles of artificial intelligence system modeling. Neural networks can be viewed as 'black boxes' in which the process is unknown but there are many examples or observations. Fuzzy models, on the other hand, can be viewed as 'white boxes' in which structured human knowledge is used to model the system and no data is required. Most of the real world problems, however, typically present a 'grey box' situation, where there are some observations and some structured human knowledge. A new technique called neuro-fuzzy modeling, which incorporates neural network learning concepts into fuzzy inference systems, forms a pivotal technique in what is today known as soft computing. A notable contribution was the development of the adaptive neuro fuzzy inference system (ANFIS) and its generalized version, CANFIS, exploiting the equivalence of radial basis function networks (RBFNs) from neural network theory and various fuzzy inference system (FIS) models, to provide a performance superior to that of conventional neural networks and Fuzzy Inference systems." - Radha Arur, Polaris Software, 21 Feb 2006

Three major characteristics of complex adaptive systems can be distinguished:
1. active monitoring, ensuring the organization's sensitivity to detect risk;
2. agility, ensuring its flexibility to respond to risk; and
3. adaptive learning, ensuring the capability of the organization's resources to mitigate risk.

Yet, according to WOLFASI, the conceptual components of a general adaptive security infrastructure are Detector, Analyser and Responder:
1. The Detector senses, collects and distributes information about the security environment.
2. The Analyzer processes Detector data, along with other information (e.g. security policy, threat levels or node trust levels), and occasionally proposes actions to bring about a new stage.
3. The Responder executes the actions as directed by the Analyzer. These actions could include adjusting preventive mechanisms, adjusting detector settings, adjusting internal system parameters, etc.
A European website presents science research and multimedia on health, food and risks
This European website specialises in presenting multimedia content on publicly funded European research in the areas of Health, Genomics and Food Safety. In addition, information and arguments on relevant risk issues are covered. The science subjects are treated in easy-to-understand modules for educators, students, the interested public and film producers. EUSEM is funded through the Sixth Framework Programme of the European Commission.
Institute of Standards and Technology
Information Security on the Internet: Internet Risks
Information Security and Computer Crime
Crime Resources - Crime Related News, Books and Web Resources
eRisks.com: Risk Wisdom
Quantitative Risk Assessment (QRA)
PHA - Process Hazard Analysis News
Quantitative Risk Assessment (QRA) News
Global Association of Risk Professionals
RiskWatch
Risk Assessment & Policy Association
Risk Assessment Information System Page
SRA/Glossary of Risk Analysis Terms
Risk Glossaries
RiskWorld: risk-related news, events, societies, etc.
A Guide to Security Risk Management for Information Technology Systems (MG-2)
Reliability, Availability, Maintainability and Safety Solutions from Reliability Software
Infrastructure Vulnerabilities and Critical Infrastructure Protection (CIP)
Articles / White Papers on Risk Analysis - from Crystal Ball
Nonprofit Risk Management Center - A source for tools, advice and training to control risk
RIMS - Risk and Insurance Management Society, Inc.
PRMIA - News and Risk Management Links
NZSIT - The New Zealand Security of Information Technology Publications
PROVENTION Consortium
Hazard Risk Management: Useful Links
Social Risk Management
Risk Management Forum
Vulnerability Assessment Techniques and Applications (VATA)
USDA: Risk Assessment
Paula D. Gordon's Homeland Security Website with the extensive List of Selected Homeland Security References and Resources
Homeland Security
Norwegian Research Center for Computers and Law
National Center for the Study of Counter Terrorism & CyberCrime at Norwich University
Eastern Michigan University: Center for Regional and National Security
Defense Security Services (DSS)
Cyber Security: A Crisis of Prioritization, Report to the President, February 2005
Digital Evidence Research Programme from BIICL (British Institute of International and Comparative Law)
NIFS (National Institute of Forensic Science): Serving the forensic science community
Risk Modeling - King's College, University of London
Adaptive Risk Management Laboratory - Prof. Mihaela Ulieru, PhD, The University of New Brunswick
Peter G. Neumann's RISKS and Inside Risks, Computer-Related Risks, The Book
Invest Sign - project management software
CN&S' Network Security Risk Management, and Computer-Assisted Digital Investigation and Global Intrusion Detection Systems
Project Risk Management Related Links
The Risks Digest
Monte Carlo Method
Risk Analysis
Books on Risk Analysis, Assessment, Management
ARMS - Automated Risk Management System
CORAS - Platform for risk analysis of security critical IT systems
Easy Threat Risk Assessment
EBIOS - Expression of Needs and Identification of Security Objectives
ISO 17799 Risk Assessment Toolkit
MARCO - MAximized Risk COntrol
Minaccia
ModSIC - an Open Source project for remote, automated IT Asset Assessments
Open Source IT Risk Management
OSMR - OpenSource Management of Risk
OSRMT - Open Source Requirements Management Tool
ThreatMind

I proffer my sincere apologies for linking to most of the sites above prior to asking permission, in the event of inconvenience having been caused!