Towards an integrated risk analysis security framework according to a systematic analysis of existing proposals
Antonio SANTOS-OLMO1,2(), Luis Enrique SÁNCHEZ1,2, David G. ROSADO1, Manuel A. SERRANO3, Carlos BLANCO4, Haralambos MOURATIDIS2, Eduardo FERNÁNDEZ-MEDINA1
1. GSyA Research Group, University of Castilla-La Mancha, Ciudad Real 13071, Spain 2. Institute for Analytics and Data Science, University of Essex, Colchester CO4 3SQ, UK 3. Alarcos Research Group, University of Castilla-La Mancha, Ciudad Real 13071, Spain 4. ISTR Research group, Department of Computer Science and Electronics, University of Cantabria, Santander 39005, Spain
The information society depends increasingly on risk assessment and management systems as means to adequately protect its key information assets. The availability of these systems is now vital for the protection and evolution of companies. However, several factors have led to an increasing need for more accurate risk analysis approaches. These are: the speed at which technologies evolve, their global impact and the growing requirement for companies to collaborate. Risk analysis processes must consequently adapt to these new circumstances and new technological paradigms. The objective of this paper is, therefore, to present the results of an exhaustive analysis of the techniques and methods offered by the scientific community with the aim of identifying their main weaknesses and providing a new risk assessment and management process. This analysis was carried out using the systematic review protocol and found that these proposals do not fully meet these new needs. The paper also presents a summary of MARISMA, the risk analysis and management framework designed by our research group. The basis of our framework is the main existing risk standards and proposals, and it seeks to address the weaknesses found in these proposals. MARISMA is in a process of continuous improvement, as is being applied by customers in several European and American countries. It consists of a risk data management module, a methodology for its systematic application and a tool that automates the process.
. [J]. Frontiers of Computer Science, 2024, 18(3): 183808.
Antonio SANTOS-OLMO, Luis Enrique SÁNCHEZ, David G. ROSADO, Manuel A. SERRANO, Carlos BLANCO, Haralambos MOURATIDIS, Eduardo FERNÁNDEZ-MEDINA. Towards an integrated risk analysis security framework according to a systematic analysis of existing proposals. Front. Comput. Sci., 2024, 18(3): 183808.
? Interrelationships between risks according to control areas
P2
Networks
Fuzzy techniques
? Risks associated with networked business collaborations
? Prototyping and application in real cases
P3
Software defined networks (SDN)
Fuzzy techniques, DEMATEL
? Reduction of the degree of uncertainty
? Associative risk management
P4
Railways
Fuzzy techniques
? Reduction in the degree of uncertainty
?Hierarchical factors for risk probability and impact assessment
Framework
F1
Electronic transactions
STOPE, DMAIC
? Risks associated with networked business collaborations
F2
IT projects
KM
? Application of knowledge management techniques to risk analysis
F3
Global
?
? Structuring of information prior to risk analysis
? Knowledge reuse
F4
Global
?
? Dynamic risk assessment
F5
Software development
Fuzzy techniques
? Reduction in the degree of uncertainty
F6
Global
?
? Knowledge reuse
?Importance of Dynamic Risk and Cloud Environments
F7
Critical Infrastructure
FMEA
? Reduction inf the degree of uncertainty
F8
Global
Logic trees
? Decision-making processes
?Knowledge reuse
?Targeting SMEs & Associative risk management
F9
Business processes
?
? Integration of BPM with risk management
?Risk metamodel
Model
MO1
Global
Theory of evidenceFuzzy measures
? Management of uncertainty in results
?Consistency evidence
? Case study
MO2
Global
VIKOR, DEMATEL, ANP
? Interdependence and feedback of risk criteria
? PDCA risk assessment process
MO3
Global
Bayesian Networks
? Weakness propagation uncertainty analysis
MO4
Global
?
? Decision-making processes
? Improved processes with which to analyse risk information
? Case study
MO5
Data
?
? Use of risk patterns
?Associative risk management
?Case study
MO6
Global
Logistic regression models
? Predictive techniques
?Dynamic risk assessment
?Focus on SMEs
MO7
Data
Heuristic techniques
? Dynamic risk assessment
?Importance of the environment and third parties in risk
MO8
Supply chains
Stochastic & Deterministic techniques
? Mixed application of stochastic and deterministic techniques
?Reduction in the degree of uncertainty
?Decision-making processes
MO9
ICS
Mind Maps
? Dynamic risk assessment
?Associative risk management
?Case study
Methodology
ME1
Global
Fuzzy techniques
? Reduction in the degree of uncertainty
? Importance of the environment and third parties in risk
ME2
Global
FMEA
? Reduction of uncertainty
ME3
Critical Infrastructure
Bow Tie Models, Bayesian Networks
? Concurrent analysis of risks and vulnerabilities
?Case study
ME4
IoT
?
? Exploitability value of vulnerabilities
? Degrees of vulnerability
ME5
Financial
?
? Adaptation to dynamic scenarios
?Focus on SMEs
?Prototyping and application in real cases
ME6
I4.0 - HMI
VIKOR, DEMATEL, ANPFuzzy techniques
? Reduction in the degree of uncertainty
?Importance of the environment in risk
Others
O1
Global
?
? Progressive improvement of risk levels
O2
Data Centre
?
? Risk analysis in virtualisation
?Risks in data centres outside but part of the IS
Tab.2
Type
Initiative
AC
HA
RKL
DY
CC
AE
DM
LLS
SLC
TS
GS
PC
Process
P1
No
Part.
No
No
No
Part.
No
No
No
No
No
No
P2
No
Part.
No
No
No
Part.
No
No
No
Yes
No
Yes
P3
No
Part.
No
No
No
Part.
No
Part.
No
No
No
Part.
P4
No
Part.
No
No
No
Part.
No
Part.
No
No
No
No
Framework
F1
No
Part.
No
No
No
No
No
No
No
No
No
No
F2
No
No
Yes
No
No
No
No
No
No
No
No
No
F3
No
Part.
Yes
No
No
No
No
No
No
No
Yes
No
F4
No
No
Part.
No
No
No
No
Part.
No
No
Yes
No
F5
No
No
No
No
No
Part.
No
Part.
No
No
No
No
F6
No
Part.
Yes
Part.
No
No
No
No
No
No
Yes
No
F7
No
No
No
No
No
Part.
No
Part.
No
No
Yes
No
F8
No
Part.
Yes
No
No
Part.
No
No
Yes
Yes
Yes
No
F9
Part.
No
No
No
No
No
No
No
No
Part.
Yes
Part.
Model
MO1
No
Part.
No
Part.
No
Part.
No
Part.
No
No
Yes
Yes
MO2
No
No
Part.
No
No
Part.
No
No
No
No
Yes
Yes
MO3
No
Part.
No
No
No
Part.
No
Part.
No
No
Yes
No
MO4
No
Part.
Part.
No
No
No
No
No
No
No
Yes
Yes
MO5
Part.
Part.
No
No
No
Part.
No
No
No
No
No
Part.
MO6
No
No
No
Part.
No
No
No
Part.
Part.
No
Yes
Yes
MO7
No
Part.
No
Part.
No
No
No
No
No
No
No
No
MO8
No
No
No
Part.
No
Part.
No
No
No
No
No
No
MO9
Part.
Yes
No
Yes
No
Part.
No
No
No
No
No
Yes
Methodology
ME1
No
Part.
No
Part.
No
Part.
No
Part.
No
No
Yes
No
ME2
No
Part.
No
No
No
Part.
No
Part.
No
No
Yes
No
ME3
No
No
No
No
No
No
No
No
No
No
No
Yes
ME4
No
No
No
No
No
Part.
No
No
No
No
No
Yes
ME5
No
No.
No
Yes
No
Part.
Yes
No
Yes
Yes
No
Yes
ME6
No
Parc.
No
No
No
No
No
Yes
No
No
No
No
Others
O1
No
No
Yes
No
No
Part.
No
No
No
No
Yes
No
O2
No
Part.
No
Part.
No
No
No
No
No
No
No
Part.
Tab.3
Fig.1
Fig.2
Fig.3
Fig.4
Fig.5
1
A, Hussain A, Mohamed S Razali . A review on cybersecurity: challenges & emerging threats. In: Proceedings of the 3rd International Conference on Networking, Information Systems & Security, 2020, 28
2
M, Hölbl T Welzer . Experience with teaching cybersecurity. In: Proceedings of the 27th EAEEIE Annual Conference (EAEEIE). 2017, 1−4
3
S M T, Toapanta A J, Gurumendi L E M Gallegos . An approach of national and international cybersecurity laws and standards to mitigate information risks in public organizations of Ecuador. In: Proceedings of the 2nd International Conference on Education Technology Management. 2019, 61−66
4
P, Shamala R, Ahmad A, Zolait M Sedek . Integrating information quality dimensions into information security risk management (ISRM). Journal of Information Security and Applications, 2017, 36: 1–10
5
M, Mirtsch K, Blind C, Koch G Dudek . Information security management in ICT and non-ICT sector companies: a preventive innovation perspective. Computers & Security, 2021, 109: 102383
6
M Hentea . Security management. In: Hentea M, ed. Building an Effective Security Program for Distributed Energy Resources and Systems: Understanding Security for Smart Grid and Distributed Energy Resources and Systems, Volume 1. Wiley, 2021, 405–436
7
P Kumah . The role of human resource management in enhancing organizational information systems security. In: Misra S, Adewumi A, eds. Handbook of Research on the Role of Human Factors in IT Project Management. Hershey, PA, USA: IGI Global, 2019, 278–303
8
H, Lee C, Han T Yoo . The application of mistake-proofing to organisational security management. Total Quality Management & Business Excellence, 2019, 30(9–10): 1151–1166
9
F, Li T, Chen B, Wang J, Zhang S Qing . Research on information security technology of mobile application in electric power industry. In: Proceedings of 2020 Asia-Pacific Conference on Image Processing, Electronics and Computers (IPEC). 2020, 51−54
10
A, Nasir R A, Arshah M R A, Hamid S Fahmy . An analysis on the dimensions of information security culture concept: a review. Journal of Information Security and Applications, 2019, 44: 12–22
11
K, Khando S, Gao S M, Islam A Salman . Enhancing employees information security awareness in private and public organisations: a systematic literature review. Computers & Security, 2021, 106: 102267
12
A A, Ganin P, Quach M, Panwar Z A, Collier J M, Keisler D, Marchese I Linkov . Multicriteria decision framework for cybersecurity risk assessment and management. Risk Analysis, 2020, 40( 1): 183–199
13
der Schyff K, van S Flowerday . Mediating effects of information security awareness. Computers & Security, 2021, 106: 102313
14
A D, Prajanti K Ramli . A proposed framework for ranking critical information assets in information security risk assessment using the OCTAVE allegro method with decision support system methods. In: Proceedings of the 34th International Technical Conference on Circuits/Systems, Computers and Communications (ITC-CSCC). 2019, 1−4
15
A, Chopra M Chaudhary . The need for information security. In: Chopra A, Chaudhary M, eds. Implementing an Information Security Management System: Security Management Based on ISO 27001 Guidelines. Berkeley, CA: Apress, 2020, 1−20
16
S A, Grishaeva V I Borzov . Information security risk management. In: Proceedings of 2020 International Conference Quality Management, Transport and Information Security, Information Technologies (IT&QM&IS). 2020, 96−98
17
M K, Zaini M N, Masrek Sani M K J Abdullah . The impact of information security management practices on organisational agility. Information and Computer Security, 2020, 28( 5): 681–700
18
M, Kiedrowicz J Stanik . Method for assessing efficiency of the information security management system. MATEC Web of Conferences, 2018, 210: 04011
19
L E, Sánchez A, Santos-Olmo E, Fernandez-Medina M Piattini . ISMS building for SMEs through the reuse of knowledge. In: Management Association I R, ed. Small and Medium Enterprises: Concepts, Methodologies, Tools, and Applications. Hershey, PA, USA: IGI Global, 2013, 394−419
20
A, Santos-Olmo L E, Sánchez I, Caballero S, Camacho E Fernandez-Medina . The importance of the security culture in SMEs as regards the correct management of the security of their assets. Future Internet, 2016, 8( 3): 30
21
G, Wangen C, Hallstensen E Snekkenes . A framework for estimating information security risk assessment method completeness. International Journal of Information Security, 2018, 17( 6): 681–699
22
D, Achmadi Y, Suryanto K Ramli . On developing information security management system (ISMS) framework for ISO 27001-based data center. In: Proceedings of 2018 International Workshop on Big Data and Information Security (IWBIS). 2018, 149−157
23
C Y, Jeong S Y T, Lee J H Lim . Information security breaches and IT security investments: impacts on competitors. Information & Management, 2019, 56( 5): 681–695
24
B, Uchendu J R C, Nurse M, Bada S Furnell . Developing a Cyber Security culture: current practices and future needs. Computers & Security, 2021, 109: 102387
25
V, Casola R, Catelli Benedictis A De . A first step towards an ISO-based information security domain ontology. In: Proceedings of the 28th IEEE International Conference on Enabling Technologies: Infrastructure for Collaborative Enterprises (WETICE). 2019, 334−339
26
A Shameli-Sendi . An efficient security data-driven approach for implementing risk assessment. Journal of Information Security and Applications, 2020, 54: 102593
27
I M M, Putra K Mutijarsa . Designing information security risk management on Bali regional police command center based on ISO 27005. In: Proceedings of the 3rd East Indonesia Conference on Computer and Information Technology (EIConCIT). 2021, 14−19
28
E, Hariyanti A, Djunaidy D O Siahaan . A conceptual model for information security risk considering business process perspective. In: Proceedings of the 4th International Conference on Science and Technology (ICST). 2018, 1−6
29
S, Szwaczyk K, Wrona M Amanowicz . Applicability of risk analysis methods to risk-aware routing in software-defined networks. In: Proceedings of 2018 International Conference on Military Communications and Information Systems (ICMCIS). 2018, 1−7
30
K Ruan . Introducing cybernomics: a unifying economic framework for measuring cyber risk. Computers & Security, 2017, 65: 77–89
31
J, Dobaj C, Schmittner M, Krisper G Macher . Towards integrated quantitative security and safety risk assessment. In: Proceedings of 2019 International Conference on Computer Safety, Reliability, and Security. 2019, 102−116
32
F Ö, Sönmez B G Kılıç . A decision support system for optimal selection of enterprise information security preventative actions. IEEE Transactions on Network and Service Management, 2021, 18( 3): 3260–3279
33
B, Tiganoaia A, Niculescu O, Negoita M Popescu . A new sustainable model for risk management—RiMM. Sustainability, 2019, 11( 4): 1178
34
M A, Amutio J, Candau J A Manas . MAGERIT-version 3.0 Methodology for information systems risk analysis and management. Ministry of Finance and Public Administration, 2014
35
M L, Ali K, Thakur B Atobatele . Challenges of cyber security and the emerging trends. In: Proceedings of 2019 ACM International Symposium on Blockchain and Secure Critical Infrastructure. 2019, 107−112
36
H, Khambhammettu S, Boulares K, Adi L Logrippo . A framework for risk assessment in access control systems. Computers & Security, 2013, 39: 86–103
37
M, Jouini L B A Rabai . A security risk management model for cloud computing systems: infrastructure as a service. In: Proceedings of the10th International Conference on Security, Privacy, and Anonymity in Computation, Communication, and Storage. 2017, 594−608
38
T Weil . Risk assessment methods for cloud computing platforms. In: Proceedings of the 43rd IEEE Annual Computer Software and Applications Conference (COMPSAC). 2019, 545−547
39
M, Brunner C, Sauerwein M, Felderer R Breu . Risk management practices in information security: exploring the status quo in the DACH region. Computers & Security, 2020, 92: 101776
40
H, Zakaria Bakar N A, Abu N H, Hassan S Yaacob . IoT security risk management model for secured practice in healthcare environment. Procedia Computer Science, 2019, 161: 1241–1248
41
Z Zhang . A new method for information security risk management in big data environment. In: Proceedings of the 2nd International Conference on Information Technology and Computer Application (ITCA). 2020, 1−4
42
Y, Fu J, Zhu S Gao . CPS information security risk evaluation system based on petri net. In: Proceedings of the 2nd IEEE International Conference on Data Science in Cyberspace (DSC). 2017, 541−548
43
H, Mokalled C, Pragliola D, Debertol E, Meda R Zunino . A comprehensive framework for the security risk management of cyber-physical systems. In: Flammini F, ed. Resilience of Cyber-Physical Systems: From Risk Modelling to Threat Counteraction. Cham: Springer International Publishing, 2019, 49−68
44
J, Chen Q Zhu . Interdependent strategic security risk management with bounded rationality in the internet of things. IEEE Transactions on Information Forensics and Security, 2019, 14( 11): 2958–2971
45
A, Capodieci L, Mainetti F Dipietrangelo . Model-driven approach to cyber risk analysis in industry 4.0. In: Proceedings of the 10th International Conference on Information Systems and Technologies. 2020, 33
46
V, Malik S Singh . Security risk management in IoT environment. Journal of Discrete Mathematical Sciences and Cryptography, 2019, 22( 4): 697–709
47
S G, Govender E, Kritzinger M Loock . A framework and tool for the assessment of information security risk, the reduction of information security cost and the sustainability of information security culture. Personal and Ubiquitous Computing, 2021, 25( 5): 927–940
48
M I, Javaid M M W Iqbal . A comprehensive people, process and technology (PPT) application model for Information Systems (IS) risk management in small/medium enterprises (SME). In: Proceedings of 2017 International Conference on Communication Technologies (ComTech). 2017, 78−90
49
N, Paltrinieri G Reniers . Dynamic risk analysis for Seveso sites. Journal of Loss Prevention in the Process Industries, 2017, 49: 111–119
50
A A O, Affia R, Matulevičius A Nolte . Security risk management in cooperative intelligent transportation systems: a systematic literature review. In: Proceedings of 2019 OTM Confederated International Conferences “On the Move to Meaningful Internet Systems”. 2019, 282−300
51
P G Genchev . Analysis of changes in the probability of an incident with information security. In: Proceedings of the 56th International Scientific Conference on Information, Communication and Energy Systems and Technologies (ICEST). 2021, 119−122
52
B, Kitchenham S Charters . Guidelines for performing systematic literature reviews in software engineering. 2007
53
B, Kitchenham P Brereton . A systematic review of systematic review process research in software engineering. Information and Software Technology, 2013, 55( 12): 2049–2075
54
S, Barat T, Clark B, Barn V Kulkarni . A model-based approach to systematic review of research literature. In: Proceedings of the 10th Innovations in Software Engineering Conference. 2017, 15−25
55
B, Barn S, Barat T Clark . Conducting systematic literature reviews and systematic mapping studies. In: Proceedings of the 10th Innovations in Software Engineering Conference. 2017, 212−213
56
C C, Lo W J Chen . A hybrid information security risk assessment procedure considering interdependences between controls. Expert Systems with Applications, 2012, 39( 1): 247–257
57
M, Wulan D Petrovic . A fuzzy logic based system for risk analysis and evaluation within enterprise collaborations. Computers in Industry, 2012, 63( 8): 739–748
58
R, Deb S Roy . A Software Defined Network information security risk assessment based on Pythagorean fuzzy sets. Expert Systems with Applications, 2021, 183: 115383
59
H, Zhang Q Sun . An integrated approach to risk assessment for special line shunting via fuzzy theory. Symmetry, 2018, 10( 11): 599
60
M S, Saleh A Alfantookh . A new comprehensive framework for enterprise information security risk management. Applied Computing and Informatics, 2011, 9( 2): 107–118
61
S, Alhawari L, Karadsheh Talet A, Nehari E Mansour . Knowledge-based risk management framework for information technology project. International Journal of Information Management, 2012, 32( 1): 50–65
62
P, Shamala R, Ahmad M Yusoff . A conceptual framework of info structure for information security risk assessment (ISRA). Journal of Information Security and Applications, 2013, 18( 1): 45–52
63
F, Khan S J, Hashemi N, Paltrinieri P, Amyotte V, Cozzani G Reniers . Dynamic risk management: a contemporary approach to process safety management. Current Opinion in Chemical Engineering, 2016, 14: 9–17
64
A K, Sangaiah O W, Samuel X, Li M, Abdel-Basset H Wang . Towards an efficient risk assessment in software projects−Fuzzy reinforcement paradigm. Computers & Electrical Engineering, 2018, 71: 833–846
65
D, Panchal A K, Singh P, Chatterjee E K, Zavadskas M Keshavarz-Ghorabaee . A new fuzzy methodology-based structured framework for RAM and risk analysis. Applied Soft Computing, 2019, 74: 242–254
66
C, Schmitz S Pape . LiSRA: Lightweight Security Risk Assessment for decision support in information security. Computers & Security, 2020, 90: 101656
67
E, Lamine R, Thabet A, Sienou D, Bork F, Fontanili H Pingaud . BPRIM: an integrated framework for business process management and risk management. Computers in Industry, 2020, 117: 103199
68
N, Feng M Li . An information systems security risk assessment model under uncertain environment. Applied Soft Computing, 2011, 11( 7): 4332–4340
69
Yang Y P, Ou H M, Shieh G H Tzeng . A VIKOR technique based on DEMATEL and ANP for information security risk control assessment. Information Sciences, 2013, 232: 482–500
70
N, Feng H J, Wang M Li . A security risk analysis model for information systems: causal relationships of risk factors and vulnerability propagation analysis. Information Sciences, 2014, 256: 57–73
71
L, Wang B, Wang Y Peng . Research the information security risk assessment technique based on Bayesian network. In: Proceedings of the 3rd International Conference on Advanced Computer Theory and Engineering (ICACTE). 2010
72
J, Webb A, Ahmad S B, Maynard G Shanks . A situation awareness model for information security risk management. Computers & Security, 2014, 44: 1–15
73
Figueira P, Tubío Bravo C, López López J L Rivas . Improving information security risk analysis by including threat-occurrence predictive models. Computers & Security, 2020, 88: 101609
74
F, Khan J H, Kim L, Mathiassen R Moore . Data breach management: an integrated risk model. Information & Management, 2021, 58( 1): 103392
75
A, Schmidt L A, Albert K Zheng . Risk management for cyber-infrastructure protection: a bi-objective integer programming approach. Reliability Engineering & System Safety, 2021, 205: 107093
76
Y, Cherdantseva P, Burnap S, Nadjm-Tehrani K Jones . A configurable dependency model of a SCADA system for goal-oriented risk assessment. Applied Sciences, 2022, 12( 10): 4880
77
E, Vicente A, Mateos A Jiménez-Martín . Risk analysis in information systems: a fuzzification of the MAGERIT methodology. Knowledge-Based Systems, 2014, 66: 1–12
78
S, Mandal J Maiti . Risk analysis using FMEA: fuzzy similarity value and possibility theory based approach. Expert Systems with Applications, 2014, 41( 7): 3527–3537
79
Staalduinen M A, van F, Khan V, Gadag G Reniers . Functional quantitative security risk analysis (QSRA) to assist in protecting critical process infrastructure. Reliability Engineering & System Safety, 2017, 157: 23–34
80
H, Abdo M, Kaouk J M, Flaus F Masse . A safety/security risk analysis approach of Industrial Control Systems: a Cyber Bowtie − combining new version of attack tree with bowtie analysis. Computers & Security, 2018, 72: 175–195
81
S, Sicari A, Rizzardi D, Miorandi A Coen-Porisini . A risk assessment methodology for the Internet of Things. Computer Communications, 2018, 129: 67–79
82
S, Armenia M, Angelini F, Nonino G, Palombi M F Schlitzer . A dynamic simulation approach to support the evaluation of cyber risks and security investments in SMEs. Decision Support Systems, 2021, 147: 113580
83
E, Bozkuş İ, Kaya M Yakut . A fuzzy based model proposal on risk analysis for human-robot interactive systems. In: Proceedings of 2022 International Congress on Human-Computer Interaction, Optimization and Robotic Applications (HORA). 2022, 1−6
84
H Sato . A new formula of security risk analysis that takes risk improvement factor into account. In: Proceedings of the IEEE Third International Conference on Privacy, Security, Risk and Trust and 2011 IEEE Third International Conference on Social Computing. 2011, 1243−1248
85
F, Munodawafa A I Awad . Security risk assessment within hybrid data centers: a case study of delay sensitive applications. Journal of Information Security and Applications, 2018, 43: 61–72
86
N M, Scala A C, Reilly P L, Goethals M Cukier . Risk and the five hard problems of Cybersecurity. Risk Analysis, 2019, 39( 10): 2119–2126
87
Q, Li P, Lv M, Wang Z, Zhang S, Wang P, Fang L Gao . A risk assessment method of smart grid in cloud computing environment based on game theory. In: Proceedings of the 5th IEEE International Conference on Cloud Computing and Big Data Analytics (ICCCBDA). 2020, 67−72
88
V, Malik S Singh . Intelligent strategies for cloud computing risk management and testing. In: Proceedings of ICMDE 2020 Computational Methods and Data Engineering. 2020, 101−114
89
A I, Volkov V G, Semin E R Khakimullin . Modeling the structures of threats to information security risks based on a fuzzy approach. In: Proceedings of 2020 International Conference Quality Management, Transport and Information Security, Information Technologies (IT&QM&IS). 2020, 132−135
90
A G, Petrescu M A, Postole M Ciobanasu . The international experience in security risk analysis methods. In: Oncioiu I, ed. Network Security and its Impact on Business Strategy. Hershey, PA, USA: IGI Global, 2019, 157–169
91
M, Khosravi-Farmad A Ghaemi-Bafghi . Bayesian decision network-based security risk management framework. Journal of Network and Systems Management, 2020, 28( 4): 1794–1819
92
P Genchev . An approach to support information security risk assessment. In: Proceedings of 2020 International Conference on Biomedical Innovations and Applications (BIA). 2020, 125−128
93
P, Burnap Y, Cherdantseva A, Blyth P, Eden K, Jones H, Soulsby K Stoddart . Determining and sharing risk data in distributed interdependent systems. Computer, 2017, 50( 4): 72–79
94
T Tagarev . Towards the design of a collaborative cybersecurity networked organisation: identification and prioritisation of governance needs and objectives. Future Internet, 2020, 12( 4): 62
95
I, Kuzminykh B, Ghita V, Sokolov T Bakhshi . Information security risk assessment. Encyclopedia, 2021, 1( 3): 602–617
96
I Lee . Cybersecurity: risk management framework and investment cost analysis. Business Horizons, 2021, 64( 5): 659–671
97
M, Arafah S H, Bakry R, Al-Dayel O Faheem . Exploring cybersecurity metrics for strategic units: a generic framework for future work. In: Proceedings of 2019 Future of Information and Communication Conference on Information and Communication. 2020, 881−891
98
I, Kotenko E, Doynikova A, Chechulin A Fedorchenko . AI- and metrics-based vulnerability-centric cyber security assessment and countermeasure selection. In: Parkinson S, Crampton A, Hill R, eds. Guide to Vulnerability Analysis for Computer Networks and Systems: An Artificial Intelligence Approach. Cham: Springer International Publishing, 2018, 101−130
99
K, Piromsopa T, Klima L Pavlik . Designing model for calculating the amount of cyber risk insurance. In: Proceedings of the 4th International Conference on Mathematics and Computers in Sciences and in Industry (MCSI). 2017, 196−200
100
G, Stergiopoulos D, Gritzalis V Kouktzoglou . Using formal distributions for threat likelihood estimation in cloud-enabled IT risk assessment. Computer Networks, 2018, 134: 23–45
101
W, Abbass A, Baina M Bellafkih . Using EBIOS for risk management in critical information infrastructure. In: Proceedings of the 5th World Congress on Information and Communication Technologies (WICT). 2015, 107−112
102
R, Oppliger G, Pernul S Katsikas . New frontiers: assessing and managing security risks. Computer, 2017, 50( 4): 48–51
103
C, García-Porras S, Huamani-Pastor J Armas-Aguirre . Information security risk management model for Peruvian SMEs. In: Proceedings of 2018 IEEE Sciences and Humanities International Research Conference (SHIRCON). 2018, 1−5
104
P, Wagner G, Hansch C, Konrad K H, John J, Bauer J Franke . Applicability of security standards for operational technology by SMEs and large enterprises. In: Proceedings of the 25th IEEE International Conference on Emerging Technologies and Factory Automation (ETFA). 2020, 1544−1551
105
H K, Skrodelis J, Strebko A Romanovs . The information system security governance tasks in small and medium enterprises. In: Proceedings of the 61st International Scientific Conference on Information Technology and Management Science of Riga Technical University (ITMS). 2020, 1−4
106
M, Antunes M, Maximiano R, Gomes D Pinto . Information security and cybersecurity management: a case study with SMEs in Portugal. Journal of Cybersecurity and Privacy, 2021, 1( 2): 219–238
107
A K, Gill P, Zavarsky B Swar . Automation of security and privacy controls for efficient information security management. In: Proceedings of the 2nd International Conference on Secure Cyber Computing and Communications (ICSCCC). 2021, 371−375
