Pub Date : 2013-12-06DOI: 10.1109/ISIAS.2013.6947732
F. Arnold, W. Pieters, M. Stoelinga
Existing penetration testing approaches assess the vulnerability of a system by determining whether certain attack paths are possible in practice. Thus, penetration testing has so far been used as a qualitative research method. To enable quantitative approaches to security risk management, including decision support based on the cost-effectiveness of countermeasures, one needs quantitative measures of the feasibility of an attack. Also, when physical or social attack steps are involved, the binary view on whether a vulnerability is present or not is insufficient, and one needs some viability metric. When penetration tests are performed anyway, it is very easy for the testers to keep track of, for example, the time they spend on each attack step. Therefore, this paper proposes the concept of quantitative penetration testing to determine the difficulty rather than the possibility of attacks based on such measurements. We do this by step-wise updates of expected time and probability of success for all steps in an attack scenario. In addition, we show how the skill of the testers can be included to improve the accuracy of the metrics, based on the framework of item response theory (Elo ratings). We prove the feasibility of the approach by means of simulations, and discuss application possibilities.
{"title":"Quantitative penetration testing with item response theory","authors":"F. Arnold, W. Pieters, M. Stoelinga","doi":"10.1109/ISIAS.2013.6947732","DOIUrl":"https://doi.org/10.1109/ISIAS.2013.6947732","url":null,"abstract":"Existing penetration testing approaches assess the vulnerability of a system by determining whether certain attack paths are possible in practice. Thus, penetration testing has so far been used as a qualitative research method. To enable quantitative approaches to security risk management, including decision support based on the cost-effectiveness of countermeasures, one needs quantitative measures of the feasibility of an attack. Also, when physical or social attack steps are involved, the binary view on whether a vulnerability is present or not is insufficient, and one needs some viability metric. When penetration tests are performed anyway, it is very easy for the testers to keep track of, for example, the time they spend on each attack step. Therefore, this paper proposes the concept of quantitative penetration testing to determine the difficulty rather than the possibility of attacks based on such measurements. We do this by step-wise updates of expected time and probability of success for all steps in an attack scenario. In addition, we show how the skill of the testers can be included to improve the accuracy of the metrics, based on the framework of item response theory (Elo ratings). We prove the feasibility of the approach by means of simulations, and discuss application possibilities.","PeriodicalId":370107,"journal":{"name":"2013 9th International Conference on Information Assurance and Security (IAS)","volume":"1 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2013-12-06","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"130637920","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2013-12-01DOI: 10.1109/ISIAS.2013.6947748
Andrey Sapegin, David Jaeger, Amir Azodi, Marian Gawron, Feng Cheng, C. Meinel
The differences in log file formats employed in a variety of services and applications remain to be a problem for security analysts and developers of intrusion detection systems. The proposed solution, i.e. the usage of common log formats, has a limited utilization within existing solutions for security management. In our paper, we reveal the reasons for this limitation. We show disadvantages of existing common log formats for normalisation of security events. To deal with it we have created a new log format that fits for intrusion detection purposes and can be extended easily. Taking previous work into account, we would like to propose a new format as an extension to existing common log formats, rather than a standalone specification.
{"title":"Hierarchical object log format for normalisation of security events","authors":"Andrey Sapegin, David Jaeger, Amir Azodi, Marian Gawron, Feng Cheng, C. Meinel","doi":"10.1109/ISIAS.2013.6947748","DOIUrl":"https://doi.org/10.1109/ISIAS.2013.6947748","url":null,"abstract":"The differences in log file formats employed in a variety of services and applications remain to be a problem for security analysts and developers of intrusion detection systems. The proposed solution, i.e. the usage of common log formats, has a limited utilization within existing solutions for security management. In our paper, we reveal the reasons for this limitation. We show disadvantages of existing common log formats for normalisation of security events. To deal with it we have created a new log format that fits for intrusion detection purposes and can be extended easily. Taking previous work into account, we would like to propose a new format as an extension to existing common log formats, rather than a standalone specification.","PeriodicalId":370107,"journal":{"name":"2013 9th International Conference on Information Assurance and Security (IAS)","volume":"35 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2013-12-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"125074223","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2013-12-01DOI: 10.1109/ISIAS.2013.6947744
Dhekra Bousnina, R. Ejbali, M. Zaied, C. Amar
This paper presents a virtual object control method of augmented reality scene. We have based on control approach on speech recognition. The idea came from human-machine interaction. The speech recognition system is based on wavelet network. In this paper, we have briefly described the used toolkit to do with the augmented reality. Then, we present the speech recognition approach the training and recognition approach. Finally, we present the results.
{"title":"A wavelet network speech recognition system to control an augmented reality object","authors":"Dhekra Bousnina, R. Ejbali, M. Zaied, C. Amar","doi":"10.1109/ISIAS.2013.6947744","DOIUrl":"https://doi.org/10.1109/ISIAS.2013.6947744","url":null,"abstract":"This paper presents a virtual object control method of augmented reality scene. We have based on control approach on speech recognition. The idea came from human-machine interaction. The speech recognition system is based on wavelet network. In this paper, we have briefly described the used toolkit to do with the augmented reality. Then, we present the speech recognition approach the training and recognition approach. Finally, we present the results.","PeriodicalId":370107,"journal":{"name":"2013 9th International Conference on Information Assurance and Security (IAS)","volume":"1 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2013-12-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"124929223","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2013-12-01DOI: 10.1109/ISIAS.2013.6947746
Markus Graube, P. Órtiz, M. Carnerero, Ó. Lázaro, Mikel Uriarte, L. Urbas
Linked Data offers easy extensibility and interoperability of information spaces. This provides a great potential for industrial companies allowing to share information with partners in a virtual enterprise. Hence, together they can become faster and more flexible which results in an advantage in the market. However, there is still the barrier to protect own information with a fine grain. Access control graphs are an approach for this issue. Information is put into different views by executing infer mechanisms on role-based policy rules. Afterwards queries are automatically rewritten at runtime in order to match the generated views and provide only data from views that should be accessible by the authenticated role. This paper demonstrates the balance between flexibility and security using this approach. The amount and complexity of the policy rules are highly dependent on the information model used. However, a moderate restriction of the huge flexibility in the information modelling allows for few rules but those are powerful ones. Additionally, the approach allows can also be leveraged for consistency checking of Linked Data data structures. Thus, clients can rely on these information invariants and the information provider can rely on the fact that fine grained access is granted.
{"title":"Flexibility vs. security in linked enterprise data access control graphs","authors":"Markus Graube, P. Órtiz, M. Carnerero, Ó. Lázaro, Mikel Uriarte, L. Urbas","doi":"10.1109/ISIAS.2013.6947746","DOIUrl":"https://doi.org/10.1109/ISIAS.2013.6947746","url":null,"abstract":"Linked Data offers easy extensibility and interoperability of information spaces. This provides a great potential for industrial companies allowing to share information with partners in a virtual enterprise. Hence, together they can become faster and more flexible which results in an advantage in the market. However, there is still the barrier to protect own information with a fine grain. Access control graphs are an approach for this issue. Information is put into different views by executing infer mechanisms on role-based policy rules. Afterwards queries are automatically rewritten at runtime in order to match the generated views and provide only data from views that should be accessible by the authenticated role. This paper demonstrates the balance between flexibility and security using this approach. The amount and complexity of the policy rules are highly dependent on the information model used. However, a moderate restriction of the huge flexibility in the information modelling allows for few rules but those are powerful ones. Additionally, the approach allows can also be leveraged for consistency checking of Linked Data data structures. Thus, clients can rely on these information invariants and the information provider can rely on the fact that fine grained access is granted.","PeriodicalId":370107,"journal":{"name":"2013 9th International Conference on Information Assurance and Security (IAS)","volume":"64 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2013-12-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"129827607","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2013-12-01DOI: 10.1109/ISIAS.2013.6947733
Gianpiero Costantino, F. Martinelli, D. Sgandurra
Single Sign-On (SSO) is an authentication procedure that allows users to adopt the same credentials to access multiple services. On the other hand, OAuth 2.0 is a protocol that enables authorized applications to access data that are stored in a resource server. A practical example of the adoption of SSO with OAuth 2.0 is given by all the websites or applications that use the “Log in with Facebook” procedure to authenticate users already registered with Facebook. In this paper, we propose a mechanism that exploits a weakness of OAuth 2.0 and a missing control of the website to show how it is possible to register a user by reducing the number of scopes that the website requires with the “Log in with Facebook” procedure. Finally, we illustrate two examples that exploit the proposed mechanism and provide a solution to address the problem.
单点登录(SSO)是一种身份验证过程,允许用户使用相同的凭据访问多个服务。另一方面,OAuth 2.0是一种允许授权应用程序访问存储在资源服务器中的数据的协议。所有使用“login with Facebook”过程对已经在Facebook注册的用户进行身份验证的网站或应用程序都给出了一个使用OAuth 2.0采用SSO的实际示例。在本文中,我们提出了一种机制,利用OAuth 2.0的弱点和对网站的缺失控制来展示如何通过减少“登录Facebook”过程中网站所需的范围数量来注册用户。最后,我们举例说明了利用所提出的机制并提供解决问题的解决方案的两个示例。
{"title":"How to grant less permissions to facebook applications","authors":"Gianpiero Costantino, F. Martinelli, D. Sgandurra","doi":"10.1109/ISIAS.2013.6947733","DOIUrl":"https://doi.org/10.1109/ISIAS.2013.6947733","url":null,"abstract":"Single Sign-On (SSO) is an authentication procedure that allows users to adopt the same credentials to access multiple services. On the other hand, OAuth 2.0 is a protocol that enables authorized applications to access data that are stored in a resource server. A practical example of the adoption of SSO with OAuth 2.0 is given by all the websites or applications that use the “Log in with Facebook” procedure to authenticate users already registered with Facebook. In this paper, we propose a mechanism that exploits a weakness of OAuth 2.0 and a missing control of the website to show how it is possible to register a user by reducing the number of scopes that the website requires with the “Log in with Facebook” procedure. Finally, we illustrate two examples that exploit the proposed mechanism and provide a solution to address the problem.","PeriodicalId":370107,"journal":{"name":"2013 9th International Conference on Information Assurance and Security (IAS)","volume":"75 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2013-12-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"125233004","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2013-12-01DOI: 10.1109/ISIAS.2013.6947728
A. Balti, M. Sayadi, F. Fnaiech
Our objective of this project is to apply the theory of linear algebra called “singular value decomposition (SVD)” to digital image processing, specifically for fingerprint images verification. For optimal recognition, we proceed in two steps. In the first step, we begin by identifying the fingerprint features with SVD approach. In the second step, the classification accuracy of the proposed approach is evaluated with Back Propagation Neural Network (BPNN) classifier. I have implemented many extensive experiments, they prove that the fingerprint classification based on a novel SVD features and the BPNN give better results in fingerprint verification than several other features and methods.
{"title":"Finger verification Using SVD features","authors":"A. Balti, M. Sayadi, F. Fnaiech","doi":"10.1109/ISIAS.2013.6947728","DOIUrl":"https://doi.org/10.1109/ISIAS.2013.6947728","url":null,"abstract":"Our objective of this project is to apply the theory of linear algebra called “singular value decomposition (SVD)” to digital image processing, specifically for fingerprint images verification. For optimal recognition, we proceed in two steps. In the first step, we begin by identifying the fingerprint features with SVD approach. In the second step, the classification accuracy of the proposed approach is evaluated with Back Propagation Neural Network (BPNN) classifier. I have implemented many extensive experiments, they prove that the fingerprint classification based on a novel SVD features and the BPNN give better results in fingerprint verification than several other features and methods.","PeriodicalId":370107,"journal":{"name":"2013 9th International Conference on Information Assurance and Security (IAS)","volume":"240 ","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2013-12-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"120866175","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2013-12-01DOI: 10.1109/ISIAS.2013.6947743
V. G. Martínez, L. H. Encinas
Elliptic Curve Cryptography (ECC) is a branch of public-key cryptography based on the arithmetic of elliptic curves. Given its mathematical characteristics, ECC is currently one of the best options for protecting sensitive information. The lastest version of the Java Card platform includes several classes related to elliptic curves. However, potential developers are discouraged by the peculiarities of its programming model and the scarce information available. In this work, we present an up to date and extensive review of the ECC support in Java Card. In addition to that, we offer to the reader the complete code of an application that will allow programmers to understand and test the entire application development process in Java Card.
{"title":"Developing ECC applications in Java Card","authors":"V. G. Martínez, L. H. Encinas","doi":"10.1109/ISIAS.2013.6947743","DOIUrl":"https://doi.org/10.1109/ISIAS.2013.6947743","url":null,"abstract":"Elliptic Curve Cryptography (ECC) is a branch of public-key cryptography based on the arithmetic of elliptic curves. Given its mathematical characteristics, ECC is currently one of the best options for protecting sensitive information. The lastest version of the Java Card platform includes several classes related to elliptic curves. However, potential developers are discouraged by the peculiarities of its programming model and the scarce information available. In this work, we present an up to date and extensive review of the ECC support in Java Card. In addition to that, we offer to the reader the complete code of an application that will allow programmers to understand and test the entire application development process in Java Card.","PeriodicalId":370107,"journal":{"name":"2013 9th International Conference on Information Assurance and Security (IAS)","volume":"20 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2013-12-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"133571395","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2013-12-01DOI: 10.1109/ISIAS.2013.6947736
R. Abdullah, M. Faizal, Z. Noh, S. R. Selamat, M. Z. Mas'ud, S. Shahrin
Nowadays, botnets are the most advanced cybercrime as being powerful threaten to the internet infrastructure by risking the Internet stability and security. Millions of computers have been hijacking and infecting by botnets especially during peak activity. The P2P botnets exploit users and dominating the P2P technology which make botnets are harder to detect and terminated. As P2P botnets issues been highlighted as it's dramatically evolvement, this paper addresses on current problems relate to P2P botnets faced by users and recommending the improvement. Also, this paper concentrated on proposing P2P botnets detection framework. Also, an in-depth analysis of P2P botnets has been conducted to understand and cope with their behaviors and characteristics. The new improvement has been introduced at the propose botnets framework architecture to improve the effectiveness of P2P detection analysis. The framework architecture has been structuralized with hybrid analyzer through the marriage of host-based and network based. Prior to this matter, this research has proposed a new enhancement on framework architecture that has been reinforced by hybrid detection technique to improve the effectiveness and efficiency of P2P botnets detection.
{"title":"Enhanced P2P botnets detection framework architecture with hybrid analyzer: Host-based and network-based","authors":"R. Abdullah, M. Faizal, Z. Noh, S. R. Selamat, M. Z. Mas'ud, S. Shahrin","doi":"10.1109/ISIAS.2013.6947736","DOIUrl":"https://doi.org/10.1109/ISIAS.2013.6947736","url":null,"abstract":"Nowadays, botnets are the most advanced cybercrime as being powerful threaten to the internet infrastructure by risking the Internet stability and security. Millions of computers have been hijacking and infecting by botnets especially during peak activity. The P2P botnets exploit users and dominating the P2P technology which make botnets are harder to detect and terminated. As P2P botnets issues been highlighted as it's dramatically evolvement, this paper addresses on current problems relate to P2P botnets faced by users and recommending the improvement. Also, this paper concentrated on proposing P2P botnets detection framework. Also, an in-depth analysis of P2P botnets has been conducted to understand and cope with their behaviors and characteristics. The new improvement has been introduced at the propose botnets framework architecture to improve the effectiveness of P2P detection analysis. The framework architecture has been structuralized with hybrid analyzer through the marriage of host-based and network based. Prior to this matter, this research has proposed a new enhancement on framework architecture that has been reinforced by hybrid detection technique to improve the effectiveness and efficiency of P2P botnets detection.","PeriodicalId":370107,"journal":{"name":"2013 9th International Conference on Information Assurance and Security (IAS)","volume":"13 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2013-12-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"125146567","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2013-12-01DOI: 10.1109/ISIAS.2013.6947745
Pardis Pourghomi, M. Saeed, G. Ghinea
Near Field Communication (NFC) is a short range wireless technology that provides contactless transmission of data between devices. With an NFC enabled device, users can exchange information from one device to another, make payments and use their NFC enabled device as their identity. As the main payment ecosystem players such as service providers and secure element issuers have crucial roles in a multi-application mobile environment similar to NFC, managing such an environment has become very challenging. One of the technologies that can be used to ensure secure NFC transaction is cloud computing which offers wide range of advantages compare to the use of a Secure Element (SE) as a single entity in an NFC enabled phone. This approach provides a comprehensive leadership of the cloud provider towards managing and controlling customer's information where it allows the SE which is stored within an NFC phone to deal with authentication mechanisms rather than storing and managing sensitive transaction information. This paper discusses the NFC cloud Wallet model which has been proposed by us previously [1] and introduces a different insight that defines a new integrated framework based on a trusted relationship between the vendor and the Mobile Network Operator (MNO). We then carry out an analysis of such a relationship to investigate different possibilities that arise from this approach.
{"title":"Trusted integration of cloud-based NFC transaction players","authors":"Pardis Pourghomi, M. Saeed, G. Ghinea","doi":"10.1109/ISIAS.2013.6947745","DOIUrl":"https://doi.org/10.1109/ISIAS.2013.6947745","url":null,"abstract":"Near Field Communication (NFC) is a short range wireless technology that provides contactless transmission of data between devices. With an NFC enabled device, users can exchange information from one device to another, make payments and use their NFC enabled device as their identity. As the main payment ecosystem players such as service providers and secure element issuers have crucial roles in a multi-application mobile environment similar to NFC, managing such an environment has become very challenging. One of the technologies that can be used to ensure secure NFC transaction is cloud computing which offers wide range of advantages compare to the use of a Secure Element (SE) as a single entity in an NFC enabled phone. This approach provides a comprehensive leadership of the cloud provider towards managing and controlling customer's information where it allows the SE which is stored within an NFC phone to deal with authentication mechanisms rather than storing and managing sensitive transaction information. This paper discusses the NFC cloud Wallet model which has been proposed by us previously [1] and introduces a different insight that defines a new integrated framework based on a trusted relationship between the vendor and the Mobile Network Operator (MNO). We then carry out an analysis of such a relationship to investigate different possibilities that arise from this approach.","PeriodicalId":370107,"journal":{"name":"2013 9th International Conference on Information Assurance and Security (IAS)","volume":"55 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2013-12-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"128376920","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Risk assessment and management for information system are very important for assuring the system security. It requires not only careful but also systematic analysis of threat and vulnerability information. Depending on the analysis result, we could determine the extent to which events could adversely impact the organization and the likelihood that such events will occur. Under FISMA(Federal Information Security Management Act) of 2002, the Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST) develops a series of publications to protect the information system. In this paper, we give the outline of the state of the art of the risk assessment and management in the ITL at NIST. Some fundamental concepts and model are introduced to interpret the process of risk assessment. Besides, the relationship among the security related publications corresponding with the risk management is analyzed and concluded.
{"title":"The state of the art of risk assessment and management for information systems","authors":"Lulu Liang, Wang Ren, Jing Song, Huaming Hu, Qiang He, Shuo Fang","doi":"10.1109/ISIAS.2013.6947735","DOIUrl":"https://doi.org/10.1109/ISIAS.2013.6947735","url":null,"abstract":"Risk assessment and management for information system are very important for assuring the system security. It requires not only careful but also systematic analysis of threat and vulnerability information. Depending on the analysis result, we could determine the extent to which events could adversely impact the organization and the likelihood that such events will occur. Under FISMA(Federal Information Security Management Act) of 2002, the Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST) develops a series of publications to protect the information system. In this paper, we give the outline of the state of the art of the risk assessment and management in the ITL at NIST. Some fundamental concepts and model are introduced to interpret the process of risk assessment. Besides, the relationship among the security related publications corresponding with the risk management is analyzed and concluded.","PeriodicalId":370107,"journal":{"name":"2013 9th International Conference on Information Assurance and Security (IAS)","volume":"128 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2013-12-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"116521954","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
京公网安备 11010802042870号
京ICP备2023020795号-1
扫码关注我们
求助内容:
应助结果提醒方式: