Assessing the Performance of a Classification-Based Vulnerability Analysis Model.
Wang Tai-ran,Mousseau Vincent,Pedroni Nicola,Zio Enrico
Risk analysis : an official publication of the Society for Risk Analysis
In this article, a classification model based on the majority rule sorting (MR-Sort) method is employed to evaluate the vulnerability of safety-critical systems with respect to malevolent intentional acts. The model is built on the basis of a (limited-size) set of data representing (a priori known) vulnerability classification examples. The empirical construction of the classification model introduces a source of uncertainty into the vulnerability analysis process: a quantitative assessment of the performance of the classification model (in terms of accuracy and confidence in the assignments) is thus in order. Three different app oaches are here considered to this aim: (i) a model-retrieval-based approach, (ii) the bootstrap method, and (iii) the leave-one-out cross-validation technique. The analyses are presented with reference to an exemplificative case study involving the vulnerability assessment of nuclear power plants.
10.1111/risa.12305
Infrastructure Vulnerability Assessment Model (I-VAM).
Ezell Barry Charles
Risk analysis : an official publication of the Society for Risk Analysis
Quantifying vulnerability to critical infrastructure has not been adequately addressed in the literature. Thus, the purpose of this article is to present a model that quantifies vulnerability. Vulnerability is defined as a measure of system susceptibility to threat scenarios. This article asserts that vulnerability is a condition of the system and it can be quantified using the Infrastructure Vulnerability Assessment Model (I-VAM). The model is presented and then applied to a medium-sized clean water system. The model requires subject matter experts (SMEs) to establish value functions and weights, and to assess protection measures of the system. Simulation is used to account for uncertainty in measurement, aggregate expert assessment, and to yield a vulnerability (Omega) density function. Results demonstrate that I-VAM is useful to decisionmakers who prefer quantification to qualitative treatment of vulnerability. I-VAM can be used to quantify vulnerability to other infrastructures, supervisory control and data acquisition systems (SCADA), and distributed control systems (DCS).
10.1111/j.1539-6924.2007.00907.x
Development of a security vulnerability assessment process for the RAMCAP chemical sector.
Moore David A,Fuller Brad,Hazzan Michael,Jones J William
Journal of hazardous materials
The Department of Homeland Security (DHS), Directorate of Information Analysis & Infrastructure Protection (IAIP), Protective Services Division (PSD), contracted the American Society of Mechanical Engineers Innovative Technologies Institute, LLC (ASME ITI, LLC) to develop guidance on Risk Analysis and Management for Critical Asset Protection (RAMCAP). AcuTech Consulting Group (AcuTech) has been contracted by ASME ITI, LLC, to provide assistance by facilitating the development of sector-specific guidance on vulnerability analysis and management for critical asset protection for the chemical manufacturing, petroleum refining, and liquefied natural gas (LNG) sectors. This activity involves two key tasks for these three sectors: Development of a screening to supplement DHS understanding of the assets that are important to protect against terrorist attack and to prioritize the activities. Development of a standard security vulnerability analysis (SVA) framework for the analysis of consequences, vulnerabilities, and threats. This project involves the cooperative effort of numerous leading industrial companies, industry trade associations, professional societies, and security and safety consultants representative of those sectors. Since RAMCAP is a voluntary program for ongoing risk management for homeland security, sector coordinating councils are being asked to assist in communicating the goals of the program and in encouraging participation. The RAMCAP project will have a profound and positive impact on all sectors as it is fully developed, rolled-out and implemented. It will help define the facilities and operations of national and regional interest for the threat of terrorism, define standardized methods for analyzing consequences, vulnerabilities, and threats, and describe best security practices of the industry. This paper will describe the results of the security vulnerability analysis process that was developed and field tested for the chemical manufacturing sector. This method was developed through the cooperation of the many organizations and the individuals involved from the chemical sector RAMCAP development activities. The RAMCAP SVA method is intended to provide a common basis for making vulnerability assessments and risk-based decisions for homeland security. Mr. Moore serves as the coordinator for the chemical manufacturing, petroleum refining, and LNG sectors for the RAMCAP project and Dr. Jones is the chief technology officer for ASME-ITI, LLC for RAMCAP.
10.1016/j.jhazmat.2006.06.133
Security Risk Intelligent Assessment of Power Distribution Internet of Things via Entropy-Weight Method and Cloud Model.
Sensors (Basel, Switzerland)
The current power distribution Internet of Things (PDIoT) lacks security protection terminals and techniques. Network security has a large exposure surface that can be attacked from multiple paths. In addition, there are many network security vulnerabilities and weak security protection capabilities of power distribution Internet of Things terminals. Therefore, it is crucial to conduct a scientific assessment of the security of PDIoT. However, traditional security assessment methods are relatively subjective and ambiguous. To address the problems, we propose to use the entropy-weight method and cloud model theory to assess the security risk of the PDIoT. We first analyze the factors of security risks in PDIoT systems and establish a three-layer PDIoT security evaluation index system, including a perception layer, network layer, and application layer. The index system has three first-level indicators and sixteen second-level indicators. Then, the entropy-weight method is used to optimize the weight of each index. Additionally, the cloud model theory is employed to calculate the affiliation degree and eigenvalue of each evaluation index. Based on a comprehensive analysis of all evaluation indexes, we can achieve the security level of PDIoT. Taking the PDIoT of Meizhou Power Supply Bureau of Guangdong Power Grid as an example for empirical testing, the experimental results show that the evaluation results are consistent with the actual situation, which proves that the proposed method is effective and feasible.
10.3390/s22134663
Toward an Epidemiology of Safety and Security Risks: An Organizational Vulnerability Assessment in International Airports.
Bongiovanni Ivano,Newton Cameron
Risk analysis : an official publication of the Society for Risk Analysis
International airports are complex sociotechnical systems that have an intrinsic potential to develop safety and security disruptions. In the absence of appropriate defenses, and when the potential for disruption is neglected, organizational crises can occur and jeopardize aviation services. This investigation examines the ways in which modern international airports can be "authors of their own misfortune" by adopting practices, attitudes, and behaviors that could increase their overall level of vulnerability. A sociotechnical perspective, the macroergonomic approach, is applied in this research to detect the potential organizational determinants of vulnerability in airport operations. Qualitative data nurture the case study on international airports produced by the present research. Findings from this study highlight that systemic weaknesses frequently reside in areas at the intersection of physical, organizational, and social spaces. Specific pathways of vulnerability can be drawn across these areas, involving the following systemic layers: individual, task, tools and technology, environment, and organization. This investigation expands the existing literature on the dynamics that characterize crisis incubation in multiorganization, multistakeholder systems such as international airports and provides practical recommendations for airport managers to improve their capabilities to early detect symptoms of organizational vulnerability.
10.1111/risa.13238
Cyber and Physical Security Vulnerability Assessment for IoT-Based Smart Homes.
Ali Bako,Awad Ali Ismail
Sensors (Basel, Switzerland)
The Internet of Things (IoT) is an emerging paradigm focusing on the connection of devices, objects, or "things" to each other, to the Internet, and to users. IoT technology is anticipated to become an essential requirement in the development of smart homes, as it offers convenience and efficiency to home residents so that they can achieve better quality of life. Application of the IoT model to smart homes, by connecting objects to the Internet, poses new security and privacy challenges in terms of the confidentiality, authenticity, and integrity of the data sensed, collected, and exchanged by the IoT objects. These challenges make smart homes extremely vulnerable to different types of security attacks, resulting in IoT-based smart homes being insecure. Therefore, it is necessary to identify the possible security risks to develop a complete picture of the security status of smart homes. This article applies the operationally critical threat, asset, and vulnerability evaluation (OCTAVE) methodology, known as OCTAVE Allegro, to assess the security risks of smart homes. The OCTAVE Allegro method focuses on information assets and considers different information containers such as databases, physical papers, and humans. The key goals of this study are to highlight the various security vulnerabilities of IoT-based smart homes, to present the risks on home inhabitants, and to propose approaches to mitigating the identified risks. The research findings can be used as a foundation for improving the security requirements of IoT-based smart homes.
10.3390/s18030817