A risk analysis methodology for modern networks
SubjectΑρχιτεκτονική ηλεκτρονικών υπολογιστών ; Computer architecture ; Computer security ; Ασφάλεια ηλεκτρονικών υπολογιστών ; Ηλεκτρονικοί υπολογιστές -- Δίκτυα -- Μέτρα ασφαλείας ; Computer networks -- Security measures
Recently, organizations around the world are becoming aware of the need to run risk management programs in order to enhance their information security. However, the majority of the existing qualitative/empirical methods fail to adhere to the terminology defined by ISO 27005 and study deliberate threats in a high level which could prove misleading for complex threats. In this work, after making a review of current work in risk analysis and security assessment in general, a quantitative risk analysis methodology for deliberate threats is introduced. The proposed approach follows the steps suggested by the ISO 27005 standard for risk management, extending them in order to focus on deliberate threats and the different information security incidents that realize them. It is based on three-levels: the conceptual foundation level, the modeling tools level and the mathematical foundation level. The conceptual foundation level defines and analyzes the terminology involved, using unified modeling language (UML) class diagrams. The modeling tools level introduces certain tools that assist in modeling the relations among different concepts. The mathematical foundation level includes all the different mathematical formulas and techniques used to estimate risk values for each threat. Moreover, we implement this methodology on GPRS, which is a well-studied yet complex system, and more specifically on user data interception over the radio interface, which is considered one of the most important threats of GPRS security.