Abstract
For many IT systems, security is considered a key quality factor. For health care systems in particular, security is of utmost importance, since it is directly related to patients' health and safety. Risk assessment is an important activity in security management: it aims at identifying assets, threats and vulnerabilities, and at analysing the implemented countermeasures and their effectiveness in mitigating risks. This paper discusses a new risk assessment method in which risk calculation is based on the Fuzzy Cognitive Maps (FCMs) approach. FCMs are used to capture dependencies between assets, and FCM-based reasoning is applied to aggregate the risks assigned to lower-level assets (e.g. hardware, software modules, communications, people) into risks for such high-level assets as services, maintained data and processes. An application of the method is studied on the example of an e-health system providing remote telemonitoring, data storage and teleconsultation services. Lessons learned indicate that the proposed method is an efficient and low-cost approach, giving instantaneous feedback and enabling reasoning on the effectiveness of the security system.
This work is supported by the National Centre for Research and Development (NCBiR) under Grant No. NR13-0093-10.
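The abstract describes the core of the method: lower-level assets carry analyst-assigned risk levels, weighted edges of a Fuzzy Cognitive Map express how strongly a service, data set or process depends on them, and FCM reasoning propagates risk up the hierarchy. The following is an added example illustrating that mechanism; it is not code from the paper or the SWOP project. The asset names, edge weights and risk values are constructed for illustration, and the standard FCM iteration uses a hyperbolic-tangent transfer function clipped at zero (an assumption made here so that zero input risk yields zero aggregated risk; the abstract does not state the paper's exact transfer function).

```python
"""Hierarchical risk aggregation with a Fuzzy Cognitive Map (added example).

Leaf concepts (hardware, software, links, people) receive risk levels in [0, 1];
directed weighted edges say how strongly a higher-level asset depends on a
lower-level one; synchronous FCM updates propagate risk until the map is stable.
"""
import math
from typing import Dict, Iterable, List, Tuple

Edge = Tuple[str, str, float]  # (source, target, weight in [-1, 1])


def transfer(x: float, lam: float = 1.0) -> float:
    """Squashing function (assumption): tanh keeps risk in [0, 1) for
    non-negative input and maps zero input to zero; negative totals (net
    mitigating influence) are clipped so risk never goes below zero."""
    return max(0.0, math.tanh(lam * x))


class RiskFCM:
    def __init__(self, edges: Iterable[Edge], lam: float = 1.0) -> None:
        self.edges: List[Edge] = list(edges)
        self.lam = lam
        names: List[str] = []
        for src, dst, w in self.edges:
            if not -1.0 <= w <= 1.0:
                raise ValueError(f"weight {w} for {src}->{dst} outside [-1, 1]")
            for name in (src, dst):
                if name not in names:
                    names.append(name)
        self.concepts = names
        self.index = {c: i for i, c in enumerate(names)}
        n = len(names)
        self.w = [[0.0] * n for _ in range(n)]  # w[src][dst]
        for src, dst, wt in self.edges:
            self.w[self.index[src]][self.index[dst]] = wt
        # Leaves have no incoming edge: their risk is an analyst-supplied input.
        self.leaves = [c for c in names
                       if not any(row[self.index[c]] != 0.0 for row in self.w)]

    def run(self, leaf_risk: Dict[str, float], max_iter: int = 100,
            eps: float = 1e-6) -> Tuple[Dict[str, float], int]:
        """Propagate leaf risks upward; return (risk per concept, sweeps used)."""
        missing = set(self.leaves) - set(leaf_risk)
        extra = set(leaf_risk) - set(self.leaves)
        if missing or extra:
            raise ValueError(f"missing leaf risks {sorted(missing)}, "
                             f"inputs given for non-leaves {sorted(extra)}")
        for c, r in leaf_risk.items():
            if not 0.0 <= r <= 1.0:
                raise ValueError(f"risk {r} for {c} outside [0, 1]")
        n = len(self.concepts)
        a = [0.0] * n
        for c, r in leaf_risk.items():
            a[self.index[c]] = r
        leaf_idx = {self.index[c] for c in self.leaves}
        sweeps = 0
        while sweeps < max_iter:
            sweeps += 1
            new = list(a)
            for i in range(n):
                if i in leaf_idx:
                    continue  # inputs stay clamped
                total = sum(a[j] * self.w[j][i] for j in range(n))
                new[i] = transfer(total, self.lam)
            delta = max(abs(x - y) for x, y in zip(new, a))
            a = new
            if delta < eps:
                break
        return dict(zip(self.concepts, a)), sweeps

    def what_if(self, base: Dict[str, float],
                changes: Dict[str, float]) -> Dict[str, float]:
        """Change in aggregated risk of every non-leaf concept after lowering
        (or raising) some leaf risks, e.g. after deploying a countermeasure."""
        before, _ = self.run(base)
        after, _ = self.run({**base, **changes})
        return {c: after[c] - before[c]
                for c in self.concepts if c not in self.leaves}


# Constructed telemonitoring scenario (illustrative names and weights only).
EDGES: List[Edge] = [
    ("sensor_device", "telemonitoring", 0.6), ("gateway_sw", "telemonitoring", 0.7),
    ("gsm_link", "telemonitoring", 0.8), ("db_server", "data_storage", 0.9),
    ("gateway_sw", "data_storage", 0.4), ("db_server", "teleconsultation", 0.5),
    ("medical_staff", "teleconsultation", 0.6), ("gsm_link", "teleconsultation", 0.3),
    ("telemonitoring", "patient_records", 0.5), ("data_storage", "patient_records", 0.9),
    ("teleconsultation", "care_process", 0.7), ("telemonitoring", "care_process", 0.6),
]
LEAF_RISK: Dict[str, float] = {  # constructed analyst ratings
    "sensor_device": 0.3, "gateway_sw": 0.5, "gsm_link": 0.7,
    "db_server": 0.2, "medical_staff": 0.4,
}


def build_model() -> RiskFCM:
    return RiskFCM(EDGES)


if __name__ == "__main__":
    model = build_model()
    risks, sweeps = model.run(LEAF_RISK)
    print(f"stable after {sweeps} sweeps")
    for concept, value in risks.items():
        print(f"{concept:>16}: {value:.3f}")
    # Effect of securing the GSM link, e.g. lowering its risk rating to 0.2.
    for concept, change in model.what_if(LEAF_RISK, {"gsm_link": 0.2}).items():
        print(f"{concept:>16}: {change:+.3f}")
```

Running the block prints the aggregated risk of each service, data set and process, then the change in each after the GSM link's rating is lowered: only the concepts that depend (directly or transitively) on that link move, which is the kind of instantaneous feedback on countermeasure effectiveness the abstract refers to. Because this map is a hierarchy without cycles, it stabilises after as many sweeps as there are levels plus one; a map with feedback edges may need more sweeps or, with an unsuitable transfer function, may not settle at all, which is why `run` bounds the number of sweeps.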
© 2013 Springer-Verlag Berlin Heidelberg
Szwed, P., Skrzynski, P., Grodniewicz, P. (2013). Risk Assessment for SWOP Telemonitoring System Based on Fuzzy Cognitive Maps. In: Dziech, A., Czyżewski, A. (eds) Multimedia Communications, Services and Security. MCSS 2013. Communications in Computer and Information Science, vol 368. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-38559-9_21
DOI: https://doi.org/10.1007/978-3-642-38559-9_21
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-38558-2
Online ISBN: 978-3-642-38559-9