Author

Sheng-Yuan Wang

Bio: Sheng-Yuan Wang is an academic researcher from Peking University. The author has contributed to research in topics: Risk assessment & Factor analysis of information risk. The author has an h-index of 1, co-authored 1 publication receiving 58 citations.

Papers
Proceedings ArticleDOI
25 Jun 2010
TL;DR: A survey is proposed in which the common risk assessment methods are divided into four types: vulnerability identification and risk assessment, risk factors simulation and risk estimation, security situation assessment, and the risk calculation based on business process analysis.
Abstract: In order to explore the inherent rule of information security risk assessment development, based on information system or asset structure and operation status, a survey is proposed in which the common risk assessment methods are divided into four types: vulnerability identification and risk assessment, risk factors simulation and risk estimation, security situation assessment, and the risk calculation based on business process analysis. The method of delving into the highest-level structure of the information system, namely business process structure and change, is advocated, on which business operating performance indicators are regarded as the risk scale, so that real-time and dynamic information security risk calculation is obtained. Finally, based on an understanding of the information system structure and utilization, combined with feedback control theory, three levels of judgment are defined which position the status of information security risk assessment methods, and the information security risk assessment study is returned to the rule of non-linear systems.

59 citations


Cited by
Journal ArticleDOI
TL;DR: This paper gives a comprehensive introduction to research and development in this field, with a description of existing problems and some currently active research topics in the areas of cyberspace itself, cyberspace security, cryptography, network security, information system security and information content security.
Abstract: Along with the rapid development and wide application of information technology, human society is entering the information era. In this era, people live and work in cyberspace, which is a collection of all information systems, and the information environment for human survival. Therefore, ensuring cyberspace security is necessary. This paper provides a comprehensive introduction to the research and development, existing problems, and some popular research topics on the cyberspace concept, cyberspace security discipline, cryptography, network security, information system security, and information content security.

211 citations

Journal ArticleDOI
TL;DR: A new RA methodology is proposed based on AHP–TOPSIS integration extended with Pythagorean fuzzy sets, which is used to weigh risk parameters with expert judgment and prioritize previously identified risks.
Abstract: Risk analysis (RA) contains several methodologies that object to ensure the protection and safety of occupational stakeholders. Multi attribute decision-making (MADM) is one of the most important RA methodologies that is applied to several areas from manufacturing to information technology. With the widespread use of computer networks and the Internet, information security has become very important. Information security is vital as institutions are mostly dependent on information, technology, and systems. This requires a comprehensive and effective implementation of information security RA. Analytic hierarchy process (AHP) and technique for order preference by similarity to ideal solution (TOPSIS) are commonly used MADM methods and recently used for RA. In this study, a new RA methodology is proposed based on AHP–TOPSIS integration extended with Pythagorean fuzzy sets. AHP strengthened by interval-valued Pythagorean fuzzy numbers is used to weigh risk parameters with expert judgment. Then, TOPSIS with Pythagorean fuzzy numbers is used to prioritize previously identified risks. A comparison of the proposed approach with three approaches (classical RA method, Pythagorean fuzzy VIKOR and Pythagorean fuzzy MOORA) is also provided. To illustrate the feasibility and practicality of the proposed approach, a case study for information security RA in corrugated cardboard sector is executed.

96 citations

Journal ArticleDOI
TL;DR: The proposed A2G2V algorithm uses existing model-checking tools, an architecture description tool, and the authors' own code to generate an attack graph that enumerates the set of all possible sequences in which atomic-level vulnerabilities can be exploited to compromise system security.
Abstract: Securing cyber-physical systems (CPS) and Internet of Things (IoT) systems requires the identification of how interdependence among existing atomic vulnerabilities may be exploited by an adversary to stitch together an attack that can compromise the system. Therefore, accurate attack graphs play a significant role in systems security. Since a manual construction of the attack graphs is tedious and error-prone, this paper proposes a model-checking-based automated attack graph generator and visualizer (A2G2V). The proposed A2G2V algorithm uses existing model-checking tools, an architecture description tool, and our own code to generate an attack graph that enumerates the set of all possible sequences in which atomic-level vulnerabilities can be exploited to compromise system security. The architecture description tool captures a formal representation of the networked system, its atomic vulnerabilities, their pre- and post-conditions, and the security property of interest. A model-checker is employed to automatically identify an attack sequence in the form of a counterexample. Our own code integrated with the model-checker parses the counterexamples, encodes those for specification relaxation, and iterates until all attack sequences are revealed. Finally, a visualization tool has also been incorporated with A2G2V to generate a graphical representation of the generated attack graph. The results are illustrated through application to computer as well as control (SCADA) networks.

49 citations

Proceedings ArticleDOI
29 May 2012
TL;DR: A dynamical risk assessment method for IoT inspired by Artificial Immune System is proposed in this paper, made up of Detection Agent of Attack and Sub-system of Dynamical Risk Assessment.
Abstract: The Internet of Things (IoT) confronts a complicated and changeful attack environment. It is necessary to evaluate the security risk of IoT dynamically to judge the situation of IoT. To resolve the above problem, a dynamical risk assessment method for IoT inspired by Artificial Immune System is proposed in this paper. The proposed method is made up of Detection Agent of Attack and Sub-system of Dynamical Risk Assessment. Furthermore, it adopts the technology of detector distribution. The simulation of immune principles and mechanisms in the real IoT environment is deduced by set theory in math. The attack detector evolves dynamically in the IoT immune environment. Its change forms the dynamical security risk value of IoT.

36 citations

Proceedings ArticleDOI
01 Jul 2016
TL;DR: A dynamic Bayesian network model is created based on the risk assessment process of information security risk assessment to analyze an information system and calculate the probability of the risk.
Abstract: With the increasing complexity and diversity of information systems, more and more researchers gradually pay attention to the real-time dynamic risk assessment. In this paper, we introduce a method for information security risk assessment based on the dynamic Bayesian network. Firstly, we create a dynamic Bayesian network model based on the risk assessment process. Secondly, according to Bayesian theory and inference procedure, we analyze an information system and calculate the probability of the risk. Finally, in order to verify the validity and accuracy of the dynamic assessment model, we make an experiment to compare the dynamic Bayesian network model with the static Bayesian network model.

20 citations