Anis Ben Aissa
Tunis University
Publication
Featured research published by Anis Ben Aissa.
Innovations in Systems and Software Engineering | 2010
Anis Ben Aissa; Robert K. Abercrombie; Frederick T. Sheldon; Ali Mili
In earlier works we presented a computational infrastructure that allows an analyst to estimate the security of a system in terms of the loss that each stakeholder stands to sustain as a result of security breakdowns. In this paper we illustrate this infrastructure by means of an e-commerce application.
Procedia Computer Science | 2014
Mouna Jouini; Latifa Ben Arfa Rabai; Anis Ben Aissa
Information systems are frequently exposed to various types of threats which can cause different types of damages that might lead to significant financial losses. Information security damages can range from small losses to entire information system destruction. The effects of various threats vary considerably: some affect the confidentiality or integrity of data while others affect the availability of a system. Currently, organizations are struggling to understand what the threats to their information assets are and how to obtain the necessary means to combat them which continues to pose a challenge. To improve our understanding of security threats, we propose a security threat classification model which allows us to study the threats class impact instead of a threat impact as a threat varies over time. This paper addresses different criteria of information system security risks classification and gives a review of most threats classification models. We define a hybrid model for information system security threat classification in order to propose a classification architecture that supports all threat classification principles and helps organizations implement their information security strategies.
2012 International Conference on Cyber Security, Cyber Warfare and Digital Forensic (CyberSec) | 2012
Latifa Ben Arfa Rabai; Mouna Jouini; Marwa Nafati; Anis Ben Aissa; Ali Mili
Cloud computing is a prospering technology that most organizations consider as a cost-effective strategy to manage Information Technology (IT). It delivers computing services as a public utility rather than a personal one. However, despite the significant benefits, these technologies present many challenges including less control and a lack of security. In this paper, we illustrate the use of a cyber security metric to define an economic security model for a cloud computing system. We also propose a solution related to the vulnerabilities in cloud computing in order to reduce the probability that the components fail.
Proceedings of the Second Kuwait Conference on e-Services and e-Systems | 2011
Anis Ben Aissa; Robert K. Abercrombie; Frederick T. Sheldon; Ali Mili
In past work [1,3,4], we presented a value-based measure of cybersecurity that quantifies the security of a system in concrete terms, specifically, in terms of how much each system stakeholder stands to lose (in dollars per hour of operation) as a result of security threats and system vulnerabilities; our metric varies according to the stakes that each stakeholder has in meeting each security requirement. In this paper we discuss the specification and design of a system that collects, updates and maintains all the information that pertains to estimating our cybersecurity measure, and offers stakeholders quantitative means to make security-related decisions.
Cyber Security and Information Intelligence Research Workshop | 2009
Anis Ben Aissa; Robert K. Abercrombie; Frederick T. Sheldon; Ali Mili
In earlier works, we present a computational infrastructure that allows an analyst to estimate the security of a system in terms of the loss that each stakeholder stands to sustain as a result of security breakdowns. In this paper, we illustrate this infrastructure by means of an e-commerce application.
Cyber Security and Information Intelligence Research Workshop | 2010
Anis Ben Aissa; Robert K. Abercrombie; Frederick T. Sheldon; Ali Mili
In an earlier series of works, Boehm et al. discuss the nature of information system dependability and highlight the variability of system dependability according to stakeholders. In a recent paper, the dependency patterns of this model are analyzed. In our recent works, we presented a stakeholder-dependent quantitative security model, where we quantify security for a given stakeholder by the mean of the loss incurred by the stakeholder as a result of security threats. We show how this mean can be derived from the security threat configuration (represented as a vector of probabilities that reflect the likelihood of occurrence of the various security threats). We refer to our security metric as MFC, for Mean Failure Cost. In this paper, we analyze Boehm's model from the standpoint of the proposed metric, and show whether, to what extent, and how our metric addresses the issues raised by Boehm's Stakeholder/Value definition of system dependability.
International Conference on Education and e-Learning Innovations | 2012
Latifa Ben Arfa Rabai; Neila Rjaibi; Anis Ben Aissa
As the reach of the internet expands to cover ever broader aspects of our economic and social welfare, cyber security is emerging as a major concern for researchers and practitioners, dealing as it does with privacy, confidentiality, user authentication, etc. E-learning systems epitomize computing systems and networks of the internet generation, since they involve multiple stakeholders, geographically distributed resources and data, and special requirements for confidentiality, authentication, and privacy. In this paper, we discuss the application of a cyber security metric to E-learning systems, in light of their standard architecture, their well-defined classes of stakeholders, and their specific security requirements.
International Journal of Secure Software Engineering | 2013
Neila Rjaibi; Latifa Ben Arfa Rabai; Anis Ben Aissa; Ali Mili
Addressing Cybersecurity within e-Learning systems becomes empowered to make online information more secure. Certain competences need to be identified as necessary skills to manage security online such as the ability to assess sources and architectural components, understanding the privacy, confidentiality and user authentication. Security management approaches quantifying security threats in e-learning are common with other e-services. It is of our need to adopt a quantitative security risk management process in order to determine the worthiest attack and the ignored one, based on financial business risk measure which is the measure of the mean failure cost. This paper proposes a cyber security measure called the Mean Failure Cost (MFC) suitable for e-Learning systems. It is based on the identification of systems architecture, the well-defined classes of stakeholders, the list of possible threats and vulnerabilities and the specific security requirements related to e-Learning systems and applications. In the meantime, security requirements are considered as appropriate mechanisms for preventing, detecting and recovering security attacks; for this reason an extension of the MFC measure is presented in order to detect the most critical security requirements. Also, this paper highlights the security measures and guidelines for controlling e-Learning security policies regarding the most critical security requirements.
2014 IEEE Symposium on Computational Intelligence in Cyber Security (CICS) | 2014
Anis Ben Aissa; Robert K. Abercrombie; Frederick T. Sheldon; Ali Mili
The Supervisory Control and Data Acquisition (SCADA) system discussed in this work manages a distributed control network for the Tunisian Electric & Gas Utility. The network is dispersed over a large geographic area that monitors and controls the flow of electricity/gas from both remote and centralized locations. The availability of the SCADA system in this context is critical to ensuring the uninterrupted delivery of energy, including safety, security, continuity of operations and revenue. Such SCADA systems are the backbone of national critical cyber-physical infrastructures. Herein, we propose adapting the Mean Failure Cost (MFC) metric for quantifying the cost of unavailability. This new metric combines the classic availability formulation with MFC. The resulting metric, so-called Econometric Availability (EA), offers a computational basis to evaluate a system in terms of the gain/loss (
Proceedings of the 9th Annual Cyber and Information Security Research Conference on | 2014
Anis Ben Aissa; Latifa Ben Arfa Rabai; Robert K. Abercrombie; Ali Mili; Frederick T. Sheldon
/hour of operation) that affects each stakeholder due to unavailability.