Towards an integrated risk analysis security framework according to a systematic analysis of existing proposals  


Authors: Antonio SANTOS-OLMO, Luis Enrique SÁNCHEZ, David G. ROSADO, Manuel A. SERRANO, Carlos BLANCO, Haralambos MOURATIDIS, Eduardo FERNÁNDEZ-MEDINA

Affiliations: [1] GSyA Research Group, University of Castilla-La Mancha, Ciudad Real 13071, Spain; [2] Institute for Analytics and Data Science, University of Essex, Colchester CO4 3SQ, UK; [3] Alarcos Research Group, University of Castilla-La Mancha, Ciudad Real 13071, Spain; [4] ISTR Research group, Department of Computer Science and Electronics, University of Cantabria, Santander 39005, Spain

Source: Frontiers of Computer Science (中国计算机科学前沿, English edition), 2024, Issue 3, pp. 199-216 (18 pages)

Funding: the AETHERUCLM (PID2020-112540RB-C42) funded by MCIN/AEI/10.13039/501100011033, Spain; ALBA-UCLM (TED2021-130355B-C31, id. 4809130355-130355-28-521); ALBA-UC (TED2021-130355B-C33, id. 3611130630-130630-28-521) funded by the "Ministerio de Ciencia e Innovacion", Spain; supported by the European Union's Horizon 2020 Project "CyberSANE" under Grant Agreement No. 833683.

Abstract: The information society depends increasingly on risk assessment and management systems as means to adequately protect its key information assets. The availability of these systems is now vital for the protection and evolution of companies. However, several factors have led to an increasing need for more accurate risk analysis approaches. These are: the speed at which technologies evolve, their global impact and the growing requirement for companies to collaborate. Risk analysis processes must consequently adapt to these new circumstances and new technological paradigms. The objective of this paper is, therefore, to present the results of an exhaustive analysis of the techniques and methods offered by the scientific community with the aim of identifying their main weaknesses and providing a new risk assessment and management process. This analysis was carried out using the systematic review protocol and found that these proposals do not fully meet these new needs. The paper also presents a summary of MARISMA, the risk analysis and management framework designed by our research group. The basis of our framework is the main existing risk standards and proposals, and it seeks to address the weaknesses found in these proposals. MARISMA is in a process of continuous improvement, as it is being applied by customers in several European and American countries. It consists of a risk data management module, a methodology for its systematic application and a tool that automates the process.

Keywords: information security management security system security risk assessment and management

Classification number: TM743 [Electrical Engineering: Power Systems and Automation]

 
