Abstract
Port Information Technology Systems are of critical importance for the uninterrupted and effective operation of commercial ports. However, as this paper shows, current safety and security approaches have several weaknesses and are not thoroughly harmonized with today's demanding global collaborative environment. An analysis of the major current risk assessment methodologies shows that they aim to identify risks through resources (time, manpower, cost), which are time- and resource-consuming procedures, and that their results depend not only on the specific characteristics of the entity analyzed but also on whether the methodology takes a quantitative or a qualitative approach. This paper concludes that current risk assessment methodologies demand significant parameterization and suggests the development of a new, less complex approach that sufficiently covers the identified weaknesses.
Copyright information
© 2014 Springer International Publishing Switzerland
About this paper
Cite this paper
Makrodimitris, G., Polemi, N., Douligeris, C. (2014). Security Risk Assessment Challenges in Port Information Technology Systems. In: Sideridis, A., Kardasiadou, Z., Yialouris, C., Zorkadis, V. (eds) E-Democracy, Security, Privacy and Trust in a Digital World. e-Democracy 2013. Communications in Computer and Information Science, vol 441. Springer, Cham. https://doi.org/10.1007/978-3-319-11710-2_3
DOI: https://doi.org/10.1007/978-3-319-11710-2_3
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-11709-6
Online ISBN: 978-3-319-11710-2
eBook Packages: Computer Science (R0)