TL;DR: A framework for risk management terminology is suggested and the application of the framework will be demonstrated through a high level discussion of the CRAMM, LAVA and MELISA risk analysis methods.
TL;DR: A risk analysis is performed on a typical small enterprise and a home‐office set‐up to identify the risks associated with availability, confidentiality, and integrity requirements.
Abstract: The pervasive use of information technology in enterprises of every size and the emergence of widely deployed ubiquitous networking technologies have brought with them a widening need for security. Information system security policy development must begin with a thorough analysis of sensitivity and criticality. Risk analysis methodologies, like CRAMM, provide the ability to analyse and manage the associated risks. By performing a risk analysis on a typical small enterprise and a home‐office set‐up the article identifies the risks associated with availability, confidentiality, and integrity requirements. Although both environments share weaknesses and security requirements with larger enterprises, the risk management approaches required are different in nature and scale. Their implementation requires co‐operation between end users, network service providers, and software vendors.
TL;DR: CRAMm is a memory management system that can record very comprehensive and informative memories without slowing down the operation of the robot and offers a query interface that allows the robot to retrieve the kinds of information stated above.
Abstract: Agents that learn from experience can profit immensely from memorizing what they have done, why, how, and what happened. For autonomous robots performing complex manipulation tasks, these memories include low level data, such as perceptual snapshots of relevant scenes that influenced decision making, detailed complex motions the robot performed, and effects of these motions. They also include high level representations of the intended actions and the belief-dependent decisions that led to the chosen course of action. In this paper, we propose CRAMm, a memory management system that can record very comprehensive and informative memories without slowing down the operation of the robot. CRAMm offers a query interface that allows the robot to retrieve the kinds of information stated above. This is done using a first-order logical language that provides predicates concerning the beliefs and intentions of the robot, its physical state, perceptual information, and action effects and their relations at various different levels of abstraction.
TL;DR: This paper describes a method for risk analysis based on the approach used in CRAMM, but instead of using discrete measures for threats and vulnerabilities and look-up tables to derive levels of risk, it uses subjective beliefs about threats and vulnerability as input parameters, and uses the belief calculus of subjective logic to combine them.
Abstract: This paper describes a method for risk analysis based on the approach used in CRAMM, but instead of using discrete measures for threats and vulnerabilities and look-up tables to derive levels of risk, it uses subjective beliefs about threats and vulnerabilities as input parameters, and uses the belief calculus of subjective logic to combine them. Belief calculus has the advantage that uncertainty about threat and vulnerability estimates can be taken into consideration, thereby reflecting more realistically the nature of such estimates. As a result, the computed risk assessments will better reflect the real uncertainties associated with those risks.
TL;DR: The purpose of the paper is to propose a mathematical formulation of risk by using a lower level of granularity of its elements: threat, probability, criteria used to determine an asset’s value, exposure, frequency and existing protection measure.
Abstract: Risk management methodologies, such as Mehari, Ebios, CRAMM and SP 800-30 (NIST) use a common step based on threat, vulnerability and probability, which are typically evaluated intuitively using verbal hazard scales such as low, medium, high. Because of their subjectivity, these categories are extremely difficult to assign to threats, vulnerabilities and probability, or indeed, to interpret with any degree of confidence. The purpose of the paper is to propose a mathematical formulation of risk by using a lower level of granularity of its elements: threat, probability, criteria used to determine an asset’s value, exposure, frequency and existing protection measure. General Terms: Security risk assessment, risk management system, framework, audit, information system.