A Review of Risk Identification Approaches in the Telecommunication Domain

Ahmed Seid Yesuf

2017

Abstract

Risks in the telecommunication (telco) domain are hard to identify because several independent stakeholders are involved and emerging threats to the services are difficult to predict. This is costing telecom operators billions of dollars. We believe that the little emphasis given to an important step of the risk assessment process, risk identification (RI), is the main reason for this loss. Unlike in other domains, the proprietary nature of telecom systems makes it difficult to study the risk assessment approaches actually used. In this paper, we investigate the classifications of RI approaches in the literature on the telco and related domains. We also investigate the research trends of the last 16 years, a period in which telecom risks have kept evolving and operators' revenue loss has been substantial. Based on our review, we also point out future research directions in the domain.



Paper Citation


in Harvard Style

Seid Yesuf A. (2017). A Review of Risk Identification Approaches in the Telecommunication Domain. In Proceedings of the 3rd International Conference on Information Systems Security and Privacy - Volume 1: ICISSP, ISBN 978-989-758-209-7, pages 389-396. DOI: 10.5220/0006197603890396


in Bibtex Style

@conference{icissp17,
author={Ahmed Seid Yesuf},
title={A Review of Risk Identification Approaches in the Telecommunication Domain},
booktitle={Proceedings of the 3rd International Conference on Information Systems Security and Privacy - Volume 1: ICISSP},
year={2017},
pages={389-396},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0006197603890396},
isbn={978-989-758-209-7},
}


in EndNote Style

TY - CONF
JO - Proceedings of the 3rd International Conference on Information Systems Security and Privacy - Volume 1: ICISSP
TI - A Review of Risk Identification Approaches in the Telecommunication Domain
SN - 978-989-758-209-7
AU - Seid Yesuf A.
PY - 2017
SP - 389
EP - 396
DO - 10.5220/0006197603890396