Simple and Multi Risk Assessment Framework for Information Security using Process Flow Diagram

(1)

Website: http://ojs.iainbatusangkar.ac.id/ojs/index.php/sainstek

E-mail: [email protected] ISSN: 2580-278X (e) pp : 20-35

Sainstek: Jurnal Sains dan Teknologi

Vol 15 No 1, June 2023 ISSN: 2085-8019 (p), ISSN: 2580-278x (e)

20

Simple and Multi Risk Assessment Framework for Information Security using Process Flow Diagram

Edri Yunizal

¹

*, Judhi Santoso

²

, Kridanto Surendro

²

1Manajemen Informatika, Institut Agama Islam Negeri Batusangkar, Indonesia

2Sekolah Teknik Elektro dan Informatika, Institut Teknologi Bandung, Indonesia Jalan Sudirman No. 137 Batusangkar, West Sumatra, Indonesia

*email: [email protected]

Article History Received: 10 May 2023 Reviewed: 14 June 2023 Accepted: 19 June 2023 Published: 30 June 2023 Key Words

Information Security; Risk Assessment; Asset

Dependency; Simplify, Multi-risk model; COVID- 19; PPE Information System

Abstract

Organizations need a simple risk assessment framework to understand them. In contrast, risk analysis requires some mathematical tools to be able to estimate risk based on understanding and availability. In practice, the assets, for which the risk will be calculated, are dependent on one another, resulting in inevitable complexity. We propose a framework that addresses these three situations with a process flow diagram. Simplicity is obtained from a conceptual model based on data flow diagrams which are widely used in information system design. This conceptual model can be translated into several risk models at once:

graph, Boolean algebra, Boole’s algebra, and set theory. The complexity of asset dependencies is overcome when translating the conceptual model to the risk model. Solutions were shown in case studies of information systems for COVID-19 personal protective equipment in Indonesia, which require the construction of a simple information system, support multiple risk models, and take into account asset dependencies. The multi-risk model enables implementation proofing by testing the risk models used in each other.

INTRODUCTION

Pandemic data is very sensitive because the data is material that circulates fast in the form of printed, electronic and social media.

Information leakage or confusing information in a pandemic situation can cause chaos. One data information system is needed so that problems can be resolved quickly and validly (Bayhaqi, 2020). Currently in Indonesia, COVID-19 handling data was still being processed with 80 separate websites (GTPP COVID-19, 2020). The information system created must consider the

security of the information used (Kim &

Solomon, 2018; Landoll & Landoll, 2005).

Unfortunately, information security still has problems with the complexity of asset dependencies (Haimes, 2018; Shameli-Sendi et al., 2016). Asset dependencies indicate assets that are dependent on other assets. This must be considered in calculating asset risk because it is the foundation of many security operations (R.

Wang et al., 2022). Complexity arises because the solutions offered are difficult to map the value of assets against organizational goals.

There are offers based only on the physical

(2)

21 connectedness of assets (Breier, 2014; Breier &

Schindler, 2014), or dependencies with a long list of threat-scenarios (Rahmad, 2010; Rahmad et al., 2010, 2012). Complexity also arises from the complexity of the proposed organizational meta-model/layer (Alpcan & Bambos, 2009;

Fernandez & Garcia, 2016; Loloei et al., 2012;

Schmidt & Albayrak, 2010), or the valuation is only based on a long list of tables containing the CIA of each asset (Tatar & Karabacak, 2012).

Another cause of complexity is the placement of each security goal on one node (Muller, 2018; Muller et al., 2016, 2017). Thus, the number of nodes in the conceptual model is as many as assets multiplied by the security goal.

Complexity also comes from solutions that have too many diagrams (Lund et al., 2010), or two different handling/diagrams for cyclic situations on dependencies (Muller et al., 2017; Yunizal et al., 2020).

The complexity of the solutions offered hinders organizational understanding of the importance of security problems they face.

Limited funds and staff force them to focus on issues they consider more important (Landoll &

Landoll, 2005). The risk section provides a very thick risk report. However, the report cannot provide the information needed by decision makers (Lam, 2014). Complexity makes risk assessment cannot be done quickly. As a result, the main challenges facing managing an asset is information asymmetry and information overload (Goforth et al., 2022). And is required

to automate identification of system assets and connections between them (Kotenko et al., 2022).

Complexity must be overcome by simplification. Effective communication between the organization and risk analysis will be possible with the same conceptual model understood by both. It can be done through simple language understood by both to obtain Target of Assessment (ToA) model. This is possible with a dataflow diagram (Yourdon, 2006) that has been known by managers and analysts for a long time. The use of the same language understood by both will facilitate the communication on the problem to be overcome.

For the need to model the risks, it would be best if there is a flexible conceptual model which can be translated into various mathematical descriptions. Mathematical descriptions can be in the form of algebra, basic mathematics, and applied mathematics. When it is based on the same core, mathematics is on one concept, so that it can be converted into one another.

These two ideas underlie the development of the Simple and Multi Risk Assessment Framework (SARAF). A risk assessment framework that allows the use of languages that are familiar to the ToA, and can be translated into various mathematical descriptions that are already known or already have tools. It produces a simple framework that can be fully exploited rapidly.

Security goal

Processflow description

System description

(1)

PFD

(2) (3)

(A) (B) (C)

Evidence Graphs

Boole’s Boolean Set theory

(4) (6)

(5)

C I

. . . A

x (8) (7)

Figure 1. Simple and Multi Risk Assessment Framework (SARAF)

(3)

22 SIMPLEANDMULTIRISKASSESSMENT

FRAMEWORK COMPONENTS

The proposed framework consisted of seven components and three methods. The required components were the process flow description, system description, security goals, Process Flow Diagram (PFD), risk models, and

evidence, while the method consisted of ToA model development, risk model development, and risk calculation. See boxes (A), (B), and (C) in Figure 1. (A) - (C) show the method, (A) for the target of assessment, (B) for risk model development, and (C) for risk calculation. (1) – (7) show the component, (1) for process flow description, (2) for system description, (3) for security goal, (4) for applied mathematics, (5) for basic mathematics, (6) for set theory, (7) for mathematical description, and (8) for risk model.

Input

Input components are data that must be provided to conduct an assessment.

Table 1. PFD Components Component Name Description

a ^Terminal Actors or external entities that communicate with the system. Terminals are generally in the form of individuals, groups of people, external computer systems, and external organizations.

q ^Process Functions that are owned by the system. The process will transform the input into an output.

Flow The relationship between processes and actors. Actors and Processes that require input and produce output are manifested by flow.

Process Flow Description

Process flow description is based on workflow description (Chen et al., 2013).

Workflow description describes how the system provides value. The value is obtained from the identification of tasks performed to achieve goals. Achievement of the objectives will identify the actors doing the task and the data that is exchanged. This input can be in the form of: Unified Modeling Language (UML), Business Process Modeling Notation (BPMN), and Data Flow Diagrams (DFD).

System description

System description is the details of the system being evaluated. Forms of system description input include network topology, device specifications, or software profiles (Chen et al., 2013).

Security goal

A security goal is a measurement of the risk an organization will experience if it suffers damage to elements that affect the value dimension used (Amutio et al., 2014). We used a security goal definition based on a system perspective, with value dimensions of confidentiality (C), integrity (I), and availability (A). This framework supports other dimensions such as authenticity and accountability (Amutio et al., 2014).

Evidence

Evidence is intended to evaluate the system following the security goals. Evidence must be in quantitative form, because it consists of different values. Source value can involve processes, assets, and actors all at once.

Examples of evidence are hardware usage statistics, virus statistics, data leakage cases and others.

Process

(4)

23 Process components will process inputs

into outputs.

Process flow diagram (PFD)

PFD is a proposed conceptual model which provides an overview of system design.

PFD will present the process flow description,

system description, and security goals in one chart. This chart is intended as a ToA model.

PFD which is combined with security goals, will be a tool for forming risk models.

PFD is a simplification of DFD. This diagram only used three DFD components:

terminal, process, and flow ( Table 1). Simplification of DFD is also

done by ignoring the dataset and context diagrams. The abandonment of the dataset is because the component is more intended for technical purposes, which tends to confuse management. Context diagrams are not used because they will involve many assets in one diagram, thus making the model complex.

PFD inherits DFD top-down partitionable model capabilities (Yourdon, 2006). This capability allows PFD to be organized into several levels. Each level explains the level above it.

PFD is the core of the framework, it is an input, a process as well as an output. PFD as output can be seen in the flow out of the box (1) in Figure 1, the process flow description produces PFD. PFD as an input can be seen in the PFD flow to chart (B) to produce a goal model. As a process, PFD can produce process models, system models, and risk models alternately. Because it functions more as a process, PFD is placed on the process component.

Mathematical description

Mathematical description is a tool used to translate PFD into risk models. The scope of mathematical description supported by PFD is Graph for applied mathematics, Boole's &

Boolean algebra for algebra, and set theory for basic mathematics. See Figure 1, applied mathematics is in box (4), algebra in box (5), and basic mathematics in box (6).

Output

The output component is the result of the framework.

Risk model

The risk model here is a simple mathematical description based on knowledge and experience combined with data from the past. A risk model is a combination of PFD and

security goals using a mathematical description.

After the security goal is indicated, and a mathematical description is chosen, the ToA is ready to make a risk model for calculating risk.

Risk calculation

Risk calculation is the result obtained after the evidence is inputted into the risk model.

Based on the calculations, the system risk value is obtained for follow-up.

METHOD

The risk assessment process generally requires two models: the conceptual model as input, and risk model as output. Conceptual models are a combination of concepts and relationships sed, so that the subject represented can be understood simply (Ionita, 2018).

SARAF was divided into three stages, ToA (conceptual model), risk model, and risk calculation. Each stage was an input for the next stage and is an output for the previous stage, see sections (A), (B), and (C) in Figure 1.

Target of Assessment Process identification

The initial stage was to develop PFD as a conceptual model of the process. The PFD development was based on the input process flow description, see box (1) in Figure 1. As a conceptual model of the process, PFD provided clear boundaries. Clear boundaries are the first stage in general risk analysis. Boundary that are too broad or too narrow will be very dangerous in risk assessment (Landoll & Landoll, 2005).

Boundary can be obtained through the selection of activities that will be supported. The organization has main or supporting activities (Porter & Millar, 1985). Each activity had its own process flow. The selection of activities will choose the flow of the process and produce clear boundary. Clear boundary allow analysis to be

(5)

24 done in large or small manner, but not

excessively. As a guide, organizations can use value chains (Porter & Millar, 1985) to help choose activities to develop.

Asset identification

Based on the boundary obtained in the identification process, the PFD was then detailed using the system description input (see box (2) in Figure 1). The system description shows the assets that support each process. Each asset was paired at the PFD terminal. Assets that initiate or get results from processes. Based on this stage, it can be seen how PFD maps the interdependencies between assets involved in the system.

It is at this stage that the top-down partitioned model feature from PFD is optimized for use. A process is seeing globally, then clarified by sub processes below.

Risk model development

PFD was intended to describe the system.

To calculate risk, PFD must be a mathematical

description that has the capability to calculate risk, a risk model. The purpose of the risk model was the creation of a model for the measurement of the CIA of each component involved. The formation of a risk model can be seen in chart (B) in Figure 1.

In rapid conditions, the learning process of mathematical descriptions that are new or unknown to the organization or analyst will slow down the assessment process. It is possible for PFD to be translated into mathematical descriptions that are best known or most wanted to be exploited by the user. This paper also shows, the translation of PFD into mathematical descriptions possible for validation of the risk model that has been made.

Development of risk models can be done in two stages. The first one is identifying the effect of security goals on PFD as ToA, and the followed by the translation of the PFD to the risk model in the selected mathematical description.

a c

C I A

a c

A

C I A

(a) (b)

r r

Figure 2. Security goal identification

Security goal identification

Security goals are one of the causes of the complexity of risk analysis. Security goals result in each terminal and process involved must have multi-value capabilities. Each PFD terminal will affect C, I, and A, and so on. Overcoming this PFD must be sorted out by each security purpose. As a result, each security goal had its own PFD. PFD-C for C, PFD-I for I, and PFD-A for A, see Figure 2 parts (a), note:

C=confidentiality, I=integrity, A=availability, a=terminal a, r=process r, and c=terminal c.

However, there will be situations where asset a will only affect objective A, not impacting objectives C and I (we have shown in

the case study). Because asset a affects A, PFD- A can still be used to determine A. The question now is how to determine PFD-C and PFD-I that do not involve a?

This question can be answered by Markov blanket. Markov blanket of variable a is a set consisting of parent a, children a, and the variable sharing its child with a (Nielsen &

Jensen, 2009). Terminal a and each process that is a Markov blanket must be removed from PFD- C and PFD-I. See Figure 2 part (a) is PFD-A, part (b) is PFD-C and PFD-I.

From conceptual ToA to risk model

After PFD was combined with security goals and produced PFD for each security goal.

(6)

25 PFD allowed ToA to be modeled on various

mathematical descriptions using Graphs, Boole's algebra, Boolean algebra, or set theory.

Each algebra, basic and applied mathematics has its own advantages. Graph has support for graphical displays which will help facilitate understanding of the model. Graph also supports cyclic (Muller et al., 2017; Yunizal et al., 2020) which can be used for visualization.

Boole's and Boolean algebra will be able to translate the risk logically. The set theory will translate risk into probability.

The ability of PFD to be translated into various mathematical descriptions will provide flexibility advantages. In the case study, we

show that the capabilities of each model can be exploited, graphs for graphical presentations, supported by set theories to see probabilities.

Suppose there are other cases where there are no graph support tools. Users can utilize the simplicity of Boole's algebra to simplify mathematical descriptions. After obtaining the simplest mathematical description, a set theory was applied to obtain results that are easier to understand probability. PFD is very flexible.

Risk calculation

After the risk model of each asset security goal was obtained. Users could apply the evidence obtained to calculate risks.

PPE Warehouse BNPB Central

BNPB Regional

Hospital Drugstore

Reading result Reading result

Reading result Reading request

Reading request

Reading request Reading

request shipping

shipping shipping

shipping shipping Reading result

Figure 3. PPE supply chain system in a simplified form. Case study is the Regional BNPB Server (in the box).

COVID-19ISCASESTUDY

Personal protective equipment (PPE) is one of the hot topics during the COVID-19 pandemics. One of the leading problems is the availability of PPE (Cook, 2020) caused by various crime (Grahanusa Mediatama, 2020;

Infopublik, 2020; Merdeka, 2020; Naidoo, 2020;

Republika, 2020) and supply chain (Bauchner et al., 2020). Academics act quickly, ideas related to the PPE supply chain are gathered, and 291 ideas were collected the span of March 20 to April 30 (Bauchner et al., 2020).

COVID-19ISOVERVIEW

Smart grid is a modern electrical system that has global measurement characteristics and control capabilities. One example is Advanced Metering Infrastructure (AMI). The system consists of several smart meters that provide home consumption data, and the ability to

provide prices dynamically (Chen et al., 2013;

Kohonen et al., 2011). For example, a proposed system applies the basic smart grid idea to the PPE COVID-19 supply in Indonesia. The National Disaster Management Agency (BNPB Central), as one of the people responsible for handling COVID-19 in Indonesia, will have connections with hospitals, pharmacies, PPE warehouses, and transportation services.

In the proposed IS, BNPB Central conducted an on-demand reading of the number of patients and the availability of PPE in hospitals and pharmacies throughout Indonesia.

Based on these data, the patient's development was identified, and the data used to forecast the growth of PPE needs. Furthermore, BNPB Central calculated the closest/cheapest/best supply to locations that needed it. Stock sources such as shops and warehouses were ignored, because they should be controlled by BNPB as the system owner. The supply calculation resulted in a price fixing that would be passed on

(7)

26 to the transportation service. Transportation

services picked up PPE from the provider location and delivered it to the recipient location.

The delivery process was optimized by complementing each other. Transportation services carried shortages of PPE for location A.

After arriving at A, certain excess PPE at A moved to other locations that needed it.

The proposed IS should raise the following questions:

1) How the PPE stock data would be sent and received nationally?

a) How national stock data would be standardized?

b) How is the process of reading the stock data of each region?

c) How the instructions would be sent to each supporting component such as:

hospital, pharmacy and drug factory to send PPE?

2) How the risk of sending and receiving data between supporting components would be measured?

a) How the risk of data only accessed by authorized people only would be calculated?

b) How the risk of data integrity would be calculated?

c) How calculating risk of data can be available without any obstacle?

a r c s b

a p

b q

p

c t b

c u d v b

a) PFD level 1

b) PFD level 1 sub p

c) PFD level 2 sub s(0)

d) PFD level 2 sub s(1)

Figure 4. PFD. Note: a = BNPB regional, p = communication between BNPB regional and drugstore, b = drugstore, q = drugstore reading their data, r = communication between BNPB

regional and hospital, c = hospital, s = communication between hospital and drugstore, t = communication between hospital and automated drugstore, u = communication about data manual

drugstore between hospital and automated drugstore, v = communication between automated drugstore and manual drugstore.

ASSESSMENT PROCESS

Process flow identification

Based on the previous description, the case examples were limited to the main activity:

BNPB Regional Server Regional BNPB server (call a) initiated on-demand reading on each

Drugstore (call b). The assessment process would ignore point 1.a, because it was more intended for system development. On-demand reading should be in the form requests for stock and patient data. On-demand reading started with sending reading requests (call p) from a to b. After p was received by b, b then read it (call

(8)

27 q) and produced a reading result that was sent

back with p from b to a. Reading results was adjusted to the reading request, whether stock data, patient data, or both. The main activities are described in the PFD as in point a) in Figure 4.

Asset identification

After a general description of the system was obtained, the proposal then was developed into a preliminary draft network topology. It was assumed that this was done simply, due to time constraints and the urgency of the system to be designed immediately, a topology such as Figure 3. This simple topology was enough to develop PFD to the next stage.

After getting the topology, it turned out that the process a is not straight to b, but through hospitals in each (call c) area. The hospital may have a capable server, so it can be used as a data storage, the hospital also has a pharmacy that is usually quite large. Reading requests p from a→b by PFD will be replaced by a→r→c→s→b (see point b) PFD level 1 sub p at Figure 4). Point b) PFD level 1 sub p would replace the process p at point a). Because seeing from a system perspective, b→s→c→r→a is considered the same as a→r→c→s→b.

After making the topology, it was found out that not all drugstores have adequate communication devices. There were still drugstores that manage stock manually, without

involving the network, so requests from a→r→c cannot be forwarded to c→s→b.

The option to send data via the web manually by each drugstore was not given because it should increase the chances of fraud.

Delivery via the web of each drugstore would provide opportunities for individuals who use web entries for their own interests (example:

stockpiling).

Temporary solution offered, the inadequate drugstore must be connected to one of the closest drugstore (call d) with a more adequate device. Therefore, point b) in Figure 4 would get two choices. The first choice was point c) which modelled the direct connection between c to b through the process t. The second option was the connection of c to b through c to d with the process u which continued from d to b with the process v.

Solution b) in Figure 4 which can be replaced by c) or d) would answer questions 1.b and 1.c. The PFD would be added to the third level where process s at point b) would be replaced by point c) or point d). PFD has completed the answer the first question.

Risk model development

The PFD must be equipped with the answer to second question, to calculate the risk.

Simplified, second question is about security goals. The achievement goal is the CIA measurement of each component involved using a risk model.

c u d

Figure 5. The PFD models in C and I did not involve b, b has a Markov blanket v, both are removed from the model. Note c represent hospital, u represent communication between hospital

and automatic drugstore.

Security goal identification

Identification of security goals was seen to ensure the objectives that would be influenced by each terminal and the process of the PFD. In the case example, it was realized that data C and I were not available for b (complementary pharmacies) on d→v→b. Terminal b as inadequate drugstore, delivering the data to the nearest drugstore. Terminal b should not affect the confidentiality and integrity of the proposed system.

This identification resulted in the differentiation of PFD for A from PFD for C and I. The initial PFD as Figure 4 only applied to security goal A. This required changing the PFD for C and I. C and I will only be owned by the pharmacy d where the pharmacy b submits the data. Figure 5 is a diagram modification d) on Figure 4 as a result of multi value. Terminal b and process v are omitted from PFD, because terminal b did not support C and I, and process v was a Markov blanket from terminal b.

(9)

28

(1)

(2)

a b

p p

q

a r c s b

c t b

c u d v b

(3) (4) (A)

a b

p p

b q

(a) (b)

(B) (C)

a p b

b q

(a) (b)

(D)

(2) a r c s b

c t b

c u d v b

(3) (4)

(1) a p b q

(E)

a r c t b

d

u v b

a r c s b

(F)

a p b q

q

Figure 6. PFD to acyclic graph. Note: (A)-(F) is the sequence of the process of translating PFD to acyclic graph. (A) = PFD to list of graph, (B) = identification list of cyclic sub graph, (C) = reconstruct list of cyclic sub graph into list of acyclic sub graph, (D) = combine list of acyclic sub

graph into list of acyclic graph, (E) = combine list of acyclic graph into acyclic graph, and (F) = acyclic graph, the result.

PFD to Graph: availability

After the security goal was identified and the risk model has been chosen, PFD translations were carried out into risk models for each security goal.

The steps for translating PFD into a risk graph model for security goal A can be seen in boxes (A) to (F) in Figure 6. Each box shows a different graph. Each PFD diagram must be converted to a list of graph. Then, the list of graph was made into an acyclic graph and combined again into one acyclic graph, graph (F) on Figure 6.

Initially, PFD a) through d) on Figure 4 used as a list of graph. Processes and terminals were made into graph nodes, while flows were directed edges. This stage would produce a list of graphs (1) to (4). See box (A) in Figure 6.

List of graph (A) in Figure 6 had cyclic possibilities. Cyclic is a separate obstacle to complexity in graphs (Muller et al., 2017).

Therefore, each cyclic sub graph in each graph in the list of graph (A) would be made acyclic using (Yunizal et al., 2020). In Yunizal et al.

(2020), each cycle in the initial graph was identified by Tarjan (1973). The identified cycle was then extracted and replaced by a compound node. Incoming and outcoming edges in the cycle were moved to the compound node.

Furthermore, the extracted cyclic would be converted to an acyclic form using the Wang (2008) algorithm.

Here, we did not use compound nodes.

Each list of cyclic sub graphs in the list of graph (A) was identified by Tarjan (1973) as Yunizal (2020). This process would identify sub graph (1) in graph (A) as cyclic. The identified cyclic was extracted from the list of cyclic sub graphs, see graph (B) in Figure 6. Graphs (A) (2) through (A) (4) have been identified as acyclic, so there was no need for further processing.

Once identified, the cyclic sub graph was converted to acyclic using (L. Wang et al., 2008).

In Figure 6 shows how the cyclic sub graph (B) (a) was converted to an acyclic sub graph (C) (a), and (B) (b) became (C) (b).

Acyclic sub graph (C) (a) and (C) (b) in Figure 6 was derived from one cyclic graph (A)

(10)

29 (1). These two acyclic sub graphs must be

returned to one acyclic graph. Based on (Yunizal et al., 2020), because (C) (a) = a→p→b, b was a compound node with (C) (b) = b→q, extraction (C) (b) to (C) (a) would produce a combination of both in kind D(1) a→p→b→q.

The results of this stage were all the list of graphs in (A) which initially had cyclic sub graphs becoming list of acyclic graphs (D).

Each list of acyclic graphs in (D) Figure 6 then combined into one acyclic graph using the compound node algorithm (Yunizal et al., 2020).

The initial graph (D) (1) had a→p→b→q.

Terminal p as the compound node that was filled with a→r→c→s→b. Extraction (D) (2) in (D) (1) by replacing p in (D) (1) with (D) (2) to produce a→r→c→s→b→q. Similarly, p, s in (D) (2) were compound nodes of (D) (3) and (D) (4).

Extraction (D) (3) and D (4) in the previous extraction (D) (2) to (D) (1), would produce an acyclic graph (F).

PFD to Graph: confidentiality & integrity Since there were differences for C and I, a separate translation is needed. Based on the explanation of risk model development, the PFD to Graph stages for C and I will produce Figure 7.

Risk calculation

Supposed that it was different from the situation during the risk modeling. Due to a very urgent need, the graph risk model has not yet been built, so the calculation was done manually using Excel. For this reason, the set theory risk model was used.

The next stage was translating the PFD risk model into the set theory risk model.

a r c t b

d u

q

Figure 7. Acyclic graph for C and I

PFD to set theory: availability

For availability, the need was PFD in the form of set theory. The use of set theory required axiom, based on (Walpole & Myers, 1995) the following obtained:

Axiom 1:

1) 𝑥 ∩ 𝑥 = 𝑥;

2) 𝑝 ∪ 𝑞 = 𝑝 + 𝑞 − 𝑝𝑞;

3) 𝑝 ∩ 𝑞 = 𝑝 × 𝑞;

4) 𝑝𝑞 = 𝑞𝑝.

Because each terminal in the case affected A, the following can be done to produce a model:

For example, diagram a in Figure 4, the set theory is (𝑎 ∩ 𝑝 ∩ 𝑏 ∩ 𝑝 ∩ 𝑎) ∩ (𝑏 ∩ 𝑞 ∩ 𝑏) for security goal A of the target system.

Given p is 𝑎 ∩ 𝑟 ∩ 𝑐 ∩ 𝑠 ∩ 𝑏 and Given 𝑠 is:

1) 𝑐 ∩ 𝑡 ∩ 𝑏;

2) 𝑐 ∩ 𝑢 ∩ 𝑑 ∩ 𝑣 ∩ 𝑏.

Then,

𝐴 = (𝑎 ∩ 𝑝 ∩ 𝑏 ∩ 𝑝 ∩ 𝑎) ∩

= 𝑎 ∩ 𝑝 ∩ 𝑏 ∩ 𝑞

= 𝑎 ∩ 𝑎 ∩ 𝑟 ∩ 𝑐 ∩ 𝑠 ∩ 𝑏 ∩ 𝑏 ∩ 𝑞

= 𝑎 ∩ 𝑟 ∩ 𝑐 ∩ 𝑏 ∩ 𝑞 ∩ (𝑐 ∩ 𝑡 ∩ 𝑏 ∪ 𝑐 ∩ 𝑢 ∩ 𝑑 ∩ 𝑣 ∩ 𝑏)

= 𝑎 ∩ 𝑟 ∩ 𝑐 ∩ 𝑏 ∩ 𝑞 ∩ (𝑡 ∪ 𝑢 ∩ 𝑑 ∩ 𝑣 (1)

PFD to set theory: confidentiality & integrity Based on the identification of security goals, A was different from C and I. So point d) in the PFD must be modified to be able to accommodate b that does not support C and I.

The set theory for C and I was formula (2), with the following details:

For example, diagram a) in Figure 4 is (𝑎𝑝𝑏𝑝𝑎)(𝑏𝑞𝑏) for security goals C and I of the target system, by replacing part d) with Figure 5.

Given p is 𝑎 ∩ 𝑟 ∩ 𝑐 ∩ 𝑠 ∩ 𝑏 and Given 𝑠 is:

1) 𝑐 ∩ 𝑡 ∩ 𝑏;

2) 𝑐 ∩ 𝑢 ∩ 𝑑; (b is excluded because it does not have C and I, v is also excluded because it is a Markov blanket of b)

Then,

(11)

30 𝐶, 𝐼 = (𝑎 ∩ 𝑝 ∩ 𝑏 ∩ 𝑝 ∩ 𝑎) ∩ (𝑏 ∩ 𝑞 ∩ 𝑏)

= 𝑎 ∩ 𝑝 ∩ 𝑏 ∩ 𝑞

= 𝑎 ∩ 𝑎 ∩ 𝑟 ∩ 𝑐 ∩ 𝑠 ∩ 𝑏 ∩ 𝑏 ∩ 𝑞

= 𝑎 ∩ 𝑟 ∩ 𝑐 ∩ 𝑏 ∩ 𝑞

∩ (𝑐 ∩ 𝑡 ∩ 𝑏 ∪ 𝑐 ∩ 𝑢 ∩ 𝑑)

= 𝑎 ∩ 𝑟 ∩ 𝑐 ∩ 𝑏 ∩ 𝑞 ∩ (𝑡 ∪ 𝑢 ∩ 𝑑) (2)

Based on the final results of the risk formula (1) and (2) the risk value was obtained as

Table 2. The difference in the value of A

= 0.97 with the value of C = 0.98 is due to the value of v not included in the formula (2). In I, we deliberately set the value of all variables to

be 1, except for c which made 0.7. Hospital (c) has a big role to play, which immediately had a major impact on changing the value of I to 0.7 even though all conditions were safe.

Table 2. Risk calculation

Code Description C I A

a BNPB Regional 1 1 1

r a→ c 1 1 1

c Hospital 1 0.7 1

t c→b 0.9 1 0.9

b Drugstore 0.99 1 0.99

q b→b 1 1 1

u c→d 0.9 1 0.9

d Drugstore 0.99 1 0.99

v d→b 0.9

Risk value 0.98 0.7 0.97

Manual drugstores did not use electronic devices, so there was no effect on data

confidentiality and integrity. This was seen in connectedness d→v in

Table 2 for C and I whose values were left blank.

PROOFING

How PFD as a ToA model has the capability of meta-models has been presented in a case study. However, it must be ensured that each model did not deviate, this can be done by proof, included in the discussion of this section.

Proofing Graph using Boole’s algebra

Based on previous considerations, for example, in the case example, it was finally determined to use the risk graph model. The resulting risk model can be tested with one of the other models, for example, Boole's algebra. To do the test, an axiom was chosen to be used.

Suppose based on (Boole, 1854), the following was obtained:

Axiom 2:

1) 𝑥² = 𝑥;

2) 𝑥 + 𝑥 = 0;

3) pq=qp.

After the axiom was obtained, the next step was to translate the PFD into Boole's algebra form.

For example, chart a) on Figure 4 was (𝑎𝑝𝑏𝑝𝑎)(𝑏𝑞𝑏) for security goal A of the target system.

Given 𝑝 was 𝑎𝑟𝑐𝑠𝑏 and Given 𝑤𝑎𝑠:

1) 𝑐𝑡𝑏;

2) cudvb.

Then,

𝐴 = (𝑎𝑝𝑏𝑝𝑎)(𝑏𝑞𝑏)

= 𝑎𝑝𝑏𝑞

= 𝑎𝑎𝑟𝑐𝑠𝑏𝑏𝑞

= 𝑎𝑟𝑐𝑏𝑞𝑠

= 𝑎𝑟𝑐𝑏𝑞(𝑐𝑡𝑏𝑞 + 𝑐𝑢𝑑𝑣𝑏𝑞 + 𝑐𝑡𝑏𝑞𝑢𝑑𝑣)

= 𝑎𝑟𝑐𝑏𝑞𝑐𝑡𝑏𝑞 + 𝑎𝑟𝑐𝑏𝑞𝑐𝑢𝑑𝑣𝑏𝑞 + 𝑎𝑟𝑐𝑏𝑞𝑐𝑡𝑏𝑐𝑢𝑑𝑣𝑏

= 𝑎𝑟𝑐𝑏𝑞𝑡 + 𝑎𝑟𝑐𝑏𝑞𝑢𝑑𝑣 + 𝑎𝑟𝑐𝑏𝑞𝑡𝑢𝑑𝑣

= 𝑎𝑟𝑐𝑏𝑞(𝑡 + 𝑢𝑑𝑣 + 𝑡𝑢𝑑𝑣)

= 𝑎𝑟𝑐𝑏𝑞(𝑡 + 𝑢𝑑𝑣) (3)

(12)

31 Next was comparing Boole's algebra with

a graph.

Theorem 1: The acyclic graph (F) model in Figure 6 can be converted into Boole's algebra form:

𝑎𝑟𝑐(𝑐𝑡𝑏𝑞 + 𝑐𝑢𝑑𝑣𝑏𝑞 + 𝑐𝑡𝑏𝑞𝑢𝑑𝑣) (4) Then

𝑎𝑟𝑐(𝑐𝑡𝑏𝑞 + 𝑐𝑢𝑑𝑣𝑏𝑞 + 𝑐𝑡𝑏𝑞𝑢𝑑𝑣) = 𝑎𝑟𝑐𝑏𝑞(𝑡 + 𝑢𝑑𝑣)

Proof 1:

Using Axiom 2, (4) can be simplified into:

𝑎𝑟𝑐(𝑐𝑡𝑏𝑞 + 𝑐𝑢𝑑𝑣𝑏𝑞 + 𝑐𝑡𝑏𝑞𝑢𝑑𝑣) = 𝑎𝑟𝑐𝑡𝑏𝑞 + 𝑎𝑟𝑐𝑢𝑑𝑣𝑏𝑞 + 𝑎𝑟𝑐𝑡𝑏𝑢𝑑𝑣𝑞

= 𝑎𝑟𝑐𝑡𝑏𝑞 + 𝑎𝑟𝑐𝑢𝑑𝑣𝑏𝑞 + 𝑎𝑟𝑐𝑡𝑏𝑢𝑣𝑑𝑞

= 𝑎𝑟𝑐𝑏𝑞(𝑡 + 𝑢𝑑𝑣 + 𝑡𝑢𝑑𝑣)

= 𝑎𝑟𝑐𝑏𝑞(𝑡 + 𝑢𝑑𝑣)

Based on Proof 1, it was proven that (3) = (4). The same was applied to C and I, replacing part d) of Figure 4 becoming Figure 5.

Proofing Set Theory using Boolean algebra In Boolean algebra, we used Axiom 3 based on (Vesely et al., 1981). The use of the symbols ∨ and 𝑎𝑛𝑑 𝑤𝑎𝑠aimed to distinguish it from Boole’s algebra.

Axiom 3:

1) 𝑎𝑛𝑑𝑥 ∧ 𝑥 = 𝑥;

2) 𝑥 ∨ 𝑥 = 𝑥;

3) 𝑝 ∧ 𝑞 = 𝑞 ∧ 𝑝.

Based on the explanation of risk model development, at the security goal identification stage, PFD for C and I produced Figure 7 as a substitute for part d) of Figure 4.

For example, a) on Figure 4 which in part d) was changed to Figure 7. The PFD was used for the construction of risk goal models C and I.

The PFD can be translated as Boolean algebra by:

(𝑎 ∧ 𝑝 ∧ 𝑏 ∧ 𝑝 ∧ 𝑎) ∧ (𝑏 ∧ 𝑞 ∧ 𝑏) Given 𝑝 was 𝑎 ∧ 𝑟 ∧ 𝑐 ∧ 𝑠 ∧ 𝑏 and Given 𝑠 was:

1) 𝑐 ∧ 𝑡 ∧ 𝑏;

2) 𝑐 ∧ 𝑢 ∧ 𝑑.

Then,

𝐴 = (𝑎 ∧ 𝑝 ∧ 𝑏 ∧ 𝑝 ∧ 𝑎)(𝑏 ∧ 𝑞 ∧ 𝑏)

= 𝑎 ∧ 𝑝 ∧ 𝑏 ∧ 𝑞

= 𝑎 ∧ 𝑎 ∧ 𝑟 ∧ 𝑐 ∧ 𝑠 ∧ 𝑏 ∧ 𝑏 ∧ 𝑞

= 𝑎 ∧ 𝑟 ∧ 𝑐 ∧ 𝑏 ∧ 𝑞(𝑐 ∧ 𝑡 ∧ 𝑏 ∪ 𝑐 ∧ 𝑢 ∧ 𝑑)

= 𝑎 ∧ 𝑟 ∧ 𝑐 ∧ 𝑏 ∧ 𝑞 ∧ (𝑡 ∪ 𝑢 ∧ 𝑑) (5)

Theorem 2:

𝑎 ∩ 𝑟 ∩ 𝑐 ∩ 𝑏 ∩ 𝑞 ∩ (𝑡 ∪ 𝑢 ∩ 𝑑) = 𝑎 ∧ 𝑟 ∧ 𝑐 ∧ 𝑏 ∧ 𝑞 ∧ (𝑡 ∪ 𝑢 ∧ 𝑑) (6)

Next, translation was needed from Boolean algebra to set theory. (Wildberger, 2019) proved that distributive laws in set theory also applied to Boolean algebra. We use it as a support for the conversion of random events in the Finite set from Boolean algebra to Boole’s algebra and vice versa.

Axiom 4:

1) 𝐴 ∪ (𝐵 ∩ 𝐶) = (𝐴 ∪ 𝐵) ∩ (𝐴 ∪ 𝐶) = 𝐴 ∨ (𝐵 ∧ 𝐶) = (𝐴 ∨ 𝐵) ∧ (𝐴 ∨ 𝐶)

2) 𝑝 ∪ 𝑞 = 𝑝 ∨ 𝑞 − 𝑝𝑞;

3) 𝑝 ∨ 𝑞 = 𝑝 + 𝑞 + 𝑝𝑞 4) 𝑝 ∩ 𝑞 = 𝑝 ∧ 𝑞 = 𝑝𝑞.

Proof 4:

𝑎 ∧ 𝑟 ∧ 𝑐 ∧ 𝑏 ∧ 𝑞 ∧ (𝑡 ∪ 𝑢 ∧ 𝑑) = 𝑎𝑟𝑐𝑏𝑞(𝑡 + 𝑢𝑑)

= 𝑎 ∩ 𝑟 ∩ 𝑐 ∩ 𝑏 ∩ 𝑞 ∩ (𝑡 ∪ 𝑢 ∩ 𝑑) Based on Proof 4, it was proven that (5)=(6).

RESULTANDDISCUSSION In a pandemic situation, there are two needs that must be met in an information security risk framework: simplicity and multi risk models.

SIMPLICITY

A fast-changing situation makes simplicity absolutely necessary in the risk framework used in a pandemic situation. There are two parties that communicate, those are management and risk management.

Communication between the two requires a

(13)

32 model that can be understood by managers as

decision makers. The model must also be understood by risk managers so that it can be executed as a risk model. This is complicated by the failure of the existing approach to answer the need to obtain the level of criticality of the assets of the system, and the dependencies between the assets (Shameli-Sendi et al., 2016).

Criticality and dependencies will be obtained by changing the perspective of risk itself. Risk benchmarks should refer to the processes carried out by the organization, after which only the assets involved are included (Khanmohammadi & Houmb, 2010). The value of assets will also be easier to understand if it is viewed from a system perspective (Chen et al., 2013).

The proposed framework was based on processes in the system's perspective. So that the

criticality and dependencies were in the grip.

Simplification was done using PFD, a simple ToA conceptual model based on the long known:

DFD. PFD supports modular and multi value.

Thus, overcoming the constraints of the complexity of previous research include: a model based solely on the physical relationship of assets on (Breier, 2014; Breier & Schindler, 2014), a model based on the threat-scenario complexity of (Rahmad, 2010; Rahmad et al., 2010, 2012). Also the constraints from: the number of diagrams on (Lund et al., 2010), or multi-layer organization (Alpcan & Bambos, 2009; Fernandez & Garcia, 2016; Loloei et al., 2012; Schmidt & Albayrak, 2010), or forms based only on tables (Tatar & Karabacak, 2012).

Case studies were made, designed in such a way as to resemble case examples Chen et al.

(2013) for comparison purposes. Every A in Table 2 used the same value as the value

used in case Chen et al. (2013) for A.Phy. The result is the same value as 0.97. Idea workflow description Chen et al. (2013) was the basis for forming the process flow description. When Chen et al. (2013) set a security goal from the start, SARAF did so after the PFD was equipped with a system description. The most basic difference with Chen et al. (2013) was gathering evidence, Chen et al. (2013) was automated, SARAF still relied on manual methods. In their case study,(Chen et al., 2013) required a graph with 60 nodes and 82 edges to describe the system to be assessed. In the same case, the proposed graph model only required 18 nodes and 16 edges, see Figure 4. A very significant comparison to complexity, made it easier for organizations to understand.

PFD has the capability to present all security goals in one node will overcome one node for one security goal on (Muller, 2018;

Muller et al., 2016, 2017). Simplified cyclic to acyclic ((A) to (D) on Figure 6) overcome two different treatments for cyclic and general (Muller et al., 2017), or with compound and extraction node (Yunizal et al., 2020).

MULTI RISK MODEL

It is desirable to build a risk model using existing knowledge. Thus, multi risk models are needed as output from the framework. Until

now, there is no framework that has this capability.

The conceptual model of ToA can be translated into more than one risk model. The framework also allows to be implemented across models. Furthermore, additional capabilities with ToA capabilities that can be processed in stages enable the assessment to be carried out collaboratively. For example, the initial PFD was made by top management. Next, the modules are detailed by each section below.

CONCLUSION

This research shows a new paradigm in risk assessment. A framework that allows holistic assessments to be carried out quickly because it uses a simple model that is very well known. A framework that is very much needed in a pandemic situation, the system is built fast but takes into account the risks involved. There is no information security framework intended for COVID-19 IS. Involves multi-engineering and mathematical models in a form that can prove to one another.

Since it is preliminary research, so there are many future work can be done, the opportunities identified include:

1) The case of multi value that is different from each asset is still not finished for the acyclic graph model. Supposedly, there is no need to

(14)

33

‘return’ to the PFD for differences in security goals in each terminal;

2) SARAF framewok automation. This is possible by replacing the basic SARAF diagram from PFD to DFD;

3) The development of PFD that supports attacks, just like assets, attacks also have dependencies, and attacks should also be simplified;

4) Evidence can be obtained by survey, or through an attack graph, or PFD for an attack, a comparison of the three;

5) Comparison of the application of SARAF acyclic graph using graph versus SQL;

6) PFD automation of data flow diagrams, workflow diagrams, and network topology;

7) Implementation of SARAF framework in other domains: earthquake, critical infrastructure, academic, inventory, or supply chain;

8) Asset dependency measurement through the influence of independent variables to the dependent variable in the SARAF framework.

REFERENCES

Alpcan, T., & Bambos, N. (2009). Modeling dependencies in security risk management. Post-Proceedings of the 4th International Conference on Risks and Security of Internet and Systems, CRiSIS

2009, 113–116.

https://doi.org/10.1109/CRISIS.2009.541 1969

Amutio, M. A., Candau, J., & Mañas, J. (2014).

Magerit-version 3, methodology for information systems risk analysis and management, book I-the method.

Ministerio de Administraciones Públicas.

Bauchner, H., Fontanarosa, P. B., & Livingston, E. H. (2020). Conserving supply of personal protective equipment—A call for ideas. Jama, 323(19), 1911–1911.

Bayhaqi, A. (2020, April 27). Pemerintah Siapkan Sistem Informasi Satu Data untuk Covid-19 | merdeka.com. Merdeka.Com.

https://www.merdeka.com/peristiwa/pem erintah-siapkan-sistem-informasi-satu- data-untuk-covid-19.html

Boole, G. (1854). An investigation of the laws of thought: On which are founded the mathematical theories of logic and probabilities. Dover Publications.

Breier, J. (2014). Asset valuation method for dependent entities. Journal of Internet Services and Information Security, 4(3).

Breier, J., & Schindler, F. (2014). Assets dependencies model in information security risk management. Lecture Notes in Computer Science (Including Subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics),

8407 LNCS, 405–412.

https://doi.org/10.1007/978-3-642- 55032-4_40

Chen, B., Kalbarczyk, Z., Nicol, D. M., Sanders, W. H., Tan, R., Temple, W. G., Tippenhauer, N. O., Vu, A. H., & Yau, D.

K. (2013). Go with the flow: Toward workflow-oriented security assessment.

Proceedings of the 2013 New Security Paradigms Workshop, 65–76.

Cook, T. M. (2020). Personal protective equipment during the coronavirus disease (COVID) 2019 pandemic – a narrative review. Anaesthesia, 75(7), 920–927.

https://doi.org/10.1111/anae.15071 Fernandez, A., & Garcia, D. F. (2016). Complex

vs. simple asset modeling approaches for information security risk assessment:

Evaluation with MAGERIT

methodology. 2016 Sixth International Conference on Innovative Computing Technology (INTECH), 542–549.

Goforth, E., Yosri, A., El-Dakhakhni, W., &

Wiebe, L. (2022). Infrastructure Asset Management System Optimized Configuration: A Genetic Algorithm–

Complex Network Theoretic Metamanagement Approach. Journal of Infrastructure Systems, 28(4), 04022029.

Grahanusa Mediatama. (2020, April 9).

Kepolisian tindak 18 kasus terkait APD, ini berbagai modus yang digunakan.

kontan.co.id.

http://nasional.kontan.co.id/news/kepolisi an-tindak-18-kasus-terkait-apd-ini- berbagai-modus-yang-digunakan

GTPP COVID-19. (2020). Daftar Website Kabupaten/Kota—Konten Berguna |

(15)

34 Gugus Tugas Percepatan Penanganan

COVID-19. Covid19.Go.Id.

https://covid19.go.id/p/konten/daftar- website-kabupaten-kota

Haimes, Y. Y. (2018). Risk modeling of interdependent complex systems of systems: Theory and practice. Risk Analysis, 38(1), 84–98.

https://doi.org/10.1111/risa.12804

Infopublik. (2020). Polisi Ungkap 18 Kasus Penyimpangan dan Penyalahgunaan APD. http://infopublik.id/kategori/lawan- covid-19/448350/polisi-ungkap-18- kasus-penyimpangan-dan-

penyalahgunaan-apd

Ionita, D. (2018). Model-Driven Information Security Risk Assessment of Socio- Technical Systems [PhD Thesis,

University of Twente].

https://research.utwente.nl/en/publication s/model-driven-information-security- risk-assessment-of-socio-techni

Khanmohammadi, K., & Houmb, S. H. (2010).

Business process-based information security risk assessment. 2010 Fourth International Conference on Network and System Security, 199–206.

https://doi.org/10.1109/NSS.2010.37 Kim, D., & Solomon, M. G. (2018).

Fundamentals of Information Systems Security. Jones & Bartlett Learning.

Kohonen, R., Moronen, T., & Heimonen, G. I.

(2011). Concepts, Stakeholders, and Value Chains in Smart Energi Business and Services. e-hub.

Kotenko, I., Doynikova, E., Fedorchenko, A., &

Desnitsky, V. (2022). Automation of Asset Inventory for Cyber Security:

Investigation of Event Correlation-Based Technique. Electronics, 11(15), 2368.

Lam, J. (2014). Enterprise risk management:

From incentives to controls. John Wiley

& Sons.

Landoll, D. J., & Landoll, D. (2005). The security risk assessment handbook: A complete guide for performing security risk assessments. CRC Press.

Loloei, I., Shahriari, H. R., & Sadeghi, A.

(2012). A model for asset valuation in security risk analysis regarding assets dependencies. ICEE 2012 - 20th Iranian

Conference on Electrical Engineering, 763–768.

https://doi.org/10.1109/IranianCEE.2012.

6292456

Lund, M. S., Solhaug, B., & Stølen, K. (2010).

Model-driven risk analysis: The CORAS approach. Springer Science & Business Media.

Merdeka. (2020). Kapolri Instruksikan Tindak Tegas Penimbunan & Penyalahgunaan Alat Kesehatan. Merdeka.Com.

https://www.merdeka.com/peristiwa/kap olri-instruksikan-tindak-tegas-

penimbunan-penyalahgunaan-alat- kesehatan.html

Muller, S. (2018). Risk Monitoring and Intrusion Detection for Industrial Control Systems [PhD Thesis]. University of Luxembourg, Luxembourg.

Muller, S., Harpes, C., Le Traon, Y., Gombault, S., & Bonnin, J.-M. (2017). Efficiently computing the likelihoods of cyclically interdependent risk scenarios. Computers

& Security, 64, 59–68.

https://doi.org/10.1016/j.cose.2016.09.00 8

Muller, S., Harpes, C., Le Traon, Y., Gombault, S., Bonnin, J.-M., & Hoffmann, P. (2016).

Dynamic risk analyses and dependency- aware root cause model for critical infrastructures. International Conference on Critical Information Infrastructures Security, 163–175.

Naidoo, R. (2020). A multi-level influence model of COVID-19 themed cybercrime.

European Journal of Information

Systems, 29(3), 1–16.

https://doi.org/10.1080/0960085X.2020.1 771222

Nielsen, T. D., & Jensen, F. V. (2009). Bayesian networks and decision graphs. Springer Science & Business Media.

Porter, M. E., & Millar, V. E. (1985). How information gives you competitive advantage (Vol. 63). Harvard Business Review Reprint Service.

Rahmad, B. (2010). Analisa Risiko Keamanan Informasi dengan Mempertimbangkan Dependensi Skenario Threat dan Kontrol sebagai Pereduksi Likelihood dan Impact

(16)

35 [PhD Thesis]. Institut Teknologi

Bandung.

Rahmad, B., Supangkat, S. H., Sembiring, J., &

Surendro, K. (2010). Threat Scenario Dependency-Based Model of Information Security Risk Analysis. IJCSNS, 10(8), 93.

Rahmad, B., Supangkat, S. H., Sembiring, J., &

Surendro, K. (2012). Modeling asset dependency for security risk analysis using threat-scenario dependency.

International Journal of Computer Science and Information Security, 10(4), 103.

Republika. (2020). Kapolri Terbitkan Instruksi Atasi Persoalan Alat Kesehatan |

Republika Online.

https://republika.co.id/berita/q8f8v4354/k apolri-terbitkan-instruksi-atasi-persoalan- alat-kesehatan

Schmidt, S., & Albayrak, S. (2010). A quantitative framework for dependency- aware organizational IT Risk Management. 2010 10th International Conference on Intelligent Systems Design and Applications, 1207–1212.

https://doi.org/10.1109/ISDA.2010.5687 022

Shameli-Sendi, A., Aghababaei-Barzegar, R., &

Cheriet, M. (2016). Taxonomy of information security risk assessment (ISRA). Computers & Security, 57, 14–

30.

https://doi.org/10.1016/j.cose.2015.11.00 1

Tarjan, R. (1973). Enumeration of the elementary circuits of a directed graph.

SIAM Journal on Computing, 2(3), 211–

216. https://doi.org/10.1137/0202017 Tatar, Ü., & Karabacak, B. (2012). An

hierarchical asset valuation method for information security risk analysis.

International Conference on Information Society (i-Society 2012), 286–291.

https://fuse.franklin.edu/facstaff-pub

Vesely, W. E., Goldberg, F. F., Roberts, N. H.,

& Haasl, D. F. (1981). Fault tree handbook (NUREG-0492; p. 209).

Nuclear Regulatory Commission

Washington DC.

http://www.stormingmedia.us/37/3794/A 379453.pdf{\%}5Cnhttp://ocw.mit.edu/c ourses/aeronautics-and-astronautics/16- 63j-system-safety-fall-2012/related- resources/MIT16{\_}63JF12{\_}faulttree .pdf{\%}5Cnhttp://www.nrc.gov/reading -rm/doc-collections/nuregs/staff/sr0492/

Walpole, R. E., & Myers, R. H. (1995). Ilmu Peluang dan Statistika untuk Insinyur dan Ilmuwan. Instirut Teknologi Bandung.

Wang, L., Islam, T., Long, T., Singhal, A., &

Jajodia, S. (2008). An attack graph-based probabilistic security metric. IFIP Annual Conference on Data and Applications Security and Privacy, 5094 LNCS, 283–

296. https://doi.org/10.1007/978-3-540- 70567-3_22

Wang, R., Li, H., Jing, J., Jiang, L., & Dong, W.

(2022). WYSIWYG: IoT Device Identification Based on WebUI Login Pages. Sensors, 22(13), 4892.

Wildberger, N. (Director). (2019). Boolean algebra and set theory | Math Foundations 259.

Yourdon, E. (2006). Just enough structured analysis. Available in Wiki Format at:

Http://Yourdon.

Com/Strucanalysis/Wiki/Index. Php, 643.

https://doi.org/10.3167/01559770278240 9310

Yunizal, E., Surendro, K., & Santoso, J. (2020).

A Method of Simplifying the Asset Dependency Cycle in Security Risk Analysis. The 5th International Conference on Information Technology and Digital Applications (ICITDA 2020), 1077. https://doi.org/10.1088/1757- 899x/1077/1/012002