Security Risk Analysis of Information System in Academic Institution based on Business Perspective: A Case Study

  • Authors

    • Prajna Deshanta Ibnugraha
    • Lukito Edi Nugroho
    • Paulus Insap Santosa
    2019-01-26
    https://doi.org/10.14419/ijet.v8i1.9.26374
  • Risk analysis, OWASP, information system, SQL injection.
  • The information system of an academic institution manages data from students, staff and lecturers, and it holds a large amount of critical information such as student grades, accounts and other private information. However, some of these information systems have SQL injection vulnerabilities, which lead to data security breaches. Such a breach can cause reputation damage and other business impact for the academic institution. Therefore, the objective of this study is to analyze risk from a business perspective as the basic process for selecting suitable mitigation. OWASP is an existing method that is considered a proper method for risk analysis in this study because it has explicit metrics related to a business approach. Based on the experiment results, the business impact of a vulnerability can be measured. However, some metrics still need to be developed to obtain more precise results that describe the real impact on the business of the institution.
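To make the method concrete, the following is an added worked example (not code from the paper) of the OWASP Risk Rating Methodology the study applies: the eight likelihood factors and the four business impact factors are averaged on the 0-9 scale, banded into Low/Medium/High, and combined through the OWASP severity matrix. The factor scores are assumed values for a hypothetical SQL injection in a student-records module, not measurements from the paper; the same function accepts the four technical impact factors instead of the business ones.

```python
# OWASP Risk Rating Methodology (likelihood x impact), applied to a
# constructed SQL injection scenario in an academic information system.
# Factor names and the 0-9 scale follow the OWASP methodology; the scores
# below are assumed values for illustration, not figures from the paper.
from statistics import mean

LEVELS = ((3, "Low"), (6, "Medium"), (10, "High"))  # exclusive upper bounds


def level(score: float) -> str:
    """Map a 0-9 factor average to the OWASP Low/Medium/High band."""
    for upper, name in LEVELS:
        if score < upper:
            return name
    raise ValueError("score outside the 0-9 scale")


# Overall severity: rows = likelihood level, columns = impact level.
SEVERITY = {
    "Low":    {"Low": "Note",   "Medium": "Low",    "High": "Medium"},
    "Medium": {"Low": "Low",    "Medium": "Medium", "High": "High"},
    "High":   {"Low": "Medium", "Medium": "High",   "High": "Critical"},
}


def owasp_rating(likelihood_factors, impact_factors):
    """Return (likelihood score, impact score, overall severity)."""
    likelihood = mean(likelihood_factors.values())
    impact = mean(impact_factors.values())
    return likelihood, impact, SEVERITY[level(likelihood)][level(impact)]


# Assumed scores for a SQL injection in the student-records module.
SQLI_LIKELIHOOD = {  # threat agent factors + vulnerability factors
    "skill_level": 6, "motive": 4, "opportunity": 9, "size": 9,
    "ease_of_discovery": 7, "ease_of_exploit": 5, "awareness": 9,
    "intrusion_detection": 8,  # logged but not reviewed
}
SQLI_BUSINESS_IMPACT = {  # the business-perspective metrics the study relies on
    "financial_damage": 3, "reputation_damage": 7,
    "non_compliance": 5, "privacy_violation": 7,
}

if __name__ == "__main__":
    lk, im, sev = owasp_rating(SQLI_LIKELIHOOD, SQLI_BUSINESS_IMPACT)
    print(f"likelihood={lk:.3f} ({level(lk)}), "
          f"business impact={im:.2f} ({level(im)}), severity={sev}")
```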

  • How to Cite

    Deshanta Ibnugraha, P., Edi Nugroho, L., & Insap Santosa, P. (2019). Security Risk Analysis of Information System in Academic Institution based on Business Perspective: A Case Study. International Journal of Engineering & Technology, 8(1.9), 87-91. https://doi.org/10.14419/ijet.v8i1.9.26374