A Process Approach to Manage the Security of the Communication Systems with Risk Analysis Based on Epidemiological Model

Abstract

Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification or destruction, to assure confidentiality, availability and integrity. The new trends of telecommunications of the last year is the move towards the trasmission of voice over traditional packet switched IP network, voice over IP, that has become a valid alternative to traditional public circuit-switched telephone network and then the convergence of the communication systems, through the next generation networks definition. This environment presents many security problems and significant security challenges. The voice over IP system increase these with those normally tie to IP network. Along with a several benefits of voice over IP, there are new security threats for exchanged informations. This paper analyzes the security issues of the communication systems, starting from the traditional public switched telephone network toward the new next generation network. Then, with this paper, we want to introduce a process approach to manage the security, based on epidemiological model. This model is characterized by three steps, Analysis, Assessment and Management, and it can be applied to a general information security system, to identify, assess and classify the information assets, the processes concerning it, vulnerabilities of each level and common threats. Finally we evaluate the risk and the probability of damage that can crash the system or part of this and propose a model of failure time analysis. The target of this analysis is to calculate the extent of the risk function in order to understand the state and the degree of security of our system, by studying the statistics of failure and to ensure highest degree of security optimizing the business strategic decisions and information and communication technology security economic investments. The methodology is designed to be applied in the future to communication systems, more specifically. This does not exclude the application of this methodology in other areas of interest (biomedical or economical areas) to understand, formalize and solve problems of similar nature.