Security Risk Definitions

This chapter presents the basic concepts and definition of risk (Section 3.1), a protocol for conducting transportation risk assessments (Section 3.2), and a prioritization process for identifying important issues and transportation scenarios requiring a more detailed risk analysis (Section 3.3). Due to the differences in safety and security definitions and risk assessment methodologies, the focus of Chapters 3, 4, and 5 is limited to transportation safety. Security concepts, definition, and assessment methods are presented separately in Chapter 6, with this chapter providing a high-level comparison of safety and security. 

Under CEATS, Congress directed the DHS to identify and secure those chemical facilities that present the greatest security risk. From their definition, security risk is a function of the following ... 

Pharmacies are affected by these rules in two ways. Pharmacies, by definition, deal with PHI (e.g., a prescription itself is PHI). If the pharmacy uses a computer, the information is then electronic and is known as ePHI (Barlas, 2004). HIPAA protects all individually identifiable health information held or transmitted by a covered entity or its business associate in any form or media, whether electronic, paper, or oral (DHHS, 2003). This covered information includes demographic data, including the individual s physical or mental health (past, present, or future) the health care provided to the individual and payment information and common identifiers (e.g., name, address, birth date, and Social Security Number) that can be used to identify the individual. Pharmacies must have numerous policies and procedures in place to be in compliance with the HIPPA mandates. These include conducting risk assessments, appointing security and privacy officers to ensure compliance, and implementing policies and procedures to detect and prevent security violations. 

There is no global security policy, and therefore no unique definition of threats, protection criteria and risk assessment approaches. 

The actual definition of so-called standard fail-stop signature schemes is contained in Section 7.1. In Section 7.2, relations to alternative or additional security properties are shown. Section 7.3 presents fail-stop signature schemes with prekey, an important subclass, and proves simplified security criteria for them. Section 7.4 shows the relation between standard fail-stop signature schemes and ordinary digital signature schemes. Section 7.5 contains constructions of schemes with many risk bearers from schemes with one risk bearer. 

Section 7.1.1 explains why one can concentrate on schemes with special risk bearers. The components of the schemes are derived in Section 7.1.2 and summarized formally in Definitions 7.1 to 7.3. The requirements, which are now mixed with considerations of structure and degree of security, are studied in Sections 7.1.3 to 7.1.5. 

Definition 7.11. A standard fail-stop signature scheme is secure for risk bearers iff for all probabilistic polynomial-time interactive algorithms Aj and non-interactive A2 (the two parts of the attacker strategy) and all polynomials Qsig, Qn (determining the growth of a and N as functions of k) ... 

Definition 7.14. A standard fail-stop signature scheme is secure for the signer forwards iff for all probabilistic interactive functions B and F (representing a cheating risk bearer colluding with a forger) and all parameters par as in Definition 7.1 or 7.2, respectively,... 

The definition of unforgeability and the proof that it follows from the security for the signer and the risk bearers (with a stronger version if the backward definition of the security for the signer is used). 

Note that these forgers are special cases of those considered with the security for the signer. In the case with several risk bearers, let B denote the combination of B and O. Hence the definition of unforgeability deals with the same probabilities PB,F,par the forward definition of the security for the signer. 

As unforgeability will be a consequence of the security for both the signer and the risk bearers, both security parameters, k and CT, may have to tend to infinity. The definition of the precise relation between them corresponds to the following theorem it can be generalized. 

The first summand was defined as the probability from the security for risk bearers (Definition 7.11). Using this definition immediately yields the desired result. 

The obvious advantage of this construction is that the complexity of authentication and disputes is independent of the number of risk bearers. The disadvantage is that a general suitable key-generation protocol is very inefficient however, see the last subsection for more efficient special cases. (Moreover, due to problems with definitions of multi-party function evaluation protocols, I did not even dare to call the security considerations below a proof sketch.)... 

Proof sketch. The implicit and explicit requirements from Definitions 7.1 and 7.31 and the property to be polynomial-time in the interface inputs alone are easy to see. Among the criteria from Theorem 7.34, effectiveness of authentication is easily derived from that in the one-time scheme, and the security for the risk bearer is completely identical to that in the underlying one-time scheme. (Recall that the fact that the signer s entity bases many one-time key pairs on the same prekey makes no formal difference at all in Criterion 2 of Theorem 7.34.)... 

Proof, a) The only really interesting part of the proof is that the additional information stored non-secretly does not weaken the security for the signer — the requirements from Definitions 7.1 and 7.31 are easy to see, and effectiveness of authentication and the security for the risk bearer are unchanged in comparison with Theorem 10.14. (Recall from Theorem 10.2 that the security of the underlying scheme according to Definition 9.1 implies that in combination with message hashing, it fulfils the criteria of Theorem 7.34, and hence Theorem 10.14 can be applied.)... 

Proof. The implicit and explicit requirements fi-om Definitions 7.1 and 7.31 are obviously fulfilled, and effectiveness of authentication and the security for the risk bearer are shown as in Lemma 9.12. Furthermore, it is clear that every successful forgery /that is not the correct signature in the same position y in the sequence is provable. It remains to be shown that the reuse of halves of the one-time secret keys does not increase the likelihood with which such a forgery is the correct signature. Thus, with all the quantifiers as in Criterion 3 of Theorem 7.34 in the version of Definition 9.1, it has to be shown that for/= (m , s ) with s = (j, x , y ) ... 

That the security for risk bearers is needed is a problem, because Definition 7.11, like all computational cryptologic definitions, is asymptotic, i.e., security is only guaranteed for k sufficiently large. Thus, in a certain sense, one can only derive lower bounds for k > kQ, for an unknown kg. This seems unsatisfactory Nobody would have doubted that one needs arbitrarily long keys if one makes k sufficiently large, because in the definitions, k primarily determines the size of the problem instances and only secondarily the security. 

G N exists such that all provide the security level risk bearers against for the given a. (The polynomials Qsig and Qn can be the constants O and N, respectively.) Hence Definition 11.5 does not make any new assumptions. ... 

Remediation versus Clean-up. Identification of any contaminated land triggers the next duty to secure remediation of the land. The definition of remediation in Part IIA makes clear that this, too, is a risk-based concept. 

---