Information Security Risk Assessment
Related papers
Information Security Risks Assessment: A Case Study
ArXiv, 2018
Owing to recorded incidents of Information technology inclined organisations failing to respond effectively to threat incidents, this project outlines the benefits of conducting a comprehensive risk assessment which would aid proficiency in responding to potential threats. The ultimate goal is primarily to identify, quantify and control the key threats that are detrimental to achieving business objectives. This project carries out a detailed risk assessment for a case study organisation. It includes a comprehensive literature review analysing several professional views on pressing issues in Information security. In the risk register, five prominent assets were identified in respect to their owners. The work is followed by a qualitative analysis methodology to determine the magnitude of the potential threats and vulnerabilities. Collating these parameters enabled the valuation of individual risk per asset, per threat and vulnerability. Evaluating a risk appetite aided in prioritising...
Information Security Risk Assessment: The Qualitative Versus Quantitative Dilemma
This paper presents the main security risk assessment methodologies used in information technology. The author starts from and research, bringing real-world examples to underline the limitations of the two risk assessment models. After a critical review of standards that reveals a lack of rigour, a practical comparison of the quantitative information security risk assessment models with the qualitative models shows that we can introduce two new factors which have an impact on risk assessment: the time constraint and the moral hazard of the analyst. Information technology managers know that in information systems long-term security is an ideal situation and that the financial impact of poor information security policies, procedures and standards is in most cases very difficult to calculate. These calculations will rarely be accurate, universal and ready for use by any security analyst.
Quantitative Analysis of Information Security Risk
The purpose of this quantitative data analysis was to examine the relationship between industry type and information security risk-level among businesses in the United States. This paper took into account collected business related data from 36 industry types. Pattern recognition, bivariate linear regression analysis, and a one-sample t-test were performed to test the industry type and information security risk-level relationship of the selected business. Test results indicated that there is a significant predictive relationship between industry type and risk-level rates among United States businesses. Moreover, the one-sample t-test results indicated that United States businesses classified as a particular industry type are more likely to have a higher information security risk-level than the midpoint level of United States businesses.
Comparative Study of Information Security Risk Assessment Frameworks
With the increasing need to secure an organization's computing environment, a security risk management framework that accurately defines the security risk management process is essential. In this regard, numerous risk management frameworks have been developed, and many more are emerging every day. They all have very different perspectives and address problems differently, though with the same basic goal of risk mitigation in the direction of information security. Information is a critical asset for every organization, and hence the development and implementation of strategic plans for information security risk mitigation should be an essential part of every organization's operation. This paper compares and analyzes the different activities, inputs and outputs required by each information security risk assessment model. The primary goal of the paper is to identify which information security risk assessment model assesses information security risk effectively. The comparative study helps in evaluating the models' applicability to an organization and its specific needs.
Information Security Risk Assessment (ISRA): A Systematic Literature Review
Journal of Information Systems Engineering and Business Intelligence
Background: Information security is essential for organisations, hence the risk assessment. Information security risk assessment (ISRA) identifies, assesses, and prioritizes risks according to organisational goals. Previous studies have analysed and discussed information security risk assessment. Therefore, it is necessary to understand the models more systematically. Objective: This study aims to determine types of ISRA and fill a gap in literature review research by categorizing existing frameworks, models, and methods. Methods: The systematic literature review (SLR) approach developed by Kitchenham is applied in this research. A total of 25 studies were selected, classified, and analysed according to defined criteria. Results: Most selected studies focus on implementing and developing new models for risk assessment. In addition, most are related to information systems in general. Conclusion: The findings show that there is no single best framework or model because the best framew...
A management perspective on risk of security threats to information systems
Information Technology …
Electronic commerce and the Internet have enabled businesses to reduce costs, attain greater market reach, and develop closer partner and customer relationships. However, using the Internet has led to new risks and concerns. This paper provides a management perspective on the issues confronting CIOs and IT managers: it outlines the current state of the art for security in e-commerce, the important issues confronting managers, security enforcement measures/techniques, and potential threats and attacks. It develops a scheme for probabilistic evaluation of the impact of security threats with some illustrative examples. This methodology may be used to assess the probability of success of attacks on information assets in organizations, and to evaluate the expected damages of these attacks. The paper also outlines some possible remedies, suggested controls and countermeasures. Finally, it proposes the development of cost models which quantify the damages of these attacks and the effort of confronting them. The construction of one such cost model for security risk assessment is also outlined. It helps decision makers to select the appropriate choice of countermeasure(s) to minimize damages/losses due to security incidents. Finally, some recommendations for future work are provided to improve the management of security in organizations on the whole.
Information Security Risk Management and Risk Assessment Methodology and Tools
10th International Conference on Cyber Security and Computer Science (ICONCS 18), 2018
Nowadays, risks related to information security are increasing with each passing day. Both public enterprises and the private sector are working on information security to provide information security. It is inevitable that institutions must use the most appropriate methodology and tools for their own needs and legal responsibilities to provide information security. In particular, the Personal Data Protection Law, other legal regulations and the development of cybersecurity risks oblige public institutions and enterprises to establish information security management systems. In this study, the methodology and tools covered under the Risk Management / Risk Assessment methodology and tools within the European Union Agency for Network and Information Security (ENISA)'s Threat and Risk Management studies are investigated. In the study, the seventeen methods and thirty-one tools studied by ENISA in the inventory work are introduced at a basic level. The methods and tools are compared among themselves in different aspects such as the type of risk classification, the reference level, the definition of applicability, the lifecycle, and whether their usage is licensed.
An Information Security Risk Assessment Model for Public and University Administrators
Assessing risk within any business entity is vital. Risk assessment/management is an essential part of every state agency, university and municipality. Computer viruses, malicious hackers, along with disgruntled employees all pose a major threat to data for public agencies, universities and local government assets. This applied research project discusses information security in depth. The purpose of this paper is threefold. First, this paper will explore the literature on information security in order to identify ideal components of a security program. Second, a survey on these ideal components will gather information security professionals' opinions on the most important elements of each component. Finally, the results of the survey will provide input on an ideal information security risk assessment program for educational institutions and/or state and local government agencies. The methodology for this research is the gauging technique. Survey research was the primary method of collecting data for this research. Ideal components of an effective risk assessment were identified, and an open-ended survey on those respective components was sent out to public administrators in the information security profession. The most important elements within each subcomponent of an ideal category for a risk assessment program are presented in the results chapter. The results show the important elements according to the information security professionals, which help public administrators create an effective risk assessment program in their respective agencies.
Information Security Assessment: Procedures and Methodology
Computer Fraud & Security, 2000
This article will present the basic parameters that everyone (buyers and providers of service) should know in evaluating the right people to deal with and the best approach to addressing the associated issues.
Comparative Study of Information Security Risk Assessment Model
International Journal of Computer Applications
Analysis of security risks is crucial to the management of information systems. The same risks brought on by information assets, their potential threats, and vulnerabilities, as well as security measures, are to be prevented by security risk analysis models. Today, the majority of these models are utilized to assess risk value without recognizing the organization's security issues. As a result, decision-makers are unable to choose the best methodology for addressing security concerns. In this research paper, we have developed a Comparative Framework to carry out a thorough comparative analysis of the various models that underpin the information risk assessment process. Next, we have evaluated existing information security risk assessment models through this framework.