A new mathematical model for analytical risk assessment and prediction in IT systems
Related papers
A new mathematical model for analytical risk assessment
2012
In this paper, we propose a new formal model to describe the risk analysis and measurement process for IT systems. Our model complies with international standards and recommendations for non-profit organisations. The model accounts for solutions used in widely known and recommended risk analysis methods and provides for evaluation of the efficacy of these solutions. A simple example illustrates the application of the proposed model for effective risk analysis of any IT system. † This is an extended and amended version of the paper presented at the 5th Congress of Young IT Scientists (Międzyzdroje, 23-25.IX.2010).
A review of research on risk analysis methods for IT systems
Proceedings of the 17th International Conference on Evaluation and Assessment in Software Engineering - EASE '13, 2013
Context: At the same time as our dependence on IT systems increases, the number of reports of problems caused by failures of critical IT systems has also increased. This means that there is a need for risk analysis in the development of this kind of system. Risk analysis of technical systems has a long history in mechanical and electrical engineering. Objective: Even if a number of methods for risk analysis of technical systems exist, the failure behavior of information systems is typically very different from that of mechanical systems. Therefore, risk analysis of IT systems requires different risk analysis techniques, or at least adaptations of traditional approaches. This means that there is a need to understand what types of methods are available for IT systems and what research has been conducted on these methods. Method: In this paper we present a systematic mapping study on risk analysis for IT systems. 1086 unique papers were identified in a database search and 57 papers were identified as relevant for this study. These papers were classified based on 5 different criteria. Results: This classification, for example, shows that most of the discussed risk analysis methods are qualitative and not quantitative, and that most of the risk analysis methods presented in these papers are developed for IT systems in general and not for specific types of IT system, like e-government systems.
Risk Analysis for Information Systems
Journal of Information Technology, 1992
This paper presents an integrated approach to risk analysis for Information Systems (IS) using the Structured Risk Analysis (SRA) methodology developed at Hyperion. SRA has been used, very successfully, to perform risk analysis both for security-oriented risk analysis in the City and safety-oriented risk analysis for the European Space Agency. This paper develops and describes a particular instance of the SRA methodology for IS. Excluding safety-critical applications allows certain simplifications to the methodology in the case of IS. These simplifications make structured risk analysis for information systems (SRA-IS) a practical and cost-effective basis for risk analysis and risk management in commercial organizations.
RISK ANALYSIS IN INFORMATION TECHNOLOGY
Risk Analysis and Management is a key task administration exercise to make sure that the least variety of surprises take place whilst your task is underway. While we can by no means predict the future with certainty, we can follow an easy and streamlined threat administration procedure to predict the uncertainties in the tasks and reduce the incidence or effect of these uncertainties. This improves the chance of profitable mission completion and reduces the penalties of these risks. This paper offers structured Risk Management in information technology, its scope and resources. It also includes some tools which can help us in risk assessment and how it impacts business impact analysis.
A Novel Approach to Information Security Risk Analysis
2020
A number of risk analysis methods became obsolete because of the profound changes in information technologies. Revolutionary changes in information technologies have converted many risk analysis methods into inconsistent, long-lasting and expensive instruments. Therefore, risk analysis methods should be adaptively modified or redesigned according to the changes in information technologies, so that they meet the information security requirements of the organizations. By taking these requirements into consideration, a survey-based approach is proposed for analyzing the risks of information technologies. This new method is named Risk Analysis Method for Information Security (RAMIS). A case study is conducted to show the steps of RAMIS in detail and to obtain the risk results. To verify the results of the case study, simulation is performed based on real statistical data. The results of the simulation showed that RAMIS yields consistent results in a reasonable time period by allowing...
IT Risk Assessment: Quantitative and Qualitative Approach
IT risk management currently plays an increasingly important role in almost all aspects of contemporary organizations' functionality. It requires reliable and cyclical realization of its key task, which is risk analysis. The literature on the subject presents the problems of risk analysis in different ways; the problem of applying quantitative methods for the purpose of risk analysis is most often skipped or treated selectively. The article presents one of the most significant stages of risk analysis, which is IT risk assessment, focusing especially on chosen quantitative methods such as the ALE (Annual Loss Expected) method, the Courtney method, Fisher's method, the survey-based ISRAM model (Information Security Risk Analysis Method) and other derived ratios. Chosen qualitative methods are also briefly presented – FMEA (Failure Mode and Effects Analysis) and FMECA (Failure Mode and Effects Criticality Analysis), the NIST SP 800-30 method and the CRAMM methodology.
Index Terms— IT risk, IT security risk analysis methods, qualitative risk assessment methods, quantitative risk assessment methods.
Functional modelling of IT risk assessment support system
2000
Information technology systems represent the backbone of a company's operational infrastructure. A company's top management typically ensures that computer software and hardware mechanisms are adequate, functional and in adherence with regulatory guidelines and industry practices. Nowadays, due to a depressed economy and the increased intensity of performed operations, business highly recognizes the influence of effective Information Technology risk management on profitability.
Information Security Risk Assessment — A Practical Approach with a Mathematical Formulation of Risk
International Journal of Computer Applications, 2014
Risk management methodologies, such as Mehari, Ebios, CRAMM and SP 800-30 (NIST), use a common step based on threat, vulnerability and probability, which are typically evaluated intuitively using verbal hazard scales such as low, medium, high. Because of their subjectivity, these categories are extremely difficult to assign to threats, vulnerabilities and probability, or indeed, to interpret with any degree of confidence. The purpose of the paper is to propose a mathematical formulation of risk by using a lower level of granularity of its elements: threat, probability, criteria used to determine an asset's value, exposure, frequency and existing protection measures.
A Hybrid Model for Information Security Risk Assessment
International Journal of Advanced Trends in Computer Science and Engineering, 2019
Many industry standards and methodologies have been introduced which have brought forth the management of threat assessment and risk management of information assets in a systematic manner. This paper will review and analyze the main processes followed in IT risk management frameworks from the perspective of the threat analysis process using a threat modeling methodology. In this study, the authors propose a new assessment model which shows that systematic threat analysis is an essential element to be considered as an integrated process within IT risk management frameworks. The new proposed model complements and fills the gap in the practice of assessing information security risks.
Risk-based assessment of the surety of information systems
1996
Correct operation of an information system requires a balance of surety domains: access control (confidentiality), integrity, utility, availability, and safety. However, traditional approaches provide little help on how to systematically analyze and balance the combined impact of surety requirements on a system. The key to achieving information system surety is identifying, prioritizing, and mitigating the sources of risk that may lead to system failure. Consequently, we propose a risk assessment methodology that provides a framework to guide the analyst in identifying and prioritizing sources of risk and selecting mitigation techniques. The framework leads the analyst to develop a risk-based system model for balancing the surety requirements and quantifying the effectiveness and combined impact of the mitigation techniques. Such a model allows the information system designer to make informed trade-offs based on the most effective risk-reduction measures.