Functional Modelling of IT Risk Assessment Support System

Domain Specific Simulation Language For IT Risk Assessment

ECMS 2011 Proceedings edited by: T. Burczynski, J. Kolodziej, A. Byrski, M. Carvalho, 2011

Information technology systems represent the backbone of a company's operational infrastructure. A company's top management typically ensures that computer software and hardware mechanisms are adequate, functional and in adherence with regulatory guidelines and industry practices. Nowadays, due to the depressed economy and the increased intensity of performed operations, business highly recognizes the influence of effective Information Technology risk management on profitability. The design of the Unified Modelling Language (UML) based Domain Specific Language (DSL) described in this paper achieves synergy between the UML modelling technique widely used in the IT industry and the domain specific risk management extensions. As a novelty for UML modelling, especially for simulation purposes, the presented DSL is enriched by a set of stochastic attributes of modelled activities. Such stochastic attributes are usable for further implementation of discrete-event system simulators.

A new mathematical model for analytical risk assessment and prediction in IT systems

Control and Cybernetics, 2012

In this paper, we propose a new formal model to describe the risk analysis and measurement process for IT systems. Our model complies with international standards and recommendations for non-profit organisations. The model accounts for solutions used in widely known and recommended risk analysis methods and provides for evaluation of the efficacy of these solutions. A simple example illustrates the application of the proposed model for effective risk analysis of any IT system. † This is an extended and amended version of the paper presented at the 5th Congress of Young IT Scientists (Międzyzdroje, 23-25.IX.2010).

Risk Management in the context of Information Security: a Model-Driven approach

WSEAS Transactions on Information Science and Applications archive, 2017

Information security is concerned with the requirements of availability, integrity, and confidentiality of information assets, which are fundamental to the long-term survival of an organization. Information security relies on risk management for security risk identification, evaluation and treatment, according to ISO 31000. The methodologies supporting information security implementation, such as the ones based on the ISO 27000 set of standards, are holistic approaches that deal with corporate systems, as well as an extended network that includes business partners, vendors, customers and other stakeholders. This paper uses the model-driven approach for addressing information security systems conception and design, deemed to be compliant with the ISO/IEC 27000 and the ISO 31000 set of standards. A domain level model (computation independent model) based on the information security and risk management vocabulary present in the standards was built. This CIM model serves as a meta-model for platform independent models of information security systems compliant with the information security and risk management standards. This model is the baseline for conceiving, implementing and testing actual information security systems, allowing users from different organizational, functional, and technical levels to use a common language when embedding information security and risk management in their processes.

Design of a modelling language for information system security risk management

2007

Nowadays, security has become one of the most demanded characteristics of information systems. However, the ways to address information systems security still lack consensus and integration. On the one hand, researchers have extended various modelling languages and methods with security-oriented constructs in order to take security concerns into account throughout the development lifecycle.

Risk Analysis for Information Systems

Journal of Information Technology, 1992

This paper presents an integrated approach to risk analysis for Information Systems (IS) using the Structured Risk Analysis (SRA) methodology developed at Hyperion. SRA has been used, very successfully, to perform risk analysis both for security-oriented risk analysis in the City and safety-oriented risk analysis for the European Space Agency. This paper develops and describes a particular instance of the SRA methodology for IS. Excluding safety-critical applications allows certain simplifications to the methodology in the case of IS. These simplifications make structured risk analysis for information systems (SRA-IS) a practical and cost-effective basis for risk analysis and risk management in commercial organizations.

Towards a UML profile for model-based risk assessment

2002

The EU-funded CORAS project (IST-2000-25031) is developing a framework for model-based risk assessment of security-critical systems. This framework is characterised by: (1) A careful integration of aspects from partly complementary risk assessment methods. (2) Guidelines and methodology for the use of UML to support and direct the risk assessment methodology. (3) A risk management process based on AS/NZS 4360 and ISO/IEC 17799. (4) A risk documentation framework based on RM-ODP. (5) An integrated risk management and system development process based on UP. (6) A platform for tool inclusion based on XML. This paper focuses on one specific aspect of the CORAS framework, namely the CORAS UML profile for risk assessment. In particular, it explains its role in the CORAS risk management process and demonstrates its use in the risk assessment of an e-Commerce system.

RISK ANALYSIS IN INFORMATION TECHNOLOGY

Risk Analysis and Management is a key project management exercise to make sure that the least number of surprises take place while your project is underway. While we can by no means predict the future with certainty, we can follow an easy and streamlined risk management procedure to predict the uncertainties in the projects and reduce the incidence or impact of these uncertainties. This improves the chance of successful project completion and reduces the consequences of these risks. This paper offers the structured Risk Management in information technology, its scope and resources. It also includes some tools which can help us in risk assessment and how it impacts business impact analysis.

Developing a Common Language About IT Risk Management

SSRN Electronic Journal, 2000

Research Briefings: a collection of short executive summaries of key findings from research projects. Case Study: an in-depth description of a firm's approach to an IT management issue (intended for MBA and executive education). Technical Research Report: a traditional academically rigorous research paper with detailed methodology, analysis, findings and references.

On the hierarchical composition of the risk management evaluation in computer information systems

Large computer systems consist of many components, which create a few (software and hardware) layers. Analyzing the accessibility of a given system function, we should consider the accessibility of connected functions of many components. We pay attention to singular functions, because during a system failure we often lose access not to the whole component, but only to some of its functions. So, analyzing the enterprise risk of a system failure, we consider not only the accessibility of the components (objects) but also of their functions (methods). UML helps us to model a system, but the information necessary for a risk evaluation is located in different types of UML diagram (i.e. deployment and class diagrams). Thus we have decided to maintain our own graph structure generated (from UML diagrams) and evaluated under the aedNLC graph grammar. We show how formal graph structures enable us to manage the risk associated with any level of the software hierarchy.

An Approach for Modeling Information Systems Security Risk Assessment

Proceedings of the 3rd International Workshop on Security in Information Systems, 2005

In this paper, we present a conceptual modeling approach, which is new in the domain of information systems security risk assessment. The approach is helpful for performing means-end analysis, thereby uncovering the structural origin of security risks in an information system, and how the root causes of such risks can be controlled from the early stages of the projects. The approach addresses this limitation of the existing security risk assessment models by exploring the strategic dependencies between the actors of a system, and analyzing the motivations, intents, and rationales behind the different entities and activities constituting the system.