A Novel Approach to Information Security Risk Analysis

ISRAM: information security risk analysis method

Computers & Security, 2005

The continuously changing nature of the technological environment forces the process of information security risk analysis to be revised accordingly. A number of quantitative and qualitative risk analysis methods have been proposed by researchers and vendors. The purpose of these methods is to analyze today's information security risks properly. Some of these methods are supported by a software package. In this study, a survey-based quantitative approach is proposed to analyze the security risks of information technologies by taking current necessities into consideration. The new method is named Information Security Risk Analysis Method (ISRAM). A case study has shown that ISRAM yields consistent results in a reasonable time period while allowing the participation of the managers and staff of the organization.

[...] are taking over this responsibility from the head of the IT department (Owens, 1998). Thus, managers of organizations should understand the risk analysis process that directly affects the protection of information technologies. Moreover, managers may desire to participate in the risk analysis process. The structure of new risk analysis methods allows the participation of managers [...]

In this study, a new method named Information Security Risk Analysis Method (ISRAM) is proposed for information security risk analysis by taking today's needs into account. ISRAM is designed for analyzing the risks at complex information systems by allowing the participation of managers and staff. The proposed method consists of seven steps. These steps are exemplified in a case study in order to explain ISRAM clearly. To verify the results of the same case study, a risk model is set up with Arena simulation software. The collected real-life statistical data are introduced into the risk model.

A Comparative Study on Information Security Risk Analysis Methods

Background – Risk analysis is an integral part of management practice and an essential element of good corporate governance. There are many risk analysis methods available today, and it is a tedious task for an organization (particularly a small or mid-scale company) to choose the proper method. Problem – Although many methods and tools are available in this domain, very few inventories exist that are structured according to a set of common properties. There are many risk analysis methods available today, and the main task for an organization is to determine which one to use. Contribution – The objective of this review paper is to provide researchers with an analysis of four risk analysis methods using the Campbell et al. classification scheme. The major contributions of this paper are: 1) a summary of four information security risk analysis methods using ontology, 2) a classification of these risk analysis methods using the Campbell et al. classification scheme, 3) a comparison of the risk analysis methods based on generic attributes, i.e. input, outcome, purpose, effort, scalability, methodology, etc.

Comparative Study of Information Security Risk Assessment Model

International Journal of Computer Applications

Analysis of security risks is crucial to the management of information systems. Security risk analysis models are meant to prevent the risks arising from information assets, their potential threats and vulnerabilities, and the security measures in place. Today, the majority of these models are used to assess a risk value without recognizing the organization's specific security issues. As a result, decision-makers are unable to choose the best methodology for addressing their security concerns. In this research paper, we have developed a comparative framework to carry out a thorough comparative analysis of the various models that underpin the information risk assessment process. We have then evaluated existing information security risk assessment models through this framework.

Information Security Risk Assessment — A Practical Approach with a Mathematical Formulation of Risk

International Journal of Computer Applications, 2014

Risk management methodologies such as Mehari, Ebios, CRAMM and SP 800-30 (NIST) share a common step based on threat, vulnerability and probability, which are typically evaluated intuitively using verbal hazard scales such as low, medium and high. Because of their subjectivity, these categories are extremely difficult to assign to threats, vulnerabilities and probabilities, or indeed to interpret with any degree of confidence. The purpose of the paper is to propose a mathematical formulation of risk using a lower level of granularity of its elements: threat, probability, the criteria used to determine an asset's value, exposure, frequency and existing protection measures.

Information Security Risk Management and Risk Assessment Methodology and Tools

International Conference on Cyber Security and Computer Science (ICONCS 18), 2018

Nowadays, risks related to information security are increasing with each passing day. Both public institutions and the private sector are working to provide information security. It is inevitable that institutions must use the methodology and tools most appropriate to their own needs and legal responsibilities in order to provide information security. In particular, the Personal Data Protection Law, other legal regulations and the development of cybersecurity risks oblige public institutions and enterprises to establish information security management systems. In this study, the methodology and tools covered under the Risk Management / Risk Assessment methodology and tools inventory within the European Union Agency for Network and Information Security (ENISA)'s Threat and Risk Management studies are investigated. The seventeen methods and thirty-one tools covered by ENISA's inventory work are introduced at a basic level. The methods and tools are compared among themselves in different aspects such as the type of risk classification, the reference level, the definition of applicability, the lifecycle and their licensing.

Comparative Study of Information Security Risk Assessment Frameworks

With the increasing need to secure an organization's computing environment, a security risk management framework that accurately defines the security risk management process is essential. In this regard, numerous risk management frameworks have been developed, and many more are emerging every day. They all have very different perspectives and address problems differently, though with the same basic goal of risk mitigation in the direction of information security. Information is a critical asset for every organization, and hence the development and implementation of strategic plans for information security risk mitigation should be an essential part of every organization's operation. This paper compares and analyzes the different activities, inputs and outputs required by each information security risk assessment model. The primary goal of the paper is to identify which information security risk assessment model assesses information security risk effectively. The comparative study helps in evaluating the models' applicability to an organization and its specific needs.

Risk analysis and risk management models for information systems security applications

Reliability Engineering & System Safety, 1989

RESEARCH OBJECTIVE: The aim of the article is the analysis of international risk. THE RESEARCH PROBLEM AND METHODS: The fundamental problem of this publication is the analysis of selected research on international risk in the subject literature. The article uses traditional research tools, namely literature studies. The choice of tool is dictated by the subject selected. THE PROCESS OF ARGUMENTATION: The study consists of three fundamental elements: the genesis and essence of risk (literature review); a typology of research on risk (genesis); and research on risk in international relations. RESEARCH RESULTS: The risk category is an important instrument for analysing the phenomena occurring in the contemporary international environment and an attempt to deal with highly probable global threats; thanks to it, successful mitigating mechanisms can be worked out. CONCLUSIONS, INNOVATIONS AND RECOMMENDATIONS: Creating new instruments and solutions in risk management; adopting various elements of risk management; developing research and scientific consulting aimed at working out suitable

Information Security Risk Assessment: The Qualitative Versus Quantitative Dilemma

This paper presents the main security risk assessment methodologies used in information technology. The author draws on research and real-world examples to underline the limitations of the two risk assessment models. After a critical review of standards that reveals a lack of rigour, a practical comparison of quantitative information security risk assessment models with qualitative models shows that two new factors can be introduced which have an impact on risk assessment: the time constraint and the moral hazard of the analyst. Information technology managers know that long-term security in information systems is an ideal situation and that the financial impact of poor information security policies, procedures and standards is in most cases very difficult to calculate. Such calculations are rarely accurate, universal and ready for use by any security analyst.

Risk Assessment Model for Organizational Information Security

2015

Information security risk assessment (RA) plays an important role in the organization's future strategic planning. Generally there are two types of RA approaches: quantitative RA and qualitative RA. Quantitative RA is an objective study of the risk that uses numerical data. On the other hand, qualitative RA is a subjective evaluation based on judgment and experience which does not operate on numerical data. It is difficult to conduct a purely quantitative RA, because numerical data alone are hard to comprehend without a subjective explanation. Conversely, qualitative RA does not necessarily demand objectivity about the risks, although it is possible to conduct an RA that is purely qualitative in nature. If implemented in silos, the limitations of both quantitative and qualitative methods may increase the likelihood of direct and indirect losses for an organization. This paper suggests a combined RA model from both quantitative and qualitative RA methods to be u...
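The quantitative-versus-qualitative tension running through the three abstracts above (the granular mathematical formulation, the qualitative/quantitative dilemma, and the combined model) can be made concrete. The Python below is an added illustration written for this page; it is not code from any of the listed papers and does not reproduce their formulas. For the quantitative side it uses the standard annualized-loss-expectancy relations (SLE = asset value x exposure factor, ALE = SLE x annualized rate of occurrence); for the qualitative side a 3x3 likelihood/impact matrix; and it maps the ALE back onto the same verbal scale so the two views can be compared. The control-effectiveness discount, the matrix cells, the band thresholds and the two scenarios are all assumptions chosen for illustration, not values from the papers.

```python
"""Illustrative quantitative vs qualitative risk scoring.

Added example, not code from any paper listed on this page. The quantitative
part uses the standard ALE formulation (SLE = AV x EF, ALE = SLE x ARO); the
control-effectiveness discount, the 3x3 qualitative matrix, the ALE-to-band
thresholds and the scenarios are assumptions chosen for illustration only.
"""
from dataclasses import dataclass

LEVELS = ("low", "medium", "high")

# Assumed 3x3 matrix: RISK_MATRIX[likelihood][impact] -> verbal risk label.
RISK_MATRIX = {
    "low":    {"low": "low",    "medium": "low",    "high": "medium"},
    "medium": {"low": "low",    "medium": "medium", "high": "high"},
    "high":   {"low": "medium", "medium": "high",   "high": "high"},
}

# Assumed thresholds (currency units per year) for mapping ALE onto a band;
# anything at or above the last threshold is "high".
ALE_BANDS = ((10_000, "low"), (100_000, "medium"))


def qualitative_risk(likelihood: str, impact: str) -> str:
    """Look up the verbal risk label for a likelihood/impact pair."""
    if likelihood not in LEVELS or impact not in LEVELS:
        raise ValueError(f"levels must be one of {LEVELS}")
    return RISK_MATRIX[likelihood][impact]


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = asset value x exposure factor (fraction of value lost per event)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure_factor must be in [0, 1]")
    return asset_value * exposure_factor


def annualized_loss_expectancy(asset_value: float, exposure_factor: float,
                               annual_frequency: float,
                               control_effectiveness: float = 0.0) -> float:
    """ALE = SLE x ARO, discounted by an assumed control-effectiveness fraction.

    control_effectiveness is the share of expected loss that the existing
    protection measure removes (0 = no control, 1 = perfect control).
    """
    if not 0.0 <= control_effectiveness <= 1.0:
        raise ValueError("control_effectiveness must be in [0, 1]")
    if annual_frequency < 0:
        raise ValueError("annual_frequency must be non-negative")
    sle = single_loss_expectancy(asset_value, exposure_factor)
    return sle * annual_frequency * (1.0 - control_effectiveness)


def band_from_ale(ale: float) -> str:
    """Map a numeric ALE back onto the verbal scale using the assumed thresholds."""
    for upper, label in ALE_BANDS:
        if ale < upper:
            return label
    return "high"


@dataclass(frozen=True)
class Scenario:
    name: str
    likelihood: str            # analyst's verbal rating
    impact: str                # analyst's verbal rating
    asset_value: float         # quantitative inputs follow
    exposure_factor: float
    annual_frequency: float
    control_effectiveness: float = 0.0


def assess(s: Scenario) -> dict:
    """Return the qualitative label and the quantitative figure side by side."""
    ale = annualized_loss_expectancy(s.asset_value, s.exposure_factor,
                                     s.annual_frequency, s.control_effectiveness)
    return {
        "name": s.name,
        "qualitative": qualitative_risk(s.likelihood, s.impact),
        "ale": round(ale, 2),
        "quantitative_band": band_from_ale(ale),
    }


# Constructed scenarios: an analyst rated both "medium"/"medium", yet their
# annualized losses differ by more than an order of magnitude.
SCENARIOS = [
    Scenario("laptop theft", "medium", "medium", 2_000, 1.0, 4.0, 0.5),
    Scenario("db credential leak", "medium", "medium", 500_000, 0.3, 0.5, 0.0),
]

if __name__ == "__main__":
    for scenario in SCENARIOS:
        print(assess(scenario))
```

Running it shows two scenarios that an analyst rated identically as "medium" landing in different quantitative bands ("low" for the laptop, "medium" for the credential leak), which is the subjectivity problem the dilemma paper describes; the side-by-side record returned by assess() is the kind of combined view the last abstract argues for, with the numeric ALE carrying the objective part and the verbal label the analyst's judgment.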

RISK ANALYSIS IN INFORMATION TECHNOLOGY

Risk analysis and management is a key project management exercise to ensure that the fewest possible surprises occur while a project is underway. While we can never predict the future with certainty, we can follow a simple and streamlined risk management process to anticipate the uncertainties in a project and reduce their occurrence or impact. This improves the chance of successful project completion and reduces the consequences of these risks. This paper presents structured risk management in information technology, its scope and its resources. It also covers some tools that can help in risk assessment and how risk assessment feeds into business impact analysis.