2020
A number of risk analysis methods became obsolete because of the profound changes in information technologies. Revolutionary changes in information technologies have converted many risk analysis methods into inconsistent, long-lasting and expensive instruments. Therefore, risk analysis methods should be adaptively modified or redesigned according to the changes in information technologies, so that they meet the information security requirements of organizations. By taking these requirements into consideration, a survey-based approach is proposed for analyzing the risks of information technologies. This new method is named Risk Analysis Method for Information Security (RAMIS). A case study is conducted to show the steps of RAMIS in detail and to obtain the risk results. To verify the results of the case study, a simulation is performed based on real statistical data. The results of the simulation showed that RAMIS yields consistent results in a reasonable time period by allowing...
Computers & Security, 2005
The continuously changing nature of the technological environment has been forcing a revision of the process of information security risk analysis accordingly. A number of quantitative and qualitative risk analysis methods have been proposed by researchers and vendors. The purpose of these methods is to analyze today's information security risks properly. Some of these methods are supported by a software package. In this study, a survey-based quantitative approach is proposed to analyze security risks of information technologies by taking current necessities into consideration. The new method is named Information Security Risk Analysis Method (ISRAM). The case study has shown that ISRAM yields consistent results in a reasonable time period by allowing the participation of the manager and staff of the organization.

... are taking over this responsibility from the head of the IT department (Owens, 1998). Thus, managers of organizations should understand the risk analysis process that directly affects the protection of information technologies. Moreover, managers may desire to participate in the risk analysis process. The structure of new risk analysis methods allows the participation of managers.

In this study, a new method named Information Security Risk Analysis Method (ISRAM) is proposed for information security risk analysis by taking today's needs into account. ISRAM is designed for analyzing the risks at complex information systems by allowing the participation of managers and staff. The proposed method consists of seven steps. These steps are exemplified in a case study in order to explain ISRAM clearly. To verify the results of the same case study, a risk model is set up with Arena simulation software. The collected real-life statistical data are introduced into the risk model.
Background – Risk analysis is an integral part of management practice and an essential element of good corporate governance. There are many risk analysis methods available today, and it is a tedious task for an organization (particularly a small or mid-scale company) to choose the proper method. Problem – Although many methods and tools are available in this domain, very few inventories exist that are structured according to a set of common properties. There are many risk analysis methods available today, and the main task for an organization is to determine which one to use. Contribution – The objective of this review paper is to provide researchers with an analysis of four risk analysis methods using the Campbell et al. classification scheme. The major contributions of this paper are: 1) present a summary of four information security risk analysis methods using ontology, 2) classify these risk analysis methods using the Campbell et al. classification scheme, 3) compare risk analysis methods based on generic attributes, i.e. input, outcome, purpose, effort, scalability, methodology, etc.
International Journal of Computer Applications
Analysis of security risks is crucial to the management of information systems. The risks brought on by information assets, their potential threats and vulnerabilities, as well as the security measures that address them, are what security risk analysis models are meant to capture. Today, the majority of these models are utilized to assess risk value without recognizing the organization's security issues. As a result, decision-makers are unable to choose the best methodology for addressing security concerns. In this research paper, we have developed a comparative framework to carry out a thorough comparative analysis of the various models that underpin the information risk assessment process. Next, we have evaluated existing information security risk assessment models through this framework.
International Journal of Computer Applications, 2014
Risk management methodologies such as Mehari, Ebios, CRAMM and SP 800-30 (NIST) use a common step based on threat, vulnerability and probability, which are typically evaluated intuitively using verbal hazard scales such as low, medium, high. Because of their subjectivity, these categories are extremely difficult to assign to threats, vulnerabilities and probability, or indeed to interpret with any degree of confidence. The purpose of the paper is to propose a mathematical formulation of risk by using a lower level of granularity of its elements: threat, probability, the criteria used to determine an asset's value, exposure, frequency and existing protection measures.
10th International Conference on Cyber Security and Computer Science (ICONCS 18), 2018
Nowadays, risks related to information security are increasing with each passing day. Both public enterprises and the private sector are working to provide information security. It is inevitable that institutions must use the most appropriate methodology and tools for their own needs and legal responsibilities to provide information security. In particular, the Personal Data Protection Law, other legal regulations and the development of cybersecurity risks oblige public institutions and enterprises to establish information security management systems. In this study, the methodology and tools covered under the Risk Management / Risk Assessment methodology and tools within the European Union Agency for Network and Information Security (ENISA)'s Threat and Risk Management studies are investigated. In the study, the seventeen methods and thirty-one tools studied by ENISA in its inventory work are introduced at a basic level. The methods and tools are compared among themselves in different aspects such as the type of risk classification, the reference level, the definition of applicability, the lifecycle, and whether their usage is licensed.
The purpose of this quantitative data analysis was to examine the relationship between industry type and information security risk-level among businesses in the United States. This paper took into account collected business related data from 36 industry types. Pattern recognition, bivariate linear regression analysis, and a one-sample t-test were performed to test the industry type and information security risk-level relationship of the selected business. Test results indicated that there is a significant predictive relationship between industry type and risk-level rates among United States businesses. Moreover, the one-sample t-test results indicated that United States businesses classified as a particular industry type are more likely to have a higher information security risk-level than the midpoint level of United States businesses.
The risks associated with the functioning of information systems are becoming more common and take a variety of different forms. The risk connected with the wide application of information technologies in business is increasing with the growing dependency of the organization on its customers, business partners and outsourcing operations. Technological change generates dependencies that cause an increase in the diversity, complexity and quantity of risk factors. In this context, risk analysis is a very important process, which minimizes the probability of losses. To facilitate and improve the effectiveness of the risk analysis process, a number of methodologies and standards for risk analysis and management have been elaborated. Many different computer tools have been developed on the basis of these standards. They are used primarily for risk analysis and management and to maintain the current level of security in specific organizations. The article presents the issue of IT risk analysis, focusing especially on the presentation of different tools, computer programs and packages supporting this process in enterprises.
2013
IT-security risks can have a great impact on organizations and can cause high financial damage. To address security issues and avoid problems, knowledge about risks is vital. Therefore, a risk assessment process which addresses the security of IT systems is essential. However, risk assessment methods based on qualitative or quantitative approaches involve some difficulties and limitations. Therefore, in this research, we propose a risk assessment method based on a semi-quantitative approach. The method provides decision support for security experts during the evaluation of IT-security risks and enables assessment of threats both at a detailed level and as a whole. Imprecise information is captured from expert judgment and expressed numerically in interval form. The method is applied to a scenario in order to demonstrate its usage. We utilize a decision tool to present the outcomes. Moreover, sensitivity analysis is performed to point out the most critical values.
2008
The primary intent of this thesis is to contribute to the information risk assessment process conducted in large organizations, by addressing important aspects of the process, its principles, and the steps followed within a structured methodology. In this thesis, first, the existing methodologies, best practices, standards, and tools in information risk assessment are compiled and evaluated according to well-defined criteria. Besides this evaluation, an integrated information risk assessment methodology is developed that uses the high potential of the previous methodologies and addresses their identified deficiencies. The new methodology is validated with a case study.
ArXiv, 2018
Owing to recorded incidents of information-technology-oriented organisations failing to respond effectively to threat incidents, this project outlines the benefits of conducting a comprehensive risk assessment which would aid proficiency in responding to potential threats. The ultimate goal is primarily to identify, quantify and control the key threats that are detrimental to achieving business objectives. This project carries out a detailed risk assessment for a case study organisation. It includes a comprehensive literature review analysing several professional views on pressing issues in information security. In the risk register, five prominent assets were identified with respect to their owners. The work is followed by a qualitative analysis methodology to determine the magnitude of the potential threats and vulnerabilities. Collating these parameters enabled the valuation of individual risk per asset, per threat and per vulnerability. Evaluating a risk appetite aided in prioritising...
With the increasing need to secure organizations' computing environments, a security risk management framework is essentially needed that defines the security risk management process accurately. In this regard, numerous risk management frameworks have been developed, and many more are emerging every day. They all have very different perspectives and address problems differently, though with the same basic goal of risk mitigation in the direction of information security. Information is a critical asset for every organization, and hence the development and implementation of strategic plans for information security risk mitigation should be an essential part of every organization's operation. This paper compares and analyzes the different activities, inputs and outputs required by each information security risk assessment model. The primary goal of the paper is to identify which information security risk assessment model assesses information security risk effectively. The comparative study helps in evaluating the models' applicability to an organization and its specific needs.
This paper presents the main security risk assessment methodologies used in information technology. The author starts from and research, bringing real-world examples to underline the limitations of the two risk assessment models. After a critical review of standards that reveals a lack of rigour, a practical comparison of the quantitative information security risk assessment models with the qualitative models shows that we can introduce two new factors which have an impact on risk assessment: the time constraint and the moral hazard of the analyst. Information technology managers know that in information systems long-term security is an ideal situation and that the financial impact of poor information security policies, procedures and standards is in most cases very difficult to calculate. These calculations will rarely be accurate and universal and ready for use by any security analyst.
Reliability Engineering & System Safety, 1989
RESEARCH OBJECTIVE: The aim of the article is the analysis of international risk. THE RESEARCH PROBLEM AND METHODS: The fundamental problem of this publication is the analysis of selected research on international risk in the subject literature. The article uses traditional research tools, namely literature studies. The choice of tool is dictated by the subject selected. THE PROCESS OF ARGUMENTATION: The study consists of three fundamental elements: genesis and essence of risk (literature review); typology of research on risk (genesis); research on risk in international relations. RESEARCH RESULTS: The risk category is an important instrument for analysing the phenomena occurring in the contemporary international environment and an attempt to deal with highly probable global threats; thanks to it, successful mitigating mechanisms can be worked out. CONCLUSIONS, INNOVATIONS AND RECOMMENDATIONS: Creating new instruments and solutions in risk management; adopting various elements of risk management; developing research and scientific consulting aimed at working out suitable...
2015
Information security risk assessment (RA) plays an important role in an organization's future strategic planning. Generally there are two types of RA approaches: quantitative RA and qualitative RA. Quantitative RA is an objective study of the risk that uses numerical data. On the other hand, qualitative RA is a subjective evaluation based on judgment and experience which does not operate on numerical data. It is difficult to conduct a purely quantitative RA method, because of the difficulty of comprehending numerical data alone without a subjective explanation. However, qualitative RA does not necessarily demand the objectivity of the risks, although it is possible to conduct RA that is purely qualitative in nature. If implemented in silos, the limitations of both quantitative and qualitative methods may increase the likelihood of direct and indirect losses for an organization. This paper suggests a combined RA model from both quantitative and qualitative RA methods to be u...
Risk analysis and management is a key project management exercise to make sure that the fewest surprises take place while your project is underway. While we can never predict the future with certainty, we can follow a simple and streamlined risk management procedure to predict the uncertainties in projects and reduce the incidence or impact of these uncertainties. This improves the chance of successful project completion and reduces the consequences of these risks. This paper presents structured risk management in information technology, its scope and resources. It also includes some tools which can help in risk assessment and shows how it impacts business impact analysis.
Journal of Information Technology, 1992
This paper presents an integrated approach to risk analysis for Information Systems (IS) using the Structured Risk Analysis (SRA) methodology developed at Hyperion. SRA has been used, very successfully, to perform risk analysis both for security-oriented risk analysis in the City and safety-oriented risk analysis for the European Space Agency. This paper develops and describes a particular instance of the SRA methodology for IS. Excluding safety-critical applications allows certain simplifications to the methodology in the case of IS. These simplifications make structured risk analysis for information systems (SRA-IS) a practical and cost-effective basis for risk analysis and risk management in commercial organizations.
International Journal of Advanced Trends in Computer Science and Engineering, 2019
Many industry standards and methodologies have been introduced which bring forth the management of threat assessment and the risk management of information assets in a systematic manner. This paper reviews and analyzes the main processes followed in IT risk management frameworks from the perspective of the threat analysis process, using a threat modeling methodology. In this study, the authors propose a new assessment model which shows that systematic threat analysis is an essential element to be considered as an integrated process within IT risk management frameworks. The newly proposed model complements and fills the gap in the practice of assessing information security risks.
Encyclopedia, 2021
IT risk management currently plays an increasingly important role in almost all aspects of contemporary organizations' functioning. It requires the reliable and cyclical realization of its key task, which is risk analysis. The literature on the subject presents the problems of risk analysis in different ways, and most often the application of quantitative methods for the purpose of risk analysis is skipped or treated selectively. The article presents one of the most significant stages of risk analysis, namely IT risk assessment, focusing especially on chosen quantitative methods such as the ALE (Annual Loss Expected) method, the Courtney method, Fisher's method, the survey-based ISRAM model (Information Security Risk Analysis Method) and other derived ratios. Chosen qualitative methods are also presented briefly: FMEA (Failure Mode and Effects Analysis) and FMECA (Failure Mode and Effects Criticality Analysis), the NIST SP 800-30 method and the CRAMM methodology.
Index Terms— IT risk, IT security risk analysis methods, qualitative risk assessment methods, quantitative risk assessment methods.
The information society, with its fast rate of development, makes it possible to use ICTs in every walk of life. Society has changed every pattern of life, including business and economic development in all branches. Security needs to be stronger in such an environment to fulfill all the needs of society. Risk assessment is a process of finding out risks and identifying what happens if such risks occur in a communication technology environment. Risk assessment is a systematic method which identifies risk and the basic sources of risks arising in a system. There are different techniques used to evaluate risks in an environment. As our living standards, work patterns, education systems and business criteria are all influenced by the information society, it is a big deal to make ICT more valuable by assessing all risks in order to increase the array of information and telecommunication products and services. In this research, evaluation has been done by a survey-based study of the IT environment and the evaluation method. An information system has been selected as a case study to evaluate risks and vulnerabilities in order to protect assets from damage or loss. ICT security means securing the data and entities involved in telecommunication. In the proposed research work, evaluation and assessment of risks are made to minimize operational risks using the evaluation technique.