DOI: 10.1145/2381716.2381869 (research article, CUBE conference proceedings)

A two-phase quantitative methodology for enterprise information security risk analysis

Published: 03 September 2012

Abstract

As enterprise information infrastructure becomes more complex and more interconnected, the number of risks to enterprise assets increases. Hence, the process of identifying, analysing and mitigating information security risks has assumed utmost importance. This paper presents a quantitative information security risk analysis methodology for enterprises. The proposed methodology incorporates two approaches. The consolidated approach identifies risk as a single value for each asset. The detailed approach identifies the threat-vulnerability pair responsible for a risk and computes a risk factor corresponding to each security property for every asset. The assets are classified into three risk zones, namely high, medium and low. For high-risk assets, management may install high-cost infrastructure to safeguard the asset; for medium-risk assets, management may apply security policies, guidelines and procedures; for low-risk assets, management may decide not to invest anything.
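The abstract only sketches the two phases, so the following is an added toy implementation written for this page, not the paper's own method or code. It assumes a scoring formula (asset value x likelihood x impact), 0..1 likelihood and 0..10 impact scales, aggregation of the consolidated value as the maximum over security properties, and the zone thresholds; all of these are assumptions, and the asset inventory is constructed sample data. What it shows beyond the abstract is that the two phases can disagree on the root cause: the consolidated value puts an asset in a zone, while the detailed phase reveals that different threat-vulnerability pairs drive the risk on different security properties.

```python
# Added example (not from the paper): a toy implementation of the two-phase
# risk analysis sketched in the abstract. The scoring formula
# (asset value x likelihood x impact), the scales and the zone thresholds
# are assumptions of this example; the page does not give the paper's formulas.
from dataclasses import dataclass, field

SECURITY_PROPERTIES = ("confidentiality", "integrity", "availability")

# Assumed zone thresholds on a 0..100 risk scale (10 x 1.0 x 10 is the maximum).
HIGH_THRESHOLD = 50.0
MEDIUM_THRESHOLD = 20.0

# Management response per zone, as described in the abstract.
ZONE_ACTION = {
    "high": "install high-cost safeguarding infrastructure",
    "medium": "apply security policies, guidelines and procedures",
    "low": "no additional investment",
}


@dataclass(frozen=True)
class ThreatVulnPair:
    threat: str
    vulnerability: str
    likelihood: float            # assumed scale: 0.0 .. 1.0
    impact: dict                 # property -> impact, assumed scale 0 .. 10


@dataclass
class Asset:
    name: str
    value: float                 # asset criticality weight, assumed scale 1 .. 10
    pairs: list = field(default_factory=list)


def pair_risk(asset, pair, prop):
    """Risk factor of one threat-vulnerability pair on one security property."""
    return asset.value * pair.likelihood * pair.impact.get(prop, 0.0)


def detailed_risk(asset):
    """Phase 2 (detailed): per-property risk factor and the pair responsible for it."""
    detailed = {}
    for prop in SECURITY_PROPERTIES:
        worst_rf, worst_pair = 0.0, None
        for pair in asset.pairs:
            rf = pair_risk(asset, pair, prop)
            if rf > worst_rf:
                worst_rf, worst_pair = rf, pair
        detailed[prop] = {
            "risk_factor": round(worst_rf, 2),
            "responsible": (worst_pair.threat, worst_pair.vulnerability) if worst_pair else None,
        }
    return detailed


def consolidated_risk(asset):
    """Phase 1 (consolidated): a single risk value per asset.
    Aggregating by the maximum over properties is an assumption of this example."""
    return max(d["risk_factor"] for d in detailed_risk(asset).values())


def risk_zone(risk):
    """Classify a risk value into the three zones named in the abstract."""
    if risk >= HIGH_THRESHOLD:
        return "high"
    if risk >= MEDIUM_THRESHOLD:
        return "medium"
    return "low"


def analyze(assets):
    """Run both phases over an asset inventory and return a report per asset."""
    report = {}
    for asset in assets:
        risk = consolidated_risk(asset)
        zone = risk_zone(risk)
        report[asset.name] = {
            "consolidated": risk,
            "zone": zone,
            "action": ZONE_ACTION[zone],
            "detailed": detailed_risk(asset),
        }
    return report


# Constructed sample inventory (illustrative values, not data from the paper).
SAMPLE_ASSETS = [
    Asset("customer-db", 9.0, [
        ThreatVulnPair("SQL injection", "unvalidated input", 0.7,
                       {"confidentiality": 9, "integrity": 7, "availability": 3}),
        ThreatVulnPair("ransomware", "unpatched host", 0.3,
                       {"confidentiality": 2, "integrity": 8, "availability": 9}),
    ]),
    Asset("public-website", 4.0, [
        ThreatVulnPair("defacement", "weak CMS password", 0.5,
                       {"confidentiality": 1, "integrity": 6, "availability": 4}),
        ThreatVulnPair("DDoS", "no rate limiting", 0.8, {"availability": 7}),
    ]),
    Asset("internal-wiki", 2.0, [
        ThreatVulnPair("credential theft", "no multi-factor authentication", 0.4,
                       {"confidentiality": 5, "integrity": 3, "availability": 1}),
    ]),
]

if __name__ == "__main__":
    for name, entry in analyze(SAMPLE_ASSETS).items():
        print(f"{name}: risk={entry['consolidated']} zone={entry['zone']} -> {entry['action']}")
        for prop, d in entry["detailed"].items():
            print(f"  {prop:15s} {d['risk_factor']:6.2f} due to {d['responsible']}")
```

Running the script on the sample inventory places customer-db in the high zone on the strength of the SQL injection pair for confidentiality and integrity, while its availability risk is driven by the ransomware pair; public-website lands in the medium zone only because of the DDoS pair, which the consolidated value alone would not reveal.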


Cited By

  • Removing Software Vulnerabilities During Design. 2018 IEEE 42nd Annual Computer Software and Applications Conference (COMPSAC), 504-509, Jul 2018. DOI: 10.1109/COMPSAC.2018.10284
  • An algorithm to find relationships between web vulnerabilities. The Journal of Supercomputing 74(3), 1061-1089, 1 Mar 2018. DOI: 10.1007/s11227-016-1770-3
  • A risk-aware framework for compliance goal-obstacle analysis. Proceedings of the 30th Annual ACM Symposium on Applied Computing, 1401-1402, 13 Apr 2015. DOI: 10.1145/2695664.2696053


Published In

CUBE '12: Proceedings of the CUBE International Information Technology Conference
September 2012
879 pages
ISBN:9781450311854
DOI:10.1145/2381716
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

  • CUOT: Curtin University of Technology

Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. enterprise information security
  2. risk analysis
  3. risk management

