Effective Methodology for Security Risk Assessment of Computer Systems
Authors: Daniel F. García, Adrián Fernández
Abstract:
Today, computer systems are more and more complex and support growing security risks. The security managers need to find effective security risk assessment methodologies that allow modeling well the increasing complexity of current computer systems but also maintaining low the complexity of the assessment procedure. This paper provides a brief analysis of common security risk assessment methodologies leading to the selection of a proper methodology to fulfill these requirements. Then, a detailed analysis of the most effective methodology is accomplished, presenting numerical examples to demonstrate how easy it is to use.
Keywords: Computer security, qualitative and quantitative methods, risk assessment methodologies, security risk assessment.
Digital Object Identifier (DOI): doi.org/10.5281/zenodo.1086625
Procedia APA BibTeX Chicago EndNote Harvard JSON MLA RIS XML ISO 690 PDF Downloads 3115References:
[1] A. Syalim, Y. Hori, and K. Sakurai “Comparison of Risk Analysis Methods: Mehari, Magerit, NIST800-30 and Microsoft’s Security Management Guide,” in Proc. Int. Conf. on Availability, Reliability and Security, Fukuoka, Japan, 2009, pp. 726–731.
[2] A. Vorster, and L. Labuschagne “A Framework for Comparing Different Information Security Risk Analysis Methodologies,” in Proc. Annual Research Conf. of the South African Institute of Computer Scientists and Information Technologists on IT Research in Developing Countries, Johannesburg, South Africa, 2005, pp. 95–103.
[3] ISO/IEC, International Standard 27005 on Information Security Risk Management. Geneva, Switzerland: ISO, 2008.
[4] G. Stoneburner, A. Goguen, and A. Feringa, Risk Management Guide for Information Technology Systems. NIST Special Publication 800-30, US Dep. of Commerce, 2002.
[5] NIST, Guide for Conducting Risk Assessments. NIST Special Publication 800-30 Revision 1, US Dep. of Commerce, 2011.
[6] S. Goel, and V. Chen “Information Security Risk Analysis – A Matrix- Based Approach,” in Proc. Information Resource Management Association (IRMA) Int. Conf., San Diego, CA, USA, 2005.
[7] D. Gilliam “Managing Information Technology Security Risk,” in Proc. Int. Symposium on Software Security, Tokyo, Japan, 2003, LNCS-2004 vol. 3233, pp. 296-317.
[8] B. Karabacaka, and I. Sogukpinar “ISRAM: Information Security Risk Analysis Method,” Computers & Security, vol. 24, pp. 147-159, 2005.
[9] A. Asosheh, B. Dehmoubed, and A. Khani “A new quantitative approach for information security risk assessment,” in Proc. IEEE Intelligence and Security Informatics Conference, Richardson (Dallas), TX, USA, 2009.
[10] D. V. Bernardo, B. B. Chua, and D. Hoang “Quantitative Security Risk Assessment (SRA) Method: An empirical case study,” in Proc. World Congress on Nature & Biologically Inspired Computing, Coimbatore, India, 2009, pp. 972-977.
[11] H. P. In, Y-G. Kim, T. Lee, C.-J. Moon, Y. Jung, and I. Kim “A Security Risk Analysis Model for Information Systems,” in Proc. 3rd Asian Simulation Conference on Systems Modeling and Simulation: theory and applications, LNAI vol. 3398, pp. 505-513, 2005.
[12] N. Satoh, and H. Kumamoto “Analysis of Information Security Problem by Probabilistic Risk Assessment,” NAUN International Journal of Computers, no. 3, vol. 3, 2009.
[13] X. Long, Q. Yong, L. Qianmu “Information Security Risk Assessment Based On Analytic Hierarchy Process and Fuzzy Comprehensive,” in Proc. Int. Conf. on Risk Management & Engineering Management, Beijing, China, 2008, pp. 404-409.
[14] D.-L. Liu, and S.-S. Yang “An Information System Security Risk Assessment Model Based on Fuzzy Analytic Hierarchy Process,” in Proc. Int. Conf. on E-Business and Information System Security, Wuhan, China, 2009.
[15] Z. Wang, and H. Zeng “Study on the Risk Assessment Quantitative Method of Information Security,” in Proc. 3rd Int. Conf. on Advanced Computer Theory and Engineering, Chengdu, China, 2010, vol. 6, pp. 529-533.
[16] C. Alberts, and A. Dorofee, Managing Information Security Risks: The OCTAVE Approach. Boston, USA: Addison Wesley, 2002.
[17] CLUSIF, MEHARI - Risk Analysis and Treatment Guide, Paris, France: Club de la Sécurité de l'Information Français, 2010.
[18] CLUSIF, MEHARI - Stakes Analysis and Classification Guide, Paris, France: Club de la Sécurité de l'Information Français, 2010.
[19] MICROSOFT, The Security Risk Management Guide, Microsoft Solutions for Security and Compliance and Microsoft Security Center of Excellence, 2006.
[20] F. Lopez, M. A. Amutio, J. Candau, and J.A. Mañas, MAGERIT V2 Book I - The Method. Madrid, Spain: Ministerio de Administraciones Publicas, 2006.