Application of Process Approach to Evaluate the Information Security Risk and its Implementation in an Iranian Private Bank
Authors: Isa Nakhai Kamal Abadi, Esmaeel Saberi, Ehsan Mirjafari
Abstract:
Every organization is continually exposed to new damage and threats, which can result from its operations or from the pursuit of its goals. Methods of securing the working environment and the tools used in it have changed considerably with the growing application and development of information technology (IT). From this viewpoint, information security management systems evolved to systematize proven methods and to avoid repeating the lessons of past experience. In general, a correct response within an information security management system requires correct decision making, which in turn requires the combined effort of managers and of everyone involved in each plan or decision. Clearly, not all aspects of a task or decision are known under every decision-making condition; therefore, the possible or certain risks should be taken into account when decisions are made. This is the subject of risk management, and it can influence the decisions made. An investigation of different approaches in the field of risk management shows their progression from quantitative to qualitative methods with a process approach.
Keywords: Risk Management, Information Security, Methodology, Probability.
Digital Object Identifier (DOI): doi.org/10.5281/zenodo.1333150