Abstract
Traditional information technology (IT) security risk assessment approaches are based on an analysis of events, probabilities and impacts. In practice, security experts often find it difficult to determine IT risks reliably and precisely. In this paper, we review the risk determination steps of traditional risk assessment approaches and report on our experience of using such approaches. Our experience is based on performing IT audits and IT business insurance cover assessments within a reinsurance company. The paper concludes with a summary of issues concerning traditional approaches that are related to the identification and evaluation of events, probabilities and impacts. We also conclude that there is a need to develop alternative approaches, and suggest a security requirements-based risk assessment approach that dispenses with events and probabilities.
Copyright information
© 2011 IFIP International Federation for Information Processing
Cite this paper
Taubenberger, S., Jürjens, J., Yu, Y., Nuseibeh, B. (2011). Problem Analysis of Traditional IT-Security Risk Assessment Methods – An Experience Report from the Insurance and Auditing Domain. In: Camenisch, J., Fischer-Hübner, S., Murayama, Y., Portmann, A., Rieder, C. (eds) Future Challenges in Security and Privacy for Academia and Industry. SEC 2011. IFIP Advances in Information and Communication Technology, vol 354. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-21424-0_21
DOI: https://doi.org/10.1007/978-3-642-21424-0_21
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-21423-3
Online ISBN: 978-3-642-21424-0