Abstract
Risk is usually expressed as a combination of likelihood and consequence, but obtaining credible likelihood estimates is difficult. The Conflicting Incentives Risk Analysis (CIRA) method uses an alternative notion of risk. In CIRA, risk is modeled in terms of conflicting incentives between the risk owner and other stakeholders with regard to the execution of actions. However, very little has been published regarding how CIRA performs in non-trivial settings. This paper addresses this issue by applying CIRA to an Identity Management System (IdMS) similar to the eGovernment IdMS of Norway. To reduce sensitivity and confidentiality issues, the study uses the Case Study Role Play (CSRP) method. In CSRP, data is collected from individuals playing the roles of fictitious characters rather than from an operational setting. The study highlights several risk issues and has helped in identifying areas where CIRA can be improved.
© 2013 IFIP International Federation for Information Processing
About this paper
Cite this paper
Rajbhandari, L., Snekkenes, E. (2013). Using the Conflicting Incentives Risk Analysis Method. In: Janczewski, L.J., Wolfe, H.B., Shenoi, S. (eds) Security and Privacy Protection in Information Processing Systems. SEC 2013. IFIP Advances in Information and Communication Technology, vol 405. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-39218-4_24
DOI: https://doi.org/10.1007/978-3-642-39218-4_24
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-39217-7
Online ISBN: 978-3-642-39218-4
eBook Packages: Computer Science (R0)