Abstract
Information security risk management is a fundamental process conducted for the purpose of securing information assets in an organization. It usually involves asset identification and valuation, threat analysis, risk analysis and implementation of countermeasures. A correct asset valuation is a basis for accurate risk analysis, but there is a lack of works describing the valuation process with respect to dependencies among assets. In this work we propose a method for inspecting asset dependencies, based on common security attributes - confidentiality, integrity and availability. Our method should bring more detailed outputs from the risk analysis and therefore make this process more objective.
Chapter PDF
References
NIST Special Publication 800-53 Managing Information Security Risk - Organization, Mission, and Information System View. NIST (2011)
Blakley, B., McDermott, E., Geer, D.: Information security is information risk management. In: Proceedings of the 2001 Workshop on New Security Paradigms, NSPW 2001, pp. 97–104. ACM, New York (2001)
ISO. ISO/IEC Std. ISO 27005:2011, Information technology – Security techniques – Information security risk management. ISO (2011)
Leitner, A., Schaumuller-Bichl, I.: Arima - a new approach to implement iso/iec 27005. In: 2nd International Logistics and Industrial Informatics, LINDI 2009, pp. 1–6 (2009)
Loloei, I., Shahriari, H.R., Sadeghi, A.: A model for asset valuation in security risk analysis regarding assets’ dependencies. In: 2012 20th Iranian Conference on Electrical Engineering (ICEE), pp. 763–768 (2012)
Mayer, J., Lemes Fagundes, L.: A model to assess the maturity level of the risk management process in information security. In: IFIP/IEEE International Symposium on Integrated Network Management-Workshops, IM 2009, pp. 61–70 (2009)
Suh, B., Han, I.: The is risk analysis based on a business model. Inf. Manage. 41(2), 149–158 (2003)
Tatar, U., Karabacak, B.: An hierarchical asset valuation method for information security risk analysis. In: 2012 International Conference on Information Society (i-Society), pp. 286–291 (2012)
Vavoulas, N., Xenakis, C.: A quantitative risk analysis approach for deliberate threats. In: Xenakis, C., Wolthusen, S. (eds.) CRITIS 2010. LNCS, vol. 6712, pp. 13–25. Springer, Heidelberg (2011)
Williams, R., Pandelios, G., Behrens, S.: Software Risk Evaluation (SRE) method description (version 2.0). Software Engineering Institute (1999)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2014 IFIP International Federation for Information Processing
About this paper
Cite this paper
Breier, J., Schindler, F. (2014). Assets Dependencies Model in Information Security Risk Management. In: Linawati, Mahendra, M.S., Neuhold, E.J., Tjoa, A.M., You, I. (eds) Information and Communication Technology. ICT-EurAsia 2014. Lecture Notes in Computer Science, vol 8407. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-55032-4_40
Download citation
DOI: https://doi.org/10.1007/978-3-642-55032-4_40
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-55031-7
Online ISBN: 978-3-642-55032-4
eBook Packages: Computer ScienceComputer Science (R0)