A Holistic Risk Analysis Method for Identifying Information Security Risks

  • Janine L. Spears
Part of the IFIP International Federation for Information Processing book series (IFIPAICT, volume 193)


Risk analysis is used during the planning of information security to identify security requirements, and is also often used to determine the economic feasibility of security safeguards. The traditional method of conducting a risk analysis is technology-driven and has several shortcomings. First, its focus on technology comes at the expense of considering people and processes as significant sources of security risk. Second, an analysis driven by technical assets can be overly time-consuming and costly. Third, the traditional risk analysis method employs calculations based largely on guesswork to estimate the probability and financial loss of a security breach. Finally, an IT-centric approach to security risk analysis does not involve business users to the extent necessary to identify a comprehensive set of risks, or to promote security awareness throughout an organization. This paper proposes an alternative, holistic method of conducting risk analysis. A holistic risk analysis, as defined in this paper, is one that attempts to identify a comprehensive set of risks by focusing equally on technology, information, people, and processes. The method is driven by critical business processes, which gives the analysis focus and relevance. Key aspects of the method include a business-driven analysis, user participation in the analysis, architecture and data flow diagrams as a means to identify relevant IT assets, risk scenarios to capture procedural and security details, and qualitative estimation. The mixture of people and tools involved in the analysis is expected to result in a more comprehensive set of identified risks and a significant increase in security awareness throughout the organization.
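As an added illustration, not code from the paper or its author, the Python sketch below models the parts of the method the abstract names: risk scenarios tied to a critical business process, assets drawn from an architecture or data flow diagram, the four focus areas (technology, information, people, processes), and qualitative likelihood and impact estimation instead of guessed probabilities and dollar figures. The three-level scale, the rating matrix, the category names and every scenario are assumptions constructed for the example; the register it builds ranks scenarios and reports which focus areas a given business process has no scenario for, which is the check a reviewer would run to confirm the analysis is actually holistic.

```python
"""Qualitative, business-process-driven risk register (illustrative example).

Added example of the ideas in the abstract; it is not the paper's method or
tooling. The scale, matrix, categories and scenario data are all constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

LEVELS = ("low", "medium", "high")  # assumed ordinal scale for likelihood and impact
CATEGORIES = ("technology", "information", "people", "process")  # the four focus areas

# Assumed 3x3 rating matrix: (likelihood, impact) -> overall qualitative risk level.
RISK_MATRIX: Dict[Tuple[str, str], str] = {
    ("low", "low"): "low",       ("low", "medium"): "low",       ("low", "high"): "medium",
    ("medium", "low"): "low",    ("medium", "medium"): "medium", ("medium", "high"): "high",
    ("high", "low"): "medium",   ("high", "medium"): "high",     ("high", "high"): "high",
}


@dataclass(frozen=True)
class RiskScenario:
    process: str      # critical business process that motivated the scenario
    asset: str        # asset or data flow identified from the architecture/DFD
    category: str     # source of risk: one of CATEGORIES
    description: str  # procedural and security details captured in the scenario
    likelihood: str   # qualitative estimate agreed by business and IT participants
    impact: str       # qualitative estimate of business impact

    def __post_init__(self) -> None:
        # Reject scenarios that fall outside the agreed vocabulary so the
        # register cannot silently contain unrated or miscategorised entries.
        if self.category not in CATEGORIES:
            raise ValueError(f"unknown category: {self.category!r}")
        for level in (self.likelihood, self.impact):
            if level not in LEVELS:
                raise ValueError(f"unknown level: {level!r}")


def qualitative_rating(likelihood: str, impact: str) -> str:
    """Map a (likelihood, impact) pair to an overall level via the matrix."""
    return RISK_MATRIX[(likelihood, impact)]


def build_register(scenarios: List[RiskScenario]) -> List[Tuple[str, RiskScenario]]:
    """Return (rating, scenario) pairs, highest rating first; ties keep input order."""
    rated = [(qualitative_rating(s.likelihood, s.impact), s) for s in scenarios]
    rated.sort(key=lambda pair: LEVELS.index(pair[0]), reverse=True)  # stable sort
    return rated


def coverage_gaps(scenarios: List[RiskScenario], process: str) -> List[str]:
    """Focus areas for which the given business process has no scenario at all."""
    covered = {s.category for s in scenarios if s.process == process}
    return [c for c in CATEGORIES if c not in covered]


# Constructed sample data: two business processes, one analysed across all four
# focus areas and one where only the technology view has been considered.
ORDER, PAYROLL = "order fulfilment", "payroll"
SAMPLE_SCENARIOS = [
    RiskScenario(ORDER, "order web server", "technology",
                 "Internet-facing order server is not on the patch schedule", "medium", "high"),
    RiskScenario(ORDER, "daily order export (DFD flow F3)", "information",
                 "Export with customer addresses is e-mailed to the carrier unencrypted", "high", "high"),
    RiskScenario(ORDER, "warehouse terminal", "people",
                 "Shift staff share one login, so actions cannot be attributed", "high", "medium"),
    RiskScenario(ORDER, "refund approval", "process",
                 "Refunds above the limit are approved by the clerk who entered them", "medium", "medium"),
    RiskScenario(PAYROLL, "HR database server", "technology",
                 "Database backups are kept on the same host as the database", "low", "high"),
]


if __name__ == "__main__":
    for rating, s in build_register(SAMPLE_SCENARIOS):
        print(f"{rating:6} | {s.process:16} | {s.category:11} | {s.asset}: {s.description}")
    for proc in (ORDER, PAYROLL):
        gaps = coverage_gaps(SAMPLE_SCENARIOS, proc)
        print(f"{proc}: {'no coverage gaps' if not gaps else 'missing ' + ', '.join(gaps)}")
```

The two functions separate the two things the abstract asks of a holistic analysis: `build_register` gives the prioritised list a security planner needs for safeguard decisions, while `coverage_gaps` makes visible when a process has only been looked at through its technical assets, which is exactly the blind spot the paper attributes to IT-centric analysis.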


Keywords: risk analysis, information security, risk management, business process, data flow diagram, risk scenario



Copyright information

© International Federation for Information Processing 2005

Authors and Affiliations

  • Janine L. Spears, Smeal College of Business, The Pennsylvania State University, University Park
