Risk Acceptance and Rejection for Threat and Opportunity Risks in Conflicting Incentives Risk Analysis
Classical methods for risk analysis usually rely on probability estimates that are sometimes difficult to verify. In particular, this is the case when the system in question is non-stationary or does not have a history for which reliable statistics are available. These methods focus on risks in relation to threats, failing to consider risks in relation to opportunity. The Conflicting Incentives Risk Analysis (CIRA) addresses both of these issues. Previously, CIRA has been investigated for analyzing threat risks. This paper contributes by illustrating the concept of opportunity risk in the context of CIRA. We give some theoretical underpinnings of risk acceptance and rejection in CIRA, addressing both kinds of risk. Furthermore, the paper explains the extension of CIRA to risk management by outlining the risk treatment (response) measures for threat (opportunity) risks.
Keywords: threat risk, opportunity risk, risk acceptance, risk rejection, risk analysis