Risk Acceptance and Rejection for Threat and Opportunity Risks in Conflicting Incentives Risk Analysis

  • Lisa Rajbhandari
  • Einar Snekkenes
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8058)


Classical methods for risk analysis usually rely on probability estimates that are sometimes difficult to verify. In particular, this is the case when the system in question is non-stationary or has no history for which reliable statistics are available. These methods focus on risks in relation to threats, failing to consider risks in relation to opportunity. The Conflicting Incentives Risk Analysis (CIRA) method addresses both of these issues. Previously, CIRA has been investigated for analyzing threat risks. This paper contributes by illustrating the concept of opportunity risk in the context of CIRA. We give some theoretical underpinnings of risk acceptance and rejection in CIRA, addressing both kinds of risk. Furthermore, the paper explains the extension of CIRA to risk management by outlining the risk treatment (response) measures for threat (opportunity) risks.


Keywords: threat risk, opportunity risk, risk acceptance, risk rejection, risk analysis





Copyright information

© Springer-Verlag Berlin Heidelberg 2013

Authors and Affiliations

  • Lisa Rajbhandari, Norwegian Information Security Laboratory, Gjøvik University College, Norway
  • Einar Snekkenes, Norwegian Information Security Laboratory, Gjøvik University College, Norway
