Assets Dependencies Model in Information Security Risk Management

  • Jakub Breier
  • Frank Schindler
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8407)


Information security risk management is a fundamental process conducted for the purpose of securing an organization's information assets. It usually involves asset identification and valuation, threat analysis, risk analysis and the implementation of countermeasures. A correct asset valuation is the basis for an accurate risk analysis, yet few works describe the valuation process with respect to dependencies among assets. In this work we propose a method for inspecting asset dependencies, based on the common security attributes - confidentiality, integrity and availability. Our method should yield more detailed outputs from the risk analysis and therefore make this process more objective.
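To make the abstract's point concrete, the following is an added example, not the authors' method: it assumes each asset carries an intrinsic value per attribute (C, I, A on a 1..5 scale) and that a supporting asset inherits, per attribute, the highest requirement of every asset that relies on it for that attribute. The inventory (`SAMPLE`), the propagation rule and the helper names are all constructed for illustration.

```python
"""Illustrative CIA-based asset dependency valuation.

Added example; the propagation rule (a supporter inherits, per attribute, the
maximum effective value of the assets that depend on it for that attribute)
is an assumption chosen for illustration, not the paper's method.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

ATTRS = ("C", "I", "A")  # confidentiality, integrity, availability


@dataclass
class Asset:
    name: str
    own: Dict[str, int]  # intrinsic value per attribute, 1 (low) .. 5 (critical)
    # supporter name -> attributes this asset relies on the supporter for
    depends_on: Dict[str, Set[str]] = field(default_factory=dict)


def build_reverse_index(assets: Dict[str, Asset]) -> Dict[str, List[Tuple[str, str]]]:
    """Map each supporting asset to the (dependent, attribute) pairs relying on it."""
    rev: Dict[str, List[Tuple[str, str]]] = {name: [] for name in assets}
    for a in assets.values():
        for supporter, attrs in a.depends_on.items():
            if supporter not in assets:
                raise KeyError(f"{a.name} depends on unknown asset {supporter}")
            for attr in attrs:
                rev[supporter].append((a.name, attr))
    return rev


def effective_values(assets: Dict[str, Asset]) -> Dict[str, Dict[str, int]]:
    """Propagate requirements from dependents down to supporters, per attribute."""
    rev = build_reverse_index(assets)
    memo: Dict[Tuple[str, str], int] = {}
    in_progress: Set[Tuple[str, str]] = set()

    def eff(name: str, attr: str) -> int:
        key = (name, attr)
        if key in memo:
            return memo[key]
        if key in in_progress:  # same attribute loops back to this asset
            raise ValueError(f"dependency cycle through {name}/{attr}")
        in_progress.add(key)
        value = assets[name].own.get(attr, 0)
        for dependent, dep_attr in rev[name]:
            if dep_attr == attr:
                value = max(value, eff(dependent, attr))
        in_progress.discard(key)
        memo[key] = value
        return value

    return {name: {attr: eff(name, attr) for attr in ATTRS} for name in assets}


def undervalued_assets(assets: Dict[str, Asset]) -> Dict[str, Dict[str, Tuple[int, int]]]:
    """Assets whose effective value on some attribute exceeds their intrinsic value."""
    result: Dict[str, Dict[str, Tuple[int, int]]] = {}
    for name, vals in effective_values(assets).items():
        gaps = {a: (assets[name].own.get(a, 0), v)
                for a, v in vals.items() if v > assets[name].own.get(a, 0)}
        if gaps:
            result[name] = gaps
    return result


def has_cycle(assets: Dict[str, Asset]) -> bool:
    """True if propagation cannot terminate because of a dependency loop."""
    try:
        effective_values(assets)
    except ValueError:
        return True
    return False


# Constructed sample inventory (hypothetical names and values).
SAMPLE: Dict[str, Asset] = {
    "Webshop":    Asset("Webshop",    {"C": 3, "I": 4, "A": 5},
                        {"CustomerDB": {"I", "A"}, "Network": {"A"}}),
    "CustomerDB": Asset("CustomerDB", {"C": 5, "I": 5, "A": 4},
                        {"DBServer": {"C", "I", "A"}}),
    "DBServer":   Asset("DBServer",   {"C": 2, "I": 2, "A": 3},
                        {"Network": {"A"}}),
    "Network":    Asset("Network",    {"C": 1, "I": 1, "A": 2}),
}

if __name__ == "__main__":
    for name, gaps in undervalued_assets(SAMPLE).items():
        print(name, gaps)  # e.g. DBServer {'C': (2, 5), 'I': (2, 5), 'A': (3, 5)}
```

The DB server is rated low on its own, but because the customer database relies on it for all three attributes it inherits the database's values; the network, which nobody relies on for confidentiality or integrity, is raised only on availability. Valuing assets in isolation would miss exactly these gaps.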


Keywords: Information Security Risk Management, Asset Valuation, Asset Dependency, Risk Analysis



Copyright information

© IFIP International Federation for Information Processing 2014

Authors and Affiliations

  • Jakub Breier (1, 2)
  • Frank Schindler (3)
  1. Physical Analysis and Cryptographic Engineering, Temasek Laboratories@NTU, Singapore
  2. School of Physical and Mathematical Sciences, Division of Mathematical Sciences, Nanyang Technological University, Singapore
  3. Faculty of Informatics, Pan-European University, Bratislava, Slovakia
