Abstract
Measuring risk is not a simple task, since it almost invariably involves an analyst's subjective judgment. Risk analysis often forces the analyst to estimate or predict future events, which are uncertain. We should therefore account for the uncertainty in the judgments the analyst makes. In this article we apply belief functions, which are designed to express and manipulate such uncertainty, and we use an evidential network to combine the answers, and the uncertainty attached to them, from a checklist-based risk analysis. A checklist method remains useful because it is simpler and easier to apply than other risk analysis methods, and a checklist-based risk analysis can also be used in a baseline approach. To establish the measure of risk in a checklist-based analysis, together with the uncertainty in that measurement, we propose the use of belief functions. An evidential network deployed in a checklist-based risk analysis can also be applied to the self-assessment of BS7799 compliance when preparing for accredited certification against BS7799.
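To illustrate the combination step the abstract describes, the following is an added example (not code from the paper): belief functions for one checklist-assessed risk are built from each answer and the analyst's confidence in it, combined with Dempster's rule of combination, and read out as a belief/plausibility interval whose width is the remaining ignorance. The frame of discernment, the "yes"/"no"/"unknown" answer encoding and the sample answers are constructed for the example.

```python
from fractions import Fraction
from itertools import product

# Frame of discernment for one risk: the control objective is met (OK) or not (FAIL).
OK, FAIL = "ok", "fail"
THETA = frozenset({OK, FAIL})          # total ignorance


def checklist_evidence(answer, confidence):
    """Map one checklist answer plus the analyst's confidence to a mass function.
    'yes' puts mass on OK, 'no' on FAIL; whatever confidence is lacking stays on THETA.
    (Constructed encoding for this example.)"""
    c = Fraction(confidence)
    if not 0 <= c <= 1:
        raise ValueError("confidence must lie in [0, 1]")
    if answer == "yes":
        return {frozenset({OK}): c, THETA: 1 - c}
    if answer == "no":
        return {frozenset({FAIL}): c, THETA: 1 - c}
    return {THETA: Fraction(1)}        # 'unknown': vacuous evidence


def combine(m1, m2):
    """Dempster's rule: intersect focal elements, discard conflict, renormalise."""
    out, conflict = {}, Fraction(0)
    for (a, wa), (b, wb) in product(m1.items(), m2.items()):
        inter = a & b
        if inter:
            out[inter] = out.get(inter, Fraction(0)) + wa * wb
        else:
            conflict += wa * wb
    if conflict == 1:
        raise ValueError("total conflict: the evidence cannot be combined")
    return {k: v / (1 - conflict) for k, v in out.items()}


def belief(m, hypothesis):
    return sum((v for k, v in m.items() if k <= hypothesis), Fraction(0))


def plausibility(m, hypothesis):
    return sum((v for k, v in m.items() if k & hypothesis), Fraction(0))


def assess(answers):
    """Combine all (answer, confidence) pairs for one risk; return (Bel, Pl) of FAIL."""
    m = {THETA: Fraction(1)}
    for answer, confidence in answers:
        m = combine(m, checklist_evidence(answer, confidence))
    fail = frozenset({FAIL})
    return belief(m, fail), plausibility(m, fail)
```

The gap between Bel and Pl is the uncertainty the analyst's judgment leaves in the risk measure; a wide interval is a signal to gather more evidence rather than to report a single point score.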
© 2001 IFIP International Federation for Information Processing
Cite this paper
Cho, S., Ciechanowicz, Z. (2001). Checklist-Based Risk Analysis with Evidential Reasoning. In: Dupuy, M., Paradinas, P. (eds) Trusted Information. SEC 2001. IFIP International Federation for Information Processing, vol 65. Springer, Boston, MA. https://doi.org/10.1007/0-306-46998-7_19
DOI: https://doi.org/10.1007/0-306-46998-7_19
Publisher Name: Springer, Boston, MA
Print ISBN: 978-0-7923-7389-6
Online ISBN: 978-0-306-46998-5