Qualitative Method-Based the Effective Risk Mitigation Method in the Risk Management
In this paper, we present a method of safeguard selection for effective risk mitigation using a qualitative method. We provide a selection method for the safeguard's method and technique according to risk type, and perform cost-benefit analysis. In selecting the safeguard method, we recommend the suitable method among risk avoidance, transference, prevention, threat reduction, impact reduction, etc. according to the risk type. After selecting the safeguard method, we choose the safeguard technique considering the organization's IT system capability, such as IT system and network structure, functionality, and the exclusiveness and achievability of the safeguard. We then apply the safeguard technique to the safeguard method to implement effective security technology. We perform cost-benefit analysis on the candidate safeguards, considering the organization's security budget. By performing this procedure, we can decide on optimal safeguards, with methods and techniques matched to risk types, before implementing them. We can also prevent redundant work and wasted security budget by analyzing the efficiency of existing safeguards. Lastly, we reflect the opinions of the organization's CEO, who may require special safeguards for the specific information systems related to the core business.
Keywords: Security Policy, Malicious Code, Security Program, Risk Type, Security Architecture
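The abstract describes a three-step procedure: pick a safeguard method (avoidance, transference, prevention, threat reduction, impact reduction) from the risk type, keep only techniques the organization's IT system can actually support, then run a cost-benefit analysis against the security budget, skipping safeguards that duplicate existing ones and always including those the CEO requires for core-business systems. The following Python block is an added illustration of that procedure, not the paper's own method or data: the risk-type-to-method mapping, the candidate safeguards, their costs, their annual loss reductions, and the capability names are all constructed for the example, and the budget search is a simple exhaustive one.

```python
"""Added illustration of qualitative safeguard selection with cost-benefit analysis.

All mappings, safeguards, costs and capability names below are constructed
assumptions for this example; they are not taken from the paper.
"""
from dataclasses import dataclass, field
from itertools import combinations

# Step 1 (assumption): which safeguard methods suit which risk type.
METHODS_BY_RISK_TYPE = {
    "malicious_code": ["prevention", "impact_reduction"],
    "unauthorized_access": ["prevention", "threat_reduction"],
    "data_loss": ["impact_reduction", "transference"],
    "legacy_system_exposure": ["avoidance", "threat_reduction"],
}


@dataclass(frozen=True)
class Safeguard:
    name: str
    method: str             # safeguard method (see METHODS_BY_RISK_TYPE)
    risk_type: str          # the risk type this safeguard addresses
    cost: float             # annual cost (constructed units)
    risk_reduction: float   # annual loss expectancy avoided (constructed units)
    requires: frozenset = field(default_factory=frozenset)  # IT capabilities needed

    @property
    def net_benefit(self) -> float:
        return self.risk_reduction - self.cost


def method_applies(sg: Safeguard, mapping=METHODS_BY_RISK_TYPE) -> bool:
    """Step 1: the safeguard's method must be one recommended for its risk type."""
    return sg.method in mapping.get(sg.risk_type, [])


def technique_feasible(sg: Safeguard, capabilities: frozenset) -> bool:
    """Step 2: the technique must be achievable on the organization's IT system."""
    return sg.requires <= capabilities


def select_safeguards(candidates, capabilities, budget, covered=frozenset(), required=frozenset()):
    """Step 3: cost-benefit selection within budget.

    covered  - (risk_type, method) pairs an existing safeguard already handles; new
               candidates for those pairs are dropped as redundant work.
    required - names the CEO mandates for core-business systems; always included.
    Returns the chosen names, their total cost and their total net benefit.
    """
    chosen = [sg for sg in candidates if sg.name in required]
    spent = sum(s.cost for s in chosen)
    if spent > budget:
        raise ValueError("required safeguards alone exceed the security budget")
    viable = [sg for sg in candidates
              if sg.name not in required
              and method_applies(sg)
              and technique_feasible(sg, capabilities)
              and (sg.risk_type, sg.method) not in covered
              and sg.net_benefit > 0]
    # Exhaustive search over subsets; adequate for the handful of candidates a
    # qualitative review produces.
    best, best_value = (), 0.0
    for k in range(1, len(viable) + 1):
        for combo in combinations(viable, k):
            if spent + sum(s.cost for s in combo) > budget:
                continue
            value = sum(s.net_benefit for s in combo)
            if value > best_value:
                best, best_value = combo, value
    chosen.extend(best)
    return {"selected": [s.name for s in chosen],
            "total_cost": sum(s.cost for s in chosen),
            "net_benefit": sum(s.net_benefit for s in chosen)}


# Constructed candidate list for the example.
CANDIDATES = [
    Safeguard("endpoint-antimalware", "prevention", "malicious_code", 20.0, 60.0, frozenset({"managed_endpoints"})),
    Safeguard("mail-attachment-sandbox", "impact_reduction", "malicious_code", 30.0, 45.0, frozenset({"mail_gateway"})),
    Safeguard("mfa-for-admins", "prevention", "unauthorized_access", 15.0, 50.0, frozenset({"central_idp"})),
    Safeguard("network-segmentation", "threat_reduction", "unauthorized_access", 40.0, 55.0, frozenset({"managed_network"})),
    Safeguard("offsite-backups", "impact_reduction", "data_loss", 25.0, 70.0),
    Safeguard("cyber-insurance", "transference", "data_loss", 35.0, 40.0),
    Safeguard("retire-legacy-server", "avoidance", "legacy_system_exposure", 10.0, 30.0, frozenset({"migration_path"})),
    Safeguard("web-app-firewall", "prevention", "data_loss", 30.0, 50.0),  # method does not suit data_loss
]
CAPABILITIES = frozenset({"managed_endpoints", "mail_gateway", "central_idp"})
ALREADY_COVERED = frozenset({("malicious_code", "prevention")})   # an antimalware product is already deployed
CEO_REQUIRED = frozenset({"offsite-backups"})                      # mandated for the core-business database
BUDGET = 80.0


def run_example():
    return select_safeguards(CANDIDATES, CAPABILITIES, BUDGET, ALREADY_COVERED, CEO_REQUIRED)


if __name__ == "__main__":
    print(run_example())
```

With these constructed inputs the antimalware candidate is dropped as redundant, the segmentation and legacy-retirement candidates are dropped as not achievable on the stated IT system, the web application firewall is dropped because its method does not suit the risk type, and the required backups plus the best affordable combination of the rest (admin MFA and the mail sandbox) are selected.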