Qualitative Method-Based the Effective Risk Mitigation Method in the Risk Management

  • Jung-Ho Eom
  • Sang-Hun Lee
  • Hyung-Jin Lim
  • Tai-Myoung Chung
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3981)


In this paper we present a method of safeguard selection for effective risk mitigation using a qualitative method. We provide a way to select the appropriate safeguard method and technique according to risk type, and we perform a cost-benefit analysis. In selecting the safeguard method, we recommend the appropriate one among risk avoidance, transference, prevention, threat reduction, impact reduction, etc. according to the risk type. After selecting the safeguard method, we choose the safeguard technique considering the organization's IT system capability, such as the IT system and network structure, functionality, and the exclusiveness and achievability of the safeguard. We then apply the safeguard technique to the safeguard method to implement effective security technology. We perform a cost-benefit analysis of the candidate safeguards, considering the organization's security budget. By following this procedure, we can decide on optimal safeguards, with methods and techniques matched to risk types, before implementing them. We can also prevent redundant work and wasted security budget by analysing the efficiency of existing safeguards. Lastly, we reflect the opinions of the organization's CEO, who may require special safeguards for the specific information systems related to the core business.
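The abstract describes a three-step selection procedure: pick a safeguard method by risk type, keep only techniques the organization can actually operate and that do not duplicate an existing safeguard, then run a cost-benefit analysis within the security budget while honouring safeguards management has required. The following Python script is an added illustration of that procedure and is not code from the paper; the risk-type-to-method table, the safeguard catalogue, the annual loss figures, the capability names and the budget are all constructed assumptions, and the knapsack-style subset search is one way to do the cost-benefit step, not the authors' method.

```python
"""Added illustration of safeguard selection by risk type and cost-benefit analysis.

All data below (risk types, safeguards, costs, loss figures, budget) are constructed
for the example; the mapping tables are assumptions, not the paper's own tables.
"""
from dataclasses import dataclass
from itertools import combinations

# Assumed recommended safeguard method per risk type (constructed table).
METHOD_FOR_RISK_TYPE = {
    "malicious_code": "prevention",
    "unauthorised_access": "threat_reduction",
    "data_loss": "impact_reduction",
    "service_outage": "transference",
}


@dataclass(frozen=True)
class Safeguard:
    name: str
    method: str            # avoidance, transference, prevention, threat_reduction, ...
    risk_type: str         # the risk type this safeguard addresses
    cost: float            # annual cost (constructed units)
    risk_reduction: float  # fraction of the annual loss expectancy it removes
    requires: frozenset = frozenset()  # organisational capabilities needed to run it


@dataclass(frozen=True)
class Risk:
    name: str
    risk_type: str
    ale: float             # annual loss expectancy before any new safeguard


# Constructed risk register, existing safeguards, catalogue and organisation profile.
RISKS = [
    Risk("email worm outbreak", "malicious_code", 50_000.0),
    Risk("web server compromise", "unauthorised_access", 80_000.0),
    Risk("accidental data loss", "data_loss", 30_000.0),
]
EXISTING = [Safeguard("nightly backup", "impact_reduction", "data_loss", 5_000.0, 0.8)]
CATALOGUE = [
    Safeguard("antivirus gateway", "prevention", "malicious_code", 10_000.0, 0.6),
    Safeguard("awareness training", "threat_reduction", "malicious_code", 3_000.0, 0.3),
    Safeguard("network IDS", "threat_reduction", "unauthorised_access", 19_000.0, 0.5,
              frozenset({"network_monitoring"})),
    Safeguard("web application firewall", "threat_reduction", "unauthorised_access",
              15_000.0, 0.4, frozenset({"reverse_proxy"})),
    Safeguard("offsite backup", "impact_reduction", "data_loss", 8_000.0, 0.9),
    Safeguard("host hardening", "threat_reduction", "unauthorised_access", 6_000.0, 0.25),
]
CAPABILITIES = frozenset({"network_monitoring", "central_logging"})
BUDGET = 30_000.0


def candidate_safeguards(risks, catalogue, capabilities, existing):
    """Steps 1-2: keep techniques that implement the recommended method for a risk type
    present in the register, are achievable with the organisation's capabilities, and
    do not duplicate an existing safeguard covering the same risk type."""
    present = {r.risk_type for r in risks}
    covered = {s.risk_type for s in existing}
    chosen = []
    for s in catalogue:
        if s.risk_type not in present:
            continue
        if s.method != METHOD_FOR_RISK_TYPE.get(s.risk_type):
            continue                      # wrong method for this risk type
        if not s.requires <= capabilities:
            continue                      # organisation cannot operate it
        if s.risk_type in covered:
            continue                      # redundant with an existing safeguard
        chosen.append(s)
    return chosen


def benefit(safeguard, risks):
    """Annual loss avoided: ALE times reduction, summed over risks of that type."""
    return sum(r.ale * safeguard.risk_reduction
               for r in risks if r.risk_type == safeguard.risk_type)


def select_under_budget(candidates, risks, budget, mandatory=()):
    """Step 3: cost-benefit analysis. Exhaustive subset search (catalogues are small)
    maximising net benefit within budget; names in `mandatory` (safeguards required by
    management, assumed to be among the candidates) must be in the chosen set."""
    best, best_net = (), float("-inf")
    for k in range(len(candidates) + 1):
        for subset in combinations(candidates, k):
            names = {s.name for s in subset}
            if not set(mandatory) <= names:
                continue
            cost = sum(s.cost for s in subset)
            if cost > budget:
                continue
            net = sum(benefit(s, risks) for s in subset) - cost
            if net > best_net:
                best, best_net = subset, net
    return sorted(s.name for s in best), best_net


def plan(mandatory=()):
    """Run the whole procedure on the constructed data."""
    cands = candidate_safeguards(RISKS, CATALOGUE, CAPABILITIES, EXISTING)
    return select_under_budget(cands, RISKS, BUDGET, mandatory)


if __name__ == "__main__":
    print("candidates:", [s.name for s in candidate_safeguards(RISKS, CATALOGUE, CAPABILITIES, EXISTING)])
    print("optimal:", plan())
    print("with required host hardening:", plan(mandatory=("host hardening",)))
```

On the constructed data the awareness training is dropped because the assumed table recommends prevention for malicious code, the web application firewall is dropped because the organisation lacks the reverse-proxy capability it needs, and the offsite backup is dropped as redundant with the existing nightly backup. The budget-constrained selection then picks the antivirus gateway and the network IDS; forcing host hardening in (the "CEO opinion" step) changes the answer and lowers the net benefit, which is exactly the trade-off the procedure is meant to make visible before anything is implemented.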


Keywords (added by machine, not by the authors): Security Policy, Malicious Code, Security Program, Risk Type, Security Architecture





Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Jung-Ho Eom (1)
  • Sang-Hun Lee (1)
  • Hyung-Jin Lim (1)
  • Tai-Myoung Chung (1)

  1. Internet Management Technology Laboratory, School of Information and Communication Engineering, Sungkyunkwan University, Suwon, Kyunggi-do, Republic of Korea
