Abstract
Information Security (IS) Risk Assessment is a main part of risk analysis; it helps organizations make decisions to protect their Information Technology (IT) services and underlying IT assets from potentially adverse events. How to do assessment in this context, however, is not a well defined task. Some approaches provide guidelines but leave analysts to define how to implement them, leading to different mechanisms to identify input data, different procedures to process those inputs, and different results as a consequence. To address this problem, we present a semiautomatic procedure, based on data systematically obtained from modern IT Service Management (ITSM) tools used by IT staff to handle IT services’ assets and configurations. We argue that these tools handle actual data that may be used to collect inputs for a IS risk assessment procedure, thus reducing subjective values. We evaluated the procedure in a real case study and found that our approach actually reduces variability of some results. We also identified areas that must be addressed in future work.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
Anikin, I.: Information security risk assessment and management in computer networks. In: International Siberian Conference on Control and Communications (2015)
Anikin, I., Emaletdinova, L.Y.: Information security risk management in computer networks based on fuzzy logic and cost/benefit ratio estimation. In: Proceedings of the 8th International Conference on Security of Information and Networks, SIN 2015, Sochi, Russia, pp. 8–11. ACM (2015). ISBN 978-1-4503-3453-2
Center for Internet Security. CIS Controls. https://www.cisecurity.org/controls/
MITRE Corporation: CVE Common Vulnerabilities and Exposures (2017). http://cve.mitre.org
Ekelhart, A., et al.: Security ontologies: improving quantitative risk analysis. In: 40th Annual Hawaii International Conference on System Sciences, HICSS 2007, p. 156a. IEEE (2007)
Eom, J.-H., et al.: Risk assessment method based on business process oriented asset evaluation for information system security. In: Proceedings of the 7th International Conference on Computational Science, ICCS 2007, pp. 1024–1031. Springer, Heidelberg (2007). ISBN 978-3-540-72587-9
FIRST Organization: Common Vulnerability Scoring System SIG. https://www.first.org/cvss
FIRST Organization: Common Vulnerability Scoring System v3.0 Specification Document. 3.0. FIRST Organization Inc
Guan, J.-Z., et al.: Knowledge-based information security risk assessment method. J. China Univ. Posts Telecommun. 20(3), 60–63 (2013)
de Gusmão, A.P.H.: Information security risk analysis model using fuzzy decision theory. Int. J. Inf. Manage. 36(1), 25–34 (2016)
Je, Y.-M., You, Y.-Y., Na, K.-S.: Information security evaluation using multi-attribute threat index. Wireless Pers. Commun. 89(3), 913–925 (2016)
Karabey, B., Baykal, N.: Attack tree based information security risk assessment method integrating enterprise objectives with vulnerabilities. Int. Arab J. Inf. Technol. 10(3), 297–304 (2013)
Khanmohammadi, K., Houmb, S.H.: Business process-based information security risk assessment. In: Fourth International Conference on Network and System Security (2010)
Korchenko, O., et al.: Increment order of linguistic variables method in information security risk assessment. In: International Scientific-Practical Conference Problems of Infocommunications Science and Technology (2015)
Mell, P., Scarfone, K., Romanosky, S.: A Complete Guide to the Common Vulnerability Scoring System Version 2.0
Sajko, M., Hadjine, N., Pesut, D.: Multi-criteria model for evaluation of information security risk assessment methods and tools. In: International Convention on Information and Communication Technology, Electronics and Microelectronics (2010)
Salmela, H.: Analysing business losses caused by information systems risk: a business process analysis approach, pp. 180–216 (2016). cited By 0
Shameli-Sendi, A., Aghababaei-Barzegar, R., Cheriet, M.: Taxonomy of information security risk assessment (ISRA). Comput. Secur. 57, 14–30 (2016)
Sherwood, J., Clark, A., Lynas, D.: Architecture, Enterprise Security (2009)
International Organization for Standardization: ISO 27005. Information Security Risk Management (2011)
Symantec. Internet Security Threat Report. Techical report Symantec (2016)
The OpenWeb Application Security Project. OWASP Risk Rating Methodology. http://www.owasp.org
U.S. National Institute of Standards and Technology - NIST. National Vulnerability Database. http://nvd.nist.gov
U.S. National Institute of Standards and Technology - NIST. Official Common Platform Enumeration (CPE). https://nvd.nist.gov/products/cpe
U.S. National Institute of Standards and Technology - NIST. SP 800–30. Guide for Conducting Risk Assessments (2012)
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2018 Springer Nature Switzerland AG
About this paper
Cite this paper
Rueda, S., Avila, O. (2018). Automating Information Security Risk Assessment for IT Services. In: Florez, H., Diaz, C., Chavarriaga, J. (eds) Applied Informatics. ICAI 2018. Communications in Computer and Information Science, vol 942. Springer, Cham. https://doi.org/10.1007/978-3-030-01535-0_14
Download citation
DOI: https://doi.org/10.1007/978-3-030-01535-0_14
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-01534-3
Online ISBN: 978-3-030-01535-0
eBook Packages: Computer ScienceComputer Science (R0)