Automating Information Security Risk Assessment for IT Services

  • Sandra Rueda
  • Oscar Avila
Conference paper
Part of the Communications in Computer and Information Science book series (CCIS, volume 942)


Information Security (IS) risk assessment is a central part of risk analysis: it helps organizations decide how to protect their Information Technology (IT) services, and the IT assets underlying them, from potentially adverse events. How to perform the assessment, however, is not a well-defined task. Existing approaches provide guidelines but leave it to analysts to decide how to implement them, which leads to different mechanisms for identifying input data, different procedures for processing those inputs and, consequently, different results. To address this problem, we present a semi-automatic procedure based on data obtained systematically from the modern IT Service Management (ITSM) tools that IT staff already use to manage the assets and configurations of IT services. We argue that these tools hold actual operational data that can supply the inputs of an IS risk assessment procedure, thereby reducing the number of subjective values. We evaluated the procedure in a real case study and found that our approach does reduce the variability of some results. We also identified areas that must be addressed in future work.


Keywords: IT risk evaluation, Configuration management system, Configuration item, Service security
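The idea in the abstract, taking risk-assessment inputs from records an ITSM/CMDB tool already holds rather than from analyst judgement, can be shown with a small script. This is an added, illustrative example written for this page; it is not the authors' procedure, and the paper does not specify this scoring. The CMDB export, the dependency relations and the vulnerability feed are constructed samples, and the scoring rule (criticality inherited from dependent services, multiplied by the highest CVSS base score found in the configuration item's software inventory) is a hypothetical choice. It also flags configuration items whose records are incomplete, since a procedure driven by CMDB data is only as objective as those records.

```python
"""Illustrative derivation of risk-assessment inputs from CMDB-style records.
Example code for this page; all data below is constructed, not from a real CMDB."""
from collections import deque

# Constructed services with business criticality (1 = low .. 5 = high).
SERVICES = {
    "svc-payments": {"criticality": 5},
    "svc-intranet": {"criticality": 2},
}

# Constructed configuration items (CIs); 'software' holds (product, version) pairs.
CIS = {
    "web-01": {"owner": "team-web", "software": [("nginx", "1.18.0")]},
    "app-01": {"owner": "team-pay", "software": [("openjdk", "11.0.4")]},
    "db-01": {"owner": "team-dba", "software": [("postgresql", "12.1")]},
    "wiki-01": {"owner": None, "software": []},  # incomplete CMDB record
}

# Constructed 'depends on' relations: (source, target).
DEPENDS_ON = [
    ("svc-payments", "web-01"),
    ("web-01", "app-01"),
    ("app-01", "db-01"),
    ("svc-intranet", "wiki-01"),
    ("svc-intranet", "db-01"),
]

# Constructed vulnerability feed keyed by exact (product, version); a real feed
# would match version ranges or CPE names, exact match keeps the example short.
VULNS = {
    ("openjdk", "11.0.4"): 7.5,
    ("postgresql", "12.1"): 9.8,
}


def _closure(start, edges, reverse):
    """Nodes reachable from `start` following edges (reverse=True walks 'depended on by')."""
    adj = {}
    for src, dst in edges:
        a, b = (dst, src) if reverse else (src, dst)
        adj.setdefault(a, []).append(b)
    seen, queue = set(), deque([start])
    while queue:
        node = queue.popleft()
        for nxt in adj.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def asset_value(ci, services=SERVICES, edges=DEPENDS_ON):
    """CI value inherited from the most critical service that (transitively) depends on it."""
    crit = [services[n]["criticality"] for n in _closure(ci, edges, reverse=True) if n in services]
    return max(crit, default=0)


def exposure(ci, cis=CIS, vulns=VULNS):
    """Highest CVSS base score among known vulnerabilities in the CI's software inventory."""
    return max((vulns.get(sw, 0.0) for sw in cis[ci]["software"]), default=0.0)


def data_gaps(ci, cis=CIS):
    """Record fields whose absence makes the derived inputs unreliable."""
    gaps = []
    if not cis[ci]["owner"]:
        gaps.append("no owner")
    if not cis[ci]["software"]:
        gaps.append("no software inventory")
    return gaps


def ci_risk(ci):
    """Hypothetical score: inherited asset value (0..5) x exposure (0..10)."""
    return round(asset_value(ci) * exposure(ci), 1)


def service_risk(svc, services=SERVICES, edges=DEPENDS_ON, cis=CIS):
    """Service criticality x worst exposure across all CIs it transitively depends on."""
    worst = max((exposure(c) for c in _closure(svc, edges, reverse=False) if c in cis), default=0.0)
    return round(services[svc]["criticality"] * worst, 1)


if __name__ == "__main__":
    for ci in CIS:
        print(f"{ci:8} value={asset_value(ci)} exposure={exposure(ci):4} "
              f"risk={ci_risk(ci):5} gaps={data_gaps(ci)}")
    for svc in SERVICES:
        print(f"{svc:13} risk={service_risk(svc)}")
```

The point to notice is that db-01 inherits criticality 5 from svc-payments through two dependency hops, and that svc-intranet's score is driven by the shared database rather than by its own wiki host, which has no usable inventory at all; both facts come out of the relationship data, not from an analyst's estimate.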



Copyright information

© Springer Nature Switzerland AG 2018

Authors and Affiliations

  1. Computing and Systems Engineering Department, School of Engineering, Universidad de los Andes, Bogota, Colombia
