
Automating Information Security Risk Assessment for IT Services

Part of the Communications in Computer and Information Science book series (CCIS,volume 942)

Abstract

Information Security (IS) Risk Assessment is a main part of risk analysis; it helps organizations make decisions to protect their Information Technology (IT) services and underlying IT assets from potentially adverse events. How to perform the assessment in this context, however, is not a well-defined task. Some approaches provide guidelines but leave analysts to define how to implement them, leading to different mechanisms to identify input data, different procedures to process those inputs, and, as a consequence, different results. To address this problem, we present a semiautomatic procedure based on data systematically obtained from modern IT Service Management (ITSM) tools used by IT staff to handle IT services’ assets and configurations. We argue that these tools handle actual data that may be used to collect inputs for an IS risk assessment procedure, thus reducing subjective values. We evaluated the procedure in a real case study and found that our approach actually reduces the variability of some results. We also identified areas that must be addressed in future work.

Keywords

  • IT risk evaluation
  • Configuration management system
  • Configuration item
  • Service security



Corresponding author

Correspondence to Sandra Rueda.


Copyright information

© 2018 Springer Nature Switzerland AG

About this paper


Cite this paper

Rueda, S., Avila, O. (2018). Automating Information Security Risk Assessment for IT Services. In: Florez, H., Diaz, C., Chavarriaga, J. (eds) Applied Informatics. ICAI 2018. Communications in Computer and Information Science, vol 942. Springer, Cham. https://doi.org/10.1007/978-3-030-01535-0_14


  • DOI: https://doi.org/10.1007/978-3-030-01535-0_14


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-01534-3

  • Online ISBN: 978-3-030-01535-0

  • eBook Packages: Computer Science (R0)