
Asset Sensitivity for Aligning Risk Assessment Across Multiple Units in Complex Organizations

  • Conference paper
Foundations and Practice of Security (FPS 2021)

Abstract

A cyber-risk assessment conducted in a large organization may lead to heterogeneous results due to the subjectivity of certain aspects of the evaluation, especially those concerning the negative consequences (impact) of a cyber-incident. To address this problem, we propose an approach based on the identification of a set of sensitivity features, i.e. certain attributes of the assets or processing activities that are strongly related to the levels of impact of cyber-incidents. We apply our approach to revise the results of a Data Protection Impact Assessment, a mandatory activity for complying with GDPR, conducted in a medium-to-large organization of the Italian Public Administration, and we obtain encouraging results.


Notes

  1. https://cwe.mitre.org/community/swa/priority.html


Author information

Corresponding author: Carla Mascia


Copyright information

© 2022 Springer Nature Switzerland AG

About this paper


Cite this paper

Mascia, C., Ranise, S. (2022). Asset Sensitivity for Aligning Risk Assessment Across Multiple Units in Complex Organizations. In: Aïmeur, E., Laurent, M., Yaich, R., Dupont, B., Garcia-Alfaro, J. (eds) Foundations and Practice of Security. FPS 2021. Lecture Notes in Computer Science, vol 13291. Springer, Cham. https://doi.org/10.1007/978-3-031-08147-7_25


  • DOI: https://doi.org/10.1007/978-3-031-08147-7_25


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-08146-0

  • Online ISBN: 978-3-031-08147-7

  • eBook Packages: Computer Science, Computer Science (R0)
