Abstract
Information security risk assessment is an important component of information security management. A sound method of risk assessment is critical to accurate evaluation of identified risks and costs associated with information assets. This paper reviews major qualitative and quantitative approaches to assessing information security risks and discusses their strengths and limitations. This paper argues for an optimal method that integrates the strengths of both quantitative calculation and qualitative evaluation for information security risk assessment.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
Alberts, C., & Dorofee, A. (2002). Managing information security risks: The OCTAVE approach. Boston: Addison Wesley Longman Publishing Co., Inc..
Alberts, C., Dorofee, A., Stevens, J., & Woody, C. (2003). Introduction to the OCTAVE approach. Retrieved from http://www.cert.org/octave/pubs.html
Anderson, R., & et al. (2013). Measuring the cost of cybercrime. The Economics of Information Security and Privacy. Springer.
Blakley, B., McDerMott, E., & Geer, D. (2002). Information security is risk management. NSPW'0I, September 10–13th, 2002, Cioudcroll, New Mexico, 97–104.
Bodin, L. D., Gordon, L. E., & Loeb, M. P. (2008). Information security and risk management. Communications of the ACM, 51(4), 64–68.
Ghazouani, M., et al. (2014). Information security risk Assessment — A practical approach with a mathematical formulation of risk. International Journal of Computer Applications, 103(8), 36–42.
Gibson, D. (2015). Managing risk in information systems (2nd ed.). Burlington: Jones & Bartlett Learning.
Kiran, K. V. D., et al. (2013). A comparative analysis on risk assessment information security models. International Journal of Computer Applications, 82(9), 41–47.
Karabacak, B., & Sogukpinar, I. (2005). ISRAM: Information security risk analysis method. Computer & Security, 24(2005), 147–159.
NIST. (2012). “Guide for Conducting Risk Assessments” (NIST SP800–30 Revision 1) by NIST (2012). Retrieved from: http://csrc.nist.gov/publications/nistpubs/800-30-rev1/sp800_30_r1.pdf
Stolen, K., den Braber, F., Dimitrakos, T., Fredriksen, T., Gran, B. A., Houmb, S., et al. (2002). Model-based risk assessment – the CORAS approach. Retrieved from http://www.nik.no/2002/Stolen.pdf
Stoneburner, G., Goguen, A., & Feringa, A. (2002). Risk management guide for information technology systems: Recommendations of NIST. Retrieved from http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf
Suh, B., & Han, I. (2003). The IS risk analysis based on a business model. Information & Management, 41(2003), 149–158.
Vorster, A., & Labuschagne, L. (2005). A framework for comparing different information security risk analysis methodologies. Proceedings of SAICSIT 2005, pp. 95–103.
Wang, J. A. (2005). Information security models and metrics. Proceedings of the 43rd ACM Southeast Conference, March 18–20, 2005, Kennesaw, GA. 178–184.
Whitman, M. E., & Mattord, H. J. (2008). Management of information security (2nd ed.). Boston: Thomson Course Technology.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2018 Springer International Publishing AG
About this paper
Cite this paper
Wang, P., Ratchford, M. (2018). Integrated Methodology for Information Security Risk Assessment. In: Latifi, S. (eds) Information Technology - New Generations. Advances in Intelligent Systems and Computing, vol 558. Springer, Cham. https://doi.org/10.1007/978-3-319-54978-1_20
Download citation
DOI: https://doi.org/10.1007/978-3-319-54978-1_20
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-54977-4
Online ISBN: 978-3-319-54978-1
eBook Packages: EngineeringEngineering (R0)