Problem Analysis of Traditional IT-Security Risk Assessment Methods – An Experience Report from the Insurance and Auditing Domain

  • Stefan Taubenberger
  • Jan Jürjens
  • Yijun Yu
  • Bashar Nuseibeh
Conference paper
Part of the IFIP Advances in Information and Communication Technology book series (IFIPAICT, volume 354)


Traditional information technology (IT) security risk assessment approaches are based on an analysis of events, probabilities and impacts. In practice, security experts often find it difficult to determine IT risks reliably with precision. In this paper, we review the risk determination steps of traditional risk assessment approaches and report on our experience of using such approaches. Our experience is based on performing IT audits and IT business insurance cover assessments within a reinsurance company. The paper concludes with a summary of issues concerning traditional approaches that are related to the identification and evaluation of events, probabilities and impacts. We also conclude that there is a need to develop alternative approaches, and suggest a security requirements-based risk assessment approach without events and probabilities.


Keywords: IT risk analysis, IT risk assessment, Security requirements



Copyright information

© IFIP International Federation for Information Processing 2011

Authors and Affiliations

  • Stefan Taubenberger (1)
  • Jan Jürjens (2)
  • Yijun Yu (3)
  • Bashar Nuseibeh (3, 4)
  1. Munich Re, Munich, Germany
  2. TU Dortmund and Fraunhofer ISST, Germany
  3. Lero, University of Limerick, Ireland
  4. The Open University, Milton Keynes, United Kingdom