Information Security Risk Assessment Model for Risk Management

  • Conference paper
Trust and Privacy in Digital Business (TrustBus 2006)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 4083))

Abstract

The article presents a simple model for information security risk assessment. The model has four main elements: security threats, their business impact, security measures and their costs. The security measures – threats relationship matrix is the model's fundamental quantitative tool. The model is based on well-known methods such as ALE, ROSI and ISRAM, but allows more flexible and more precise metrics to be established, supporting the security management process at different organizational levels.
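The abstract names ALE, ROSI and a measures-threats matrix as the model's building blocks. The Python below is an added illustration of how those pieces fit together, not the paper's own model or code: it applies the standard ALE = SLE x ARO and ROSI = (ALE reduction - cost) / cost formulas to a constructed threat register, constructed measure costs and a constructed matrix whose cells give the fraction of a threat's occurrence rate a measure removes, and combines measures multiplicatively, which is an assumption of this example.

```python
from itertools import combinations

# Constructed threat register: single loss expectancy (currency per incident)
# and annualized rate of occurrence (incidents per year).
THREATS = {
    "phishing": {"sle": 40_000.0, "aro": 2.0},
    "ransomware": {"sle": 250_000.0, "aro": 0.2},
    "insider_leak": {"sle": 100_000.0, "aro": 0.1},
}
# Constructed annual cost of each candidate security measure.
MEASURE_COST = {"awareness_training": 15_000.0, "edr": 60_000.0, "dlp": 30_000.0}
# Constructed measures-threats matrix: fraction of a threat's ARO that a measure
# removes (0 = no effect, 1 = fully prevented); absent cells mean no effect.
MATRIX = {
    ("awareness_training", "phishing"): 0.5,
    ("awareness_training", "ransomware"): 0.2,
    ("edr", "ransomware"): 0.7,
    ("edr", "insider_leak"): 0.1,
    ("dlp", "insider_leak"): 0.6,
}

def ale(threat: str, aro=None) -> float:
    """Annualized loss expectancy = SLE x ARO; pass a residual ARO for the post-measure ALE."""
    t = THREATS[threat]
    return t["sle"] * (t["aro"] if aro is None else aro)

def residual_aro(threat: str, selected: tuple) -> float:
    """ARO left after the selected measures. Effects are combined multiplicatively,
    i.e. treated as independent (an assumption of this example)."""
    remaining = 1.0
    for m in selected:
        remaining *= 1.0 - MATRIX.get((m, threat), 0.0)
    return THREATS[threat]["aro"] * remaining

def evaluate(selected: tuple) -> dict:
    """Total ALE before/after, annual cost and ROSI = (ALE reduction - cost) / cost."""
    before = sum(ale(t) for t in THREATS)
    after = sum(ale(t, residual_aro(t, selected)) for t in THREATS)
    cost = sum(MEASURE_COST[m] for m in selected)
    return {"ale_before": before, "ale_after": after, "cost": cost,
            "rosi": (before - after - cost) / cost}

def best_portfolio() -> tuple:
    """Non-empty set of measures with the highest ROSI, searched exhaustively."""
    candidates = [c for n in range(1, len(MEASURE_COST) + 1)
                  for c in combinations(sorted(MEASURE_COST), n)]
    return max(candidates, key=lambda c: evaluate(c)["rosi"])

if __name__ == "__main__":
    print(best_portfolio(), evaluate(best_portfolio()))
```

With these constructed numbers the cheapest measure alone has the best ROSI, while adding EDR to it still reduces ALE further but drops ROSI close to zero; that is the trade-off the matrix makes visible across organizational levels.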



Copyright information

© 2006 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Wawrzyniak, D. (2006). Information Security Risk Assessment Model for Risk Management. In: Fischer-Hübner, S., Furnell, S., Lambrinoudakis, C. (eds) Trust and Privacy in Digital Business. TrustBus 2006. Lecture Notes in Computer Science, vol 4083. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11824633_3


  • DOI: https://doi.org/10.1007/11824633_3

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-37750-4

  • Online ISBN: 978-3-540-37752-8
