A Cause and Effect Approach towards Risk Analysis

Risk analysis is critical for IT systems and for organizations in their daily operation. There are various tools and methods for analysing risk. Most approaches derive the risk assessment from specific factors (such as threats and vulnerabilities) without investigating the impact of the different modes in which a system operates. We therefore propose a causal approach to risk analysis built on an existing security model. Starting from a current risk analysis method, we extend it to take into account the system's operation, the causal relations between impairments, and latency effects. The approach makes explicit how an attack's chain of impairments affects the system's risk. We claim that the approach presented in this paper makes a more refined quantitative assessment of risk possible.
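To make the difference between a factor-based assessment and a causal, latency-aware one concrete, the following Python example is an added illustration and not the paper's own model. It assumes a constructed four-step chain of impairments, conditional probabilities that depend on the system's operating mode, a loss figure, and an exponential detection model parameterised by a mean time to detect; every one of these values and the helper names (`Impairment`, `chain_risk`, `residual_risk`, `detection_windows`) are hypothetical.

```python
import math
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Impairment:
    """One link in an attack chain (illustrative model, not the paper's)."""
    name: str
    p_by_mode: Dict[str, float]   # P(this impairment | the previous one occurred), per operating mode
    latency_h: float              # hours from the previous impairment until this one manifests


# Constructed sample chain and loss figure; these numbers are assumptions for the example.
SAMPLE_CHAIN: List[Impairment] = [
    Impairment("phishing foothold", {"normal": 0.3, "maintenance": 0.3}, latency_h=1.0),
    Impairment("credential theft", {"normal": 0.5, "maintenance": 0.5}, latency_h=6.0),
    Impairment("lateral movement", {"normal": 0.4, "maintenance": 0.8}, latency_h=48.0),
    Impairment("data exfiltration", {"normal": 0.9, "maintenance": 0.9}, latency_h=24.0),
]
IMPACT = 1_000_000.0  # loss if the final impairment occurs (constructed)


def static_risk(p_threat: float, p_vuln: float, impact: float) -> float:
    """Conventional factor-based estimate: threat x vulnerability x impact, no ordering, no time."""
    return p_threat * p_vuln * impact


def chain_risk(chain: List[Impairment], impact: float, horizon_h: float, mode: str) -> Tuple[float, float]:
    """Risk that the whole chain completes within horizon_h while the system is in `mode`.

    Returns (expected loss, hours until the last impairment considered). If the
    accumulated latency exceeds the horizon, the final impairment cannot occur in
    time and the risk within that horizon is zero.
    """
    p_chain = 1.0
    elapsed = 0.0
    for step in chain:
        elapsed += step.latency_h
        if elapsed > horizon_h:
            return 0.0, elapsed
        p_chain *= step.p_by_mode[mode]
    return p_chain * impact, elapsed


def detection_windows(chain: List[Impairment], mttd_h: float) -> List[Tuple[str, float, float]]:
    """For each impairment except the last, the window defenders have before the next
    one manifests, and the probability of detecting it in that window assuming an
    exponential time-to-detect with mean mttd_h (assumption)."""
    rows = []
    for step, nxt in zip(chain, chain[1:]):
        p_detect = 1.0 - math.exp(-nxt.latency_h / mttd_h)
        rows.append((step.name, nxt.latency_h, p_detect))
    return rows


def residual_risk(chain: List[Impairment], impact: float, horizon_h: float, mode: str, mttd_h: float) -> float:
    """Chain risk that survives detection at every intermediate step."""
    base, _ = chain_risk(chain, impact, horizon_h, mode)
    if base == 0.0:
        return 0.0
    survive = 1.0
    for _, _, p_detect in detection_windows(chain, mttd_h):
        survive *= 1.0 - p_detect
    return base * survive


if __name__ == "__main__":
    print(f"static estimate (0.3 x 0.5 x impact): {static_risk(0.3, 0.5, IMPACT):,.0f}")
    for mode in ("normal", "maintenance"):
        for horizon in (48.0, 168.0):
            risk, t = chain_risk(SAMPLE_CHAIN, IMPACT, horizon, mode)
            print(f"mode={mode:<11} horizon={horizon:>5.0f}h  risk={risk:>10,.0f}  chain needs {t:.0f}h")
    print(f"residual risk with MTTD 24h (normal, 168h): {residual_risk(SAMPLE_CHAIN, IMPACT, 168.0, 'normal', 24.0):,.0f}")
    for name, window, p in detection_windows(SAMPLE_CHAIN, 24.0):
        print(f"  detect '{name}' within {window:.0f}h window: p={p:.2f}")
```

Run as a script, the example shows the three effects the abstract names: the same chain yields a different loss in the `maintenance` mode than in `normal` operation, a 48-hour horizon gives zero risk because the chain's accumulated latency exceeds it, and the longest latency (before lateral movement) is where detection has the highest pay-off. A factor-based estimate produces a single number that carries none of that structure.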
