Risk Management for IT Security: When Theory Meets Practice

A Layer-Based Risk Tool (LBRT) for IT security management in a corporate environment is presented and discussed. The Risk-Rank algorithm is modified for implementation in this tool by taking practical considerations into account. During the actual assessment of operational risk in the organization, the focus is shifted to a security requirement-based approach, and absolute risk values are computed instead of relative risk probabilities. In addition, a risk mitigation algorithm is proposed to find the optimum set of measures under given budget constraints. A dynamic programming formulation is presented, and a shortest path solution is obtained based on Dijkstra's algorithm. The risk assessment and mitigation algorithms are illustrated and evaluated with numerical examples.
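The abstract names a dynamic programming formulation of measure selection under a budget that is solved as a shortest path with Dijkstra's algorithm, but gives no details. The following is an added illustration of that kind of formulation, not the paper's own algorithm or data: it assumes each measure has a fixed cost and an independent, additive reduction of absolute risk, and the measure list, costs, reductions and baseline risk are constructed for the example. The state graph is (measures decided so far, budget spent); skipping a measure costs the risk it would have removed, taking it costs nothing but consumes budget, so the shortest path gives the least unmitigated risk within budget. A brute-force subset search is included to check the result on small inputs.

```python
import heapq
from itertools import combinations

# Constructed sample data (not from the paper): each candidate mitigation
# measure has a cost and the absolute risk (e.g. expected annual loss in
# thousands) it removes. Reductions are assumed independent and additive.
MEASURES = [
    # (name, cost, risk_reduction)
    ("patch-management", 30, 40.0),
    ("mfa-for-admins", 20, 35.0),
    ("network-segmentation", 50, 55.0),
    ("backup-hardening", 25, 20.0),
    ("security-awareness", 10, 8.0),
]
BASELINE_RISK = 200.0  # assumed total absolute risk before any measure


def select_measures(measures, budget, baseline_risk):
    """Pick the subset of measures that minimises residual risk within budget.

    Dynamic-programming state (i, spent): the first i measures have been
    decided and `spent` units of budget are committed. Two edges leave each
    state: 'skip measure i' with weight r_i (risk left unmitigated) and
    'take measure i' with weight 0, allowed only if spent + c_i <= budget.
    All weights are non-negative, so Dijkstra on this DAG finds the path
    from (0, 0) to some (n, spent) with the least unmitigated risk.
    Returns (residual_risk, chosen_measure_names, total_cost).
    """
    n = len(measures)
    start = (0, 0)
    dist = {start: 0.0}
    prev = {}
    heap = [(0.0, start)]
    while heap:
        d, state = heapq.heappop(heap)
        i, spent = state
        if d > dist[state] or i == n:
            continue  # stale heap entry, or terminal state
        _, cost, reduction = measures[i]
        successors = [((i + 1, spent), reduction, False)]  # skip measure i
        if spent + cost <= budget:
            successors.append(((i + 1, spent + cost), 0.0, True))  # take it
        for nxt, weight, took in successors:
            nd = d + weight
            if nd < dist.get(nxt, float("inf")):
                dist[nxt] = nd
                prev[nxt] = (state, took)
                heapq.heappush(heap, (nd, nxt))
    # Best terminal state: least unmitigated risk, then least spend on ties.
    unmitigated, best_spent = min((d, s) for (i, s), d in dist.items() if i == n)
    # Walk the predecessor chain back to the start to recover the decisions.
    chosen = []
    node = (n, best_spent)
    while node != start:
        node, took = prev[node]
        if took:
            chosen.append(measures[node[0]][0])
    chosen.reverse()
    applied = sum(r for _, _, r in measures) - unmitigated
    return baseline_risk - applied, chosen, best_spent


def brute_force(measures, budget, baseline_risk):
    """Exhaustive check over every subset; only feasible for small inputs."""
    best = (baseline_risk, [], 0)
    for k in range(len(measures) + 1):
        for combo in combinations(range(len(measures)), k):
            cost = sum(measures[j][1] for j in combo)
            if cost > budget:
                continue
            residual = baseline_risk - sum(measures[j][2] for j in combo)
            if (residual, cost) < (best[0], best[2]):
                best = (residual, [measures[j][0] for j in combo], cost)
    return best


if __name__ == "__main__":
    for budget in (0, 60, 100):
        residual, chosen, cost = select_measures(MEASURES, budget, BASELINE_RISK)
        print(f"budget={budget}: residual risk {residual}, cost {cost}, measures {chosen}")
```

The state space has at most n times (budget + 1) nodes, so the shortest-path solution scales polynomially in the budget, whereas the brute-force search is exponential in the number of measures; the additivity assumption is what makes the per-measure edge weights well defined, and a tool modelling interdependent risks would need state that captures those dependencies.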
