A conceptual framework of info structure for information security risk assessment (ISRA)

Information security has become a vital concern for most organizations because information now moves across a borderless and vulnerable world. Much of this concern centres on information security risk assessment (ISRA), which is a key method not only for identifying and prioritizing information assets but also for identifying and monitoring the specific threats an organization faces, in particular the likelihood of those threats occurring and their impact on the respective businesses. However, organizations wanting to conduct a risk assessment may have difficulty selecting a method that suits their needs, because numerous methodologies are readily available and there is no agreed reference benchmark or comparative framework for evaluating how well these ISRA methods assess information security risk. In practice, an organization chooses the most appropriate ISRA method by carrying out a detailed comparative study of the available methodologies before selecting one for the risk assessment. This paper proposes a conceptual framework of info-structure for ISRA, developed by comparing and analysing six currently available methodologies. The info-structure for ISRA aims to give organizations a general view of the ISRA flow and to gather the requirements that must be met before a risk assessment can be conducted successfully. Organizations can use this info-structure to complete the required planning and to select a suitable method for carrying out the ISRA.
