ISRAM: information security risk analysis method

The continuously changing nature of the technological environment forces the process of information security risk analysis to be revised accordingly. A number of quantitative and qualitative risk analysis methods have been proposed by researchers and vendors. The purpose of these methods is to analyze today's information security risks properly, and some of them are supported by a software package. In this study, a survey-based quantitative approach is proposed to analyze the security risks of information technologies while taking current necessities into consideration. The new method is named the Information Security Risk Analysis Method (ISRAM). A case study has shown that ISRAM yields consistent results in a reasonable time period while allowing the participation of the managers and staff of the organization.
