A Holistic Risk Analysis Method for Identifying Information Security Risks

Risk analysis is used during the planning of information security to identify security requirements, and is also often used to determine the economic feasibility of security safeguards. The traditional method of conducting a risk analysis is technology-driven and has several shortcomings. First, its focus on technology comes to the detriment of considering people and processes as significant sources of security risk. Second, an analysis driven by technical assets can be overly time-consuming and costly. Third, the traditional risk analysis method employs calculations based largely on guesswork to estimate the probability and financial loss of a security breach. Finally, an IT-centric approach to security risk analysis does not involve business users to the extent necessary to identify a comprehensive set of risks, or to promote security awareness throughout an organization. This paper proposes an alternative, holistic method of conducting risk analysis. A holistic risk analysis, as defined in this paper, is one that attempts to identify a comprehensive set of risks by focusing equally on technology, information, people, and processes. The method is driven by critical business processes, which gives the analysis focus and relevance. Key aspects of the method include a business-driven analysis, user participation in the analysis, architecture and data flow diagrams as a means to identify relevant IT assets, risk scenarios to capture procedural and security details, and qualitative estimation. The mixture of people and tools involved in the analysis is expected to result in a more comprehensive set of identified risks and a significant increase in security awareness throughout the organization.
