Current established risk assessment methodologies and tools

The technology behind information systems evolves at an exponential rate while at the same time becoming more and more ubiquitous. This brings with it an implicit rise in the average complexity of systems as well as in the number of their external interactions. In order to allow a proper assessment of the security of such (sub)systems, a whole arsenal of methodologies, methods and tools has been developed in recent years. However, most security auditors commonly use only the very small subset of this collection that best suits their needs. This thesis aims at uncovering the differences and limitations of the most common risk assessment frameworks, the conceptual models that support them, and the tools that implement them. This is done in order to gain a better understanding of the applicability of each method and/or tool and to suggest guidelines for picking the most suitable one.
