Adopting and Adapting Medical Approach in Risk Management Process for Analysing Information Security Risk

The risk management process is defined as the systematic application of management policies, procedures and practices to the tasks of establishing the context, identifying, analysing, evaluating, treating, monitoring and reviewing risk (AS/NZS ISO 31000:2009, 2009). In addition, a precise security risk analysis method should provide two key advantages (Kim et al., 2007): firstly, effective monitoring of information security policies by protecting the organisation's critical assets, and secondly, the capacity to provide appropriate information for the purpose of future prediction and for the development of secure information management. However, in the real world most organisations do not have proper data about security breaches, because they typically fail to document and systematically record threat incidents (Bojanc and Jerman-Blazic, 2008). Baker et al. (2007) state that the lack of real data on risk factors is considered one of the main problems in information security research. Therefore, most of the existing methods intended to estimate the probability that an identified vulnerability results in a security breach rely largely on guesswork or rough estimation (Baker et al., 2007; Ekelhart et al., 2009; Spears, 2006).

[1] Ketil Stølen et al. Model-based risk assessment to improve enterprise security, 2002, Proceedings. Sixth International Enterprise Distributed Object Computing.

[2] Loren Paul Rees et al. Necessary measures: metric-driven information security risk assessment and decision making, 2007, CACM.

[3] Johnathan Coleman. Assessing information security risk in healthcare organizations of different scale, 2004, CARS.

[4] Robert H. Friis et al. Epidemiology for public health practice, 1996.

[5] R. Brooks et al. Duration of IPOs between offering and listing: Cox proportional hazard models--Evidence for Chinese A-share IPOs, 2009.

[6] Per Hasvold et al. Risk analysis of information security in a mobile instant messaging and presence system for healthcare, 2007, Int. J. Medical Informatics.

[7] Ann Aschengrau et al. Essentials of Epidemiology in Public Health, 2003.

[8] Alenka Kavkler et al. Modeling Unemployment Duration in Slovenia using Cox Regression Models, 2009.

[9] Yongdai Kim et al. Asymptotic properties of the maximum likelihood estimator for the proportional hazards model with doubly censored data, 2010, J. Multivar. Anal.

[10] John W. Creswell et al. Designing and Conducting Mixed Methods Research, 2006.

[11] Carmine Zoccali et al. Cohort Studies: Prospective versus Retrospective, 2009, Nephron Clinical Practice.

[12] D. Kleinbaum et al. Survival Analysis: A Self-Learning Text, 1996.

[13] S. Love et al. Survival Analysis Part II: Multivariate data analysis – an introduction to concepts and methods, 2003, British Journal of Cancer.

[14] Axel W. Krings et al. Dynamic Hybrid Fault Modeling and Extended Evolutionary Game Theory for Reliability, Survivability and Fault Tolerance Analyses, 2011, IEEE Transactions on Reliability.

[15] Youakim Badr et al. Security And Risk Management in Supply Chains, 2007.

[16] R. Mikolajczyk. Methods and Concepts of Epidemiology, 2009.

[17] Daniel J. Ryan et al. Performance Metrics for Information Security Risk Management, 2008, IEEE Security & Privacy.

[18] Eric Châtelet et al. Optimization of maintenance policy using the proportional hazard model, 2009, Reliab. Eng. Syst. Saf.

[19] Marco Domenico Aime et al. AMBRA: automated model-based risk analysis, 2007, QoP '07.

[20] Elisa T. Lee et al. Statistical Methods for Survival Data Analysis, 1994, IEEE Transactions on Reliability.

[21] I. Maglogiannis et al. Modeling Risk in Distributed Healthcare Information Systems, 2006, 2006 International Conference of the IEEE Engineering in Medicine and Biology Society.

[22] Ping Zhu et al. Study of Customer Lifetime Value Model Based on Survival-Analysis Methods, 2009, 2009 WRI World Congress on Computer Science and Information Engineering.

[23] T. Neubauer et al. AURUM: A Framework for Information Security Risk Management, 2009, 2009 42nd Hawaii International Conference on System Sciences.

[24] W. Brass et al. Basic Statistics: A Primer for the Biomedical Sciences, 1962.

[25] Janine L. Spears. A Holistic Risk Analysis Method for Identifying Information Security Risks, 2004, IICIS.

[26] Zhanshan Ma et al. Survival Analysis Approach to Reliability, Survivability and Prognostics and Health Management (PHM), 2008, 2008 IEEE Aerospace Conference.

[27] P. Ricci. Environmental and Health Risk Assessment and Management: Principles and Practices, 2005.

[28] Ibrahim Sogukpinar et al. ISRAM: information security risk analysis method, 2005, Comput. Secur.

[29] Forrest W. Brey et al. Statistical Methods for Survival Data Analysis, 2003.

[30] R. Bhopal. Concepts of epidemiology: an integrated introduction to the ideas, theories, principles and methods of epidemiology, 2002.

[31] Ingoo Han et al. The IS risk analysis based on a business model, 2003, Inf. Manag.

[32] Xinhua Bi et al. Survival Analysis on Information Technology Adoption of Chinese Enterprises, 2008, 2008 4th International Conference on Wireless Communications, Networking and Mobile Computing.

[33] Maria Blettner et al. Types of study in medical research: part 3 of a series on evaluation of scientific publications, 2009, Deutsches Arzteblatt international.

[34] Zhanshan Ma et al. A new life system approach to the Prognostic and Health Management (PHM) with survival analysis, dynamic hybrid fault models, evolutionary game theory, and three-layer survivability analysis, 2009, 2009 IEEE Aerospace Conference.

[35] Costas Lambrinoudakis et al. Risk analysis of a patient monitoring system using Bayesian Network modeling, 2006, J. Biomed. Informatics.

[36] Soo-Hyun Park et al. Modeling and Simulation for Security Risk Propagation in Critical Information Systems, 2006, CIS.

[37] K. I. Musa et al. Prognostic factors in patients with colorectal cancer at Hospital Universiti Sains Malaysia, 2010, Asian Journal of Surgery.

[38] M. J. Norušis et al. SPSS 14.0 Advanced Statistical Procedures Companion, 2005.

[39] James Stevens et al. Introducing OCTAVE Allegro: Improving the Information Security Risk Assessment Process, 2007.

[40] Borka Jerman-Blazic et al. Towards a standard approach for quantifying an ICT security investment, 2008, Comput. Stand. Interfaces.

[41] Axel W. Krings et al. Dynamic hybrid fault models and the applications to wireless sensor networks (WSNs), 2008, MSWiM '08.

[42] T. G. Clark et al. Survival Analysis Part I: Basic concepts and first analyses, 2003, British Journal of Cancer.

[43] Zhanshan Ma et al. Competing Risks Analysis of Reliability, Survivability, and Prognostics and Health Management (PHM), 2008, 2008 IEEE Aerospace Conference.