论文信息 - Information Security Risk Assessment — A Practical Approach with a Mathematical Formulation of Risk

Information Security Risk Assessment — A Practical Approach with a Mathematical Formulation of Risk

Risk management methodologies, such as Mehari, Ebios, CRAMM and SP 800-30 (NIST) use a common step based on threat, vulnerability and probability witch are typically evaluated intuitively using verbal hazard scales such as low, medium, high. Because of their subjectivity, these categories are extremely difficult to assign to threats, vulnerabilities and probability, or indeed, to interpret with any degree of confidence. The purpose of the paper is to propose a mathematical formulation of risk by using a lower level of granularity of its elements: threat, probability, criteria used to determine an asset‘s value, exposure, frequency and existing protection measure. General Terms Security risk assessment, risk management system, framework, audit, information system.

[1] Rabiah Ahmad,et al. A conceptual framework of info structure for information security risk assessment (ISRA) , 2013, J. Inf. Secur. Appl..

[2] Stefan Fenz,et al. Automation Possibilities in Information Security Management , 2011, 2011 European Intelligence and Security Informatics Conference.

[3] Peter Norvig,et al. Artificial Intelligence: A Modern Approach , 1995 .

[4] Mark Talabis,et al. Information Security Risk Assessment Toolkit: Practical Assessments through Data Collection and Data Analysis , 2012 .

[5] Kamel Adi,et al. A framework for risk assessment in access control systems , 2013, Comput. Secur..

[6] Jake Kouns,et al. Information Technology Risk Management in Enterprise Environments: A Review of Industry Practices and a Practical Guide to Risk Management Teams , 2010 .

[7] Mohamed S. Saleh,et al. A new comprehensive framework for enterprise information security risk management , 2011 .

[8] Stefan Fenz,et al. AURUM: A Framework for Information Security Risk Management , 2009, 2009 42nd Hawaii International Conference on System Sciences.

[9] Roxanne E. Burkey,et al. Designing a total data solution : technology, implementation and deployment , 2000 .

[10] Iyad Abu Doush,et al. Multi-Agent Systems - Modeling, Control, Programming, Simulations and Applications , 2011 .