Improving information security risk analysis by including threat-occurrence predictive models

Abstract Protecting information is a crucial issue in today's society, in both work and home environments. Over the years, different tools and technologies have contributed to safeguarding information, including risk analysis methodologies developed to evaluate the risk of threat materialization despite security measures. Traditional risk analysis methodologies base risk computation on, among other parameters, the frequency of occurrence of threats, which is gathered from available historical data. However, as new safeguards are implemented and vulnerability potential changes, threat frequencies may also change. To take into account the current state of an organization's system as well as historical data, we propose replacing past threat frequency with the probability of a threat occurring in the future. To compute this future threat probability, we use regression models, validated by a risk analysis for a Spanish SME based on Magerit (the Spanish adaptation of ISO/IEC 27005). The results show that the future probability of each threat can be calculated with accuracy, precision, sensitivity and specificity rates above 70%. Obtaining a more realistic risk estimate (one that reflects the current state of vulnerabilities) translates into the adoption of better and more efficient safeguards that reduce losses and improve information security in a business.
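The following is an added illustration of the idea in the abstract, not code, data or a model from the paper. It stands in a plain logistic regression for whichever regression models the authors validated, generates a constructed dataset under an assumed rule (a threat materialises when the vulnerability score exceeds the safeguard effectiveness), and uses a constructed impact value. It shows the two quantities the abstract contrasts, the historical threat frequency and the predicted probability for the organization's current state, feeding the same Magerit-style risk product, and it evaluates the predictor with the four rates the abstract reports.

```python
"""Added example, not code from the paper: substitute a regression-predicted
threat probability for the historical threat frequency in a Magerit-style
risk estimate (risk = probability x impact), and evaluate the predictor
with accuracy, precision, sensitivity and specificity."""
import math


def constructed_dataset():
    """Constructed observations, one per (asset, threat, period).

    Features: (vulnerability score 0..1, safeguard effectiveness 0..1).
    Label: 1 if the threat materialised in that period, else 0.
    The rule "materialises when vulnerability exceeds safeguards" is an
    assumption made only to generate data for this example.
    """
    rows = []
    for v10 in range(1, 10):
        for s10 in range(1, 10):
            v, s = v10 / 10, s10 / 10
            rows.append(((v, s), 1 if v > s else 0))
    return rows


def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))


def train_logistic(rows, lr=1.0, epochs=2000):
    """Batch gradient-descent logistic regression; no external libraries."""
    w, b, n = [0.0, 0.0], 0.0, len(rows)
    for _ in range(epochs):
        gw, gb = [0.0, 0.0], 0.0
        for (x, y) in rows:
            err = sigmoid(w[0] * x[0] + w[1] * x[1] + b) - y
            gw[0] += err * x[0]
            gw[1] += err * x[1]
            gb += err
        w[0] -= lr * gw[0] / n
        w[1] -= lr * gw[1] / n
        b -= lr * gb / n
    return w, b


def predict_probability(model, x):
    """Probability that the threat occurs given the *current* state x."""
    w, b = model
    return sigmoid(w[0] * x[0] + w[1] * x[1] + b)


def confusion(model, rows, threshold=0.5):
    """Confusion counts (tp, fp, tn, fn) of the classifier at a threshold."""
    tp = fp = tn = fn = 0
    for x, y in rows:
        yhat = 1 if predict_probability(model, x) >= threshold else 0
        if yhat and y:
            tp += 1
        elif yhat and not y:
            fp += 1
        elif not yhat and y:
            fn += 1
        else:
            tn += 1
    return tp, fp, tn, fn


def metrics(tp, fp, tn, fn):
    """Accuracy, precision, sensitivity (recall) and specificity; 0.0 when undefined."""
    total = tp + fp + tn + fn
    return {
        "accuracy": (tp + tn) / total if total else 0.0,
        "precision": tp / (tp + fp) if tp + fp else 0.0,
        "sensitivity": tp / (tp + fn) if tp + fn else 0.0,
        "specificity": tn / (tn + fp) if tn + fp else 0.0,
    }


def historical_frequency(rows):
    """Traditional input: share of observed periods in which the threat occurred."""
    return sum(y for _, y in rows) / len(rows)


def risk(probability, impact):
    """Magerit-style risk: likelihood times impact (impact in the analyst's units)."""
    return probability * impact


if __name__ == "__main__":
    data = constructed_dataset()
    model = train_logistic(data)
    print("predictor quality:", {k: round(v, 3) for k, v in metrics(*confusion(model, data)).items()})
    impact = 10_000  # constructed impact value
    freq = historical_frequency(data)
    # A new safeguard has been deployed: the current state is low vulnerability, strong safeguards.
    p_now = predict_probability(model, (0.3, 0.8))
    print("risk from historical frequency:", round(risk(freq, impact)))
    print("risk from predicted probability:", round(risk(p_now, impact)))
```

The point of the comparison at the end is the one the abstract makes: the historical frequency still carries the periods before the safeguard existed, while the regression is evaluated on the state the organization is in now, so the risk figure moves as soon as the safeguard or vulnerability inputs do. In a real analysis the features would come from the organization's asset and safeguard inventory and the model would be validated on held-out periods rather than on the training rows used here.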
