A framework for estimating information security risk assessment method completeness

In general, an information security risk assessment (ISRA) method produces risk estimates, where risk is the product of the probability of occurrence of an event and the associated consequences for the given organization. ISRA practices vary among industries and disciplines, resulting in various approaches and methods for risk assessment. Several methods exist for comparing ISRA methods, but they are scoped to compare the content of the methods against a predefined set of criteria, rather than the process tasks to be carried out and the issues each method is designed to address. It is this lack of an all-inclusive and comprehensive comparison that motivates this work. This paper proposes the Core Unified Risk Framework (CURF) as an all-inclusive approach to comparing different methods; it is all-inclusive because we grew CURF organically by adding new issues and tasks from each reviewed method. If a task or issue was present in a surveyed ISRA method but not in CURF, it was appended to the model, thus yielding a measure of completeness for the studied methods. The scope of this work is primarily functional-approach risk assessment procedures, which are the formal ISRA methods that focus on assessments of assets, threats, vulnerabilities, and protections, often with measures of probability and consequence. The proposed approach allowed for a detailed qualitative comparison of the processes and activities in each method and provided a measure of completeness. This study does not address aspects beyond risk identification, estimation, and evaluation; considering the total of all three activities, we found the “ISO/IEC 27005 Information Security Risk Management” to be the most complete approach at present. For risk estimation only, we found the Factor Analysis of Information Risk and ISO/IEC 27005:2011 to be the most complete frameworks. In addition, this study discovers and analyzes several gaps in the surveyed methods.
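The following is an added illustration of the comparison procedure the abstract describes, not code from the paper: a framework is grown as the union of every task seen in any surveyed method, and each method's completeness is then measured against that union, per activity and in total. The method names, the task lists, and the scoring rule (share of the union's tasks that a method covers, with no partial credit) are constructed assumptions; the paper's own scoring may differ.

```python
# Added example of a CURF-style completeness comparison. Not the paper's code.
# Method names, task sets and the coverage-share scoring rule are constructed
# assumptions for demonstration only.
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample: tasks each (hypothetical) method covers, per ISRA activity.
SAMPLE_METHODS: Dict[str, Dict[str, Set[str]]] = {
    "Method A": {
        "identification": {"asset identification", "threat identification",
                           "vulnerability identification"},
        "estimation": {"probability estimation", "consequence estimation"},
        "evaluation": {"risk ranking"},
    },
    "Method B": {
        "identification": {"asset identification", "threat identification",
                           "control identification"},
        "estimation": {"probability estimation", "consequence estimation",
                       "risk scenario estimation"},
        "evaluation": {"risk ranking", "risk acceptance criteria"},
    },
    "Method C": {
        "identification": {"asset identification", "threat identification",
                           "vulnerability identification", "control identification"},
        "estimation": {"probability estimation"},
        "evaluation": {"risk acceptance criteria"},
    },
}


def grow_curf(methods: Dict[str, Dict[str, Set[str]]]) -> Dict[str, Set[str]]:
    """Grow the framework organically: any task found in a surveyed method that
    is not yet in the framework is appended under its activity."""
    curf: Dict[str, Set[str]] = {}
    for tasks_by_activity in methods.values():
        for activity, tasks in tasks_by_activity.items():
            curf.setdefault(activity, set()).update(tasks)
    return curf


def completeness(method_tasks: Dict[str, Set[str]], curf: Dict[str, Set[str]],
                 activities: Optional[List[str]] = None) -> float:
    """Assumed scoring rule: fraction of the framework's tasks (over the chosen
    activities, default all) that the method covers."""
    chosen = activities if activities is not None else list(curf)
    total = sum(len(curf[a]) for a in chosen)
    covered = sum(len(curf[a] & method_tasks.get(a, set())) for a in chosen)
    return covered / total if total else 0.0


def rank_methods(methods: Dict[str, Dict[str, Set[str]]],
                 activities: Optional[List[str]] = None) -> List[Tuple[str, float]]:
    """Score every method against the grown framework; highest completeness first,
    ties broken by name so the ordering is deterministic."""
    curf = grow_curf(methods)
    scores = [(name, round(completeness(tasks, curf, activities), 3))
              for name, tasks in methods.items()]
    return sorted(scores, key=lambda s: (-s[1], s[0]))


def gaps(method_tasks: Dict[str, Set[str]], curf: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Framework tasks the method does not address, grouped by activity
    (activities with no gap are omitted)."""
    result: Dict[str, Set[str]] = {}
    for activity, tasks in curf.items():
        missing = tasks - method_tasks.get(activity, set())
        if missing:
            result[activity] = missing
    return result


if __name__ == "__main__":
    framework = grow_curf(SAMPLE_METHODS)
    print("Framework size per activity:", {a: len(t) for a, t in framework.items()})
    print("Overall ranking:", rank_methods(SAMPLE_METHODS))
    print("Estimation-only ranking:", rank_methods(SAMPLE_METHODS, ["estimation"]))
    print("Gaps in Method A:", gaps(SAMPLE_METHODS["Method A"], framework))
```

Restricting `activities` to `["estimation"]` reproduces the abstract's second kind of comparison (estimation only), and `gaps` lists exactly which framework tasks a method lacks, which is the gap analysis the study performs on the surveyed methods.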
