A two-phase quantitative methodology for enterprise information security risk analysis

As enterprise information infrastructure becomes more complex and interconnected, the number of risks to enterprise assets is increasing. Hence, the process of identifying, analysing and mitigating information security risks has assumed utmost importance. This paper presents a quantitative information security risk analysis methodology for enterprises. The proposed methodology incorporates two approaches. The consolidated approach identifies risk as a single value for each asset. The detailed approach identifies the threat-vulnerability pair responsible for a risk and computes a risk factor corresponding to each security property for every asset. The assets are classified into three risk zones, namely high, medium and low. For high-risk assets, management may install high-cost infrastructure to safeguard the asset; for medium-risk assets, management may apply security policies, guidelines and procedures; for low-risk assets, management may decide not to invest anything.
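The two-phase structure described above (a detailed per-property risk factor traced to its threat-vulnerability pair, a consolidated single value per asset, and placement into high/medium/low zones) as an added Python illustration; this is not the paper's own code, and the scoring formula (likelihood times impact, taken over the worst pair), the 0..1 scales, the zone thresholds and the sample assets are all assumptions constructed for the example.

```python
from dataclasses import dataclass

PROPERTIES = ("confidentiality", "integrity", "availability")

@dataclass(frozen=True)
class ThreatVulnPair:
    """One threat exploiting one vulnerability on an asset (constructed sample)."""
    threat: str
    vulnerability: str
    likelihood: float   # assumed 0..1 scale
    impact: dict        # assumed per-property impact on a 0..1 scale

def detailed_risk(pairs):
    """Detailed approach: one risk factor per security property, together with
    the threat-vulnerability pair that drives it. Likelihood x impact with the
    maximum over pairs is an assumed formula, not the paper's."""
    result = {}
    for prop in PROPERTIES:
        worst = max(pairs, key=lambda p: p.likelihood * p.impact.get(prop, 0.0))
        score = round(worst.likelihood * worst.impact.get(prop, 0.0), 3)
        result[prop] = (score, f"{worst.threat} via {worst.vulnerability}")
    return result

def consolidated_risk(pairs):
    """Consolidated approach: a single value per asset (assumed: the highest
    per-property risk factor, so the weakest property decides the zone)."""
    return max(score for score, _ in detailed_risk(pairs).values())

def risk_zone(value, high=0.6, medium=0.3):
    """Place the asset in the high, medium or low risk zone (thresholds assumed)."""
    if value >= high:
        return "high"
    return "medium" if value >= medium else "low"

# Constructed sample inventory: asset name -> its threat-vulnerability pairs.
ASSETS = {
    "customer-db": [
        ThreatVulnPair("SQL injection", "unvalidated input", 0.8,
                       {"confidentiality": 0.9, "integrity": 0.7, "availability": 0.2}),
        ThreatVulnPair("disk failure", "no redundancy", 0.3, {"availability": 0.8}),
    ],
    "intranet-wiki": [
        ThreatVulnPair("defacement", "weak admin password", 0.7,
                       {"integrity": 0.5, "availability": 0.3}),
    ],
}

def classify_assets(assets=ASSETS):
    """Map each asset to its (consolidated risk value, zone)."""
    return {name: (round(consolidated_risk(p), 3), risk_zone(consolidated_risk(p)))
            for name, p in assets.items()}
```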