A Comparative Study of Risk Assessment Methods, MEHARI & CRAMM with a New Formal Model of Risk Assessment (FoMRA) in Information Systems

In this article, we present a comparative study of a newly developed formal mathematical model of risk assessment (FoMRA) against expert methods of risk assessment in information systems (IS). The proposed analysis verified the correctness of the theoretical assumptions of the developed model. The paper presents worked examples of computations illustrating the application of FoMRA and of two internationally known and accepted risk assessment methods, MEHARI and CRAMM, all related to a specific unit of the public administration operating in Poland.
