Modeling dependencies in security risk management

This paper develops a framework for analyzing dependencies among security risks in an organization and ranking those risks. The framework captures how risk ‘diffuses’ through complex interactions and settles into an equilibrium, using a Risk-Rank algorithm introduced here. A conceptual structure of the organization, comprising business units, security threats and vulnerabilities, and people, serves as the model over which risk dependencies and cascades are expressed. The Risk-Rank algorithm captures risk diffusion over time and ranks risks by balancing the immediate risk carried by each element against the future risk that reaches it by cascading across system dependencies. The framework thus supports a systematic prioritization of risks in organizations.
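The abstract gives the idea of Risk-Rank but not its formula. The following is an added illustration, written for this page and not the paper's own algorithm: a PageRank-style fixed-point iteration over a small constructed dependency graph of business units, threats/vulnerabilities and people. Each node carries an intrinsic "immediate" risk; an edge (src, dst, w) sends a share w of src's risk onto dst; and a single parameter alpha weights immediate risk against the risk arriving through cascades, which is the balance the abstract describes. The graph, the weights, the node names and the parameter alpha are all assumptions made for the example.

```python
"""Dependency-aware risk ranking by iterative diffusion (added example).

Model (an assumption for this illustration, not the paper's own Risk-Rank):
    r_i = alpha * immediate_i + (1 - alpha) * sum_j w_ji * r_j
iterated until the vector r stops changing, i.e. reaches an equilibrium.
"""
from typing import Dict, List, Tuple

Node = str

# Constructed organisational dependency graph. Edge (src, dst, w): a share w of
# the risk present at src cascades onto dst. Out-weights of a node sum to <= 1.
EDGES: List[Tuple[Node, Node, float]] = [
    ("Threat:Phishing", "Person:Admin", 1.0),
    ("Person:Admin", "BU:Payments", 0.7),
    ("Person:Admin", "BU:HR", 0.3),
    ("Vuln:UnpatchedVPN", "BU:Payments", 0.5),
    ("Vuln:UnpatchedVPN", "BU:HR", 0.5),
    ("BU:HR", "Person:Admin", 1.0),  # cycle: compromised HR staff reach the admin
]

# Constructed intrinsic (immediate) risk scores, before any cascading.
IMMEDIATE: Dict[Node, float] = {
    "BU:Payments": 0.1,
    "BU:HR": 0.1,
    "Threat:Phishing": 0.6,
    "Vuln:UnpatchedVPN": 0.8,
    "Person:Admin": 0.2,
}


def validate(immediate: Dict[Node, float], edges: List[Tuple[Node, Node, float]]) -> None:
    """Reject graphs that would not converge or reference unknown nodes."""
    out_weight: Dict[Node, float] = {n: 0.0 for n in immediate}
    for src, dst, w in edges:
        if src not in immediate or dst not in immediate:
            raise ValueError(f"edge {src}->{dst} references an unknown node")
        if w < 0:
            raise ValueError(f"negative weight on {src}->{dst}")
        out_weight[src] += w
    for n, total in out_weight.items():
        if total > 1.0 + 1e-12:
            raise ValueError(f"out-weights of {n} sum to {total:.3f} > 1")


def risk_rank(immediate: Dict[Node, float], edges: List[Tuple[Node, Node, float]],
              alpha: float, tol: float = 1e-10, max_iter: int = 10_000) -> Dict[Node, float]:
    """Diffuse risk until the scores reach a fixed point; alpha in (0, 1]."""
    if not 0.0 < alpha <= 1.0:
        raise ValueError("alpha must be in (0, 1]")
    validate(immediate, edges)
    r = dict(immediate)
    for _ in range(max_iter):
        inflow = {n: 0.0 for n in immediate}
        for src, dst, w in edges:
            inflow[dst] += w * r[src]
        new = {n: alpha * immediate[n] + (1.0 - alpha) * inflow[n] for n in immediate}
        delta = max(abs(new[n] - r[n]) for n in immediate)
        r = new
        if delta < tol:
            break
    return r


def residual(r: Dict[Node, float], immediate: Dict[Node, float],
             edges: List[Tuple[Node, Node, float]], alpha: float) -> float:
    """How far r is from satisfying the fixed-point equation (0 at equilibrium)."""
    inflow = {n: 0.0 for n in immediate}
    for src, dst, w in edges:
        inflow[dst] += w * r[src]
    return max(abs(r[n] - (alpha * immediate[n] + (1.0 - alpha) * inflow[n]))
               for n in immediate)


def ranked(r: Dict[Node, float]) -> List[Tuple[Node, float]]:
    """Nodes ordered from highest to lowest equilibrium risk."""
    return sorted(r.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    # Heavy weight on immediate risk: the raw vulnerability ranks first.
    # Heavy weight on cascaded risk: the admin account inside the HR<->Admin
    # cycle, which feeds the payments unit, overtakes it.
    for alpha in (0.9, 0.1):
        print(f"alpha={alpha}")
        for node, score in ranked(risk_rank(IMMEDIATE, EDGES, alpha)):
            print(f"  {node:<20} {score:.4f}")
```

The knob alpha is what the abstract calls balancing immediate against future risk: at alpha close to 1 the ranking is essentially the intrinsic scores, while lowering alpha lets risk that arrives through dependency chains (and cycles, such as the HR staff to admin loop) dominate. The validation step matters in practice: if a node's out-weights exceed 1 the iteration can amplify risk without bound instead of settling.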