论文信息 - A formal methodology for Enterprise Information Security risk assessment

A formal methodology for Enterprise Information Security risk assessment

Assets are valuable for an enterprise as they help to execute its business activities. They contain vulnerabilities, which, if exploited by threats, can cause harm to an enterprise. Risk assessment is the process of identifying potential harm (risks) that may occur if vulnerabilities are exploited by threats. Existing methodologies for assessing risks are inadequate as they fail to consider important aspects of risk elements, like asset dependency, vulnerability dependency, etc. This paper presents a formal risk assessment methodology that considers these issues during risk computation, and also identifies the actual contributors to risk values.

Anirban Sengupta | Chandan Mazumdar | Jaya Bhattacharjee

[1] Anirban Sengupta,et al. A two-phase quantitative methodology for enterprise information security risk analysis , 2014, Comput. Syst. Sci. Eng..

[2] D. Elliott Bell,et al. Secure Computer System: Unified Exposition and Multics Interpretation , 1976 .

[3] Anirban Sengupta,et al. A formal methodology for detection of vulnerabilities in an enterprise information system , 2009, 2009 Fourth International Conference on Risks and Security of Internet and Systems (CRiSIS 2009).

[4] Christopher J. Alberts,et al. OCTAVEsm Criteria, Version 2.0 , 2001 .

[5] Gary Stoneburner,et al. SP 800-30. Risk Management Guide for Information Technology Systems , 2002 .

[6] Christian Ensel. A scalable approach to automated service dependency modeling in heterogeneous environments , 2001, Proceedings Fifth IEEE International Enterprise Distributed Object Computing Conference.

[7] G. Stoneburner,et al. Risk Management Guide for Information Technology Systems: Recommendations of the National Institute of Standards and Technology , 2002 .

[8] Qian Ma,et al. Model-Based Dependency Management for Migrating Service Hosting Environment , 2007, IEEE International Conference on Services Computing (SCC 2007).

[9] Thomas Peltier,et al. Information Security Risk Analysis: A Pedagogic Model Based on a Teaching Hospital , 2006 .

[10] Nora Cuppens-Boulahia,et al. Service Dependencies in Information Systems Security , 2010, MMM-ACNS.