A framework for estimating information security risk assessment method completeness

Wangen, Gaute; Hallstensen, Christoffer; Snekkenes, Einar

doi:10.1007/s10207-017-0382-0

Cited by 73 publications

(75 citation statements)

References 20 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…This scheme makes them less suited for analyzing cause-effect relationships between method and results, since causes not present in the criteria may be neglected. The CURF bottom-up approach [5] solves this problem by mapping ISRA method content and using it as comparison criteria. For each added method reviewed in CURF, we identify which tasks the approach covers and combine all the tasks covered by all surveyed methods into a combined set.…”

Section: B Curf and Included Isra Methodsmentioning

confidence: 99%

“…The row scores reveal how well the ISRA methods scored overall. The three ISRA methods included in this study was also used as input for developing CURF (see [5]), following is a summary of each method and their differences.…”

Section: B Curf and Included Isra Methodsmentioning

confidence: 99%

“…It centers on assets, threats, controls, vulnerabilities, consequences, and likelihood. The ISO27005 scored the highest on the ISRA completeness measurement [5], Table I. We chose to include the ISO/IEC 27005:2011 as it is regarded as the best practice standard for ISRM.…”

Section: ) Nsmrosmentioning

confidence: 99%

“…The data for this study was collected through multiple risk assessment case studies in a Norwegian academic institution. Firstly, we apply the results from Core Unified Risk Framework (CURF) [5] to define distinctiveness of each method. Secondly, we collect and analyze experience data from ISRA groups.…”

mentioning

confidence: 99%

See 3 more Smart Citations

Information Security Risk Assessment: A Method Comparison

Wangen

2017

Computer

Self Cite

View full text Add to dashboard Cite

Abstract-Information security risk assessments (ISRA) are per-formed daily according to different standards and industry methodologies, but how does the choice of a method affect the assessment process and its end results? This research qualitatively investigates the observable differences in effects from choosing one method over another. Through multiple empirical case studies, our work compares the application of three ISRA methods. We first outline the theoretical differences between the three methods and then analyze the experience data collected from the risk assessment teams. Finally, we examine the metadata of the produced risk assessments to identify differences. Our study found that the choice of a method influences the assessment process, along with its outcome.

show abstract

Section: B Curf and Included Isra Methodsmentioning

confidence: 99%

Section: B Curf and Included Isra Methodsmentioning

confidence: 99%

Section: ) Nsmrosmentioning

confidence: 99%

mentioning

confidence: 99%

See 2 more Smart Citations

Information Security Risk Assessment: A Method Comparison

Wangen

2017

Computer

Self Cite

View full text Add to dashboard Cite

show abstract

“…There several tasks that are common when conducting an ISRAn [17], we gathered the common denominators and asked the participants to rate them according to their importance, 1 -Not important to 6 -Very important. Table XIV displays the results, with no notable difference between any groups.…”

Section: F What Is the Most Important Task Of The Isra?mentioning

confidence: 99%

An initial insight into Information Security Risk Assessment practices

Wangen¹

2016

Annals of Computer Science and Information Systems

Self Cite

View full text Add to dashboard Cite

Abstract-Much of the debate surrounding risk management in information security (InfoSec) has been at the academic level, where the question of how practitioners view predominant issues is an essential element often left unexplored. Thus, this article represents an initial insight into how the InfoSec risk professionals see the InfoSec risk assessment (ISRA) field. We present the results of a 46-participant study where have gathered data regarding known issues in ISRA. The survey design was such that we collected both qualitative and quantitative data for analysis. One of the key contributions from the study is knowledge regarding how to handle risks at different organizational tiers, together with an insight into key roles and knowledge needed to conduct risk assessments. Also, we document several issues concerning the application of qualitative and quantitative methods, together with drawbacks and advantages. The findings of the analysis provides incentives to strengthen the research and scientific work for future research in InfoSec management.

show abstract

Quantifying and Analyzing Information Security Risk from Incident Data

Wangen

2019

Graphical Models for Security

View full text Add to dashboard Cite

A framework for estimating information security risk assessment method completeness

Cited by 73 publications

References 20 publications

Information Security Risk Assessment: A Method Comparison

Information Security Risk Assessment: A Method Comparison

An initial insight into Information Security Risk Assessment practices

Quantifying and Analyzing Information Security Risk from Incident Data

Contact Info

Product

Resources

About