A systematic review of information security risk assessment

Pan, Liuxuan; Tomlinson, Alex

doi:10.2495/safe-v6-n2-270-281

Cited by 20 publications

(15 citation statements)

References 41 publications

(59 reference statements)

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…En [60] se hace una revisión de las publicaciones científicas asociadas al análisis de riesgos, pero centradas en las metodologías NIST SP800-30, ISO27005/ISO27001, OCTAVE e ISRAM. Determina que estos mecanismos de análisis de riesgos tienen importantes carencias, como por ejemplo que no pueden abordar algunos factores importantes, como son la fuga de activos, los activos creados por los usuarios y el conocimiento crítico.…”

Section: Pan L and A Tomlinson "unclassified

“…• Los métodos deben tener mecanismos de soporte a la toma de decisiones [57]. • Los resultados del análisis de riesgos son informales y poco analíticos, obteniendo puntuaciones de riesgo subjetivas [58,60]. • Necesidad de contar con orientaciones y perspectivas económicas del análisis de riesgos [60].…”

Section: Tabla 1 Modelos Identificados Durante La Revisión Sistemáticaunclassified

“…• Los resultados del análisis de riesgos son informales y poco analíticos, obteniendo puntuaciones de riesgo subjetivas [58,60]. • Necesidad de contar con orientaciones y perspectivas económicas del análisis de riesgos [60]. • Necesidad de taxonomías de riesgos actualizadas y adecuadas a las nuevas tecnologías (ICSs, IoT, Smart Grids, …) [61,64,73,76].…”

Section: Tabla 1 Modelos Identificados Durante La Revisión Sistemáticaunclassified

See 2 more Smart Citations

Realizando una Revisión Sistemática de Metodologías ISRA orientadas a la Seguridad TIC. Periodo 2014-2019

Sánchez¹,

Santos-Olmo²,

Figueroa³

et al. 2020

Seguridad Informática. X Congreso Iberoamericano, CIBSI 2020

View full text Add to dashboard Cite

Section: Pan L and A Tomlinson "unclassified

Section: Tabla 1 Modelos Identificados Durante La Revisión Sistemáticaunclassified

See 1 more Smart Citation

Realizando una Revisión Sistemática de Metodologías ISRA orientadas a la Seguridad TIC. Periodo 2014-2019

Sánchez¹,

Santos-Olmo²,

Figueroa³

et al. 2020

Seguridad Informática. X Congreso Iberoamericano, CIBSI 2020

View full text Add to dashboard Cite

“…For example, [29] used risk evaluation and risk estimation interchangeably. On the contrary, the meaning ascribed to the concepts sometimes cause confusion when improperly defined among stakeholders [30]. This study preferred to use risk evaluation for risk quantification or qualification.…”

Section: Related Workmentioning

confidence: 99%

Comparative Analysis of Risk Evaluation Models for Risk-aware Access Control in Bring Your Own Device Environment

Ganiyu¹,

Jimoh²

2018

IJISR

View full text Add to dashboard Cite

Risk evaluation models are employed by individuals and organisations to determine the level of risk involved in a process. Specifically, such model could be employed in computing risk value for risk-aware access control in bring your own device (BYOD) environment. Remarkably, several of these models vary in their coverages of risk components, output rendering formalisms and areas of application; thereby, putting the burden of model selection on users. Worst still, attempts to compare these models by previous researchers are baffled by subjective criteria that are not well-founded and often based on old taxonomy that are incompatible with pervasive environments. Thus, the study purposely formulated eight comparison criteria from characteristics of BYOD risk factors and countermeasures. Thereafter, the criteria were ranked with Analytic Hierarchy Process (AHP). Then, the ranked criteria were used to compare twelve risk evaluation methods, which were selected through three selection criteria expressly crafted for the study. Specifically, the result was rendered as numeric value, which is easy to understand by nontechnical user. In all, the comparison approach presented in this study will assist BYOD operators in selecting model that could safeguard vital information assets against unauthorised access.

show abstract

“…This would enable them to prioritise their investments and customise their security arrangements to meet the organisation's needs. Security solutions should be guided by a conceptual framework that takes into account the various insider types, as well as how security controls interact to reduce insider risk along the various threat pathways [10,26,37,44,45].…”

Section: Introductionmentioning

confidence: 99%

A Risk-Based Framework to Inform Prioritisation of Security Investment for Insider Threats

Sektas-Bilusich¹,

Nunes-Vaz²,

Chim³

et al. 2020

IJSSE

View full text Add to dashboard Cite

Threats to information security from inside an organisation are difficult to manage as insiders, by definition, have legitimate access to the organisation's information, consistent with their roles. Impacts of insider threats range from minor information compromise perhaps through carelessness, to catastrophic financial and reputational damage. Security managers are required to continually upgrade security measures to reduce the risk posed by insider threats, however with so many security controls to choose from, finding optimal security solutions based on benefit-cost is challenging. We have developed a risk-based framework called Security-in-Depth (SiD) where residual risk is the metric that assists the security manager to make informed decisions on which security packages contribute more to the organisation's security objectives. We present a case study to illustrate the way our framework is applied, customised to manage a range of insider threats. Uncertainties about the future threat spectrum and the future effectiveness of controls are included in the framework to inform the decisionmaking process.

show abstract

A systematic review of information security risk assessment

Cited by 20 publications

References 41 publications

Realizando una Revisión Sistemática de Metodologías ISRA orientadas a la Seguridad TIC. Periodo 2014-2019

Realizando una Revisión Sistemática de Metodologías ISRA orientadas a la Seguridad TIC. Periodo 2014-2019

Comparative Analysis of Risk Evaluation Models for Risk-aware Access Control in Bring Your Own Device Environment

A Risk-Based Framework to Inform Prioritisation of Security Investment for Insider Threats

Contact Info

Product

Resources

About