Current challenges in information security risk management

Fenz, Stefan; Heurix, Johannes; Neubauer, Thomas; Pechstein, Fabian

doi:10.1108/imcs-07-2013-0053

Cited by 75 publications

(63 citation statements)

References 32 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The current installment of the NIST SP 800-30 -Guide for Conducting Risk Assessments is at revision one [18] (NIST80030) and was developed to further statutory responsibilities under the Federal Information Security Management Act. NIST800-30 was designed to aid larger and complex organizations in information risk management.…”

Section: Reviewed Methodsmentioning

confidence: 99%

“…However, reaching realistic estimates of P&C has been one of the major challenges of the InfoSec risk community since the very beginning [35,36], especially in the quantitative approaches [37]. We have defined the following issues and tasks for the ISRA estimation process (supplemented with issues and tasks from the risk identification process): Table 2 Risk estimation processes and output comparison.…”

Section: Main Process 2: Risk Estimationmentioning

confidence: 99%

“…We have defined the following issues and tasks for the ISRA estimation process (supplemented with issues and tasks from the risk identification process): Table 2 Risk estimation processes and output comparison. Scores: XX -Threat assessment (TA) expands the definition of risk identification, and the ISRA methods can provide tools to estimate the particular threat agent's (i) willingness/motivation to attack [11,18], (ii) capability in terms of know how [5,18], (iii) capacity in terms of resources available to conduct the attack [5], and (iv) the potential Attack duration which is often related to the consequences of the attack [5,19,20]. An example of the latter is the DDoS attack where the outcome of the event will be tightly related to the threats capacity to conduct a lengthy DDoS attack.…”

Section: Main Process 2: Risk Estimationmentioning

confidence: 99%

“…99-110). -The Risk aggregation (RAg) activity is conducted to roll up several linked, often low-level risks into a more general or higher-level risk [18]. During an event, interconnected individual risks can also aggregate into a more severe risk into a worst-case scenario.…”

Section: Main Process 2: Risk Estimationmentioning

confidence: 99%

“…The NIST SP 800-30 R.1 [18] is a sequential method based on the R = PxC definition of risk. The method scored two points below average completeness in the risk identification phase.…”

Section: Nist Special Publication 800-30 Revision X-guide For Conducmentioning

confidence: 99%

See 4 more Smart Citations

A framework for estimating information security risk assessment method completeness

Wangen¹,

Hallstensen²,

Snekkenes³

2017

Int. J. Inf. Secur.

View full text Add to dashboard Cite

In general, an information security risk assessment (ISRA) method produces risk estimates, where risk is the product of the probability of occurrence of an event and the associated consequences for the given organization. ISRA practices vary among industries and disciplines, resulting in various approaches and methods for risk assessments. There exist several methods for comparing ISRA methods, but these are scoped to compare the content of the methods to a predefined set of criteria, rather than process tasks to be carried out and the issues the method is designed to address. It is the lack of an all-inclusive and comprehensive comparison that motivates this work. This paper proposes the Core Unified Risk Framework (CURF) as an all-inclusive approach to compare different methods, all-inclusive since we grew CURF organically by adding new issues and tasks from each reviewed method. If a task or issue was present in surveyed ISRA method, but not in CURF, it was appended to the model, thus obtaining a measure of completeness for the studied methods. The scope of this work is primarily functional approaches risk assessment procedures, which are the formal ISRA methods that focus on assessments of assets, threats, vulnerabilities, and protections, often with measures of probability and consequence. The proposed approach allowed for Digital Security Section, NTNU, Teknologiveien 22, 2815 Gjøvik, Norway a detailed qualitative comparison of processes and activities in each method and provided a measure of completeness. This study does not address aspects beyond risk identification, estimation, and evaluation; considering the total of all three activities, we found the "ISO/IEC 27005 Information Security Risk Management" to be the most complete approach at present. For risk estimation only, we found the Factor Analysis of Information Risk and ISO/IEC 27005:2011 as the most complete frameworks. In addition, this study discovers and analyzes several gaps in the surveyed methods.

show abstract

Section: Reviewed Methodsmentioning

confidence: 99%

Section: Main Process 2: Risk Estimationmentioning

confidence: 99%

Section: Main Process 2: Risk Estimationmentioning

confidence: 99%

Section: Main Process 2: Risk Estimationmentioning

confidence: 99%

“…The NIST SP 800-30 R.1 [18] is a sequential method based on the R = PxC definition of risk. The method scored two points below average completeness in the risk identification phase.…”

Section: Nist Special Publication 800-30 Revision X-guide For Conducmentioning

confidence: 99%

See 3 more Smart Citations