On risk: perception and direction

Stewart, Andrew J.

doi:10.1016/j.cose.2004.05.003

Cited by 40 publications

(28 citation statements)

References 7 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…For the impact and probability assessment of a risk, data regarding the impact and probability of event in a given situation for systems is needed. The major issues here are that exhaustive public available data of occurred events, impacts and their probabilities are not available [27], and the internal historic data are not available for the estimation of possible change impacts on the company. For example, the event has not occurred in this type of industry yet, within the company or the scope in this situation.…”

Section: Risk Determinationmentioning

confidence: 99%

“…For example, the impact of the event is not known or dependent on other conditions/parameters. However, side effects (multiple impacts or dependencies) or parameters are not considered and uncertainty is assessed by gut feelings or subjective security expert knowledge [27]. Although safeguards put in place are considered in the impact assessment, they are evaluated for a particular threat/vulnerability, and the side effects of other events are not considered.…”

Section: Risk Determinationmentioning

confidence: 99%

“…Furthermore, assessments are influenced by perceptions. Behavioural biases outgoing of the educational background, organizational level or positive/negative attitude of the assessor may affect the assessment of events, probabilities of occurrence or the impact estimation [16], [27], [25]. In addition, current risk assessment proceedings lead to simplification and are focused to strong on technical issues rather than on information or business issues [11].…”

Section: Risk Determinationmentioning

confidence: 99%

See 2 more Smart Citations

Problem Analysis of Traditional IT-Security Risk Assessment Methods – An Experience Report from the Insurance and Auditing Domain

Taubenberger¹,

Jürjens

et al. 2011

IFIP Advances in Information and Communication Technology

View full text Add to dashboard Cite

Abstract. Traditional information technology (IT) security risk assessment approaches are based on an analysis of events, probabilities and impacts. In practice, security experts often find it difficult to determine IT risks reliably with precision. In this paper, we review the risk determination steps of traditional risk assessment approaches and report on our experience of using such approaches. Our experience is based on performing IT audits and IT business insurance cover assessments within a reinsurance company. The paper concludes with a summary of issues concerning traditional approaches that are related to the identification and evaluation of events, probabilities and impacts. We also conclude that there is a need to develop alternative approaches, and suggest a security requirements-based risk assessment approach without events and probabilities.

show abstract

Section: Risk Determinationmentioning

confidence: 99%

Section: Risk Determinationmentioning

confidence: 99%

Section: Risk Determinationmentioning

confidence: 99%

See 1 more Smart Citation

Problem Analysis of Traditional IT-Security Risk Assessment Methods – An Experience Report from the Insurance and Auditing Domain

Taubenberger¹,

Jürjens

et al. 2011

IFIP Advances in Information and Communication Technology

View full text Add to dashboard Cite

show abstract

“…Both false positives and false negatives come with potential costs and the tools seem to strive for an optimal tradeoff between the two with respect to their users' general needs. However, in practice some users might favor few false alarms in front of high detection and some might work according to the precautionary principle (Stewart 2004), and thus favor detection rate in front of false alarms (e.g. because of extreme security requirements).…”

Section: Rq1: Accuracymentioning

confidence: 99%

A quantitative evaluation of vulnerability scanning

Holm

Sommestad

Almroth

et al. 2011

Information Management &Amp; Computer Security

View full text Add to dashboard Cite

Purpose: Evaluate if automated vulnerability scanning accurately identifies vulnerabilities in computer networks and if this accuracy is contingent on the platforms used.Design/methodology/approach: Both qualitative comparisons of functionality and quantitative comparisons of false positives and false negatives are made for seven different scanners. The quantitative assessment includes data from both authenticated and unauthenticated scans. Experiments were conducted on a computer network of 28 hosts with various operating systems, services and vulnerabilities. This network was set up by a team of security researchers and professionals. Findings:The data collected in this study show that authenticated vulnerability scanning is usable. However, automated scanning is not able to accurately identify all vulnerabilities present in computer networks. Also, scans of hosts running Windows are more accurate than scans of hosts running Linux. Research limitations/implications:This paper focuses on the direct output of automated scans with respect to the vulnerabilities they identify. Areas such as how to interpret the results assessed by each scanner (e.g. regarding remediation guidelines) or aggregating information about individual vulnerabilities into risk measures are out of scope. Practical implications:This paper describes how well automated vulnerability scanners perform when it comes to identifying security issues in a network. The findings suggest that a vulnerability scanner is a useable tool to have in your security toolbox given that user credentials are available for the hosts in your network. Manual effort is however needed to complement automated scanning in order to get satisfactory accuracy regarding network security problems. Originality/value: Previous studies have focused on the qualitative aspects on vulnerability assessment. This study presents a quantitative evaluation of seven of the most popular vulnerability scanners available on the market.

show abstract

“…The risk analysis process is a very common activity. The goal of risk analysis is usually to find vulnerabilities so that they can be patched [13]. A review of the literature suggests that the process of risk analysis is usually broken down into three stages [12]:…”

Section: Dependability Risk Modellingmentioning

confidence: 99%

Hands on Dependability Economics

Tsiakis

Katsaros

2009

2009 Second International Conference on Dependability

View full text Add to dashboard Cite

Abstract-Contemporary societies (from individuals to organizations) depend on services delivered by systems to achieve individual goals, meaning that a system must have engineered and guaranteed dependability, regardless of continuous, rapid and unpredictable technological and context changes. The simplest questions that brought out in the surface are to understand on how to evaluate and how much (money) should we spend on dependability. Dependability risk management is an effective process that with simplicity can determine the likelihood of an accident and the severities of the consequences. On the other hand, we also need quantitative methods, in order to assess the cost of the various measures which can be taken to reduce the dependability risk. In this paper, we survey quantitative methods that can play an important role in Dependability Economics. These methods aim in providing estimations for the economic consequences of lowering dependability levels and the costs to implement dependability.

show abstract

On risk: perception and direction

Cited by 40 publications

References 7 publications

Problem Analysis of Traditional IT-Security Risk Assessment Methods – An Experience Report from the Insurance and Auditing Domain

Problem Analysis of Traditional IT-Security Risk Assessment Methods – An Experience Report from the Insurance and Auditing Domain

A quantitative evaluation of vulnerability scanning

Hands on Dependability Economics

Contact Info

Product

Resources

About