
Methods of Risk Assessment for Information Security Management


DOI: https://doi.org/10.15866/irecos.v11i2.8233

Abstract


The study showed that analysis and risk assessment rely mainly on statistical data about incidents and information security threats. In many countries such statistics are not kept at the state level, which limits the usefulness of existing tools for national use. It should also be noted that the tools studied impose certain limitations on the expert (on the set of parameters used) and restrict the range of values that can be applied in an evaluation. On this basis, two methods of risk analysis and assessment are presented that allow a wide range of parameters to be used, making it possible to build a more flexible assessment tool and to calculate risks both from statistics and from expert judgment made under uncertainty in a formalized setting, taking into account the time period, the industry, and the economic and managerial specifics of the enterprise. In addition, the developed methods make it possible to present the results both in numerical and in verbal form, for example by means of a linguistic variable, which is often used to describe complex systems whose parameters are expressed not only quantitatively but also qualitatively.
Copyright © 2016 Praise Worthy Prize - All rights reserved.

Keywords


Method of Analysis and Information Security Risk Assessment; Risk; Risk Analysis; Risk Assessment; Risk Management; Risk Profile


