Dependency Analysis of Risks in Information Security



Abstract


This paper presents an abstract concept of security planning processes, using a simple model to express conditional risk factors. This analytical work emphasizes the relationships between the major security planning phases. It discusses the chain of logical events that describes dependence in risk propagation and proves the theorem of causal risk propagation through the subsequent planning phases. This unique work can provide useful guidance for efficient security planning and risk management applicable to various engineering fields. Because of its generic nature, it can also be applied to multi-disciplinary dependency analyses, quality control, and the development of risk assessment tools and techniques. This risk analysis method can also provide a theoretical basis for information security education. Theoretical risk assessment in information security has not been thoroughly undertaken; security research should provide approaches that are theoretically sound as well as practical and realistic.
Copyright © 2013 Praise Worthy Prize - All rights reserved.

Keywords


Foundations of Computer Security; Information Security Education; Quantitative Risk Assessment; Probabilistic Risk Propagation


