Abstract
Risk analysis is used during information security planning to identify security requirements, and it is often also used to judge the economic feasibility of security safeguards. The traditional method of conducting a risk analysis is technology-driven and has several shortcomings. First, its focus on technology comes at the expense of treating people and processes as significant sources of security risk. Second, an analysis driven by an inventory of technical assets can be overly time-consuming and costly. Third, the traditional method relies on calculations whose inputs, the probability and the financial loss of a security breach, are largely guesswork. Finally, an IT-centric approach does not involve business users to the extent needed to identify a comprehensive set of risks or to promote security awareness throughout the organization. This paper proposes an alternative, holistic method of conducting risk analysis. A holistic risk analysis, as defined here, is one that attempts to identify a comprehensive set of risks by giving equal attention to technology, information, people, and processes. The method is driven by critical business processes, which gives the analysis focus and relevance. Its key elements are a business-driven analysis, user participation, architecture and data flow diagrams as the means of identifying the relevant IT assets, risk scenarios that capture procedural and security details, and qualitative estimation in place of numeric probability and loss figures. The combination of people and tools involved in the analysis is expected to yield a more comprehensive set of identified risks and a significant increase in security awareness throughout the organization.
© 2005 International Federation for Information Processing
Cite this paper
Spears, J.L. (2005). A Holistic Risk Analysis Method for Identifying Information Security Risks. In: Dowland, P., Furnell, S., Thuraisingham, B., Wang, X.S. (eds) Security Management, Integrity, and Internal Control in Information Systems. IICIS 2004. IFIP International Federation for Information Processing, vol 193. Springer, Boston, MA. https://doi.org/10.1007/0-387-31167-X_12
DOI: https://doi.org/10.1007/0-387-31167-X_12
Publisher Name: Springer, Boston, MA
Print ISBN: 978-0-387-29826-9
Online ISBN: 978-0-387-31167-8