Abstract
Networked information systems have been a reality in organizations for more than a decade. In addition, these systems are now the key element not only of organization-wide information systems, but also of national and international infrastructures ranging from power plants to air-control systems. These networked information systems, which are basically built around the Internet, are therefore very sensitive to any kind of malfunctioning, so their security is of central concern. However, ensuring their security requires proper risk management which, in the case of such systems, has certain specifics. For this reason traditional risk management methods cannot be applied directly. The analysis of this field presented in this chapter is extended by a new approach to further support decision making in this complex area. The approach is based on a generic model for risk management in contemporary distributed information systems and provides the basis for computational tools for quantitative treatment of risk management in information systems. Through modeling it provides new possibilities for improved decision making under uncertainty, by addressing not only reactive, but also active approaches to risk management. In addition, it also enables simulations for supporting pro-active risk management approaches.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
Andrijcic E, Horowitz B (2006) A macro-economic framework for evaluation of cyber security risks related to protection of intellectual property. Risk Anal 26(4):907.
British Standards Institute (1995) Code of practice for information security management, BS 7799, London.
COBIT (1998) COBIT overview. Information Systems Audit and Control Foundation, Rolling Meadows, IL, USA.
Cox LA, Babayev D, Huber W (2005) Some limitations of qualitative risk rating systems. Risk Anal 25(3):651.
Forrester J (1961) Industrial dynamics. MIT, Cambridge.
Gerber M, Von Solms R (2005) Management of risk in the information age. Comput Secur 24(1):16–30.
Gonzalez JJ (ed) (2003) From modeling to managing security – a system dynamics approach. Höyskole Forlaget AS, Kristiansand.
Gonzalez JJ, Sawicka A (2002) A framework for human factors in information security. In: Proceedings of the WSEAS Conference on Security, HW/SW Codesign, E-Commerce and Computer Networks, Rio de Janeiro.
Hariri S, Qu G, Dharmagadda T, Ramkishore M, Cauligi S, Raghavendra A (2003) Impact analysis of faults and attacks in large-scale networks. IEEE Secur Priv September/October, IEEE, 49–54.
HIPAA (2005) Basics of risk analysis and risk management, US Dept. of Health & Human Services, Washington, DC.
International Standards Organization (1989) Information processing systems – open systems interconnection – basic reference model – part 2: Security architecture, ISO 7498–2:1989, Geneva.
International Standards Organization (2000) IT – code of practice for information security management. ISO 17799, Geneva.
International Standards Organization (2004) IT – management of information and communications technology security, part 1: concepts and models for information and communications technology security management. ISO/IEC standard 13335–1, Geneva.
International Standards Organization (2005) IT – security techniques – code of practice for information security management, ISO/IEC 27002, Geneva.
Jones JR (2007) Estimating software vulnerabilities, IEEE Security & Privacy, July and August, IEEE, pp 28–32.
International Standards Organization (2008) Information security risk management, ISO/IEC 27005, Geneva.
Internet Systems Consortium (2006) ICS domain survey: number of internet hosts. http://www.isc.org/index.pl?/ops/ds/host-count-history.php. Last Accessed on 27th of October 2009.
Makridakis S, Ersen A, Carbone R, Fildes R, Hibon M, Lewandowski R, Newton J, Parze NE, Winkler R (1984) The forecasting accuracy of major time series methods. Wiley, New York, NY.
Martin AR (2008) Making security measurable and manageable. In: Proceedings of MILCOM, November 17–19, San Diego, CA, IEEE, Los Alamitos, pp 1–9.
Mell P, Quinn S, Banghart J, Waltermire D (2008) Security content automation protocol (SCAP), v 1.1, NIST Interagency Report 7511 (Draft), Gaithersburg.
MITRE Corp. (2009) Common vulnerabilities and exposures, MITRE, Washington, DC, http://cve.mitre.org/. Last Accessed on 6th September 2010.
NIST (2007) Managing risk from information systems, NIST SP 800–39 Draft, US Dept. of Commerce, Washington, DC.
NIST (2009) US National Vulnerability Database, NIST, Washington, DC, http://nvd.nist.gov/
Raghu TS, Hsinchun C (2007). Cyberinfrastructure for homeland security: Advances in information sharing, data mining, and collaboration systems. Decis Support Syst (online), 2006.
Ryan JJCH, Ryan DJ (2005) Proportional hazards in information security. Risk Anal 25(1):141.
Schneier B (1999) Attack trees. Dr Jobbs J 12, pp 21–29.
Trček D (2005) Managing information systems security and privacy. Springer, Heidelberg/New York, NY.
Trček D (2006) Security models: Refocusing on the human factor. IEEE Comput, 39(11):103–104.
Acknowledgments
The author acknowledges the support of the Slovenian Research Agency ARRS for the support of this research through program P2-0359 and the EU Commission for SEMPOC research grants JLS/2008/CIPS/024 and ABAC 30-CE-0221852/00-43. This research is partially also a result of collaboration within COST Econ@TEL project. The author would also like to thank anonymous reviewers that have provided constructive comments for the first version of this chapter. Last but not least, special thanks go to Prof. Dr. R. Pain – he knows why.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Appendix
Appendix
This appendix provides the complete listing of the model presented in this chapter, Section 5 (the listing is for VensimTM package produced by Ventana Systems):
(01) | actualThreatProbability= |
threatProbability*compensatedThreatProbability | |
Units: Dmnl | |
(02) | adaptationRate=(risk-riskPerception)/TA |
Units: (euro/Day)/Day | |
(03) | amortization=assetValue*amortizationRate |
Units: euro/Day | |
(04) | amortizationRate=0.03 |
Units: 1/Day [0.01,1,0.01] | |
(05) | assetValue= INTEG (-amortization, 100) |
Units: euro | |
Inicialna vrednost sredstva je 100. | |
(06) | compensatedThreatProbability= |
safeguardsInvestments/probabilityNormalization | |
Units: Dmnl [0,1,0.1] | |
(07) | exposureNormalization=20 |
Units: euro/Day [1,100] | |
(08) | exposureRate= |
safeguardsInvestments/exposureNormalization | |
Units: Dmnl [0,1] | |
(09) | expStep=1 |
Units: Day [0.1,100] | |
(10) | FINAL TIME = 366 |
Units: Day | |
The final time for the simulation. | |
(11) | INITIAL TIME = 0 |
Units: Day | |
The initial time for the simulation. | |
(12) | investDelay=1 |
Units: Day [0.1,21,0.1] | |
(13) | probabilityFunction( |
[(0,0)-(366,1)], | |
(0,0.6),(31,0.7),(60,0.4),(91,0.5),(121,0.7),(152,0.5), | |
(182,0.4),(213,0.6),(244,0.9),(274,0.1), | |
(305,0.1),(335,0),(335,0),(350,0.2),(366,0.2)) | |
Units: Dmnl | |
(14) | probabilityNormalization=50 |
Units: euro/Day [1,100] | |
(15) | residual risk=risk-safeguardsInvestments |
Units: euro/Day | |
(16) | risk= |
assetValue*actualThreatProbability*exposureRate/expStep | |
Units: euro/Day | |
(17) | riskPerception= INTEG (adaptationRate,10) |
Units: euro/Day | |
(18) | safeguardsInvestments= |
DELAY FIXED(riskPerception, investDelay, 0) | |
Units: euro/Day | |
(19) | SAVEPER = TIME STEP |
Units: Day [0,?] | |
The frequency with which output is stored. | |
(20) | TA=10 |
Units: Day [0.1,31,1] | |
(21) | threatProbability= |
probabilityFunction(Time) | |
Units: Dmnl | |
(22) | TIME STEP = 0.0078125 |
Units: Day [0,?] | |
The time step for the simulation. |
Rights and permissions
Copyright information
© 2011 Springer Science+Business Media, LLC
About this chapter
Cite this chapter
Trček, D. (2011). Computationally Supported Quantitative Risk Management for Information Systems. In: Gülpınar, N., Harrison, P., Rüstem, B. (eds) Performance Models and Risk Management in Communications Systems. Springer Optimization and Its Applications, vol 46. Springer, New York, NY. https://doi.org/10.1007/978-1-4419-0534-5_3
Download citation
DOI: https://doi.org/10.1007/978-1-4419-0534-5_3
Published:
Publisher Name: Springer, New York, NY
Print ISBN: 978-1-4419-0533-8
Online ISBN: 978-1-4419-0534-5
eBook Packages: Mathematics and StatisticsMathematics and Statistics (R0)