Abstract
In this article, we present a comparative study of a newly developed formal mathematical model of risk assessment (FoMRA) and expert methods of risk assessment for information systems (IS). The proposed analysis verified the correctness of the theoretical assumptions of the developed model. The paper presents computational examples illustrating the application of FoMRA and of two risk assessment methods that are known and accepted throughout the world, MEHARI and CRAMM, applied to a specific unit of the public administration operating in Poland.
© 2012 IFIP International Federation for Information Processing
El Fray, I. (2012). A Comparative Study of Risk Assessment Methods, MEHARI & CRAMM with a New Formal Model of Risk Assessment (FoMRA) in Information Systems. In: Cortesi, A., Chaki, N., Saeed, K., Wierzchoń, S. (eds) Computer Information Systems and Industrial Management. CISIM 2012. Lecture Notes in Computer Science, vol 7564. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-33260-9_37
DOI: https://doi.org/10.1007/978-3-642-33260-9_37
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-33259-3
Online ISBN: 978-3-642-33260-9
eBook Packages: Computer Science (R0)