DOI: 10.1145/1626195.1626205 (ACM conference research article)

Improving risk assessment methodology: a statistical design of experiments approach

Published: 06 October 2009

Abstract

In order to manage risks to their IT environments and to satisfy government and industry regulations, most enterprises are required to conduct risk assessments. These risk assessments are used to drive organizational decisions on information security. However, despite this need, current approaches lack granular guidance on some key steps and have focused on qualitative rather than quantitative data, which reduces the value of the results for decision makers. This paper proposes a statistical design of experiments approach that will enhance the quantitative aspects of the risk assessment exercise and will make risk assessments smarter, more precise and more efficient. Specifically, our paper demonstrates that a Plackett-Burman design can be used to: (a) identify the subset of security controls that are critical to the enterprise; (b) determine the configuration of these controls; and (c) quantitatively analyze the impact of security enhancements. This paper expands on our previous research by applying statistical models at a macro security architecture level as opposed to determining parameters for individual controls.
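The abstract describes screening a set of security controls with a Plackett-Burman design. The following is an added worked example, not code from the paper: it builds the standard 12-run Plackett-Burman design (11 two-level factors, one per control), runs each of the 12 configurations through a constructed risk-score function, estimates every control's main effect, and flags the controls whose effect dominates. The control names, effect sizes, the `simulated_risk_score` function and the "fraction of the largest effect" cut-off are all assumptions made for the illustration; the generator row is the standard one for the 12-run design.

```python
"""Plackett-Burman screening of security controls.

Added illustration: control names, effect sizes and the risk-score function are
constructed here and are not taken from the paper.
"""
import random
from typing import Dict, List, Sequence, Tuple

# Generator row of the standard 12-run Plackett-Burman design, which screens up
# to 11 two-level factors in 12 runs (-1 = control weak/absent, +1 = control strong).
PB12_GENERATOR = [+1, +1, -1, +1, +1, +1, -1, -1, -1, +1, -1]


def plackett_burman_12() -> List[List[int]]:
    """12 x 11 design matrix: the 11 cyclic shifts of the generator row,
    followed by one run with every factor at its low level."""
    n = len(PB12_GENERATOR)
    rows = [[PB12_GENERATOR[(j - shift) % n] for j in range(n)] for shift in range(n)]
    rows.append([-1] * n)
    return rows


def is_orthogonal(design: Sequence[Sequence[int]]) -> bool:
    """The property that lets main effects be estimated independently of each
    other: every column is balanced and every pair of columns has inner product 0."""
    cols = list(zip(*design))
    for a in range(len(cols)):
        if sum(cols[a]) != 0:
            return False
        for b in range(a + 1, len(cols)):
            if sum(x * y for x, y in zip(cols[a], cols[b])) != 0:
                return False
    return True


def simulated_risk_score(run: Sequence[int], true_effects: Sequence[float],
                         baseline: float = 60.0, noise_sd: float = 0.0,
                         rng: random.Random = None) -> float:
    """Constructed stand-in for the risk score an assessment would report for one
    run. true_effects[j] is the (constructed) change in score when control j is
    moved from weak to strong; negative values mean the control lowers risk."""
    score = baseline + sum(e * (x + 1) / 2 for e, x in zip(true_effects, run))
    if noise_sd > 0 and rng is not None:
        score += rng.gauss(0.0, noise_sd)  # optional assessor-to-assessor scatter
    return score


def estimate_main_effects(design: Sequence[Sequence[int]],
                          responses: Sequence[float]) -> List[float]:
    """Main effect of factor j = mean response at +1 minus mean response at -1,
    which for a balanced two-level design equals (2/N) * sum_i x_ij * y_i."""
    n = len(design)
    return [2.0 / n * sum(design[i][j] * responses[i] for i in range(n))
            for j in range(len(design[0]))]


def screen_controls(names: Sequence[str], true_effects: Sequence[float],
                    threshold_ratio: float = 0.3, noise_sd: float = 0.0,
                    seed: int = 0) -> Tuple[Dict[str, float], List[str]]:
    """Run the 12 experiments, estimate each control's effect and return the
    effects plus the controls whose absolute effect is at least threshold_ratio
    of the largest one (the cut-off rule is an assumption for this example)."""
    design = plackett_burman_12()
    assert len(names) == len(true_effects) == len(design[0]), "11 controls expected"
    rng = random.Random(seed)
    responses = [simulated_risk_score(run, true_effects, noise_sd=noise_sd, rng=rng)
                 for run in design]
    effects = dict(zip(names, estimate_main_effects(design, responses)))
    cutoff = threshold_ratio * max(abs(e) for e in effects.values())
    critical = sorted((n for n, e in effects.items() if abs(e) >= cutoff),
                      key=lambda n: abs(effects[n]), reverse=True)
    return effects, critical


# Constructed control set and constructed true effects (score change, weak -> strong).
CONTROLS = ["mfa", "patching", "egress_filtering", "edr", "log_review", "backup",
            "network_segmentation", "app_whitelisting", "security_training",
            "vuln_scanning", "dlp"]
TRUE_EFFECTS = [-18.0, -12.0, -2.5, -7.0, -2.0, -1.0, -9.0, -3.0, -1.5, -2.0, -0.5]

if __name__ == "__main__":
    effects, critical = screen_controls(CONTROLS, TRUE_EFFECTS)
    for name, eff in sorted(effects.items(), key=lambda kv: abs(kv[1]), reverse=True):
        print(f"{name:22s} {eff:+7.2f}")
    print("critical controls:", critical)
```

With no noise the 12 runs recover every constructed effect exactly, which is the point of an orthogonal screening design: 12 assessments, rather than 2^11, separate the four dominant controls (mfa, patching, network_segmentation, edr) from the rest. Setting `noise_sd` above zero shows how much scatter the estimates pick up from an imprecise scoring step; in practice the cut-off would be replaced by a significance test on replicated runs.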



Published In

SIN '09: Proceedings of the 2nd International Conference on Security of Information and Networks
October 2009, 322 pages
ISBN: 9781605584126
DOI: 10.1145/1626195
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery, New York, NY, United States


Author Tags

  1. Plackett-Burman
  2. control
  3. design of experiments
  4. risk assessment

Qualifiers

  • Research-article

Conference

SIN '09

Acceptance Rates

Overall Acceptance Rate 102 of 289 submissions, 35%

Article Metrics

  • Downloads (last 12 months): 18
  • Downloads (last 6 weeks): 0
Reflects downloads up to 22 Dec 2024

Cited By

  • (2024) Strategic Approaches in Network Communication and Information Security Risk Assessment. Information 15(6), 353. DOI: 10.3390/info15060353. Online publication date: 14-Jun-2024
  • (2023) A Review on Information Security Risk Assessment of Smart Systems: Risk Landscape, Challenges, and Prospective Methods. 2023 10th International Conference on ICT for Smart Society (ICISS), pp. 1-6. DOI: 10.1109/ICISS59129.2023.10291306. Online publication date: 6-Sep-2023
  • (2023) Investigation of Assessment Methodologies in Information Security Risk Management. Inventive Communication and Computational Technologies, pp. 385-400. DOI: 10.1007/978-981-99-5166-6_26. Online publication date: 4-Oct-2023
  • (2019) Dying of a hundred good symptoms: why good security can still fail - a literature review and analysis. Enterprise Information Systems, pp. 1-26. DOI: 10.1080/17517575.2019.1605000. Online publication date: 16-Apr-2019
  • (2018) Knowledge Sharing and IT/Business Partnership. Global Business Expansion, pp. 834-851. DOI: 10.4018/978-1-5225-5481-3.ch037. Online publication date: 2018
  • (2015) Knowledge Sharing and IT/Business Partnership. Handbook of Research on Effective Project Management through the Integration of Knowledge and Innovation, pp. 316-331. DOI: 10.4018/978-1-4666-7536-0.ch017. Online publication date: 2015
  • (2013) A complete tableau procedure for risk analysis. 2013 International Conference on Risks and Security of Internet and Systems (CRiSIS), pp. 1-8. DOI: 10.1109/CRiSIS.2013.6766351. Online publication date: Oct-2013
  • (2013) Tableau systems for reasoning about risk. Journal of Ambient Intelligence and Humanized Computing 5(2), 215-247. DOI: 10.1007/s12652-013-0186-7. Online publication date: 26-Jul-2013
  • (2013) On identifying proper security mechanisms. Proceedings of the 2013 International Conference on Information and Communication Technology, pp. 285-294. DOI: 10.1007/978-3-642-36818-9_29. Online publication date: 25-Mar-2013
  • (2012) Towards a Logical Framework for Reasoning about Risk. Multidisciplinary Research and Practice for Information Systems, pp. 609-623. DOI: 10.1007/978-3-642-32498-7_46. Online publication date: 2012
