More Web Proxy on the site http://driver.im/

research-article

Improving risk assessment methodology: a statistical design of experiments approach

Authors:

David LiljaAuthors Info & Claims

SIN '09: Proceedings of the 2nd international conference on Security of information and networks

Pages 21 - 29

https://doi.org/10.1145/1626195.1626205

Published: 06 October 2009 Publication History

Abstract

In order to manage risks to the IT environments and to satisfy government and industry regulations, most enterprises are required to conduct risk assessments. These risk assessments are used to drive organizational decisions on information security. However, despite this need, current approaches lack granular guidance on some key steps and have focused on qualitative data rather than quantitative data which reduces the value of the results for the decision makers. This paper proposes a statistical design of experiments approach that will enhance the quantitative aspects of the risk assessment exercise and will make risk assessments smarter, more precise and more efficient. Specifically, our paper demonstrates that a Plackett-Burman design can be used to: (a) identify the subset of security controls that are critical to the enterprise; (b) determine the configuration of these controls; and (c) quantitatively analyze the impact of security enhancements. This paper expands on our previous research by applying statistical models at a macro security architecture level as opposed to determining parameters for individual controls.

References

[1]

Druker, P. Management Challenges for the 21st Century. 1999. Collins Business.

[2]

Stoneburner, G., Goguen, A. and Feringa, A. Risk Management Guide for Information Technology Systems. NIST Special Publication 800-30.

Digital Library

[3]

CISM Review Manual. 2006. Information Systems Audit and Control Association.

[4]

Myers, R. H. and Montgomery, D. C. Response Surface Methodology: process and product optimization using design experiments. 1995. John Wiley and Sons, New York.

Digital Library

[5]

Trocine, L. and Malone, L. Finding Important Independent Variables through Screening Designs: A Comparison of Methods. Proceedings of 2000 Winter Simulation Conference. Joines, J. A., Barton, R. R., Kang, K., and Fishwick, P. A., Eds. pp. 749--754.

Digital Library

[6]

Montgomery, D. C. Design and Analysis of Experiments. 1991. Fifth Edition. Wiley.

Digital Library

[7]

Plackett, R. and Burman, J. The Design of Optimum Multifactorial Experiments. Biometrika, Vol. 33, Issue 4. June 1956. pp 305--325.

[8]

Han, M. H., Lee, M. Y. and Cho, T. H. Fuzzy-Based Verification-Probability Determination Method for Dynamic Filtering in Sensor Networks. IJCSNS International Journal of Computer Science and Network Security. VOL. 8, No. 8, August 2008.

[9]

Singh, A. and Lilja, D. A Statistical Approach for Security Parameter Determination. The 2009 International Conference on Security and Management. July 2009.

[10]

Center for Internet Security. http://www.cis.org

[11]

Sun Security Blueprints. http://wikis.sun.com/display/BluePrints/Security+Blueprint

[12]

OCTAVE Information Security Risk Evaluation. http://www.cert.org/octave/

[13]

ISO 27005. ISO/IEC 27005:2008, Information technology--Security techniques-- Information security risk management. International Standards Organization.

[14]

Web Application Security Consortium. http://www.webappsec.org.

[15]

Phyo, A. H. and Furnell, S. M. A Detection-Oriented Classification of Insider IT Misuse. 2004. Proceedings of Third Security Conference, Las Vegas, NV.

[16]

Navathe, S. B., Sharp, G. P. and Enslow, P. H. Assessing Damages of Information Security Incidents and Selecting Control Measures, a Case Study Approach. Fourth Workshop on the Economics of Information Security, WEIS05. 2005. Kennedy School of Government, Harvard University.

[17]

Kark, K. Calculating the Cost of a Security Breach, Forrester Special Report. April 2007. http://www.forrester.com.

[18]

Singh A.&Lilja, D. Criteria and Methodology for GRC Platform Selection. To appear in ISACA (Information System Audit and Control Association) Journal. Volume 6, 2009.

Cited By

Alsafwani NFazea YAlnajjar F(2024)Strategic Approaches in Network Communication and Information Security Risk AssessmentInformation10.3390/info1506035315:6(353)Online publication date: 14-Jun-2024
https://doi.org/10.3390/info15060353
Fauzi RSembiring J(2023)A Review on Information Security Risk Assessment of Smart Systems: Risk Landscape, Challenges, and Prospective Methods2023 10th International Conference on ICT for Smart Society (ICISS)10.1109/ICISS59129.2023.10291306(1-6)Online publication date: 6-Sep-2023
https://doi.org/10.1109/ICISS59129.2023.10291306
Rajathi CRukmani P(2023)Investigation of Assessment Methodologies in Information Security Risk ManagementInventive Communication and Computational Technologies10.1007/978-981-99-5166-6_26(385-400)Online publication date: 4-Oct-2023
https://doi.org/10.1007/978-981-99-5166-6_26
Show More Cited By

Index Terms

Improving risk assessment methodology: a statistical design of experiments approach
1. Security and privacy
2. Social and professional topics
  1. Computing / technology policy
    1. Computer crime

Recommendations

Risk Management and Risk Assessment at ENISA: Issues and Challenges
ARES '06: Proceedings of the First International Conference on Availability, Reliability and Security

In this talk, the main directions followed in current and future work in the area of Risk Management and Risk Assessment at ENISA will be presented. The efforts in this area range from an initial inventory of Risk Management /Risk Assessment methods and ...
Taxonomy of information security risk assessment (ISRA)

Information is a perennially significant business asset in all organizations. Therefore, it must be protected as any other valuable asset. This is the objective of information security, and an information security program provides this kind of ...
Information Security Risk Assessment Methodology Research: Group Decision Making and Analytic Hierarchy Process
WCSE '10: Proceedings of the 2010 Second World Congress on Software Engineering - Volume 01

Information security risk can be measured by probability of the potential risk incident and its impact. Various quantitative methodologies are given to compute information security risks, but among the existed research, seldom of them considered the ...

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

cover image ACM Conferences

SIN '09: Proceedings of the 2nd international conference on Security of information and networks

October 2009

322 pages

ISBN:9781605584126

DOI:10.1145/1626195

General Chairs:
Atilla Elçi
Eastern Mediterranean University, North Cyprus
,
Oleg Makarevich
Southern Federal University, Russia
,
Mehmet Orgun
Macquarie University, Australia
,
Program Chairs:
Alexander Chefranov
Eastern Mediterranean University, North Cyprus
,
Josef Pieprzyk
Macquarie University, Australia
,
Yuri Anatolievich Bryukhomitsky
Southern Federal University, Russia
,
Sıddıka Berna Örs
İstanbul Technical University, Turkey

Copyright © 2009 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

SIGSAC: ACM Special Interest Group on Security, Audit, and Control

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 06 October 2009

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Conference

SIN '09

Sponsor:

SIGSAC

SIN '09: 2nd International Conference of Security of Information and Networks

October 6 - 10, 2009

Famagusta, North Cyprus

Acceptance Rates

Overall Acceptance Rate 102 of 289 submissions, 35%

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

10
Total Citations
View Citations
940
Total Downloads

Downloads (Last 12 months)20
Downloads (Last 6 weeks)2

Reflects downloads up to 22 Dec 2024

Other Metrics

View Author Metrics

Citations

Cited By

Alsafwani NFazea YAlnajjar F(2024)Strategic Approaches in Network Communication and Information Security Risk AssessmentInformation10.3390/info1506035315:6(353)Online publication date: 14-Jun-2024
https://doi.org/10.3390/info15060353
Fauzi RSembiring J(2023)A Review on Information Security Risk Assessment of Smart Systems: Risk Landscape, Challenges, and Prospective Methods2023 10th International Conference on ICT for Smart Society (ICISS)10.1109/ICISS59129.2023.10291306(1-6)Online publication date: 6-Sep-2023
https://doi.org/10.1109/ICISS59129.2023.10291306
Rajathi CRukmani P(2023)Investigation of Assessment Methodologies in Information Security Risk ManagementInventive Communication and Computational Technologies10.1007/978-981-99-5166-6_26(385-400)Online publication date: 4-Oct-2023
https://doi.org/10.1007/978-981-99-5166-6_26
Loft PHe YJanicke HWagner I(2019)Dying of a hundred good symptoms: why good security can still fail - a literature review and analysisEnterprise Information Systems10.1080/17517575.2019.1605000(1-26)Online publication date: 16-Apr-2019
https://doi.org/10.1080/17517575.2019.1605000
Alkhaldi D(2018)Knowledge Sharing and IT/Business PartnershipGlobal Business Expansion10.4018/978-1-5225-5481-3.ch037(834-851)Online publication date: 2018
https://doi.org/10.4018/978-1-5225-5481-3.ch037
Alkhaldi D(2015)Knowledge Sharing and IT/Business PartnershipHandbook of Research on Effective Project Management through the Integration of Knowledge and Innovation10.4018/978-1-4666-7536-0.ch017(316-331)Online publication date: 2015
https://doi.org/10.4018/978-1-4666-7536-0.ch017
Cristani MKarafili EVigano L(2013)A complete tableau procedure for risk analysis2013 International Conference on Risks and Security of Internet and Systems (CRiSIS)10.1109/CRiSIS.2013.6766351(1-8)Online publication date: Oct-2013
https://doi.org/10.1109/CRiSIS.2013.6766351
Cristani MKarafili EViganò L(2013)Tableau systems for reasoning about riskJournal of Ambient Intelligence and Humanized Computing10.1007/s12652-013-0186-75:2(215-247)Online publication date: 26-Jul-2013
https://doi.org/10.1007/s12652-013-0186-7
Breier JHudec L(2013)On identifying proper security mechanismsProceedings of the 2013 international conference on Information and Communication Technology10.1007/978-3-642-36818-9_29(285-294)Online publication date: 25-Mar-2013
https://dl.acm.org/doi/10.1007/978-3-642-36818-9_29
Cristani MKarafili EViganò L(2012)Towards a Logical Framework for Reasoning about RiskMultidisciplinary Research and Practice for Information Systems10.1007/978-3-642-32498-7_46(609-623)Online publication date: 2012
https://doi.org/10.1007/978-3-642-32498-7_46

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Media

Figures

Other

Tables

View Table of Contents