
A new mathematical model for analytical risk assessment and prediction in IT systems

Publication language
EN
Abstract
EN
In this paper, we propose a new formal model describing the risk analysis and measurement process for IT systems. The model complies with international standards and with recommendations for non-profit organisations. It accounts for the solutions used in widely known and recommended risk analysis methods and provides for evaluating the efficacy of these solutions. A simple example illustrates how the proposed model is applied to the effective risk analysis of any IT system.
Pages
241-268
Physical description
32 bibliographic references, illustrations, charts
Authors
author
author
author
author
Bibliography
  • Baskerville, R. (1994) Information Systems Security Design Methods: Implications for Information Systems Development. Computing Surveys 25 (4), 375-414.
  • C&A Security Risk Analysis Group (1991) Consultative, Objective and Bi-functional Risk Analysis (COBRA). C&A Systems Security, London.
  • CMU - Carnegie Mellon University (2006) Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE). CERT, Virginia.
  • CCTA - Central Computing and Telecommunications Agency (1987) Risk Analysis and Management Method (CRAMM). United Kingdom Government, London.
  • CLUSIF - Club de la Sécurité de l'Information Français (1998) Méthodologie d'Analyse des Risques Informatique et d'Optimalisation par Niveau (MARION). CLUSIF, Paris.
  • CLUSIF - Club de la Sécurité de l'Information Français (2010) Méthode Harmonisée d'Analyse de Risques (MEHARI). CLUSIF, Paris.
  • Deming, W.E. (2000) Out of the Crisis. MIT Press, Cambridge, Mass.
  • DCSSI - Direction Centrale de la Sécurité des Systèmes d'Information (2010) Expression des Besoins et Identification des Objectifs de Sécurité (EBIOS). DCSSI, Paris.
  • Dray, J. (1988) Computer Security and Crime: Implications for Policy and Action. Information Technology & People 4 (3), 297-313.
  • El Fray, I. (2009) Trust construction for security functions and mechanisms of IT system using results of risk analysis. Measurement Automation and Monitoring 10 (1), 839-843.
  • ENISA1 - European Network and Information Security Agency (2010) Total Information Security Management. http://www.enisa.europa.eu/media/press-releases/2008-prs/201cinside-the-matrix-privacy-data-protection-challenges201d/methods_tools
  • ENISA2 - European Network and Information Security Agency (2010) Inventory of Risk Management / Risk Assessment Methods. http://rminv.enisa.europa.eu/methods_tools
  • FIPS 65 - Federal Information Processing Standard (1979) Guideline for Automatic Data Processing Risk Analysis. National Bureau of Standards, Springfield.
  • FERMA - Federation of European Risk Management (2003) Risk Management Standard in Dynamic Open Systems. FERMA, London.
  • Fisher, T. (2009) ROI in social media: A look at the arguments. Journal of Database Marketing & Customer Strategy Management 16 (3), 189-195.
  • ISACA - Information Systems Audit and Control Association (2007) Control Objectives for Information and related Technology (COBIT). IT Governance Institute, Illinois.
  • ISO/IEC 27001 (2005) Information technology - Security techniques -information security management systems. International Organization for Standardization, Geneva.
  • ISO/IEC 27002 (2007) Information technology - Security techniques - Code of practice for information security management. International Organization for Standardization, Geneva.
  • ISO/IEC Guide 73 (2009) Risk management - Vocabulary - Guidelines for use in standards. International Organization for Standardization, Geneva.
  • Liderman, K. (2008) Risk Analysis and Information Security in Computer Systems. PWN, Warszawa.
  • Microsoft (2010) Microsoft Security Assessment Tool (MSAT). http://technet.microsoft.com/en-us/security/cc18512.aspx
  • NSAA&GAO - National State Auditors Association and the U.S. General Accounting Office (2010) Management Planning Guide for Information Systems Security Auditing. http://www.gao.gov/special.pubs/mgmtpln.pdf
  • Nyman, J.A., Barleen, N.A., Bryan, E. (2009) A Return-on-Investment Analysis of the Health Promotion Program At the University of Minnesota. Journal of Occupational and Environmental Medicine 51 (1), 54-65.
  • OECD (2002) Guidelines for the Security of Information Systems and Networks. Towards a Culture of Security. Organization for Economic Co-Operation and Development, Paris.
  • Parker, D.B. (1991) Computer Security Management. Reston Publishing Co., Reston, Virginia.
  • Rainer, R.K., Snyder, C.A., Carr, H.H. (1991) Risk Analysis for Information Technology. Journal of Management Information Systems 8 (1), 129-147.
  • Rot, A. (2008) IT Risk Assessment: Quantitative and Qualitative Approach. Proceedings of the World Congress on Engineering and Computer Science, San Francisco. IAENG, 1073-1078.
  • Stępien, P. (2010) Project Risk Management. www.skutecznyprojekt.pl
  • Stoneburner, G., Goguen, A., Feringa, A. (2002) Risk Management Guide for Information Technology Systems. National Institute of Standards and Technology Special Publication 800-30, Washington, DC.
  • Ward, J. (2010) Low Cost Information Risk Management. Presentations of the ENISA-ANACOM Workshop on Risk and Innovation, Lisbon. ANACOM, http://www.anacom.pt/streaming/Jeremy_Ward.pdf.
  • Whitman, M.E., Mattord, H. (2009) Principles of Information Security. 3rd ed., Course Technology, Boston, MA.
  • Żurek, B. (1999) RMS Program Used in Risk Management. Conference Proceedings Project Management - Experience and Methods. SPMP - Stowarzyszenie Project Management Polska, Gdańsk, 37-44.
Document type
Bibliography
YADDA identifier
bwmeta1.element.baztech-article-BATC-0009-0045