Abstract
A cyber-risk assessment conducted in a large organization may lead to heterogeneous results due to the subjectivity of certain aspects of the evaluation, especially those concerning the negative consequences (impact) of a cyber-incident. To address this problem, we propose an approach based on the identification of a set of sensitivity features, i.e. certain attributes of the assets or processing activities that are strongly related to the levels of impact of cyber-incidents. We apply our approach to revise the results of a Data Protection Impact Assessment, a mandatory activity for complying with GDPR, conducted in a medium-to-large organization of the Italian Public Administration, and we obtain encouraging results.
Copyright information
© 2022 Springer Nature Switzerland AG
Mascia, C., Ranise, S. (2022). Asset Sensitivity for Aligning Risk Assessment Across Multiple Units in Complex Organizations. In: Aïmeur, E., Laurent, M., Yaich, R., Dupont, B., Garcia-Alfaro, J. (eds) Foundations and Practice of Security. FPS 2021. Lecture Notes in Computer Science, vol 13291. Springer, Cham. https://doi.org/10.1007/978-3-031-08147-7_25
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-08146-0
Online ISBN: 978-3-031-08147-7
eBook Packages: Computer Science (R0)