Risk Acceptance and Rejection for Threat and Opportunity Risks in Conflicting Incentives Risk Analysis

  • Conference paper
Trust, Privacy, and Security in Digital Business (TrustBus 2013)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 8058)

Abstract

Classical methods for risk analysis usually rely on probability estimates that are sometimes difficult to verify. In particular, this is the case when the system in question is non-stationary or does not have a history for which reliable statistics are available. These methods focus on risks in relation to threats, failing to consider risks in relation to opportunity. The Conflicting Incentives Risk Analysis (CIRA) addresses both these issues. Previously, CIRA has been investigated in analyzing threat risks. The paper contributes by illustrating the concept of opportunity risk in the context of CIRA. We give some theoretical underpinnings of risk acceptance and rejection in CIRA, addressing both risks. Furthermore, the paper explains the extension of CIRA to risk management by outlining the risk treatment (response) measures for threat (opportunity) risks.



Copyright information

© 2013 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Rajbhandari, L., Snekkenes, E. (2013). Risk Acceptance and Rejection for Threat and Opportunity Risks in Conflicting Incentives Risk Analysis. In: Furnell, S., Lambrinoudakis, C., Lopez, J. (eds) Trust, Privacy, and Security in Digital Business. TrustBus 2013. Lecture Notes in Computer Science, vol 8058. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-40343-9_11


  • DOI: https://doi.org/10.1007/978-3-642-40343-9_11

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-40342-2

  • Online ISBN: 978-3-642-40343-9

  • eBook Packages: Computer Science (R0)
