Computer security methodology: Risk analysis and project definition

doi:10.1016/0167-4048(90)90104-2

Computers & Security

Volume 9, Issue 4, June 1990, Pages 339-346

https://doi.org/10.1016/0167-4048(90)90104-2 Get rights and content

Abstract

A structured, progressive approach to the process of risk analysis, problem identification and project definition will contribute to the successful implementation of computer security in an organization. Potential losses of information technology assets need to be identified and quantified. It is critical for the senior management of an organization to be involved in the decision making process regarding the selection of computer security countermeasures. The objectives of this paper are to address the issue of risk analysis in view of an overall information security plan.

References (18)

K.P. Badenhorst et al.
Framework of a methodology for the life cycle of computer security in an organization
Comput. Secur.
(1989)
J.H.P. Eloff
Computer security policy: important issues
Comput. Secur.
(1988)
G.J.M. English
The quantification of risk in aiding management decisions
B.G.P. Fry et al.
A conceptual methodology for evaluating security requirements for data assets
Comput. Secur.
(1983)
D.J. O'Donnell et al.
End-user computing environments—finding a balance between productivity and control
Inform. Manage.
(August 1987)
A.D. Warren
Evaluating the risks of computer fraud and error
Comput. Secur.
(1983)
C.C. Wood
Information systems security: management success factors
Comput. Secur.
(February 1987)
L.G. Becker
Computer and network security policy: a challenge to organizations' computer security
W.A.J. Bound
Discussing security with top management
Comput. Secur.
(1988)

There are more references available in the full text version of this article.

Cited by (12)

Stochastic comparisons for rooted butterfly networks and tree networks, with random environments
2011, Information Sciences
Citation Excerpt :
Stochastic orderings have been used as instruments both to compare and to bound the waiting times and other random amounts arising from queueing networks (see e.g., [1,11,26,28,30,31,40,41,43]). In addition, stochastic orderings have been applied in computer networks (see e.g., [8,2]). Several probabilistic bounds can be obtained from stochastic comparisons by comparing with some threshold random variables.
Consider a rooted tree network, where the items enter at the system and they proceed away from the root until they reach their destination and exit the system, and they are served by a FIFO policy at each arc (server) of the network. The routing is defined by a discrete probability distribution with a given probability for each destination. For such systems, stochastic modelling of the departure times and the delay times is proposed, by the incorporation of random parameters of the inter-arrival times and of the service times, describing dynamic environments. A mixture model for the departure times is introduced. This mixture has an arbitrary mixing distribution defined by the environmental parameter distributions and the routing distribution. The main results provide conditions to compare stochastically the departure times (delay times) for two rooted tree networks characterized by different routing disciplines or by environmental and correlated random vectors of parameters. Furthermore, bounds for these measures are obtained from some well-known dependence concepts, as the PQD property, and ageing properties of the random environment. Similar results for butterfly networks, tree networks with possible failure during the service and other networks are provided. Within the computer networks, our framework and our results provide explorative tools to assess the design, the performance and the security of communication systems.
A security model for distributed product data management system
2003, Computers in Industry
Product data management (PDM) and distributed product data management (DPDM) systems have made product data a valuable and available commodity for many different kinds of computing applications in production. However, there are worries that this product data will lead to new security risks, and to the invasion of the DPDM system. It is because all people in a manufacturing enterprise will somehow get in touch with the DPDM system. Dealing with these tremendous amounts of interaction between the system and the various users, the utmost importance is to ensure that all data are secured and all users are under controlled and managed. Therefore, the security of DPDM system has been of great concern to individuals and corporations. The paper discusses the security requirements faced by a DPDM system in different organizational contexts. It is argued that access control requires a workspace stratified user management security model to specify. The prominent supporting features of the system including user organization, workspace and security are outlined. A new mixed approach access model for the system is proposed. In this model, user management and two main classical access control methods, the Lampson’s access matrix and Bell and LaPadula (BLP) security labels, are analyzed and adapted to the application with multiple system user and product data in order to support a workspace-oriented DPDM system.
A risk control strategy for corporate computer operations
1995, Computer Audit Update
A comparative framework for risk analysis methods
1993, Computers and Security
The past decade has shown the importance of information security, with special emphasis on network security, disaster recovery and risk management. A number of automated approaches for the facilitation of a risk analysis study have appeared on the software market. Organizations today face the difficult task not only of executing a risk analysis study, but also of selecting a method that will best suit their requirements.
A number of methods are available today, utilizing different terminology for similar concepts. Risk analysis, the most commonly used term in this field, is mostly used to identify objects for protection. “Risk management” might also be included as part of risk analysis, depending on the functionality of the method used. Automated risk analysis methods need to be viewed not only from the internal operation of the method but also from a terminological point of view.
The objective of this paper is to suggest a framework for risk management terminology. The application of the framework will be demonstrated through a high level discussion of the CRAMM, LAVA and MELISA risk analysis methods.
Risk analysis as a source of professional knowledge
1991, Computers and Security
Most severe criticism of computer security risk analysis is founded on a single, positivist, philosophical viewpoint. From this viewpoint, the method lacks objective elementary data points, and its simple statistical decision model fails at least one major test of scientific methods. However, such a method might be scientifically valid as a source for professional knowledge when applied within more appropriate social philosophical frameworks. For example, risk analysis has been, from its earliest descriptions, suitable as an interpretive artifact. The practical implications of these concepts include the importance of experience for practitioners, the ease of misuse, and the danger to the method's validity of naive extensions or adjustments to the original simple method. The practitioner should also recognize the ethical issues raised by the method's communication channel.
Designing a Risk Assessment Tool for Artificial Intelligence Systems
2021, Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

View all citing articles on Scopus

¹: received a B.S.c. (computer science) degree at the University of Stellenbosch, South Africa, in 1980. In 1989 she received a Masters degree at the Rand Afrikaans University, Johannesburg, South Africa, and she is currently working towards a Ph.D. degree in computer science at the same university. She has worked as a technical support analyst at major Prime installations. While working for her Masters degree she applied her research by working as a consultant in the field of computer security.

²: received a B.S.c. (computer science) degree at the Rand Afrikaans University, Johannesburg, South Africa in 1978. In 1980 he received an M.Sc. degree in computer science at the same university, his dissertation involved an in-depth study of all the logical aspects of computer security. Part of this research was published in Computers & Security (November 1983) under the title “Selection Process for Security Packages”. In 1985 he received a Ph.D. (computer science) degree with a thesis titled “The Development of a Specification Language for a Computer Security System”. Part of the research done for his Ph.D. degree was published in Computers & Security under the same title. He also delivered papers at IFIP/SEC'84 and IFIP/ SEC'84. He gained practical experience by working as a computer consultant as well as manager of a large information centre. He is currently a professor in computer science at the Rand Afrikaans University, South Africa.

View full text

Computer security methodology: Risk analysis and project definition

Abstract

Comput. Secur.

Comput. Secur.

Comput. Secur.

Inform. Manage.

Comput. Secur.

Comput. Secur.

Computer and network security policy: a challenge to organizations' computer security

Discussing security with top management

Comput. Secur.