DOI: 10.1145/1593105.1593203
Research article

IT security risk management

Published: 28 March 2008

Abstract

Threats (accidental or malicious) are potential causes of unwanted events that can result in harm to the assets of the organization and may affect the company's profit and/or reputation. A risk management process (qualitative or quantitative) is needed in order to identify, describe, and analyze the vulnerabilities that could affect the company's assets. In this paper, we present the quantitative indexes that are used to measure risk and introduce scenario-based qualitative approaches via attack trees.


Cited By

  • (2021) A goal-driven approach for the joint deployment of safety and security standards for operators of essential services. Journal of Software: Evolution and Process, 33:9. DOI: 10.1002/smr.2338. Online publication date: 12-Sep-2021
  • (2020) Formalizing Security and Safety Requirements by Mapping Attack-Fault Trees on Obstacle Models with Constraint Programming Semantics. 2020 IEEE Workshop on Formal Requirements (FORMREQ), pp. 8-13. DOI: 10.1109/FORMREQ51202.2020.00009. Online publication date: Aug-2020
  • (2017) Security risk assessment framework for smart car using the attack tree analysis. Journal of Ambient Intelligence and Humanized Computing, 9:3, pp. 531-551. DOI: 10.1007/s12652-016-0442-8. Online publication date: 27-Jan-2017

Published In

ACMSE '08: Proceedings of the 46th annual ACM Southeast Conference
March 2008
548 pages
ISBN:9781605581057
DOI:10.1145/1593105

Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. ROI
  2. information security
  3. information technology
  4. risk management

Qualifiers

  • Research-article

Conference

ACM SE08
ACM SE08: ACM Southeast Regional Conference
March 28 - 29, 2008
Auburn, Alabama

Acceptance Rates

Overall Acceptance Rate 502 of 1,023 submissions, 49%
