ABSTRACT
We propose a method for quantitative information security risk management in computer networks. Risk factors are estimated with fuzzy values, and risk is assessed quantitatively with the candidate safeguards in place, so that the risk reduction each safeguard brings can be compared with its cost. The analytic hierarchy process (AHP) is used to derive quantitative weights for the qualitative risk and cost/benefit sub-factors, and the best set of safeguards is chosen by solving an optimization task over those estimates.
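As an added illustration (not the paper's own code), the following Python sketch walks through the steps the abstract names: AHP pairwise comparisons produce weights for three risk sub-factors (with Saaty's consistency ratio as the sanity check that the judgements do not contradict each other), linguistic estimates of each sub-factor are carried as triangular fuzzy numbers and combined into a crisp risk level, and an exhaustive search picks the safeguard subset with the largest net benefit (loss avoided minus cost) within a budget. The sub-factor names, comparison matrix, fuzzy scores, safeguards, costs and reduction fractions are all constructed for the example; the paper's actual factor hierarchy and objective function are not reproduced here.

```python
# Added example (not the paper's own code): AHP sub-factor weights, triangular-
# fuzzy risk scoring and budget-constrained safeguard selection. All constructed.
from itertools import combinations

# Saaty's random-consistency index for n = 1..9 (used for the CR check).
RANDOM_INDEX = {1: 0.0, 2: 0.0, 3: 0.58, 4: 0.90, 5: 1.12,
                6: 1.24, 7: 1.32, 8: 1.41, 9: 1.45}

def ahp_weights(matrix, iterations=200):
    """Priority vector of a reciprocal pairwise-comparison matrix by power
    iteration; also returns lambda_max for the consistency check."""
    n = len(matrix)
    w = [1.0 / n] * n
    for _ in range(iterations):
        aw = [sum(matrix[i][j] * w[j] for j in range(n)) for i in range(n)]
        total = sum(aw)
        w = [v / total for v in aw]
    aw = [sum(matrix[i][j] * w[j] for j in range(n)) for i in range(n)]
    lambda_max = sum(aw[i] / w[i] for i in range(n)) / n
    return w, lambda_max

def consistency_ratio(matrix):
    """CR = CI / RI. Saaty's rule of thumb: judgements with CR > 0.1
    contradict each other and should be redone before the weights are used."""
    n = len(matrix)
    if n < 3:
        return 0.0
    _, lambda_max = ahp_weights(matrix)
    return ((lambda_max - n) / (n - 1)) / RANDOM_INDEX[n]

def tfn_scale(k, tfn):
    """Scale a triangular fuzzy number (l, m, u) by a non-negative scalar."""
    return tuple(k * v for v in tfn)

def tfn_add(a, b):
    return tuple(x + y for x, y in zip(a, b))

def defuzzify(tfn):
    """Centroid of a triangular fuzzy number."""
    return sum(tfn) / 3.0

def fuzzy_risk(weights, scores):
    """AHP-weighted sum of fuzzy sub-factor scores, defuzzified to a crisp
    risk level in [0, 1]."""
    acc = (0.0, 0.0, 0.0)
    for w, s in zip(weights, scores):
        acc = tfn_add(acc, tfn_scale(w, s))
    return defuzzify(acc)

def residual_scores(scores, safeguards):
    """Scale each affected sub-factor by (1 - reduction) for every safeguard
    applied; several safeguards on one factor compound multiplicatively."""
    out = list(scores)
    for sg in safeguards:
        for idx, frac in sg["reduces"].items():
            out[idx] = tfn_scale(1.0 - frac, out[idx])
    return out

def select_safeguards(weights, scores, candidates, asset_value, budget):
    """Exhaustive search over safeguard subsets (fine for a handful of
    candidates): maximise net benefit = loss avoided - cost within budget.
    Returns (names, loss_avoided, cost); empty names if nothing pays off."""
    base_loss = asset_value * fuzzy_risk(weights, scores)
    best, best_net = ((), 0.0, 0.0), 0.0
    for k in range(1, len(candidates) + 1):
        for subset in combinations(candidates, k):
            cost = sum(sg["cost"] for sg in subset)
            if cost > budget:
                continue
            residual = residual_scores(scores, subset)
            avoided = base_loss - asset_value * fuzzy_risk(weights, residual)
            if avoided - cost > best_net:
                best_net = avoided - cost
                best = (tuple(sg["name"] for sg in subset), avoided, cost)
    return best

# Constructed sample: sub-factors = (threat likelihood, vulnerability, impact).
COMPARISONS = [[1.0, 3.0, 5.0],
               [1 / 3, 1.0, 3.0],
               [1 / 5, 1 / 3, 1.0]]
SCORES = [(0.6, 0.8, 1.0),   # likelihood "high" as a triangular fuzzy number
          (0.3, 0.5, 0.7),   # vulnerability "medium"
          (0.6, 0.8, 1.0)]   # impact "high"
SAFEGUARDS = [  # hypothetical; cost in the same units as ASSET_VALUE
    {"name": "patching", "cost": 20, "reduces": {1: 0.6}},
    {"name": "segmentation", "cost": 30, "reduces": {0: 0.5}},
    {"name": "backups", "cost": 15, "reduces": {2: 0.5}},
]
ASSET_VALUE, BUDGET = 500.0, 50.0

def run_example():
    weights, _ = ahp_weights(COMPARISONS)
    return {"weights": weights, "cr": consistency_ratio(COMPARISONS),
            "risk": fuzzy_risk(weights, SCORES),
            "selection": select_safeguards(weights, SCORES, SAFEGUARDS,
                                           ASSET_VALUE, BUDGET)}

if __name__ == "__main__":
    print(run_example())
```

Two practical caveats: the consistency check is not optional, because an inconsistent comparison matrix still yields a weight vector and silently distorts every downstream risk figure; and the subset search is exponential in the number of candidate safeguards, so with more than a dozen or so candidates the optimization step should be posed as a knapsack-style integer program rather than enumerated.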
Index Terms
- Information security risk management in computer networks based on fuzzy logic and cost/benefit ratio estimation