The International Experience in Security Risk Analysis Methods

Author(s):  
Anca Gabriela Petrescu ◽  
Mirela Anca Postole ◽  
Marilena Ciobanasu

The goal of information security is not only to put in place measures that detect and mitigate attacks, but also to predict attacks, deter attackers from attacking, and thus defend systems from attack in the first place. Data protection should build on the lessons learned over time, both within the organization and in other organizations. Over time, a large number of methodologies for identifying information security risks have been proposed and adopted; a simplified view of these methodologies classifies them as quantitative or qualitative, chiefly according to the metrics used to express risk. This chapter offers an international overview of the quantitative and qualitative methods used for information risk analysis. In practice, a combination of these methods is almost always used, depending on the characteristics of the organization investigated and on the degree of uncertainty associated with the method of analysis and risk management.

2020 ◽  
Vol 44 (4) ◽  
Author(s):  
M. M. Zaporozhchenko ◽  

One of the key requirements for protecting an organization's information assets is proper information security risk management. In the risk management process, risks should be identified, assessed, analyzed and treated in order to bring the level of risk down to an acceptable value. The article proposes ways of reducing the information risks that may be caused by critical categories of threats and vulnerabilities.
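The two abstracts above make two connected points: risk methodologies split into quantitative and qualitative families and are usually combined in practice, and the purpose of the process is to bring each risk to an acceptable level. The following added example (not code from any of the listed papers) scores one constructed three-item risk register both ways and then applies an acceptance threshold. It assumes the standard quantitative formulas SLE = asset value x exposure factor and ALE = SLE x ARO, a 5x5 likelihood-impact matrix for the qualitative method, and the constructed register, scales, thresholds and control cost shown in the code; all of those figures are illustrative, not data from the page.

```python
"""Quantitative (ALE) vs. qualitative (matrix) risk analysis over one constructed register.

Added example, not code from any paper listed on this page. Assumptions: the
standard formulas SLE = asset value x exposure factor and ALE = SLE x ARO, a
5x5 likelihood-impact matrix, and the constructed register, scales and
thresholds below.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed ordinal scales for the qualitative method (1 = lowest, 5 = highest).
LIKELIHOOD: Dict[str, int] = {
    "rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5,
}
IMPACT: Dict[str, int] = {
    "negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5,
}


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float      # value of the affected asset, in currency units
    exposure_factor: float  # fraction of the asset value lost per occurrence (0..1)
    aro: float              # annualized rate of occurrence (expected events per year)
    likelihood: str         # qualitative likelihood rating, a key of LIKELIHOOD
    impact: str             # qualitative impact rating, a key of IMPACT


# Constructed register: three risks to a hypothetical organization.
REGISTER: List[Risk] = [
    Risk("ransomware on file server", 500_000, 0.40, 0.20, "possible", "major"),
    Risk("laptop theft", 3_000, 1.00, 2.00, "likely", "minor"),
    Risk("data centre fire", 2_000_000, 0.80, 0.01, "rare", "severe"),
]


def single_loss_expectancy(r: Risk) -> float:
    """SLE: expected loss from a single occurrence."""
    return r.asset_value * r.exposure_factor


def annualized_loss_expectancy(r: Risk) -> float:
    """ALE: expected loss per year, the quantitative risk metric."""
    return single_loss_expectancy(r) * r.aro


def qualitative_score(r: Risk) -> int:
    """Likelihood x impact on the 5x5 matrix; a dimensionless 1..25 score."""
    return LIKELIHOOD[r.likelihood] * IMPACT[r.impact]


def rank(register: List[Risk], key: Callable[[Risk], float]) -> List[str]:
    """Risk names ordered from highest to lowest under the given metric."""
    return [r.name for r in sorted(register, key=key, reverse=True)]


def treatment_decision(r: Risk, ale_threshold: float, score_threshold: int) -> str:
    """Treat the risk if EITHER method says it exceeds the acceptable level.

    The thresholds express the organization's risk appetite (constructed values).
    """
    if annualized_loss_expectancy(r) > ale_threshold or qualitative_score(r) >= score_threshold:
        return "treat"
    return "accept"


def return_on_security_investment(r: Risk, annual_control_cost: float, ale_reduction: float) -> float:
    """ROSI = (ALE reduction achieved - annual control cost) / annual control cost.

    ale_reduction is the fraction of the ALE that the control removes (0..1).
    """
    saved = annualized_loss_expectancy(r) * ale_reduction
    return (saved - annual_control_cost) / annual_control_cost


def analyse(register: List[Risk], ale_threshold: float = 10_000.0, score_threshold: int = 10) -> dict:
    """Rank the register under both methods and decide treatment per risk."""
    return {
        "by_ale": rank(register, annualized_loss_expectancy),
        "by_score": rank(register, qualitative_score),
        "decisions": {r.name: treatment_decision(r, ale_threshold, score_threshold) for r in register},
    }


if __name__ == "__main__":
    for risk in REGISTER:
        print(f"{risk.name:28s} SLE={single_loss_expectancy(risk):>12,.0f} "
              f"ALE={annualized_loss_expectancy(risk):>10,.0f} score={qualitative_score(risk):2d}")
    print(analyse(REGISTER))
    # Constructed control: backups and recovery at 15,000/year cutting ransomware ALE by 75%.
    print("ROSI:", return_on_security_investment(REGISTER[0], 15_000.0, 0.75))
```

The point the register is built to show is that the two families do not always agree: by ALE the low-frequency, high-impact fire outranks laptop theft, while the matrix ranks laptop theft higher because its likelihood is high and the matrix does not weight the monetary magnitude. Using both, and treating a risk when either exceeds its threshold, is one concrete form of the combined approach the first abstract describes.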


2021 ◽  
Vol ahead-of-print (ahead-of-print) ◽  
Author(s):  
Ana Faizi ◽  
Ali Padyab ◽  
Andreas Naess

Purpose: This study aims to address the issue of practicing information security risk assessment (ISRA) on cloud solutions by studying municipalities and large organizations in Sweden.

Design/methodology/approach: Four large organizations and five municipalities that use cloud services and conduct ISRA to adhere to their information security risk management practices were studied. Data were gathered qualitatively to answer the study's research question: How is ISRA practiced on the cloud? The Coat Hanger model was used as a theoretical lens to study and theorize the practices.

Findings: The results showed that the organizations aimed to follow guidelines, in the form of frameworks or their own experience, to conduct ISRA; furthermore, the frameworks were altered to fit the organizations' needs. The results further indicated that one of the main concerns with cloud ISRA was the absence of a culture that integrates risk management. Finally, the findings also stressed the importance of a good understanding and a well-written legal contract between the cloud providers and the organizations using the cloud services.

Originality/value: As opposed to previous research, which was more inclined to try out and evaluate various cloud ISRA approaches, the study provides insights into the practice of cloud ISRA as experienced by the organizations. This study represents the first attempt to investigate the cloud ISRA that organizations practice in managing their information security.


2014 ◽  
Vol 926-930 ◽  
pp. 4105-4109
Author(s):  
Xiao Li Cao

With the spread of the Internet and the continuing advance of global informatization, organizational information systems have become an important strategic resource for the survival of the organization, and protecting their security has become a widespread concern. Once the information security of an organization's information system is compromised, the organization's security attributes are affected, with a tremendous impact on its business operations; the losses are not only economic but may also damage the organization's image and reputation, which are a strategic competitive advantage, and may even be fatal. However, existing information security risk management approaches treat information system risk analysis and assessment in isolation from the specific organizational environment and business background, lack a description of how risks form, consider only "technical" factors in security decisions, and fail to express fully the organizational decision-making needed to reach the desired goal. Therefore, carrying out information security risk management for information systems is essential.


2018 ◽  
Vol 325 ◽  
pp. 399-410
Author(s):  
Bulai Rodica ◽  
Ciorbă Dumitru ◽  
Poştaru Andrei ◽  
Rostislav Călin

The complexity of information security is not limited to technical matters; it transfers significant responsibility to proper management. Risk analysis in information security is a powerful tool that helps managers make decisions about implementing efficient information management systems in order to achieve the organization's mission. As part of risk management, risk analysis is the systematic application of methods, techniques and management practices to establish the context and to identify, analyze, evaluate, treat, monitor and communicate the risks to information security and to the systems through which information is processed, stored or transmitted. ISO/IEC 27005:2011 (Information security risk management) does not specify any particular method for managing the risks associated with information security, only a general approach. It is up to the organization to devise control objectives that reflect its specific approach to risk management and the degree of assurance required. Several models, methodologies and tools exist, among them CRAMM (United Kingdom, Insight Consulting), Risicare/Mehari (France, Clusif) and GSTool (Germany, IT-Grundschutz). The theoretical model behind these methodologies is hard to put into practice without the experience required of the members of the risk analysis team. Using the appropriate risk assessment solution, an organization can devise its own security requirements.


UDA AKADEM ◽  
2018 ◽  
pp. 38-47
Author(s):  
Esteban Crespo-Martínez ◽  
Geovanna Cordero-Torres

Achieving the objective of proposing an information security methodology for IT risk management, applicable to the business and organizational environment of the Ecuadorian MSME sector, requires analysis of the Magerit and CRAMM (CCTA Risk Analysis and Management Method) methodologies, both of which are used internationally in information risk management, while considering the reference frameworks that contain the industry's best practices: ISO 27001, 27002, 27005 and 31000.

Keywords: risks, management, Magerit, CRAMM, information technology, IT, security, information, ISMS.

Abstract: This paper aims to study the CRAMM (CCTA Risk Analysis and Management Method) and Magerit methodologies used in information risk management. It considers the international reference frameworks that contain the industry's best practices: ISO 27001, 27002, 27005 and 31000. This research is part of a project proposal, "Methodology for information security risk management, applicable to MSMEs", applicable to the Ecuadorian environment.

Keywords: Risk, Management, Magerit, CRAMM, Information Technology, IT, Information Security, ISMS.

