Business process-based information security risk assessment

Proceedings - 2010 4th International Conference on Network and System Security, NSS 2010

Volumn , Issue , 2010, Pages 199-206

  Khanmohammadi, Kobra ^a   Houmb, Siv Hilde ^b  

^a Central Eye Bank of Iran   (Iran)

^b Secure NOK Ltd   (Norway)

Author keywords

Business process; Information management; Information security; Process management; Risk assessment; Risk management

Indexed keywords

BANKING INDUSTRY; BUSINESS GOALS; BUSINESS PROCESS; CRITICAL ASSET; INFORMATION SECURITY; INFORMATION SECURITY RISK ASSESSMENT; LIMITED INFORMATION; PROCESS MANAGEMENT; SECURITY LEVEL; SECURITY REQUIREMENTS; SECURITY RISK ASSESSMENTS;

BUDGET CONTROL; INFORMATION MANAGEMENT; NETWORK SECURITY; RATING; RISK ANALYSIS; RISK MANAGEMENT;

RISK ASSESSMENT;

EID: 78650393263     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1109/NSS.2010.37     Document Type: Conference Paper

References (20)

1. International Organization for Standardization, ISO/IEC 27002:2005 Information technology - Code of practice for information security management
2. T. Tsiakis and G. Stephanides, "The economic approach of information security," Computers & Security, vol.24, pp. 105-108, 2005.
3. B. Karabacak and I.Sogukpinar "ISRAM: information security risk analysis method," Computers & Security, vol.24, pp. 147-159, 2005.
4. W. Sonnenreich, "Return On Security Investment (ROSI): A Practical Quantitative Model," A summary of Research and Development conducted at SageSecure, 2002.
5. J. Eom, S. Park, Y. Han, T. Chung, "Risk Assessment Method Based on Business Process-Oriented Asset Evaluation for Information System Security," LECTURE NOTES IN COMPUTER SCIENCE, Springer, 2007.
6. X. Su, D. Bolzoni, P. van Eck, R. Wieringa, "A Business Goal Driven Approach for Understanding and Specifying Information Security Requirements," Arxiv preprint cs.CR/0603129, 2006 - arxiv.org
7. P. Klempt, H. Schmidpeter, S. Sowa, L. Tsinas, "Business Oriented Information Security Management -A Layered Approach," LECTURE NOTES IN COMPUTER SCIENCE, Springer, 2007.
8. S. Houmb, G.Georg, R.France, J. Bieman, and J. Jürjens, "Cost-Benefit Trade-Off Analysis using BBN for Aspect- Oriented Risk-Driven Development," in Proceedings of Tenth IEEE International Conference on Engineering of Complex Computer Systems (ICECCS 2005), Shanghai, China, June 2005, pp. 195-204.
9. S. H. Houmb, G. Georg, J. Jürjens, and R. France, "An Integrated Security Verification and Security Solution Design Trade-Off Analysis," Integrating Security and Software Engineering: Advances and Future Visions, Chapter 9, 2006, 288 pages.
10. R Bojanc, B Jerman-Blazic, "Towards a standar approach for quantifying an ICT security investment," Computer Standards & Interfaces, v.30, n.4, pp. 216-222, May, 2008.
11. B. Littlewood, S. Brocklehurst, N. Fenton, P. Mellor, S. Page, D. Wright, J. Dobson, J. McDermid, and D. Gollmann, "Towards Operational Measures of Computer Security," Journal of Computer Security, vol. 2, pp. 211-229, 1993.
12. B. Madan, K. Goseva-Popstojanova, K. Vaidyanathan, and K. Trivedi, "Modeling and Quantification of Security Attributes of Software Systems," in Proceedings of the International Conference on Dependable Systems and Networks (DSN'02), vol. 2. IEEE Computer Society, 2002, pp. 505-514.
13. D. Wang, B. Madan, and K. Trivedi, "Security Analysis of SITAR Intrusion Tolerance System," in Proceedings of the 2003 ACM workshop on Survivable and self-regenerative systems: in association with 10th ACM Conference on Computer and Communications Security. ACM Press, 2003, pp. 23-32.
14. S. Houmb and K. Sallhammar, "Modelling System Integrity of a Security Critical System Using Colored Petri Nets," in Proceeding of Safety and Security Engineering (SAFE 2005). Rome, Italy: WIT Press, 2005, pp. 3-12.
15. NVD Common Vulnerability Scoring System, Available: http://nvd.nist.gov/ cvss.cfm
16. S. Houmb, G. Georg, R. France, R. Reddy, and J. Bieman, "Predicting Availability of Systems using BBN in Aspect- Oriented Risk-Driven Development (AORDD)," in Proceedings of the 9th World Multi-Conference on Systemics, Cybernetics and Informatics, Volume X: 2nd Symposium on Risk Management and Cyber-Informatics (RMCI'05). International Institute of Informatics and Systemics, July 2005, pp. 396-403, Orlando, Florida, USA.
17. S. Houmb and V.N.L. Franqueira, "Estimating ToE Risk Level Using CVSS," 2009 International Conference on Availability, Reliability and Security, ares, 2009, pp. 718-725
18. R. Richardson, "2008 CSI Computer Crime and Security Survey," 2008, Available: http://i.cmpnet.com/v2.gocsi.com/pdf/CSIsurvey2008.pdf.Visited on Apr 2010.
19. Shuyuan Jin, Yong Wang, Xiang Cui, Xiaochun Yun, "A review of classification methods for network vulnerability," in Proceedings of the 2009 IEEE international conference on Systems, Man and Cybernetics, San Antonio, TX, USA, p. 1171-1175, October 11-14, 2009.
20. S. Hansman and R. Hunt, A taxonomy of network and computer attacks, Computers & Security, Volume 24, Issue 1, February 2005, Pages 31-43