Title :
A causal model for information security risk assessment
Author :
Kondakci, Suleyman
Author_Institution :
Fac. of Eng. & Comput. Sci., Izmir Univ. of Econ., Balcova, Turkey
Abstract :
This paper presents a probabilistic approach that encodes causal relationships among threat sources and victim systems in order to facilitate quantitative and relational security assessment of information systems. Besides offering a simpler risk-analysis method than qualitative approaches, it is unique in that it makes no a priori assumptions about the test domain; it therefore applies equally well to a variety of information systems, software development projects, IT products, and other decision-making systems. The framework as a whole proposes a unique concept for analysing dependence and causality within a network of interdependent assets. Security risk management is today addressed mostly by security certification authorities, test and evaluation facilities, and organizations and standards such as CC, CCITT, and ISACA. To develop new methods that can facilitate security management, risk assessment needs to be treated as a major research topic for evaluation facilities.
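The abstract does not spell out the model itself, so the following is an added illustration of the kind of causal, probabilistic risk model it describes; it is not the paper's own method or code. It encodes threat sources as root causes and assets as dependent nodes in a noisy-OR Bayesian network, computes each asset's compromise probability exactly by enumeration, and applies a causal intervention (patching one threat source) to compare expected loss. Every node name, probability, weight and impact value below is a constructed, hypothetical input.

```python
"""Illustrative causal risk model: threat sources -> interdependent assets.

Constructed example, not the paper's model. Causal dependence is encoded
with noisy-OR conditional probabilities and inference is done by exact
enumeration over all 2^n joint states, which is fine for small networks;
real tools use variable elimination or sampling for larger ones.
"""
from itertools import product

# Hypothetical threat sources with a prior probability of being active.
THREAT_PRIORS = {
    "phishing_campaign": 0.30,
    "unpatched_web_vuln": 0.20,
}

# Hypothetical assets. Each entry lists (parent, weight) where weight is
# P(parent compromises this asset | parent is compromised).
ASSET_PARENTS = {
    "workstation":     [("phishing_campaign", 0.60)],
    "web_server":      [("unpatched_web_vuln", 0.70)],
    "database":        [("workstation", 0.40), ("web_server", 0.50)],
    "billing_process": [("database", 0.90)],
}

# Hypothetical loss (arbitrary units) if each asset is compromised.
IMPACT = {"workstation": 5, "web_server": 20, "database": 100, "billing_process": 250}


def noisy_or(parent_states, parent_weights):
    """P(child compromised | parents) = 1 - prod(1 - w_i) over compromised parents."""
    p_safe = 1.0
    for compromised, w in zip(parent_states, parent_weights):
        if compromised:
            p_safe *= 1.0 - w
    return 1.0 - p_safe


def joint_probability(assignment, priors, parents):
    """Probability of one complete assignment {node: bool} under the model."""
    p = 1.0
    for node, state in assignment.items():
        if node in priors:
            p_true = priors[node]
        else:
            ps = parents[node]
            p_true = noisy_or([assignment[q] for q, _ in ps], [w for _, w in ps])
        p *= p_true if state else 1.0 - p_true
    return p


def marginals(priors, parents):
    """Exact marginal P(node compromised) for every node, by full enumeration."""
    nodes = list(priors) + list(parents)
    totals = {n: 0.0 for n in nodes}
    for states in product((False, True), repeat=len(nodes)):
        assignment = dict(zip(nodes, states))
        p = joint_probability(assignment, priors, parents)
        for n, s in assignment.items():
            if s:
                totals[n] += p
    return totals


def expected_loss(marg, impact):
    """Quantitative risk figure: sum of P(compromised) * impact over assets."""
    return sum(marg[a] * v for a, v in impact.items())


def intervene(priors, threat, new_prior):
    """Causal 'do' operation on a threat source: replace its prior and return new priors."""
    p = dict(priors)
    p[threat] = new_prior
    return p


if __name__ == "__main__":
    base = marginals(THREAT_PRIORS, ASSET_PARENTS)
    for n, p in base.items():
        print(f"{n:20s} P(compromised) = {p:.4f}")
    print(f"expected loss (baseline):      {expected_loss(base, IMPACT):.2f}")
    patched = marginals(intervene(THREAT_PRIORS, "unpatched_web_vuln", 0.0), ASSET_PARENTS)
    print(f"expected loss (web vuln fixed): {expected_loss(patched, IMPACT):.2f}")
```

Because the two threat sources are independent, the database marginal can be checked by hand: 1 - (1 - 0.4*0.18)(1 - 0.5*0.14) = 0.13696, and the enumeration reproduces it. Setting a threat source's prior to zero is a causal intervention rather than an observation, which is what makes the model useful for comparing countermeasures.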
Keywords :
decision making; risk analysis; security of data; software engineering; CC; CCITT; ISACA; IT products; causal model; decision making systems; evaluation facilities; information security risk assessment; information systems; quantitative security assessment; relational security assessment; risk analysis approach; risk management; security certification authorities; software development projects; test facilities; threat sources; victim systems; Analytical models; Computational modeling; Information security; Joints; Probabilistic logic; Risk management; Security analysis; risk modeling; test methods and tools; uncertainty inference;
Conference_Titel :
Information Assurance and Security (IAS), 2010 Sixth International Conference on
Conference_Location :
Atlanta, GA
Print_ISBN :
978-1-4244-7407-3
DOI :
10.1109/ISIAS.2010.5604039