• DocumentCode
    3080592
  • Title

    Business Process-Based Information Security Risk Assessment

  • Author

    Khanmohammadi, Kobra ; Houmb, Siv Hilde

  • Author_Institution
    Central Bank of Iran, Tehran, Iran
  • fYear
    2010
  • fDate
    1-3 Sept. 2010
  • Firstpage
    199
  • Lastpage
    206
  • Abstract
    Limited information security budget in organizations make it necessary to effectively prioritize among security requirements. The goal is to make the most out of the available budget and to achieve a balanced overall security level. This leads to maximize the investment outcome. Many existing information security risk assessment approaches identify and assess risks to critical assets and are asset-driven approaches. These are limited in that it is hard to keep track of dependencies between assets and to produce realistic estimates of their values to an organization. We present a new security risk assessment approach focusing on business goals rather than assets and the processes supporting or contributing to these goals. Risks are identified and evaluated on a business process level and aggregated over all such processes depending on their criticality, role and importance for the organization as a whole. We illustrate our approach using examples from the banking industry, as well as discuss how our approach deals with some of the ambiguities involved in expert intensive and asset-driven information security risk assessment.
  • Keywords
    bank data processing; business data processing; information management; investment; risk management; security of data; asset driven approach; banking industry; business process; information management; information security risk assessment; investment outcome maximization; process management; security requirement; Companies; Information security; Process control; Risk management; Business process; Information management; Information security; Process management; Risk assessment; Risk management;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Network and System Security (NSS), 2010 4th International Conference on
  • Conference_Location
    Melbourne, VIC
  • Print_ISBN
    978-1-4244-8484-3
  • Electronic_ISBN
    978-0-7695-4159-4
  • Type

    conf

  • DOI
    10.1109/NSS.2010.37
  • Filename
    5635519