Title :
Business Process-Based Information Security Risk Assessment
Author :
Khanmohammadi, Kobra ; Houmb, Siv Hilde
Author_Institution :
Central Bank of Iran, Tehran, Iran
Abstract :
Limited information security budgets in organizations make it necessary to prioritize effectively among security requirements. The goal is to make the most of the available budget and to achieve a balanced overall security level, thereby maximizing the return on the investment. Many existing information security risk assessment approaches identify and assess risks to critical assets and are therefore asset-driven. These are limited in that it is hard to keep track of dependencies between assets and to produce realistic estimates of their value to an organization. We present a new security risk assessment approach that focuses on business goals, rather than assets, and on the processes supporting or contributing to these goals. Risks are identified and evaluated at the business process level and aggregated over all such processes according to their criticality, role and importance for the organization as a whole. We illustrate our approach using examples from the banking industry, and discuss how it deals with some of the ambiguities involved in expert-intensive and asset-driven information security risk assessment.
Keywords :
bank data processing; business data processing; information management; investment; risk management; security of data; asset driven approach; banking industry; business process; information management; information security risk assessment; investment outcome maximization; process management; security requirement; Companies; Information security; Process control; Risk management; Business process; Information management; Information security; Process management; Risk assessment; Risk management;
Conference_Title :
Network and System Security (NSS), 2010 4th International Conference on
Conference_Location :
Melbourne, VIC
Print_ISBN :
978-1-4244-8484-3
Electronic_ISBN :
978-0-7695-4159-4
DOI :
10.1109/NSS.2010.37