An Approach for Modeling Information Systems Security Risk Assessment

Subhas C. Misra, Vinod Kumar, Uma Kumar

Abstract

In this paper, we present a conceptual modeling approach, which is new in the domain of information systems security risk assessment. The approach is helpful for performing means-end analysis, thereby uncovering the structural origin of security risks in an information system, and how the root-causes of such risks can be controlled from the early stages of the projects. The approach addresses this limitation of the existing security risk assessment models by exploring the strategic dependencies between the actors of a system, and analyzing the motivations, intents, and rationales behind the different entities and activities constituting the system.

References

  1. Aagedal, J.O., Braber, F. D., Dimitrakos, T., Gran, B.A., Raptis, D., Stolen, K.: ModelBased Risk Assessment to Improve Enterprise Security. In Proceedings of the Fifth International Enterprise Distributed Object Computing Conference (EDOC 2002), September 17-20, Lausanne, Switzerland (2002)
  2. Barber, B., and Davey, J.: The use of the CCTA Risk Analysis and Management Methodology (CRAMM) in health information systems. In: Medinfo 92. Amsterdam: North Holland (1992) 1589-1593.
  3. Chung, L., Nixon, B.A., Yu, E., Mylopoulos, J. Non-Functional Requirements in Software Engineering, Kluwer Academic Publishers (2000)
  4. Common Criteria Organization: Common Criteria for Information Technology Security Evaluation. http://www.commoncriteria.org, accessed: 2004 (2002)
  5. Control Objectives for Information and Related Technology, 2002. “COBIT”. http://www.isaca.org/ct-denld.htm (2002)
  6. Donzelli, P., Bresciani, P.: An Agent-Based Requirements Engineering Framework for Complex Socio-Technical Systems. In Proceedings of SELMAS 2003, Portland (2003)
  7. Dubois, E., Yu, E. and Petit, M.: From Early to Late Formal Requirements: a Process Control Case Study. In Proc. 9th International Workshop on Software Specification and Design, April 16-18, Ise-Shima, Japan (1998) 34-42.
  8. Gans, G., Jarke, M., Kethers, S., Lakemeyer, G., Ellrich, L., Funken, C., Meister, M.: Requirements Modeling for Organization Networks: A (Dis)Trust-Based Approach, In Proc. 5th IEEE International Symposium on Requirements Engineering, Toronto (2001)
  9. Mouratidis, H., Giorgini, P., Manson, G., Philip, I.: A Natural Extension of Tropos Methodology for Modeling Security. In Proceedings of the Agent Oriented Methodologies Workshop (OOPSLA 2002), November, Seattle-USA (2002)
  10. Reactive System Design Support: RSDS. http://www.kcl.ac.uk., Sandia National Laboratories (2002)
  11. Schechter, S.E: Computer Security & Risk: A Quantitative Approach. Ph.D. Thesis, Computer Science, Harvard University (2004)
  12. Standards Australia: AS/NZS 4360: Risk Management. AS/NZS 4360 (1999)
  13. Sutcliffe, A.G. and Minocha, S: Linking Business Modeling to Socio-technical System Design, In Proceedings of CaiSE'99 (1999) 73-87.
  14. Vraalsen, F., Braber, F.D., Hogganvik, I., Lund, S., Stolen, K: The CORAS ToolSupported Methodology. SINTEF Report, Report # STF90A04015, February, Norway (2004)
Download


Paper Citation


in Harvard Style

C. Misra S., Kumar V. and Kumar U. (2005). An Approach for Modeling Information Systems Security Risk Assessment . In Proceedings of the 3rd International Workshop on Security in Information Systems - Volume 1: WOSIS, (ICEIS 2005) ISBN 972-8865-25-2, pages 253-262. DOI: 10.5220/0002561702530262


in Bibtex Style

@conference{wosis05,
author={Subhas C. Misra and Vinod Kumar and Uma Kumar},
title={An Approach for Modeling Information Systems Security Risk Assessment},
booktitle={Proceedings of the 3rd International Workshop on Security in Information Systems - Volume 1: WOSIS, (ICEIS 2005)},
year={2005},
pages={253-262},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0002561702530262},
isbn={972-8865-25-2},
}


in EndNote Style

TY - CONF
JO - Proceedings of the 3rd International Workshop on Security in Information Systems - Volume 1: WOSIS, (ICEIS 2005)
TI - An Approach for Modeling Information Systems Security Risk Assessment
SN - 972-8865-25-2
AU - C. Misra S.
AU - Kumar V.
AU - Kumar U.
PY - 2005
SP - 253
EP - 262
DO - 10.5220/0002561702530262