Problem Analysis of Traditional IT-Security Risk Assessment Methods - An Experience Report from the Insurance and Auditing Domain

Authors: Stefan Taubenberger, Jan Jürjens, Y. Yu and Bashar Nuseibeh
Traditional information technology (IT) security risk assessment approaches are based on an analysis of events, probabilities and impacts. In practice, security experts often find it difficult to determine IT risks reliably with precision. In this paper, we review the risk determination steps of traditional risk assessment approaches and report on our experience of using such approaches. Our experience is based on performing IT audits and IT business insurance cover assessments within a… 
Taxonomy of security risk assessment approaches for researchers
  • Ebenezer Paintsil
  • Computer Science
    2012 Fourth International Conference on Computational Aspects of Social Networks (CASoN)
  • 2012
The taxonomy proposed in this article aims at guiding researchers to choose research areas, and to discover new ideas and paradigms in the IS-Security risk assessment discipline.
Privacy and Security Risks Analysis of Identity Management Systems
A balanced approach to risk analysis where systems’ characteristics and tools that are relatively easy to learn are relied upon to analyze privacy and security risks in IDMSs is developed.
An approach to support information security risk assessment
  • Petko Genchev
  • Computer Science
    2020 International Conference on Biomedical Innovations and Applications (BIA)
  • 2020
An attempt has been made to summarize the proposed measures and to build an approach for organizing the functionalities of a software product to support Information security risk assessment, as an element of the information security risk management process.
Security Risk Assessment in Internet of Things Systems
The case for new methodologies to assess risk in this context that consider the dynamics and uniqueness of the IoT while maintaining the rigor of best practice in risk assessment is made.
Study on audit of corporate financial risk based on FMEA method
FMEA was originally designed and applied as a preventative fault evaluation method for industrial quality management. In over 60 years, it has undergone considerable development and wide application.
Assessing Risks and Modeling Threats in the Internet of Things
An IoT attack taxonomy is developed that describes the adversarial assets, adversarial actions, exploitable vulnerabilities, and compromised properties that are components of any IoT attack and is used as the foundation for a joint risk assessment and maturity assessment framework that is implemented as an interactive online tool.
Bridging the gap between business and technology in strategic decision-making for cyber security management
The proposed approach aims to bridge the gap between technical analysis and business analysis making system architectures easier to manage, inspired by an enterprise architecture language called ArchiMate.
Probabilistic modeling and analysis of sequential cyber-attacks
Continuous-time Markov chain and semi-Markov process-based methods are proposed to estimate the occurrence probability of a security risk for systems undergoing sequential cyber-attacks.
Readiness Exercises: Are Risk Assessment Methodologies Ready for the Cloud?
This paper points out the essential characteristics that any risk assessment method addressed to cloud computing should incorporate and, based on existing literature, suggests three new ones whose features make them more appropriate.
A qualitative and quantitative risk assessment method in software security
This paper adopts the combination of the attack tree model analysis and the Bayesian Network analysis, which takes the advantage of both qualitative analysis and quantitative analysis to assess risks of software security.
Empirical and statistical analysis of risk analysis-driven techniques for threat management
A selected set of risk analysis techniques have been evaluated and compared based on a realistic case study and ways to improve or complement these methods are suggested.
From Risk Analysis to Security Requirements
Risk Analysis for Information Technology
A risk analysis process that employs a combination of qualitative and quantitative methodologies is proposed that should provide managers with a better approximation of their organization's overall information technology risk posture.
Model-based risk assessment – the CORAS approach
The EU-funded CORAS project (IST-2000-25031) is developing a framework for model-based risk assessment of security-critical systems. This framework is characterised by: (1) A careful integration of
A business approach to effective information technology risk analysis and management
There is a need for an approach that is more suitable for smaller organizations, as well as organizations requiring a quicker, more simplified and less resource-intensive approach to effective information technology risk analysis and management.
Formalizing information security requirements
To successfully protect information, the security controls must not only protect the infrastructure, but also instill and enforce certain security properties in the information resources.
An analysis of the traditional IS security approaches: implications for research and practice
The main finding is that the traditional ISS methods regurgitate several features and assumptions that are required to be dealt with by traditional ISS methods developers and practitioners.
Adapting Secure Tropos for Security Risk Management in the Early Phases of Information Systems Development
This paper analyzes Secure Tropos, the language supporting the eponymous agent-based IS development, and suggests improvements in the light of an existing reference model for IS security risk management, thereby improving the conceptual appropriateness of the language.
On risk: perception and direction