A Systematic Approach to Define the Domain
of Information System Security Risk
Management
Éric Dubois, Patrick Heymans, Nicolas Mayer, and Raimundas Matulevicius
Abstract Today, security concerns are at the heart of information systems, at both the technological and the organizational level. With over 200 practitioner-oriented risk management methods and several academic security modelling frameworks available, a major challenge is to select the most suitable approach. The choice is made even more difficult by the absence of a real understanding of the security risk management domain and of an ontology of its related concepts. This chapter contributes to the emergence of such an ontology. It proposes and applies a rigorous approach to building an ontology, or domain model, of information system security risk management. The resulting domain model can then be used to compare, select or otherwise improve security risk management methods.
1 Introduction
During the last two decades, the impact of security concerns on the development and operation of Information Systems (IS) has never ceased to grow, in both the public and the private sector. In this context, security Risk Management (RM) has become paramount because it helps companies identify and implement security requirements in a cost-effective manner. Indeed, security threats are so numerous that it is outright impossible to act on all of them, because (1) every technological security solution has a cost, and (2) companies have limited resources. Hence, companies need assurance that they adopt only those solutions that will provide a significant Return on Investment (ROI). This assurance is obtained by comparing the cost of a solution with the risk of not using it, e.g., the cost of a business disruption due to a successful security attack. In this sense, security RM plays an important role in aligning a company's business strategy with its Information Technology (IT) strategy.