methods was proposed. Our work has a different scope, that is, ISSRM. Here, the
core concept to consider is risk. Yet, risk is not an isolated concept. A risk (i)
depends on the security needs placed on the IS assets and (ii) is the subject of risk
treatments. These are the concepts that we include in our first iteration on step 1,
but our scope is likely to expand along the way. Conversely, specific usages of our
concept alignment table could consider only subsets of it if not all concepts are
needed.
4.2 Overview of the Alignment Table
In this section, we analyse the concept of risk starting from the definitions found in
the sources listed in Sects. 3.1 and 3.2. We focussed on RM standards and security
standards; RM methods and RE security frameworks are addressed in [38].
Content-wise, we focus on the notion of risk and its associated components. Risk-related
metrics [9, 15, 52] like, for example, its value or its likelihood, are currently not
considered.
4.2.1 Risk Management Standards
ISO Guide 73 gives the following definition of a risk:
Risk: combination of the probability of an event and its consequence.
AS/NZS 4360 proposes a similar definition in its glossary:
Risk: the chance of something happening that will have an impact on objectives
NOTE 1: A risk is often specified in terms of an event or circumstance and the consequences
that may flow from it.
Both sources indicate that a risk is composed of two related elements: a cause, called
event or “something happening”; and a consequence, also called impact. This
consideration is valid in all risk-related domains. To refine our analysis, we compare
the above definitions with the ones from the security domain.
4.2.2 Security Related Standards
In ISO/IEC 27001 [25], the concept of risk is not present in the glossary, but in an
excerpt of the standard presenting the risk identification step, we find:
Identify the risks.
1) Identify the assets within the scope of the ISMS, and the owners of these assets.
2) Identify the threats to those assets.
3) Identify the vulnerabilities that might be exploited by the threats.
4) Identify the impacts that losses of confidentiality, integrity and availability may have on
the assets.