carry out an attack; hacker with considerable technical skills, well equipped and
strongly motivated by the money he could make.
Note: A threat agent can be characterised by expertise, available resources and
motivation.
Attack method - standard means by which a threat agent carries out a threat.
Examples: system intrusion; theft of media or documents.
Risk treatment-related concepts describe what decisions, requirements and controls should be defined and implemented in order to mitigate possible risks. The different risk treatment-related concepts are different levels of design decisions on the IS.
Risk treatment - the decision of how to treat the identified risks. A treatment satisfies a security need, expressed in generic and functional terms, and can lead to security requirements. Categories of risk treatment decisions include:
Avoiding the risk (risk avoidance decision) - decision not to become involved in, or to withdraw from, a risk. Functionalities of the IS are modified or discarded in order to avoid the risk;
Reducing the risk (risk reduction decision) - action to lessen the probability, the negative consequences, or both, associated with a risk. Security requirements are selected in order to reduce the risk;
Transferring the risk (risk transfer decision) - sharing with another party the burden of loss from a risk. A third party thus becomes related to the IS (or to part of it), which sometimes entails additional security requirements about third parties;
Retaining the risk (risk retention decision) - accepting the burden of loss from a risk. No design decision is necessary in this case.
Examples: not connecting the IS to the Internet (risk avoidance); taking measures to avoid network intrusions (risk reduction); taking out insurance to cover a loss of service (risk transfer); accepting that the service could be unavailable for 1 hour (risk retention).
Note: Risk treatment is basically a shortcut for risk treatment decision, according to the state of the art.
Security requirement - a condition over the phenomena of the environment that we wish to make true by installing the IS, in order to mitigate risks. This definition is inspired by [26]. Examples: appropriate authentication methods shall be used to control access by remote users; system documentation shall be protected against unauthorised access.
Note 1: Risk reduction decisions lead to security requirements. Sometimes, risk transfer decisions need some security requirements about third parties. Avoiding risk and retaining risk do not need any security requirement.
Note 2: Each security requirement contributes to covering one or more risk treatments for the target IS.
Control (also called countermeasure or safeguard) - a designed means to improve security, specified by a security requirement, and implemented to comply with it. Security controls can be processes, policies, devices, practices or other