should be different from today's tools, so that they meet the information security
requirements of organizations today.
The risk analysis methods that were designed for yesterday's simple information
systems are complex in nature; complicated mathematical and statistical instruments are
their main components. Applying such complex risk analysis tools to today's complicated
information technologies is therefore no longer feasible.
Because the success and continuity of organizations depend heavily on the availability
of information technologies, the responsibility for protecting information technologies
has increased. In the 1980s, the member of staff responsible for protecting information
technologies was the head of an organization's computer systems department. Today,
company managers take on this responsibility. Managers of organizations therefore have
to understand the risk analysis process, since it directly affects the protection of
information technologies, and they may also wish to participate in it. Yesterday's
complex risk analysis methods are not structured in a way that allows managers to
participate.
As stated previously, there are basically two types of risk analysis methods, classified
by the tools they use. Quantitative risk analysis methods use mathematical and
statistical tools to represent risk. Qualitative risk analysis methods do not use any
mathematics; instead, risk is expressed with the help of adjectives. Risk analysis methods
that rely on intensive quantitative measures are not suitable for information security risk
analysis. Unlike those of past decades, today's information systems have a complicated
structure and are used widely. Intensive mathematical measures to model risk in such
complex environments therefore make the process difficult, and the calculations performed
during risk analysis become very complicated. Quantitative methods may not be able to
model today's complex risk scenarios. Risk analysis methods that use qualitative measures
are more suitable for the complex risk environment of today's information systems. One
important drawback of qualitative risk analysis methods, however, is their tendency to
yield inconsistent results. Because qualitative methods do not use tools such as
mathematics and statistics to model risk, the result of the method depends heavily on the
opinions of those who conduct the analysis, so there is a risk of obtaining a subjective
result when using qualitative risk analysis methods.
To give two examples, TUAR is a quantitative tool that uses fault trees and fuzzy
logic to express risk. RaMEX is a qualitative tool that uses no mathematical or
statistical instruments.
Both qualitative and quantitative risk analysis methods may be supported by software.
By contrast, risk analysis methods executed without the assistance of software are called
paper-based methods. A number of risk analysis methods are supported by software, and
these have certain disadvantages. Firstly, the cost of the method is usually high.
Secondly, the main frame of the risk analysis process is drawn by the software, so some
necessary variations during the risk analysis process may not be achievable. Paper-based
risk analysis methods consist of meetings, discussions and working sheets, and are more
flexible than software-supported methods. One important drawback of paper-based methods
is their duration: because of the nature of meetings, they may take a long time to
produce risk results.
The Buddy System and Cobra are examples of risk analysis methods supported by
software. The Buddy System is quantitative; Cobra is qualitative. The European Security
Forum is an example of a paper-based method.