When planning any kind of project, especially an information security project, risk analysis is very important. Risk analysis, in the context of information security, is the process of assessing potential threats to an organization and the overall risk they pose to the continued operation of the organization. There are multiple approaches to risk analysis, and a large body of literature has been published on the subject.
In their paper published in 2012, Bhattacharjee and associates introduced two approaches to the risk assessment of an information security system. Bhattacharjee and associates’ method is a two-stage method, with a consolidated analysis, identifying a single risk value for each asset, and a detailed analysis, which defines a threat-vulnerability pair for each risk factor (Bhattacharjee, Sengupta, Mazumdar, & Sankar Barik, 2012).
The method first identifies assets and defines seven requirements factors for each: confidentiality, integrity, availability, authenticity, non-repudiation, legal, and impact of loss. Each of these factors is assigned a sliding-scale value based upon the intensity of the specific requirement (Bhattacharjee, Sengupta, Mazumdar, & Sankar Barik, 2012). Once all assets have been given their requirements values, the overall asset value is defined. This value is combined with the security concern value, “a function of threats and vulnerabilities associated with an asset” (Bhattacharjee, Sengupta, Mazumdar, & Sankar Barik, 2012), to assign an overall risk factor value to the asset.
Once the consolidated step is completed, a detailed risk analysis is performed. This analysis begins by identifying security requirements that have been assigned a value of greater than two. Threats and vulnerabilities for these requirements are then defined. From these values, a risk value is generated, which is a function of the security requirement value and the threat value (Bhattacharjee, Sengupta, Mazumdar, & Sankar Barik, 2012).
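To make the two stages concrete, the following Python sketch walks one constructed asset through the consolidated and detailed analyses described above. It is an added illustration written for this review, not code from Bhattacharjee and associates, and their paper's actual formulas are not reproduced here: the 0..4 scale range, the use of the maximum as the aggregation for asset value and security concern, and the use of a product for both risk values are assumptions chosen to keep the example simple. The asset, its requirement values, and its threat-vulnerability pairs are constructed sample data.

```python
"""Two-stage risk analysis sketch (constructed example, not the paper's formulas)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# The seven requirement factors named in the method.
REQUIREMENT_FACTORS = (
    "confidentiality", "integrity", "availability", "authenticity",
    "non_repudiation", "legal", "impact_of_loss",
)
SCALE_MIN, SCALE_MAX = 0, 4   # assumed range of the sliding scale
DETAILED_THRESHOLD = 2        # requirements valued > 2 go on to the detailed stage


@dataclass
class ThreatVuln:
    """One threat-vulnerability pair attached to an asset."""
    threat: str
    vulnerability: str
    threat_value: int            # assumed to use the same 0..4 scale
    affects: Tuple[str, ...]     # requirement factors this pair can violate


@dataclass
class Asset:
    name: str
    requirements: Dict[str, int]  # factor -> sliding-scale value
    pairs: List[ThreatVuln]


def validate(asset: Asset) -> None:
    """Reject assets whose factors or values fall outside the defined scheme."""
    missing = set(REQUIREMENT_FACTORS) - set(asset.requirements)
    if missing:
        raise ValueError(f"{asset.name}: missing factors {sorted(missing)}")
    for factor, value in asset.requirements.items():
        if factor not in REQUIREMENT_FACTORS:
            raise ValueError(f"{asset.name}: unknown factor {factor!r}")
        if not SCALE_MIN <= value <= SCALE_MAX:
            raise ValueError(f"{asset.name}: {factor}={value} is outside the scale")
    for p in asset.pairs:
        if not SCALE_MIN <= p.threat_value <= SCALE_MAX:
            raise ValueError(f"{asset.name}: threat {p.threat!r} value outside the scale")
        unknown = set(p.affects) - set(REQUIREMENT_FACTORS)
        if unknown:
            raise ValueError(f"{asset.name}: threat {p.threat!r} names unknown factors {sorted(unknown)}")


def asset_value(asset: Asset) -> int:
    """Stage one: overall asset value. Assumed here to be the highest requirement value."""
    return max(asset.requirements.values())


def security_concern(asset: Asset) -> int:
    """Stage one: security concern value, a function of the asset's threats and
    vulnerabilities. Assumed here to be the highest threat value (0 if none)."""
    return max((p.threat_value for p in asset.pairs), default=0)


def consolidated_risk(asset: Asset) -> int:
    """Stage one result: a single risk value per asset (assumed: product)."""
    validate(asset)
    return asset_value(asset) * security_concern(asset)


def detailed_risk(asset: Asset) -> List[Tuple[str, str, str, int]]:
    """Stage two: for each requirement valued above the threshold, list its
    threat-vulnerability pairs with risk = requirement value * threat value (assumed)."""
    validate(asset)
    rows = []
    for factor in REQUIREMENT_FACTORS:
        req = asset.requirements[factor]
        if req <= DETAILED_THRESHOLD:
            continue
        for p in asset.pairs:
            if factor in p.affects:
                rows.append((factor, p.threat, p.vulnerability, req * p.threat_value))
    rows.sort(key=lambda r: r[3], reverse=True)   # highest risk first
    return rows


# Constructed sample asset; values are illustrative only.
CUSTOMER_DB = Asset(
    name="customer database",
    requirements={
        "confidentiality": 4, "integrity": 3, "availability": 2, "authenticity": 2,
        "non_repudiation": 1, "legal": 4, "impact_of_loss": 3,
    },
    pairs=[
        ThreatVuln("external data theft", "unpatched database service", 3,
                   ("confidentiality", "legal")),
        ThreatVuln("insider modification", "shared administrative account", 2,
                   ("integrity", "non_repudiation")),
        ThreatVuln("hardware failure", "no tested backups", 2,
                   ("availability", "impact_of_loss")),
    ],
)

if __name__ == "__main__":
    print(f"{CUSTOMER_DB.name}: consolidated risk = {consolidated_risk(CUSTOMER_DB)}")
    for factor, threat, vuln, risk in detailed_risk(CUSTOMER_DB):
        print(f"  {factor:16} {threat:22} via {vuln:30} risk={risk}")
```

The consolidated stage gives the asset one number, which is useful for ranking assets against each other but hides which requirement drives it; the detailed stage shows that both high-risk rows for this asset trace back to the same threat-vulnerability pair, which is the kind of information a treatment plan needs. Requirements at or below the threshold (availability and authenticity here) never reach the detailed stage even though pairs exist for them, which is the filtering the text describes.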
Another work, by Breier and Hudec, explores the use of security metrics to support risk analysis. Breier and Hudec propose that risk analysis can heavily benefit from the use of information security metrics to “help the management decide whether the control objectives are fulfilled or not” (Breier & Hudec, 2011). The authors define four major security frameworks (Control Objectives for Information Technology, ISO/IEC 17799, Information Technology Infrastructure Library, and US NIST SP 800 Series) which can be used to help “quantify the effectiveness of security controls” (Breier & Hudec, 2011). Breier and Hudec go on to show that the ISO 27000 standards contain control objectives that should be used within an organization to ensure that security needs are being met. The authors show that metrics pulled from these standard control objectives can be utilized to determine if a particular risk factor is adequately accounted for. Finally, Breier and Hudec define a mathematical model for defining the risk...