A Quantitative Model for Information-Security Risk Management

Bojanc, Rok; Jerman-Blažič, Borka

doi:10.1080/10429247.2013.11431972

Cited by 29 publications

(13 citation statements)

References 18 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Many works in the literature explored the economic perspective of information security and cyber threats, regarding its costs, potential losses and necessary investments. There are models for supporting decision makers in evaluating different security investment strategies (Comes, Hiete, Wijngaards, & Schultmann, 2011;Fielder, Panaousis, Malacaria, Hankin, & Smeraldi, 2016), for estimating the return on security investments (Cavusoglu, Mishra, & Raghunathan, 2004;Purser, 2004), and works discussing the assessment and management of risks exposure due to information security threats (Bojanc & Jerman-Blažič, 2008, 2013. Dutta and McCrohan (2002) argue that most of these works did not take into consideration elements such as organizational politics, psychological and cognitive biases.…”

Section: Related Workmentioning

confidence: 99%

Towards the Definition of a Dynamic and Systemic Assessment for Cybersecurity Risks

et al. 2018

View full text Add to dashboard Cite

Nowadays, our society is increasingly becoming economically and socially dependent on the cyberspace. However, the cyberspace is exposed to numerous risks, and there is a constant threat of exploitable vulnerabilities, which could cause significant reputational and economic damages. For addressing these threats, the Italian National Cyber Security Framework was developed to offer an approach to assessing cyber risks into organizations, as well as to help improve the related security through focused investments. Still, this evaluation is not a straightforward endeavour. Using the principles of the Systems Thinking paradigm, this work puts into causal relationships the self‐assessment risk‐categories by associating them to the various aspects of an organization structure used as a case study (composed of business areas and process). Finally, it presents a systemic causal‐effect relationship map capable of evidencing how a change in one or more categories could impact other security‐related elements of the company. © 2018 John Wiley & Sons, Ltd.

show abstract

Section: Related Workmentioning

confidence: 99%

Towards the Definition of a Dynamic and Systemic Assessment for Cybersecurity Risks

et al. 2018

View full text Add to dashboard Cite

show abstract

“…A risk is defined as the effect of uncertainty on objectives [4]; while risk assessment is the process of identifying, evaluating and prioritising risks [5]. Information security risks lead to a deviation from the expected results for which security controls were implemented, and they impact the objectives of the information asset including its financial, safety or productivity goals.…”

Section: Introductionmentioning

confidence: 99%

Cyber risk assessment in cloud provider environments: Current models and future needs

Akinrolabu

Nurse

Martin

et al. 2019

Computers & Security

View full text Add to dashboard Cite

show abstract

“…The use of cyber-physical systems (CPSs) is constantly increasing, which means that most organizations are becoming increasingly reliant on information systems [1]. Information security governance is an increasingly critical component of organizational management, and an overall system security structure that covers the attributes of a CPS environment is required [2] [3]. Currently, organizations are collectively measuring and evaluating the capability of information security management; however, objectively evaluating a target system is difficult because security-level evaluation systems are not based on the individual characteristics of an organization or the organization's information security activities [4].…”

Section: Introductionmentioning

confidence: 99%

Advanced approach to information security management system utilizing maturity models in critical infrastructure

You¹,

Oh²,

Kim

et al. 2018

KSII TIIS

View full text Add to dashboard Cite

As the area covered by the CPS grows wider, agencies such as public institutions and critical infrastructure are collectively measuring and evaluating information security capabilities. Currently, these methods of measuring information security are a concrete method of recommendation in related standards. However, the security controls used in these methods are lacking in connectivity, causing silo effect. In order to solve this problem, there has been an attempt to study the information security management system in terms of maturity. However, to the best of our knowledge, no research has considered the specific definitions of each level that measures organizational security maturity or specific methods and criteria for constructing such levels. This study developed an information security maturity model that can measure and manage the information security capability of critical infrastructure based on information provided by an expert critical infrastructure information protection group. The proposed model is simulated using the thermal power sector in critical infrastructure of the Republic of Korea to confirm the possibility of its application to the field and derive core security processes and goals that constitute infrastructure security maturity. The findings will be useful for future research or practical application of infrastructure ISMSs.

show abstract

A Quantitative Model for Information-Security Risk Management

Cited by 29 publications

References 18 publications

Towards the Definition of a Dynamic and Systemic Assessment for Cybersecurity Risks

Towards the Definition of a Dynamic and Systemic Assessment for Cybersecurity Risks

Cyber risk assessment in cloud provider environments: Current models and future needs

Advanced approach to information security management system utilizing maturity models in critical infrastructure

Contact Info

Product

Resources

About