Introducing OCTAVE Allegro: Improving the Information Security Risk Assessment Process

Caralli, Richard A.; Stevens, James; Young, Lisa R.; Wilson, W. R. D.

doi:10.21236/ada470450

Cited by 228 publications

(227 citation statements)

References 1 publication

Supporting

Mentioning

206

Contrasting

Unclassified

Order By: Relevance

“…Using system scanning tools would improve identifying technical issues in the SRA, but tool-based vulnerability identification is time-consuming and momentum is lost (Caralli et al, 2007).…”

Section: Vulnerability Results Accuracy At the Ara And Sramentioning

confidence: 99%

“…In the approaches of InnerhoferOberperfler and Breu (Innerhofer-Oberperfler and Breu, 2006), Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) (Alberts et al, 2003), OCTAVE Allegro (Caralli et al, 2007), conditions or situations that can threaten an organization's information assets" (Caralli et al, 2007): 18) can be used for vulnerability identification. In NIST SP 800-30 (Stoneburner et al, 2002), vulnerability knowledge bases, system security testing and a security requirements' checklist are all used for vulnerability identification.…”

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

Resolving vulnerability identification errors using security requirements on business process models

Taubenberger

Jürjens

et al. 2013

Information Management &Amp; Computer Security

View full text Add to dashboard Cite

Purpose -In any information security risk assessment, vulnerabilities are usually identified by information-gathering techniques. However, vulnerability identification errors -wrongly identified or unidentified vulnerabilities -can occur as uncertain data are used. Furthermore, businesses' security needs are not considered sufficiently. Hence, security functions may not protect business assets sufficiently and cost-effectively.Design/methodology/approach -This paper aims to resolve vulnerability errors by analysing the security requirements of information assets in business process models. Business process models have been selected for use, because there is a close relationship between business process objectives and risks.Security functions are evaluated in terms of the information flow of business processes regarding their security requirements. The claim that vulnerability errors can be resolved was validated by comparing the results of a current risk assessment approach with the proposed approach. The comparison is conducted both at three entities of an insurance company, as well as through a controlled experiment within a survey among security professionals.Findings -Vulnerability identification errors can be resolved by explicitly evaluating security requirements in the course of business; this is not considered in current assessment methods.Research limitations/implications -Security requirements should be explicitly evaluated in risk assessments considering the business context. Results of any evaluation of security requirements could be used to indicate the security of information. The approach was only tested in the insurance domain and therefore results may not be applicable to other business sectors.Originality/value -It is shown that vulnerability identification errors occur in practice. With the explicit evaluation of security requirements, identification errors can be resolved. Risk assessment methods should consider the explicit evaluation of security requirements.

show abstract

Section: Vulnerability Results Accuracy At the Ara And Sramentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

Resolving vulnerability identification errors using security requirements on business process models

Taubenberger

Jürjens

et al. 2013

Information Management &Amp; Computer Security

View full text Add to dashboard Cite

show abstract

“…Several RA methodologies and tools have been developed; some focus on the assets (CRAMM, 2010;Caralli et al, 2007; http://www.ar-tools.com/en/tools/pilar/) and others on the business processes (de Haes and Debreceny, 2013;Simonsson et al, 2007). Other methodologies focus on the risk derived from CI dependencies (Stergiopoulos et al, 2016a;Kotzanikolaou et al, 2013aKotzanikolaou et al, , 2013bKotzanikolaou et al, , 2013cAlpcan and Bambos, 2009) and their potential cascading effects.…”

Section: Motivationmentioning

confidence: 99%

“…Asset-based methodologies like MAGERIT, CORAS and MEHARI involve their users in the assessment (Amutio et al, 2014;CLUSIF, 2010;CORAS, 2010). CRAMM, OCTAVE and RiskSafe require extensive standardised documentation throughout RA to ensure traceability of results (CRAMM, 2010;Platinum Squared, 2014;Caralli et al, 2007). In addition, each of these RA methods demands a knowledgeable team (analysts, system administrators, users, etc.)…”

Section: Literature Reviewmentioning

confidence: 99%

A process-based dependency risk analysis methodology for critical infrastructures

Stergiopoulos

Kouktzoglou

Theocharidou

et al. 2017

IJCIS

View full text Add to dashboard Cite

This paper applies research in dependency modelling to a process-based risk assessment methodology suitable for critical infrastructures. The proposed methodology dynamically assesses the evolution of cascading failures over time between assets involved in a business process of an infrastructure. This approach can be applied by a CI operator/owner to explore how a failure in a single component (asset) affects the other assets and relevant business processes. It could also be applied in an analysis that includes multiple CI operators in the same supply chain to explore the dependencies between their assets and explore how these affect the provision of key societal services. The paper presents a proof-of-concept tool, based on business-process risk assessment and graph modelling, and a realistic case example of a rail scheduling process. The approach allows risk assessors and decision makers to analyse and identify critical dependency chains and it can reveal underestimated risks due to dependencies.Keywords: risk assessment; business process; asset; dependency; cascading failures; risk chains; likelihood; impact; critical infrastructure. A process-based dependency risk analysis methodology 185Reference to this paper should be made as follows: Stergiopoulos, G., Kouktzoglou, V., Theocharidou, M. and Gritzalis, D. (2017) 'A process-based dependency risk analysis methodology for critical infrastructures', Int.

show abstract

“…Most academic approaches suggest a graphical notation, starting from the seminal work on Anti-Goals [1] to [2] and more recently [3]. Industry opts for tabular models like OCTAVE [4], ISO 27005 and NIST 800-30. Microsoft STRIDE [5] is the exception on the industry side and SREP [6] is the exception on the academic side.…”

Section: Introductionmentioning

confidence: 99%

On the Equivalence Between Graphical and Tabular Representations for Security Risk Assessment

Labunets

Massacci

Paci

2017

Requirements Engineering: Foundation for Software Quality

View full text Add to dashboard Cite

Abstract.[Context] Many security risk assessment methods are proposed both in academia (typically with a graphical notation) and industry (typically with a tabular notation).[Question] We compare methods based on those two notations with respect to their actual and perceived efficacy when both groups are equipped with a domain-specific security catalogue (as typically available in industry risk assessments).[Results] Two controlled experiments with MSc students in computer science show that tabular and graphical methods are (statistically) equivalent in quality of identified threats and security controls. In the first experiment the perceived efficacy of tabular method was slightly better than the graphical one, and in the second experiment two methods are perceived as equivalent.[Contribution] A graphical notation does not warrant by itself better (security) requirements elicitation than a tabular notation in terms of the quality of actually identified requirements.

show abstract

Introducing OCTAVE Allegro: Improving the Information Security Risk Assessment Process

Cited by 228 publications

References 1 publication

Resolving vulnerability identification errors using security requirements on business process models

Resolving vulnerability identification errors using security requirements on business process models

A process-based dependency risk analysis methodology for critical infrastructures

On the Equivalence Between Graphical and Tabular Representations for Security Risk Assessment

Contact Info

Product

Resources

About