Introduction to the OCTAVE Approach

Alberts, Christopher; Dorofee, Audrey; Stevens, James; Woody, Carol

doi:10.21236/ada634134

Cited by 201 publications

(172 citation statements)

References 0 publications

Supporting

Mentioning

164

Contrasting

Unclassified

Order By: Relevance

“…CORAS (Braber et al, 2007;Vorster and Labuschagne, 2005;Bornman and Labuschagne, 2004;Aagedal et al, 2002;Fredriksen et al, 2002;Raymond, 1993;Lund et al, 2011;Dahl, 2008;Refsdal, 2011a,b) iii. OCTAVE (Vorster and Labuschagne, 2005;Bornman and Labuschagne, 2004;Alberts et al, 2003;Sarkheyli and Ithnin, 2010;Albert and Dorofee, 2001;Alberts et al, 2001;Elky, 2006;Visintine, 2003) The reason for the selection of various types of methods for comparison is because they have been well documented. The majority of ISRA methods are proprietary with very little publicly available information apart from marketing literature.…”

Section: Information Security Risk Management Methodologiesmentioning

confidence: 99%

See 1 more Smart Citation

A conceptual framework of info structure for information security risk assessment (ISRA)

Shamala

Ahmad

Yusoff

2013

Journal of Information Security and Applications

View full text Add to dashboard Cite

Section: Information Security Risk Management Methodologiesmentioning

confidence: 99%

“…Table 1 illustrates the list of ISRA methodologies issued by organizations. All the ISRA methodologies have been developed along with supporting tools and documentation that tailor security control implementations to organizations (Braber et al, 2007;Alberts et al, 2003;Stolen et al, 2002;Yazar, 2002).…”

Section: Background Of Risk Assessmentmentioning

confidence: 99%

A conceptual framework of info structure for information security risk assessment (ISRA)

Shamala

Ahmad

Yusoff

2013

Journal of Information Security and Applications

View full text Add to dashboard Cite

“…In the approaches of InnerhoferOberperfler and Breu (Innerhofer-Oberperfler and Breu, 2006), Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) (Alberts et al, 2003), OCTAVE Allegro (Caralli et al, 2007), conditions or situations that can threaten an organization's information assets" (Caralli et al, 2007): 18) can be used for vulnerability identification. In NIST SP 800-30 (Stoneburner et al, 2002), vulnerability knowledge bases, system security testing and a security requirements' checklist are all used for vulnerability identification.…”

Section: Related Workmentioning

confidence: 99%

Resolving vulnerability identification errors using security requirements on business process models

Taubenberger

Jürjens

et al. 2013

Information Management &Amp; Computer Security

View full text Add to dashboard Cite

Purpose -In any information security risk assessment, vulnerabilities are usually identified by information-gathering techniques. However, vulnerability identification errors -wrongly identified or unidentified vulnerabilities -can occur as uncertain data are used. Furthermore, businesses' security needs are not considered sufficiently. Hence, security functions may not protect business assets sufficiently and cost-effectively.Design/methodology/approach -This paper aims to resolve vulnerability errors by analysing the security requirements of information assets in business process models. Business process models have been selected for use, because there is a close relationship between business process objectives and risks.Security functions are evaluated in terms of the information flow of business processes regarding their security requirements. The claim that vulnerability errors can be resolved was validated by comparing the results of a current risk assessment approach with the proposed approach. The comparison is conducted both at three entities of an insurance company, as well as through a controlled experiment within a survey among security professionals.Findings -Vulnerability identification errors can be resolved by explicitly evaluating security requirements in the course of business; this is not considered in current assessment methods.Research limitations/implications -Security requirements should be explicitly evaluated in risk assessments considering the business context. Results of any evaluation of security requirements could be used to indicate the security of information. The approach was only tested in the insurance domain and therefore results may not be applicable to other business sectors.Originality/value -It is shown that vulnerability identification errors occur in practice. With the explicit evaluation of security requirements, identification errors can be resolved. Risk assessment methods should consider the explicit evaluation of security requirements.

show abstract

“…This step depends on the risk methodologies used. Most of the existing methods rely on the combination on knowledge extracted from questionnaires and interviews [19] [20]. Others [10] [21], use predefined risk factors for each identified vulnerability, based on the estimation of experts who studied the likelihood of occurrence of vulnerability exploits.…”

Section: B Risk Identificationmentioning

confidence: 99%

Towards the Security Evaluation of Biometric Authentication Systems

El-Abed¹,

Giot²,

Hemery³

et al. 2012

IJET

View full text Add to dashboard Cite

Abstract-Despite the obvious advantages of biometric authentication systems over traditional security ones (based on tokens or passwords), they are vulnerable to attacks which may considerably decrease their security. In order to contribute in resolving such problematic, we propose a modality-independent evaluation methodology for the security evaluation of biometric systems. It is based on the use of a database of common threats and vulnerabilities of biometric systems, and the notion of risk factor. The proposed methodology produces a security index which characterizes the overall security level of biometric systems. We have applied it on two different biometric systems (one research laboratory implementation of keystroke dynamics and a commercial system for physical access control using fingerprints) for clarifying its benefits.

show abstract

Introduction to the OCTAVE Approach

Cited by 201 publications

References 0 publications

A conceptual framework of info structure for information security risk assessment (ISRA)

A conceptual framework of info structure for information security risk assessment (ISRA)

Resolving vulnerability identification errors using security requirements on business process models

Towards the Security Evaluation of Biometric Authentication Systems

Contact Info

Product

Resources

About