Key Issues In The Development Of Risk Analysis Methodologies And Tools
Price
Free (open access)
Transaction
Volume
82
Pages
10
Published
2005
Size
326 kb
Paper DOI
10.2495/SAFE050131
Copyright
WIT Press
Author(s)
G. Carducci, P. Migliaccio & E. Montolivo
Abstract
This paper describes the real-world experience of the authors, who in the past three years have been involved in a project aiming at the definition of a risk analysis methodology and at the development of an automated risk management tool (named Defender Manager©) which is suitable for information security applications.

Keywords: risk analysis, risk management, information security, threats, vulnerabilities.

1 Introduction

Risk analysis is the process of estimating the potential losses that may result from the occurrence of certain threats. It forms the basis for establishing a cost-effective risk management program suitable to reduce these losses to an acceptable level. Although risk analysis is usually considered the only consistent approach to selecting the most appropriate safeguards, a well-defined and widely accepted risk analysis methodology suitable for information security applications (including information and communication technology scenarios) is still lacking, and even the taxonomy in this sector is often somewhat confusing.

This paper describes the real-world experience of the authors, who in the past three years have been involved in a project aiming at the definition of a risk analysis methodology and at the development of a proprietary automated risk management tool (named Defender Manager©) suitable for information security applications. Key issues in the definition of risk analysis methodologies, as they arose during the project, are analysed. These include: defining a taxonomy for threats, attacks, vulnerabilities and risk; defining a metric for rating vulnerabilities and safeguards; building a database of threats, attacks and
Keywords
risk analysis, risk management, information security, threats, vulnerabilities.