Information Security Risk Assessment: Comparison
Please note this is a comparison between Version 2 by Nora Tang and Version 1 by Ievgeniia Kuzminykh.

Information security risk assessment is an important part of an enterprise’s management practices: it helps to identify, quantify, and prioritize risks against the organization’s criteria for risk acceptance and its relevant objectives. Risk management refers to a process of identifying, managing, and eliminating or reducing the likelihood of events that can negatively affect the resources of the information system, so as to reduce the security risks that could affect that system, subject to an acceptable cost of the protection means. This process includes a risk analysis, an analysis of the “cost-effectiveness” parameter, the selection, construction, and testing of the security subsystem, and the study of all aspects of security.
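As an added illustration of the identify/quantify/prioritize cycle and the acceptable-cost-of-protection constraint described above (example code written for this page; it is not part of the entry nor of OCTAVE, CRAMM, RiskWatch or any other method the entry names), the following Python snippet scores a constructed risk register on an ordinal likelihood × impact matrix, compares each score against an assumed acceptance threshold, and applies the common annualized-loss-expectancy comparison to decide whether a candidate control is cost-effective. The register rows, the threshold `RISK_ACCEPTANCE_SCORE`, and all control figures are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Risk:
    """One row of a risk register (constructed example; values are illustrative)."""
    asset: str
    threat: str
    likelihood: int          # ordinal 1 (rare) .. 5 (almost certain)
    impact: int              # ordinal 1 (negligible) .. 5 (severe)
    annual_rate: float       # expected occurrences per year (ARO)
    loss_per_event: float    # expected loss per occurrence (SLE), currency units


@dataclass(frozen=True)
class Control:
    """A candidate protection measure and the residual risk it leaves (assumed figures)."""
    name: str
    annual_cost: float
    residual_rate: float     # ARO once the control is in place
    residual_loss: float     # SLE once the control is in place


# Assumption: scores at or below this value fall within the organisation's
# risk acceptance criteria and need no further treatment.
RISK_ACCEPTANCE_SCORE = 6


def risk_score(risk: Risk) -> int:
    """Qualitative score on a 5x5 likelihood/impact matrix."""
    return risk.likelihood * risk.impact


def requires_treatment(risk: Risk) -> bool:
    """A risk is accepted only if its score is within the acceptance criterion."""
    return risk_score(risk) > RISK_ACCEPTANCE_SCORE


def prioritize(register: List[Risk]) -> List[Risk]:
    """Highest score first; ties broken by impact so severe-consequence risks surface first."""
    return sorted(register, key=lambda r: (risk_score(r), r.impact), reverse=True)


def annual_loss_expectancy(rate: float, loss: float) -> float:
    """ALE = ARO x SLE, the usual quantitative measure of a risk's yearly cost."""
    return rate * loss


def control_net_benefit(risk: Risk, control: Control) -> float:
    """Yearly loss avoided by the control minus what the control itself costs."""
    before = annual_loss_expectancy(risk.annual_rate, risk.loss_per_event)
    after = annual_loss_expectancy(control.residual_rate, control.residual_loss)
    return before - after - control.annual_cost


def is_cost_effective(risk: Risk, control: Control) -> bool:
    """The cost-effectiveness check: protection must cost less than the loss it prevents."""
    return control_net_benefit(risk, control) > 0


def treatment_plan(register: List[Risk], controls: Dict[str, Control]) -> List[Tuple[str, str]]:
    """Walk the prioritized register and decide, per risk, what to do."""
    plan = []
    for risk in prioritize(register):
        if not requires_treatment(risk):
            plan.append((risk.asset, "accept"))
            continue
        control = controls.get(risk.asset)
        if control is None:
            plan.append((risk.asset, "treat: no control proposed yet"))
        elif is_cost_effective(risk, control):
            plan.append((risk.asset, f"treat: {control.name}"))
        else:
            plan.append((risk.asset, f"reconsider: {control.name} costs more than it saves"))
    return plan


# Constructed register and controls (illustrative figures only).
REGISTER = [
    Risk("customer database", "SQL injection", 4, 5, 0.5, 200_000.0),
    Risk("build server", "unauthorised access", 2, 3, 0.2, 50_000.0),
    Risk("office printer", "paper jam", 5, 2, 12.0, 50.0),
]

CONTROLS = {
    "customer database": Control("parameterised queries + WAF", 30_000.0, 0.05, 200_000.0),
    "office printer": Control("on-site maintenance contract", 2_000.0, 2.0, 50.0),
}

if __name__ == "__main__":
    for asset, action in treatment_plan(REGISTER, CONTROLS):
        print(f"{asset:18s} -> {action}")
```

The two scales are kept separate on purpose: the ordinal matrix drives prioritization and the acceptance decision, while the monetary ALE figures drive the cost-effectiveness decision, so a high-priority risk can still end up with its proposed control rejected when the control costs more than the loss it prevents.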

  • information risk management
  • security risk assessment
  • risk classification
  • OCTAVE
  • CRAMM
  • RiskWatch
  • fuzzy logic
