Information risk: research methods and techniques, models and methods of risk identification
DOI:
https://doi.org/10.18372/2410-7840.15.5731Keywords:
Information security, standards of risk management of information security, risk assessment methods, research investment in information security, psycho of attackersAbstract
Legal documents in the field of information security, information risk assessment methods are considered, including economic-cost models to identify the probability parameters and structure of information risks, and applying these models to analyze investment in information security. Of course, for an adequate assessment of information risks and optimizing investments in information security used approaches and procedures, which are based on existing international standards of information security risk management. Unfortunately, these standards are more conceptual and advisory in nature. Based on this situation, many factors aren’t considered into account, which significantly affects the accuracy and objectivity of risk assessment. Economic-cost approach for analysis of risks, including well-known model of Gordon-Loeb, is focused mainly on the study of optimization aspects of risk management, but virtually eliminates the possibility of considering into account the specificity of these studies, the risk of a real object. It’s suggested that models, which use heuristic cost-motivational mechanisms to determine the parameters and structure of risks. These models allow combining methods of analysis and risk assessment methods, which are set out in international standards, with the possibilities of optimization researches of risk, inherent in the Gordon-Loeb model. In order to ensure more adequacy of these models to requirements of practical application, it’s proposed to input into their structure the psycho - social characteristics of the attacker.
References
Андрощук Г.А., Крайнев П.П. Экономическая безопасность предприятия: защита коммерческой тайны. — К.: Изд. Дом «Ин Юре», 2000. — 400с.
Архипов А.Е. Применение среднего риска для оценивания эффективности защиты информационных систем.// Правове, нормативне та метрологічне забезпечення системи захисту інформації в Україні.// науково-техн. зб. — Київ,
- Вип. 1(14). - с.60-67.
Архипов А.Є., Архипова С.А. Применения мотивационно-стоимостных моделей для описания вероятностных соотношений в системе «атака-защита» / /Правове, нормативне та метрологічне забезпечення системи захисту інформації в Україні, 1(16) вип., 2008р.
Архипов А.Е. Об особенностях оценивания вероятностей, используемых для вычисления информационных рисков. // Інтелектуальні системи прийняття рішень та проблеми обчислювального інтелекту: Матеріали міжнародної наукової конфе¬ренції (ISDMCI '2010). Том 2. — Херсон: ХНТУ, 2010. - 590с, с.515-517.
Архипов А.Е. Применение экономико-мотивационных соотношений для оценивания вероятностных параметров информационных рисков // Захист інформації — 2011. — №2 (51) — С.69-76.
Архипов А.Е. Особенности анализа рисков в информационно-коммуникационных системах / / Захист інформації — 2012. — №4 (57) — С.18-27.
Левченко Є.Г., Рабчун А.О. Оптимізаційні задачі менеджменту інформаційної безпеки // Сучасний захист інформації. — 2010.- №1. — С.16-23.
Левченко Є.Г., Демчишин М.В., Рабчун А.О. Математичні моделі економічного менеджменту інформаційної безпеки // Системні дослідження та інформаційні технології. — 2011-№4. — С.88-96.
Марцынковский Д.А., «Руководство по риск- менеджменту» / Марцынковский Д.А., Влади-мирцев А.В., Марцынковский О.А. / / Ассоциация по сертификации «Русский Регистр». — Санкт- Петербург: Береста, 2007. 10.
Олександрович Г.Я. Автоматизация оценки информационных рисков компании/ Олександрович Г.Я., Нестеров С.А., Петренко С.А / / Защита информации. Конфидент. — 2003 — № 2 — С. 78-81.
Симонов С. Анализ рисков, управление рисками // Jetlnfo — № 1 — 1999 .
Симонов С. Технологии и инструментарии для управления рисками // Jet Info — № 2 — 2003.
AS/NZS 4360:2004 (In the form of AS/NZS ISO 31000:2009 — Principles and Guidelines on Implementation).
BS 31100:2011 Risk management. Code of practice and guidance for the implementation of BS ISO 31000.
BS 7799-3:2006 Information security management systems. Guidelines for information security risk management.
Gordon L.A., Loeb M.P. (2002), "The Economics of Information Security Investment", ACM Transaction on Information and System Security, Vol.5, No4, pp.438-457.
Huang, C.D./ Hu, Q., and Behara, R.S., Economics of Information Security Investment in the Case of Simultaneous Attacks, Proceedings of the Fifth
Workshop on the Economics of Information Security. June 26-28, 2006, Cambridge, England.
ISO/IEC 16085:2006 Systems and software engineering — Life cycle processes - Risk management.
ISO/IEC 17799:2005 — Information technology — Security techniques — Code of practice for information security management.
ISO/IEC 27005 — Information security risk management.
ISO/IEC TR 13335-3:1998 Information technology — Guidelines for the management of IT Security — Part 3: Techniques for the management of IT Security.
ISO/IEC TR 13335-4:2000 Information technology - Guidelines for the management of IT Security — Part 4: Selection of safeguards.
LAWRENCE A. GORDON and MARTIN P. LOEB “The Economics of Information Security Investment” ACM Transaction on Information and System Security, Vol.5, No4, November 2002, Pages 438-457.
NIST Special Publication 800-30 - Risk Management Guide for Information Technology Systems — Recommendations of the National Institute of Standards.
Willemson J., Extending the Gordon&Loeb Model for Information Security Investment. The Fifth International Conference on Availability, Reliability and Security ARES 2010, IEEE, 2010.
Androschuk G.A, Kraynev P.P. (2000), “Economic safety of company: Security of commercial information”, K. Ed. House" Eun Ure.
Arhypov A.E. (2007), “Application of average risk for assessment of effectiveness of information systems”, Legal, regulatory and metrology systems of information security in Ukraine, Issue 1(14), pp.60-67.
Arhypov A.E., Arhypova A.S. (2008), "Application of motivational-cost models for descriptions of probability value in the system" attack — defense", Legal, regulatory and metrological assurance of information security in Ukraine, Vol. 1(16).
Arhypov A.E. (2010), “About the features of estimation the probabilities used to calculate information risks”, Intelligent Decision Support Systems and Problems of Computational Intelligence: Proceedings of the International Scientific Conference (ISDMSI '2010), Vol2., pp.515-517.
Arhypov A.E. (2011), “Application of economic and motivational-cost for descriptions of probability value of information risks”, Information Security, Vol.2 (51), pp.69-76.
Arhypov A.E. (2012), “Features of the analysis of risks in information and communication systems”, Information Security, Vol.4 (57), pp.18-27.
Levchenko E.G., Rabchun A.O. (2010), “Optimization problem of information security management”, Modern information security, Vol.1, pp.16-23.
Levchenko E.G., Demchishin M.V., Rabchun A.O. (2011), “Mathematical model of economic management of information security”, System Research and Information Technology, Vol.4, pp.88 -96.
Martsynkovsky D.A., Vladimirtsov A.V., Martsynkovsky O.A. (2007), “Guide to Risk Management”, Association of certification for "Russian Rehystr”.
Oleksandrovych G.Y, Nesterov S.A., Petrenko S.A. (2003), “Automation Location of information risks”, Information Security. Konfydent, Vol.2, pp. 78-81.
Simonov S. (2003), “Risk Analysis, Risk Management”, Jet Info Vol.1.
Simonov S. (2003), “Technology and instruments for Risk management”, Jet Info Vol.2.
AS/NZS 4360:2004 (In the form of AS/NZS ISO 31000:2009 - Principles and Guidelines on Implementation).
BS 31100:2011 Risk management. Code of practice and guidance for the implementation of BS ISO 31000.
BS 7799-3:2006 Information security management systems. Guidelines for information security risk management.
Gordon L.A., Loeb M.P. (2002), "The Economics of Information Security Investment", ACM Transaction on Information and System Security, Vol.5, No4, pp.438-457.
Huang, C.D./ Hu, Q., and Behara, R.S., Economics of Information Security Investment in the Case of Simultaneous Attacks, Proceedings of the Fifth Workshop on the Economics of Information Security. June 26-28, 2006, Cambridge, England.
ISO / IEC 16085:2006 Systems and software engineering - Life cycle processes - Risk management.
ISO / IEC 17799:2005 - Information technology - Security techniques - Code of practice for information security management.
ISO / IEC 27005 - Information security risk management.
ISO / IEC TR 13335-3:1998 Information technology- Guidelines for the management of IT Security - Part 3: Techniques for the management of IT Security.
ISO / IEC TR 13335-4:2000 Information technology- Guidelines for the management of IT Security - Part 4 : Selection of safeguards.
LAWRENCE A. GORDON and MARTIN P. LOEB “The Economics of Information Security Investment” ACM Transaction on Information and System Security, Vol.5, No4, November 2002, Pages 438-457.
NIST Special publication 800-30 - Risk Management Guide for Information Technology Systems - Recommendations of the National Institute of Standards.
Willemson J. (2010), “Extending the Gordon & Loeb Model for Information Security Investment”, The Fifth International Conference on Availability, Reliability and Security ARES 2010, IEEE, 2010.
Downloads
Issue
Section
License
Authors who publish with this journal agree to the following terms:- Authors retain copyright and grant the journal right of first publication with the work simultaneously licensed under a Creative Commons Attribution License that allows others to share the work with an acknowledgement of the work's authorship and initial publication in this journal.
- Authors are able to enter into separate, additional contractual arrangements for the non-exclusive distribution of the journal's published version of the work (e.g., post it to an institutional repository or publish it in a book), with an acknowledgement of its initial publication in this journal.
- Authors are permitted and encouraged to post their work online (e.g., in institutional repositories or on their website) prior to and during the submission process, as it can lead to productive exchanges, as well as earlier and greater citation of published work (See The Effect of Open Access).