A quantitative approach To assess information security related risks

Abstract

Nowadays providing information security (IS) assurance becomes one of key aspects for many organizations worldwide. This is caused not only by desire of management to protect sensitive information fed by growing hackers' activity but also by recent enforcement of legal requirements and industry regulations. One of the required procedures to manage information security is regular performing of IS risk assessment. Though there already are several approaches proposed to measure IS related risk, they are either inapplicable to real enterprises' IT landscapes or are of qualitative nature (based on subjective decisions of implementation team) and thus could suffer from significant degree of speculation. The purpose of this paper is to present a quantitative approach for effective and efficient assessment of IS related risks which can be easily applied to any enterprise. A key feature of proposed approach is that it does not suffer from subjective considerations and relies on statistical data. Other relevant features are: maintenance cost reduction and possibility to prioritize and compare security initiatives. © 2009 IEEE.