A Quantitative Framework for Dependency-Aware Organizational IT Risk Management
Abstract
In this paper, we introduce a new scheme for performing IT Risk Management within organizational domains. It adopts a business process-oriented view which integrates risk assessment, vulnerability assessment and risk mitigation into a quantitative framework. Taking asset dependencies into account, we map business process values to IT hardware components in a hierarchical fashion and combine this with IT system vulnerability and threat analysis to derive risk scores at the IT hardware system level. We then apply mathematical algorithms for computing cost-optimal quantitative mitigation strategies given a set of available mitigation actions. We illustrate the entire integrated process by means of a case study and show that considerable risk savings can be obtained.
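The pipeline the abstract sketches (business process values pushed down a dependency hierarchy to hardware, combined with per-component compromise likelihood into risk scores, then a cost-optimal choice of mitigations) as an added illustrative model; this is not the paper's own algorithm or case study, and the assets, dependency weights, likelihoods and mitigation costs below are constructed for illustration.

```python
from itertools import combinations

# Constructed example: business processes depend on IT services, which depend on hardware.
# Business value (e.g. kEUR per year at stake) is assigned only at the process level.
PROCESS_VALUE = {"order_handling": 500.0, "billing": 300.0}
# Dependency hierarchy: asset -> {supporting asset: share of the value attributed to it}.
DEPENDS_ON = {
    "order_handling": {"web_app": 0.6, "db_service": 0.4},
    "billing": {"db_service": 1.0},
    "web_app": {"srv-web": 1.0},
    "db_service": {"srv-db": 0.7, "san-1": 0.3},
}
# Per-hardware probability of successful compromise from vulnerability and threat analysis.
LIKELIHOOD = {"srv-web": 0.4, "srv-db": 0.2, "san-1": 0.1}
# Candidate mitigations: name -> (hardware asset, cost, likelihood after applying it).
MITIGATIONS = {
    "patch_web": ("srv-web", 20.0, 0.1),
    "harden_db": ("srv-db", 30.0, 0.05),
    "san_redundancy": ("san-1", 40.0, 0.02),
}

def hardware_values(process_value, depends_on):
    """Push each process value down the hierarchy; leaves (hardware) accumulate value."""
    values = {}
    def push(asset, value):
        children = depends_on.get(asset)
        if not children:  # no further dependencies: a hardware component
            values[asset] = values.get(asset, 0.0) + value
            return
        for child, share in children.items():
            push(child, value * share)
    for proc, val in process_value.items():
        push(proc, val)
    return values

def risk_scores(values, likelihood):
    """Risk per hardware component = value at stake * likelihood of compromise."""
    return {hw: values[hw] * likelihood[hw] for hw in values}

def best_mitigation_set(values, likelihood, mitigations, budget):
    """Exhaustively pick the subset within budget minimising residual risk plus cost."""
    best = {"actions": set(), "cost": 0.0, "residual_risk": sum(risk_scores(values, likelihood).values())}
    for r in range(1, len(mitigations) + 1):
        for subset in combinations(mitigations, r):
            cost = sum(mitigations[n][1] for n in subset)
            if cost > budget:
                continue
            lk = dict(likelihood)
            for n in subset:
                hw, _, new_l = mitigations[n]
                lk[hw] = min(lk[hw], new_l)  # a mitigation never increases likelihood
            residual = sum(risk_scores(values, lk).values())
            if residual + cost < best["residual_risk"] + best["cost"]:
                best = {"actions": set(subset), "cost": cost, "residual_risk": residual}
    return best
```

With a budget of 60 the model selects patching the web server and hardening the database host, while the SAN redundancy measure is rejected because its cost exceeds the risk it removes.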