A Quantitative Framework for Dependency-Aware Organizational IT Risk Management

Abstract

In this paper, we introduce a new scheme for performing IT Risk Management within organizational domains. It adopts a business process-oriented view which integrates risk assessment, vulnerability assessment and risk mitigation into a quantitative framework. Taking the asset dependencies into account, we map business process values to IT hardware components in a hierarchical fashion and combine it with IT system vulnerability and threat analysis to derive risk scores on a IT hardware system level. We then apply mathematical algorithms for computing cost-optimal quantitative mitigation strategies given a set of available mitigation actions. We illustrate the entire integrated process by means of a case study and show that considerable risk savings can be obtained.

@INPROCEEDINGS{Schmidt2010:Quantitative,
AUTHOR="Stephan Schmidt and Sahin Albayrak",
TITLE="A Quantitative Framework for {Dependency-Aware} Organizational {IT} Risk
Management",
BOOKTITLE="The Tenth International Conference on Intelligent System Design and
Applications (ISDA 2010)",
ADDRESS="Cairo, Egypt",
DAYS=29,
MONTH=11,
YEAR=2010,
KEYWORDS="IT Risk Management, Quantitative Methods, Risk Assessment, Risk Mitigation",
ABSTRACT="In this paper, we introduce a new scheme for performing IT Risk Management
within organizational domains. It adopts a business process-oriented view
which integrates risk assessment, vulnerability assessment and risk
mitigation into a quantitative framework. Taking the asset dependencies
into account, we map business process values to IT hardware components in a
hierarchical fashion and combine it with IT system vulnerability and threat
analysis to derive risk scores on a IT hardware system level. We then apply
mathematical algorithms for computing cost-optimal quantitative mitigation
strategies given a set of available mitigation actions. We illustrate the
entire integrated process by means of a case study and show that
considerable risk savings can be obtained."
}
Autoren:
Stephan Schmidt, Sahin Albayrak
Kategorie:
Tagungsbeitrag
Jahr:
2010
Ort:
Proc. of the 10th Int. Conf. on Intelligent System Design and Applications (ISDA 2010)