The Center for Education and Research in Information Assurance and Security (CERIAS)


Developing a Risk Management System for Information Systems Security Incidents

Author

Fariborz Farahmand

Entry type

phdthesis

Key alpha

Farahmand

School

Georgia Institute of Technology

Publication Date

2001-01-01

Contents

List of Tables (p. x)
List of Figures (p. xi)
Summary (p. xii)
Chapter 1 Overview of Research (p. 1)
Chapter 2 Information Security: Practice and Threats in Organizations (p. 6)
  2.1 The State of the Art of Security Practice in Businesses (p. 7)
  2.2 The Nature of Security Threats (p. 10)
  2.3 Deploying Resources in Information Security (p. 13)
  2.4 Security Standards and Overview of Common Criteria (p. 15)
Chapter 3 Costs Resulting from Information Security Incidents (p. 20)
  3.1 A Critical Overview (p. 20)
  3.2 Insurance and Risk Mitigation (p. 22)
    3.2.1 Liability Issues (p. 23)
    3.2.2 Information Systems Disasters (p. 25)
    3.2.3 Working with the Insurance Industry (p. 26)
    3.2.4 Limiting Cases (p. 29)
  3.3 Cost of an Incident (p. 30)
  3.4 Variability of Losses Resulting from Similar Exploitation (p. 31)
  3.5 Quantifying the Cost of Security Incidents (p. 32)
  3.6 Analysis of Cost of Security Breach Announcements (p. 37)
Chapter 4 Probability of Security Incidents (p. 45)
  4.1 Subjective Probability Assessment (p. 45)
  4.2 Possible Pitfalls of Subjective Analysis (p. 45)
  4.3 Scope of Subjective Analysis (p. 47)
  4.4 Probability Assessment (p. 48)
Chapter 5 Classification of Security Threats in Information Systems (p. 52)
  5.1 A Review of Existing Taxonomies (p. 53)
  5.2 A Model for Threat Classification and Control Measures (p. 54)
Chapter 6 Developing a Risk Management System (p. 63)
  6.1 A Critical Overview (p. 63)
  6.2 A Risk Management System (p. 68)
    6.2.1 Resource and Application Value Analysis (p. 69)
    6.2.2 Vulnerability and Risk Analysis (p. 69)
    6.2.3 Computation of Losses due to Threats and Benefits of Countermeasures (p. 70)
    6.2.4 Selection of Countermeasures (p. 70)
  6.5 Implementation of Alternatives (p. 73)
Chapter 7 Case Studies (p. 75)
  7.1 First Round of Interviews (p. 75)
  7.2 Summary of Answers in First Round (p. 82)
  7.3 Round Two and Summary of Results (p. 84)
Chapter 8 Contributions and Conclusions (p. 89)
Chapter 9 Future Work (p. 93)
Bibliography (p. 96)

Location

A hard copy of this is in the Papers Cabinet

BibTeX-formatted data

To refer to this entry, you may select and copy the text below and paste it into your BibTeX document. Note that the text may not contain all macros that BibTeX supports.