http://dx.doi.org/10.13089/JKIISC.2015.25.6.1595

Effective Risk Level Assessment Using Three-Dimensional Vector Visualization  

Lee, Ju-young (Graduate School of Information Security, Korea University)
Cho, In-hyun (Graduate School of Information Security, Korea University)
Lee, Jae-hee (Graduate School of Information Security, Korea University)
Lee, Kyung-ho (Graduate School of Information Security, Korea University)
Abstract
Risk analysis is used to devise measures that bring information security risk down to an acceptable level. In this risk management decision-making, the visualization of risk is important. However, the existing risk visualization methods are limited in their ability to present risk factors three-dimensionally. In this paper, we propose an improved risk visualization method that makes risk easier to identify from the perspectives of confidentiality, integrity, and availability, either individually or in combination. The proposed method is applied to an enterprise's risk analysis in order to verify its effectiveness. We argue that the proposed method allows risk levels to be expressed three-dimensionally, which can be used effectively in the information security decision-making process for internal controls.
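The abstract describes risk levels as three-dimensional quantities with one component each for confidentiality, integrity, and availability, viewable per property or combined. The following Python script is an added illustration of that idea and is not the paper's own method or data: it assumes a per-property likelihood × impact score on a 1-5 scale, treats the (C, I, A) triple as a vector, uses its Euclidean length as the combined level, and reports which axis dominates so that the combined ranking does not hide the driving property. The assets and scores are constructed sample data.

```python
"""Risk levels as three-dimensional (C, I, A) vectors.

Added illustration, not the paper's method: each asset gets a separate
likelihood x impact score for confidentiality, integrity and availability
(assumed 1-5 ordinal scales), the triple is treated as a vector in 3-D,
and its Euclidean length gives a combined level while the components keep
the per-property view. All assets and scores below are constructed.
"""
from dataclasses import dataclass
import math

SCALE_MAX = 5  # assumed 1-5 scale for both likelihood and impact


@dataclass(frozen=True)
class Asset:
    name: str
    likelihood: tuple  # (C, I, A): likelihood that the property is compromised
    impact: tuple      # (C, I, A): business impact if it is


def risk_vector(asset):
    """Per-property risk = likelihood * impact, normalised to [0, 1]."""
    return tuple(l * i / (SCALE_MAX * SCALE_MAX)
                 for l, i in zip(asset.likelihood, asset.impact))


def combined_level(vec):
    """Synthetic level: vector length, scaled so (1, 1, 1) maps to 1.0."""
    return math.sqrt(sum(c * c for c in vec)) / math.sqrt(3)


def dominant_property(vec):
    """Letter of the CIA axis with the largest component."""
    return "CIA"[max(range(3), key=lambda k: vec[k])]


def rank_assets(assets):
    """Return (name, vector, combined level, dominant axis) sorted by level."""
    rows = []
    for a in assets:
        v = risk_vector(a)
        rows.append((a.name, v, combined_level(v), dominant_property(v)))
    rows.sort(key=lambda r: r[2], reverse=True)
    return rows


# Constructed sample assets: each is driven by a different CIA property.
SAMPLE_ASSETS = [
    Asset("customer-db", likelihood=(4, 2, 2), impact=(5, 4, 3)),
    Asset("public-website", likelihood=(1, 3, 5), impact=(1, 3, 4)),
    Asset("payroll-ledger", likelihood=(2, 4, 1), impact=(3, 5, 2)),
]

if __name__ == "__main__":
    for name, v, level, dom in rank_assets(SAMPLE_ASSETS):
        print(f"{name:16s} C={v[0]:.2f} I={v[1]:.2f} A={v[2]:.2f} "
              f"combined={level:.2f} dominant={dom}")
```

Run as-is, the three assets land within a few hundredths of each other on the combined level, yet one is a confidentiality problem, one an availability problem, and one an integrity problem; that is the information a single scalar score drops and a per-axis view keeps.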
Keywords
Risk Analysis; Information Security Decision Making; 3-dimensional Visualization;