Effective Risk Level Assessment Using Three-Dimensional Vector Visualization

Lee, Ju-young; Cho, In-hyun; Lee, Jae-hee; Lee, Kyung-ho (Graduate School of Information Security, Korea University)
References

1. ISACA, "CISA Review Manual 2006," Information Systems Audit and Control Association, 2006, p. 85. ISBN 1-933284-15-3.
2. ISO/IEC 13335-1:1996, "Guidelines for the Management of Security - Part 1: Concepts and Models of IT Security," 1996.
3. Artur Rot, "IT Risk Assessment: Quantitative and Qualitative Approach," Proceedings of the World Congress on Engineering and Computer Science, San Francisco, USA, Oct. 22-24, 2008.
4. Christopher Alberts, Audrey Dorofee, James Stevens, and Carol Woody, "Introduction to the OCTAVE®," Aug. 2003.
5. Zeki Yazar, "A Qualitative Risk Analysis and Management Tool - CRAMM," SANS InfoSec Reading Room White Paper, 2002.
6. J. Efrim Boritz, "IS Practitioners' Views on Core Concepts of Information Integrity," International Journal of Accounting Information Systems, Elsevier. Retrieved 12 Aug. 2011.
7. Annex to NSTISSI No. 4011, "Information Systems Security: A Comprehensive Model."
8. G. Loukas and G. Oke, "Protection Against Denial of Service Attacks: A Survey," Comput. J. 53(7): 1020-1037, Sept. 2010 [Aug. 2009]. doi:10.1093/comjnl/bxp078.
9. ISO 7498-2, "Information Processing Systems - Open Systems Interconnection - Basic Reference Model - Part 2: Security Architecture."
10. NIST SP 800-33, "Underlying Technical Models for Information Technology Security," National Institute of Standards and Technology, 2001.
11. Rex Kelly Rainer Jr., Charles A. Snyder, and Houston H. Carr, "Risk Analysis for Information Technology," Journal of Management Information Systems (1991): 129-147.
12. Louis Anthony (Tony) Cox Jr., "Some Limitations of 'Risk = Threat × Vulnerability × Consequence' for Risk Analysis of Terrorist Attacks," Risk Analysis 28.6 (2008): 1749-1761.
13. Sung won Kim, Hui young Kim, Young chan Kwon, Ho sang Yun, and Chul ho Kim, "Risk Analysis and Assessment Methodology Research for Network-based Real-time Risk Management," KCC, vol. 34, no. 1.
14. Kwo-jean Farn et al., "A Study on Information Security Management System Evaluation - Assets, Threat and Vulnerability," Computer Standards & Interfaces 26 (2004): 501-513.
15. Hank Marquis, "10 Steps to Do It Yourself CRAMM," vol. 4.50, December 17, 2008.
16. Richard A. Caralli et al., "Introducing OCTAVE Allegro: Improving the Information Security Risk Assessment Process," Technical Report CMU/SEI-2007-TR-012, Carnegie Mellon University Software Engineering Institute, Pittsburgh, PA, 2007.
17. NIST SP 800-30, "Risk Management Guide for Information Technology Systems," National Institute of Standards and Technology, 2002.
18. Scott Ferson, "Bayesian Methods in Risk Assessment," Technical report for the Waste and Storage Unit, Service Environnement & Procédés, Bureau de Recherches Géologiques et Minières, France, 2003. Available at: www.ramas.com/bayes.pdf.
19. ISACA, "The IT Practitioner Guide," Technical report, ISACA, USA, 2009.
20. Inhyun Cho and Jaehee Lee, "Study on Scenario-based Personnel Risk Analysis," Research Briefs on Information & Communication Technology Evolution (ReBICTE), Vol. 1, Article No. 12, January 15, 2015.
21. CSE and RCMP, "Harmonized Threat and Risk Assessment (TRA) Methodology," TRA-1, October 23, 2007.
22. ISO27k Implementers' Forum, "Matrices for Asset Valuation and Risk Analysis," www.ISO27001security.com, 2009.
23. Christopher Alberts and Audrey Dorofee, "OCTAVE(SM) Threat Profiles," Software Engineering Institute, Carnegie Mellon University, white paper.
24. "Threat and Risk Assessment Working Guide," Government of Canada, Communications Security Establishment, 1999, p. 73.
25. British Standards Institute (BSI), "Information Security Management Systems - Part 3: Guidelines for Information Security Risk Management," BS 7799-3:2006, 2006.
26. David Brewer, "An Introduction to ISO/IEC 27001:2013," London: British Standards, 2013.
27. Yoon Jung Chung et al., "Security Risk Vector for Quantitative Asset Assessment," Computational Science and Its Applications - ICCSA 2005, Springer Berlin Heidelberg, 274-283.
28. Martin J. Eppler and Markus Aeschimann, "A Systematic Framework for Risk Visualization in Risk Management and Communication," Risk Management 11.2 (2009): 67-89.
29. Isaac M. Lipkus and J. G. Hollands, "The Visual Communication of Risk," Journal of the National Cancer Institute Monographs 25 (1998): 149-163.
30. Chris M. R. Smerecnik et al., "Understanding the Positive Effects of Graphical Risk Information on Comprehension: Measuring Attention Directed to Written, Tabular, and Graphical Risk Information," Risk Analysis 30.9 (2010): 1387-1398.
31. Homayoon Dezfuli et al., "NASA Risk Management Handbook, Version 1.0," 2011.