Business Process-Based Information Security Risk Assessment

  • Authors:
  • Kobra Khanmohammadi;Siv Hilde Houmb

  • Affiliations:
  • -;-

  • Venue:
  • NSS '10 Proceedings of the 2010 Fourth International Conference on Network and System Security
  • Year:
  • 2010

Abstract

Limited information security budgets make it necessary to prioritize effectively among security requirements. The goal is to make the most of the available budget and to achieve a balanced overall security level, thereby maximizing the return on the security investment. Many existing information security risk assessment approaches are asset-driven: they identify and assess risks to critical assets. These are limited in that it is hard to keep track of dependencies between assets and to produce realistic estimates of their value to the organization. We present a new security risk assessment approach that focuses on business goals rather than assets, and on the processes supporting or contributing to these goals. Risks are identified and evaluated at the business process level and aggregated over all such processes according to their criticality, role and importance for the organization as a whole. We illustrate our approach with examples from the banking industry, and discuss how it deals with some of the ambiguities involved in expert-intensive and asset-driven information security risk assessment.
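The following is an added illustration of the idea in the abstract and is not code from the paper or its authors. It scores risks per business process, rolls them up to an organization-level figure weighted by each process's criticality, and then spends a fixed security budget on the controls with the best weighted risk reduction per unit cost. The aggregation rule (expected loss per risk, criticality-weighted sum over processes), the greedy selection, and all banking figures are assumptions constructed for the example; the paper may define criticality, role and importance, and their aggregation, differently.

```python
"""Business-process-based risk aggregation and budget prioritisation.

Added example, not the authors' method. The weighting and aggregation
rules and the sample banking data are assumptions chosen to illustrate
the abstract: risk is scored per business process, rolled up by the
process's criticality for the organisation, and the budget is spent on
the controls that cut the most weighted risk per unit cost.
"""
from copy import deepcopy
from dataclasses import dataclass, field


@dataclass
class Risk:
    name: str
    likelihood: float  # assumed annual probability of the event, 0..1
    impact: float      # assumed loss if the event occurs (currency units)


@dataclass
class Process:
    name: str
    criticality: float  # assumed weight 0..1: importance to the business goal
    risks: list = field(default_factory=list)

    def exposure(self) -> float:
        """Process-level risk: expected annual loss summed over its risks."""
        return sum(r.likelihood * r.impact for r in self.risks)


@dataclass
class Control:
    name: str
    cost: float
    # (process name, risk name) -> factor the risk's likelihood is multiplied by
    effect: dict


def organisation_risk(processes) -> float:
    """Assumed aggregation rule: criticality-weighted sum of process exposures."""
    return sum(p.criticality * p.exposure() for p in processes)


def apply_control(processes, control):
    """Return a copy of the processes with the control's likelihood factors applied."""
    updated = deepcopy(processes)
    for p in updated:
        for r in p.risks:
            factor = control.effect.get((p.name, r.name))
            if factor is not None:
                r.likelihood *= factor
    return updated


def prioritise(processes, controls, budget):
    """Greedy budget allocation by weighted risk reduction per unit cost.

    Each control's benefit is recomputed against the current state, so two
    controls that address the same risk are not double counted.
    Returns (names of chosen controls in order, residual organisation risk).
    """
    chosen, remaining, current, pool = [], budget, deepcopy(processes), list(controls)
    while True:
        base = organisation_risk(current)
        best = None
        for c in pool:
            if c.cost > remaining:
                continue  # does not fit in what is left of the budget
            reduction = base - organisation_risk(apply_control(current, c))
            if reduction <= 0:
                continue
            ratio = reduction / c.cost
            if best is None or ratio > best[0]:
                best = (ratio, c)
        if best is None:
            break
        c = best[1]
        chosen.append(c.name)
        remaining -= c.cost
        current = apply_control(current, c)
        pool.remove(c)
    return chosen, organisation_risk(current)


def sample_processes():
    """Constructed banking example (figures are invented for illustration)."""
    return [
        Process("Payment clearing", 1.0, [Risk("Transaction tampering", 0.05, 2_000_000),
                                          Risk("Clearing outage", 0.20, 300_000)]),
        Process("Customer onboarding", 0.6, [Risk("Identity fraud", 0.10, 200_000)]),
        Process("Internal reporting", 0.2, [Risk("Report leakage", 0.30, 50_000)]),
    ]


def sample_controls():
    """Constructed candidate controls with assumed costs and likelihood factors."""
    return [
        Control("Transaction signing", 40_000, {("Payment clearing", "Transaction tampering"): 0.2}),
        Control("HA clearing cluster", 50_000, {("Payment clearing", "Clearing outage"): 0.25}),
        Control("Document verification", 10_000, {("Customer onboarding", "Identity fraud"): 0.5}),
        Control("Report DLP", 20_000, {("Internal reporting", "Report leakage"): 0.1}),
    ]


if __name__ == "__main__":
    procs = sample_processes()
    print("organisation risk before:", organisation_risk(procs))
    picked, residual = prioritise(procs, sample_controls(), budget=60_000)
    print("controls chosen:", picked)
    print("organisation risk after:", residual)
```

With the constructed data the weighted organisation risk starts at 175,000; a 60,000 budget buys transaction signing and document verification and leaves 89,000 of residual risk. The point of the weighting is visible in the choice: the onboarding control is cheap but its process carries a criticality of 0.6, so its weighted benefit, not its raw benefit, decides the ranking.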