Algebraic specification of network security risk management
Proceedings of the 2003 ACM workshop on Formal methods in security engineering
ICALT '05 Proceedings of the Fifth IEEE International Conference on Advanced Learning Technologies
Risky trust: risk-based analysis of software systems
SESS '05 Proceedings of the 2005 workshop on Software engineering for secure systems—building trustworthy applications
A framework for comparing different information security risk analysis methodologies
SAICSIT '05 Proceedings of the 2005 annual research conference of the South African institute of computer scientists and information technologists on IT research in developing countries
InfoSecCD '06 Proceedings of the 3rd annual conference on Information security curriculum development
Considering Operational Security Risk during System Development
IEEE Security and Privacy
Network externalities, layered protection and IT security risk management
Decision Support Systems
Security auditing course development
Proceedings of the 8th ACM SIGITE conference on Information technology education
A new assessment and improvement model of risk propagation in information security
International Journal of Information and Computer Security
ACM Transactions on Internet Technology (TOIT)
Security incidents management system based on multiagent systems
ICCOMP'09 Proceedings of the WSEAES 13th international conference on Computers
A security incidents management for a CERT based on swarm intelligence
WSEAS Transactions on Computers
Study on an approach for ranking the critical information assets
CCDC'09 Proceedings of the 21st annual international conference on Chinese control and decision conference
Security considerations for the wireless HART protocol
ETFA'09 Proceedings of the 14th IEEE international conference on Emerging technologies & factory automation
Risk-based access control systems built on fuzzy inferences
ASIACCS '10 Proceedings of the 5th ACM Symposium on Information, Computer and Communications Security
Dependability metrics
Basis for an integrated security ontology according to a systematic review of existing proposals
Computer Standards & Interfaces
Decision support for Cybersecurity risk planning
Decision Support Systems
Supporting requirements engineers in recognising security issues
REFSQ'11 Proceedings of the 17th international working conference on Requirements engineering: foundation for software quality
DITIS: virtual collaborative teams for home healthcare
Journal of Mobile Multimedia
Expert Systems with Applications: An International Journal
Assessing the risk of an information infrastructure through security dependencies
CRITIS'06 Proceedings of the First international conference on Critical Information Infrastructures Security
Through the description of attacks: a multidimensional view
SAFECOMP'06 Proceedings of the 25th international conference on Computer Safety, Reliability, and Security
Attack graph based evaluation of network security
CMS'06 Proceedings of the 10th IFIP TC-6 TC-11 international conference on Communications and Multimedia Security
Information Resources Management Journal
Governing Information Security: Governance Domains and Decision Rights Allocation Patterns
Information Resources Management Journal
A review of research on risk analysis methods for IT systems
Proceedings of the 17th International Conference on Evaluation and Assessment in Software Engineering
Selection of optimal countermeasure portfolio in IT security planning
Decision Support Systems
Information Sciences: an International Journal
RiskMon: continuous and automated risk assessment of mobile applications
Proceedings of the 4th ACM conference on Data and application security and privacy
Engineering Security Agreements Against External Insider Threat
Information Resources Management Journal
Hi-index | 0.00 |
From the Book:Many people seem to be looking for a silver bullet when it comes to information security. They often hope that buying the latest tool or piece of technology will solve their problems. Few organizations stop to evaluate what they are actually trying to protect (and why) from an organizational perspective before selecting solutions. In our work in the field of information security, we have found that security issues tend to be complex and are rarely solved simply by applying a piece of technology. Most security issues are firmly rooted in one or more organizational and business issues. Before implementing security solutions, you should consider characterizing the true nature of the underlying problems by evaluating your security needs and risks in the context of your business. Considering the varieties and limitations of current security evaluation methods, it is easy to become confused when trying to select an appropriate method for evaluating your information security risks. Most of the current methods are "bottom-up" they start with the computing infrastructure and focus on the technological vulnerabilities without considering the risks to the organization's mission and business objectives. A better alternative is to start with the organization itself and determine what needs to be protected, why it is at risk, and develop solutions requiring both technology- and practice-based solutions. A comprehensive information security risk evaluation approach incorporates assets, threats, and vulnerabilities enables decision-makers to develop relative priorities based on what is important to the organization incorporates organizational issuesrelated to how people use the computing infrastructure to meet the business objectives of the organization incorporates technological issues related to the configuration of the computing infrastructure should be a flexible method that can be uniquely tailored to each organizationOne way to create a context-sensitive evaluation approach is to define a basic set of requirements for the evaluation and then develop a series, or family, of methods that meet those requirements. Each method within the approach could be targeted at a unique operational environment or situation. The Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) project was conceived to define a systematic, organization-wide approach to evaluating information security risks comprising multiple methods consistent with the approach. We also designed the approach to be self directed, enabling people to learn about security issues and improve their organization's security posture without unnecessary reliance on outside experts and vendors. An evaluation by itself only provides a direction for an organization's information security activities. Meaningful improvement will not occur unless the organization follows through by implementing the results of the evaluation and managing its information security risks. OCTAVE is an important first step of an information security risk management approach. History of OCTAVEBefore we developed OCTAVE, we performed expert-led Information Security Evaluations (ISEs) for organizations. A team of security experts would visit a site, interview selected information technology personnel and users of key systems, and examine se pieces of the computing infrastructure for technological weaknesses. The assessors used their expertise to create a list of organizational and technological weaknesses (vulnerabilities). When the managers at a site received the list of vulnerabilities and corresponding recommendations, they often did not know where to begin to address the weaknesses. Should they address the organizational issues first, or should they address the technological issues? With limits on the funds and staff available, which five things should be addressed first? These are good questions. Unfortunately, when you only examine vulnerabilities, it is hard to establish appropriate priorities. You need to look at the vulnerabilities in the context of what the organization is trying to achieve before you can start establishing priorities. In addition to our experience with vulnerability evaluations, we had also developed and applied a variety of software development risk evaluation and management techniques Williams 00 and Dorofee 96. These techniques focused on the critical risks that could affect project objectives. With these experiences, we decided to focus on a risk-based approach rather than a vulnerability-based approach. A risk-based approach could help people understand how information security affects their organizations' missions and business objectives, establishing which assets are important to the organization and how they are at risk. Vulnerability evaluations could then performed in the context of risk information. Because information security risks are tied to an organizations' missions and business objectives, it became necessary to include staff members from an organization's business lines in addition to information technology personnel in the evaluation. A second important observation from our vulnerability evaluation days concerned the level of involvement of a site and their subsequent ownership of the results. Because the vulnerability evaluations were highly dependent on the expertise of the assessors, there was little participation of site personnel involved in the process. When we were able to go back to a site, we saw the same vulnerabilities from one visit to the next. There had been little or no organizational learning. People in those organizations did not feel "ownership" of the evaluations' results and had not followed through by implementing the findings. We decided that sites needed to be more involved in security evaluations, enabling them to learn about their security processes and participate in developing improvement recommendations. We started to develop a self-directed evaluation approach that focused on risks to information assets focused on practice-based mitigation using recognized, good security practices included personnel from business lines as well as from the information technology department involved a site's personnel in all aspects of the evaluation.In June 1999, we published a report describing the OCTAVE framework Alberts 99, a specification for an information security risk evaluation. This was refined into the OCTAVE Method Alberts 01a, which was developed for large-scale organizations. In addition, we are developing a second method targeted at small organizations. During these efforts, we determined that the OCTAVE framework did not sufficiently ca general approach, or requirements, for self-directed information security risk evaluations that we wanted. We refined the framework into the OCTAVE criteria Alberts 01b, a set of principles, attributes, and outputs that define the OCTAVE approach. Contents of This BookThis book focuses on the following key subjects: defining an approach for self-directed information security risk evaluations (OCTAVE criteria) illustrating how the evaluation approach can be implemented in an organization using the OCTAVE Method showing how the OCTAVE Method can be tailored to different types of organizations describing how this approach provides a foundation for managing information security risks To address the key subjects, we have divided the contents of the book into the following three parts: Part 1, the Introduction, summarizes the OCTAVE approach and presents the principles, attributes, and outputs of self-directed information security risk evaluations. Part 2, The OCTAVE Method, illustrates one way in which the OCTAVE approach can be implemented in an organization. This part of the book begins with an "executive summary" of the OCTAVE Method and then presents the details of the method. Finally, Part 3, Variations on the OCTAVE Approach, describes ideas for tailoring the OCTAVE Method for different types of organizations. This part of the book also presents basic concepts related to managing information security risks after the evaluation. The appendices contain additional, detailed material. The following appendices are provided in this book: A. S example scenario B. OCTAVE Method Worksheets and Instructions C. Catalog of Practices (a structured collection of commonly used good security practices)Who Should Read This Book?This book is written for a varied audience. Some familiarity with security issues may be helpful, but not essential; we define all concepts and terms as they appear. The book should satisfy people who are new to security as well as experts in security and risk management. Information security risk evaluations are appropriate for anyone who uses networked computers to conduct business and, thus, may have critical information assets at risk. This book is for people who need to perform information security risk evaluations and who are interested in using a self-directed method that addresses both organizational and information technology issues. Managers, staff members, and information technology personnel concerned about and responsible for protecting critical information assets will find this book useful. In addition, consultants who provide information security services to other organizations may be interested in seeing how the OCTAVE approach or the OCTAVE Method might be incorporated into their existing products and services. Consumers of information security risk evaluation products and services can use the principles, attributes, and outputs of the OCTAVE approach to understand what constitutes a comprehensive approach for evaluating information security risks. Consumers can also use the principles, attributes, and outputs as a benchmark for selecting products and services that are provided by vendors and consultants.The OCTAVE Method requires an interdisciplinary analysis team to perform the evaluation and act as a focal point for security improvement efforts. The primary audience for this book, then, is anyone who might be on the analysis team or work with them. The book includes "how to" information for conducting an evaluation as well as concepts related to managing risks after the evaluation. For an analysis team, the entire book is applicable. For those who want to understand OCTAVE approach, read Part 1. For those who just want an overview of the OCTAVE Method and a general idea of how it might be used, read Chapters 1 and 3. For those who already perform information security risk evaluations and are looking for additional ideas for improvement, read Chapters 1 and 3, and then decide which areas to explore further. Those ready to start learning how to conduct self-directed information security evaluations in their organizations, should read Part 2. Finally, for people who are interested in tailoring the OCTAVE Method or learning about what to do after an evaluation, read Part 3.