Improving risk assessment methodology: A statistical design of experiments approach

Anand Singh, David Lilja

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

7 Scopus citations

Abstract

In order to manage risks to their IT environments and to satisfy government and industry regulations, most enterprises are required to conduct risk assessments. These risk assessments are used to drive organizational decisions on information security. Despite this need, current approaches lack granular guidance on some key steps and focus on qualitative rather than quantitative data, which reduces the value of the results for decision makers. This paper proposes a statistical design of experiments approach that enhances the quantitative aspects of the risk assessment exercise and makes risk assessments smarter, more precise and more efficient. Specifically, the paper demonstrates that a Plackett-Burman design can be used to: (a) identify the subset of security controls that are critical to the enterprise; (b) determine the configuration of these controls; and (c) quantitatively analyze the impact of security enhancements. This paper expands on our previous research by applying statistical models at a macro security architecture level rather than determining parameters for individual controls.
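The abstract describes screening security controls with a Plackett-Burman design: each control is treated as a two-level factor, the risk score is measured once per design row, and the orthogonality of the design lets each control's main effect be estimated from only 12 runs instead of 2^11. The following Python script is an added illustration of that workflow, not code from the paper or its authors. It builds the standard 12-run design from its generator row, checks the orthogonality property the method relies on, and ranks controls by estimated effect. The eleven control names, their low/high settings, the baseline loss of 100, the hidden three-control loss model and the noise level are all constructed for this example; a real assessment would replace the hidden model with measured or expert-elicited loss figures for each of the 12 configurations.

```python
"""Plackett-Burman screening of security controls (added illustration)."""
import random

# Generator row of the 12-run Plackett-Burman design (Plackett & Burman, 1946).
PB12_GENERATOR = [+1, +1, -1, +1, +1, +1, -1, -1, -1, +1, -1]

# Eleven hypothetical controls, each with a "low" (-1) and "high" (+1) setting.
CONTROLS = [
    ("mfa",           "passwords only",      "MFA enforced"),
    ("patch_sla",     "90-day patching",     "14-day patching"),
    ("edr",           "signature AV",        "EDR on all hosts"),
    ("email_filter",  "basic spam filter",   "attachment sandboxing"),
    ("backup_test",   "untested backups",    "quarterly restore tests"),
    ("net_seg",       "flat network",        "segmented network"),
    ("log_retention", "30 days",             "365 days"),
    ("awareness",     "annual training",     "quarterly phishing drills"),
    ("admin_rights",  "local admin for all", "least privilege"),
    ("waf",           "no WAF",              "WAF in blocking mode"),
    ("vuln_scan",     "annual scan",         "weekly scan"),
]

# Constructed hidden model: only three controls actually move the loss figure.
# Negative values mean the high setting lowers expected loss.
_TRUE_HALF_EFFECT = {"mfa": -12.0, "patch_sla": -8.0, "edr": -5.0}
_BASELINE = 100.0  # constructed expected annual loss, arbitrary units


def plackett_burman_12():
    """12x11 design: 11 cyclic shifts of the generator plus an all -1 row."""
    g = PB12_GENERATOR
    rows = [g[-s:] + g[:-s] for s in range(len(g))]
    rows.append([-1] * len(g))
    return rows


def is_orthogonal(design):
    """True when every pair of columns has zero inner product."""
    n_cols = len(design[0])
    for i in range(n_cols):
        for j in range(i + 1, n_cols):
            if sum(row[i] * row[j] for row in design) != 0:
                return False
    return True


def risk_score(settings, rng=None):
    """Constructed response: expected loss for one run (one row of the design)."""
    score = _BASELINE
    for (name, _, _), level in zip(CONTROLS, settings):
        score += _TRUE_HALF_EFFECT.get(name, 0.0) * level
    if rng is not None:
        score += rng.gauss(0.0, 0.5)  # measurement noise in the assessment
    return score


def main_effects(design, responses):
    """Main effect per control: mean response at +1 minus mean response at -1."""
    effects = {}
    for col, (name, _, _) in enumerate(CONTROLS):
        high = [y for row, y in zip(design, responses) if row[col] == +1]
        low = [y for row, y in zip(design, responses) if row[col] == -1]
        effects[name] = sum(high) / len(high) - sum(low) / len(low)
    return effects


def screen_controls(n_critical=3, seed=7):
    """Run all 12 configurations and return the controls with the largest effects,
    each paired with the setting that lowers the loss figure."""
    design = plackett_burman_12()
    if not is_orthogonal(design):
        raise ValueError("design matrix is not orthogonal")
    rng = random.Random(seed)
    responses = [risk_score(row, rng) for row in design]
    effects = main_effects(design, responses)
    ranked = sorted(effects.items(), key=lambda kv: abs(kv[1]), reverse=True)
    settings = {name: (low, high) for name, low, high in CONTROLS}
    result = []
    for name, effect in ranked[:n_critical]:
        low, high = settings[name]
        result.append((name, round(effect, 2), high if effect < 0 else low))
    return result


if __name__ == "__main__":
    for name, effect, recommended in screen_controls():
        print(f"{name:14s} effect={effect:+7.2f}  recommended: {recommended}")
```

Because the columns are orthogonal and balanced, a purely additive loss model is recovered exactly: each estimated main effect equals twice the hidden per-control coefficient, and the eight controls that do nothing come out at zero. With noise added, the three critical controls still dominate, which is the screening property the abstract relies on. The price of needing only 12 runs is that two-factor interactions are confounded with main effects, so a Plackett-Burman screen identifies candidates for closer study rather than a final ranking.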

Original language: English (US)
Title of host publication: SIN'09 - Proceedings of the 2nd International Conference on Security of Information and Networks
Pages: 21-29
Number of pages: 9
DOIs
State: Published - Nov 9 2009
Event: 2nd International Conference on Security of Information and Networks, SIN'09 - Famagusta, Cyprus
Duration: Oct 6 2009 - Oct 10 2009

Publication series

Name: SIN'09 - Proceedings of the 2nd International Conference on Security of Information and Networks

Other

Other: 2nd International Conference on Security of Information and Networks, SIN'09
Country: Cyprus
City: Famagusta
Period: 10/6/09 - 10/10/09

Keywords

  • Control
  • Design of experiments
  • Plackett-Burman
  • Risk assessment
