TY - GEN
T1 - Improving risk assessment methodology
T2 - 2nd International Conference on Security of Information and Networks, SIN'09
AU - Singh, Anand
AU - Lilja, David
PY - 2009/11/9
Y1 - 2009/11/9
N2 - In order to manage risks to IT environments and to satisfy government and industry regulations, most enterprises are required to conduct risk assessments. These risk assessments are used to drive organizational decisions on information security. However, despite this need, current approaches lack granular guidance on some key steps and have focused on qualitative rather than quantitative data, which reduces the value of the results for decision makers. This paper proposes a statistical design of experiments approach that will enhance the quantitative aspects of the risk assessment exercise and will make risk assessments smarter, more precise and more efficient. Specifically, our paper demonstrates that a Plackett-Burman design can be used to: (a) identify the subset of security controls that are critical to the enterprise; (b) determine the configuration of these controls; and (c) quantitatively analyze the impact of security enhancements. This paper expands on our previous research by applying statistical models at a macro security architecture level as opposed to determining parameters for individual controls.
AB - In order to manage risks to IT environments and to satisfy government and industry regulations, most enterprises are required to conduct risk assessments. These risk assessments are used to drive organizational decisions on information security. However, despite this need, current approaches lack granular guidance on some key steps and have focused on qualitative rather than quantitative data, which reduces the value of the results for decision makers. This paper proposes a statistical design of experiments approach that will enhance the quantitative aspects of the risk assessment exercise and will make risk assessments smarter, more precise and more efficient. Specifically, our paper demonstrates that a Plackett-Burman design can be used to: (a) identify the subset of security controls that are critical to the enterprise; (b) determine the configuration of these controls; and (c) quantitatively analyze the impact of security enhancements. This paper expands on our previous research by applying statistical models at a macro security architecture level as opposed to determining parameters for individual controls.
KW - Control
KW - Design of experiments
KW - Plackett-Burman
KW - Risk assessment
UR - http://www.scopus.com/inward/record.url?scp=70350647564&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=70350647564&partnerID=8YFLogxK
U2 - 10.1145/1626195.1626205
DO - 10.1145/1626195.1626205
M3 - Conference contribution
AN - SCOPUS:70350647564
SN - 9781605584126
T3 - SIN'09 - Proceedings of the 2nd International Conference on Security of Information and Networks
SP - 21
EP - 29
BT - SIN'09 - Proceedings of the 2nd International Conference on Security of Information and Networks
Y2 - 6 October 2009 through 10 October 2009
ER -