Pages: 78-85
The Methodology of Risk Analysis in Assessing Information Security Threats
Authors: Andrey S. Kopyrin, Simon Zh. Simavoryan, Arsen R. Simonyan, Elena I. Ulitina
Information security is not an IT problem and cannot be delegated to the IT department alone. Effective preservation of confidentiality, integrity and availability must be anchored throughout the organization. To meet this challenge efficiently, a risk-based approach is required. First, the organizational context must be established. When the risk management process is implemented, the quality of risk identification is decisive: a risk that is not identified at this stage is absent from the subsequent risk analysis and risk evaluation, and therefore also from risk treatment. Several methodological approaches to risk identification exist; two are presented here: the event-based approach, which starts predominantly from the impact of a security event, and the cause-based approach, which starts from assets, threats and vulnerabilities. For risk identification to succeed in practice, several prerequisites must be met; the crucial one is that top management performs its leadership role effectively and efficiently. The key challenge is keeping the scope of risk identification manageable. For this purpose, the procedures of focusing (narrowing the scope to the most relevant assets and events) and coarsening (reducing the level of detail) have proven themselves in practice. Finally, through a process of continuous improvement, an initially coarse but unambiguous picture of information security risks can be refined step by step and adapted to current requirements and threats.