Information Security Risk Identification in today's methodologies is asset-centric, which makes it tedious and time consuming. It is also subjective and depends heavily on the expertise of the information security practitioners conducting the risk assessment. This paper proposes a methodology for Risk Identification that moves away from the asset-centric approach by incorporating the concept of Risk Indicators, which is the foundation of Risk Identification in finance and medicine. This Risk Identification approach enables statistical analysis for Risk Assessment, making it objective and scientific and thus inspiring greater confidence among stakeholders.
Upasna Saluja: completed her Masters in Statistics in 1992 and a Bachelor degree in English and Economics in 1989 from Punjab University. She also completed a Post BS Diploma in Computer Applications from Kurukshetra University, India in 1990. She has over 15 years of experience including teaching and vital risk management and consulting roles in multinational companies such as Malaysia HP (2008-2010), Thomson Reuters (2010-2014) and most recently ANZ Banking Group (since May 2014). Prior to 2008 she worked in numerous Information Security consulting companies in India (2 years) and Malaysia (4 years). She holds industry-leading certifications such as CISSP, CISA, CRISC, ISO 27001 and BS 25999. She has over 20 papers, articles and presentations to her name. She won a best paper award for her paper "Information Risk Management - Qualitative or Quantitative? Cross Industry lessons from the medical and financial field" at The 8th International Symposium on Risk Management and Cyber-Informatics: RMCI 2011, held in Florida, USA.
Norbik Bashah Idris: is Professor of "Software Engineering & Information Security" at Advanced Informatics School, Universiti Teknologi Malaysia. He is also Founder of the SCAN Group of companies with a niche in information security. He is a CISSP and CISM.
Information Security, Risk Assessment, Risk Identification
This paper has presented a new approach for Information Security Risk Identification that is objective in nature. Being more objective, this approach provides scientifically determined Risk Indicators as a reliable input for Statistical Risk Analysis. Further, it reduces the subjectivity and assessor bias that qualitatively managed risk assessments necessarily involve.