Abstract

This study equates a choice of methods that allow an organization to weigh their information security risk. The initial models went through two selection iterations before we end up with the final three Risks assessment models. The main purpose of the study is to compare and clarify the different activities, inputs and outputs required by each information security risk assessment models and also analyze which ones address information security risk effectively. The resulting information helps evaluating the models' applicability to an organization and their specific needs. In order to verify and validate the conclusions taken from the theoretical study of the three final models, a practical experience was put into practice in a real organization.

References

• K. V. D. Kiran "A Novel Risk Analysis and Mitigation methods in Distributed banking system ",International Journal of Advances in Engineering & Technology , Vol 6,No 4,2012 pp:1593-1602.
• Sun, L. . , Srivastava, R. , Mock, T. : An Information systems Security Risk Assessment Model under Dempster-Shafer Theory of Belief Functions. Journal of Management Information Systems, Vol. 22, No. 4, Spring 2006: 109-142 (2006)
• Alberts, C. : Common Elements of Risk. Technical Note CMU/SEI-2006-TN-014, Carnegie Mellon University (April 2006)
• SPRINT: Risk Analysis For Information Systems, User Guide, Version 1. 0. The European Security Forum (1997)
• Bayne, J. : An Overview of Treath and Risk Assessment. SANS Institute, as part of the Information Security Reading Room (2002)
• A Risk Management Standard. AIRMIC, ALARM, IRM, London (2002)
• Jeremy Hilton,Pete Burnap and Anas Tawileh: Methods for the identification of Emerging and Future Risk, ENISA (2007)
• Inventory of risk assessment and risk management methods. ENISA ad hoc working group on risk assessment and risk management (2006)
• Alberts, C. and Dorofee, A. 2001. An Introduction to the OCTAVE Method. Software Engineering Institute, Carnegie Mellon University, USA.