Introduction
Risk analysis has existed as a formal discipline for a long time in fields such as finance, nuclear energy, aviation, and pharmaceuticals. However, information security risk analysis poses unique issues, such as the complexity of the computing infrastructure and the lack of data and formal models, which require a rethinking of the entire process. Complex interdependencies between systems and assets make the risk analysis process unwieldy and onerous (Anderson, 2001a). These dependencies need to be carefully examined to conduct a meaningful risk analysis (Soo Hoo, 2000). An innocuous vulnerability in an obscure system could seriously influence the security of crucial data and systems as well as affect privacy and safety. Humans form a critical link in the information security chain. Consequently, risk modeling requires behavioral approaches that can capture user behavior as well as hacker motivations. Identifying these interdependencies is the most critical, and perhaps the hardest, step in risk analysis (Loch, Carr, & Warkentin, 1992). Once the interdependencies are identified, the second step involves collecting data that will quantify these interdependencies and translate them into monetary losses. This is a challenging task since the data currently available is neither reliable nor static, necessitating a large investment of resources in collecting and updating such data. The final step requires identification of risk controls and quantification of their effect on reducing exposure. This, again, is a data-intensive problem that poses significant challenges. Incomplete determination of interdependencies or a lack of accurate data can lead to too many or too few resources being committed to security management.
Rapid evolution in the field of information technology makes risk analysis even more burdensome, since changes can render the analysis obsolete in the short term. Due to the difficulties associated with a formal information security risk analysis and the cost involved, most organizations base their security strategy on standard guidelines issued by government agencies (NIST, 1996) and vendors of security solutions rather than carefully examining their specific needs. Without understanding their security requirements, they react instinctively to security bulletins rather than preparing rationally planned responses to potential threats.
Fundamentally, risk analysis is an economic problem where a cost-benefit analysis needs to be performed to determine the appropriate set of controls for the risks. Several formal models have also been proposed for estimating the economic impact of security breaches (Bodin, Gordon, & Loeb, 2005; Gordon & Loeb, 2002; Butler, 2002; Meadows, 2001; Schechter, 2005; Cerullo & Shelton, 1981; Cavusoglu, Mishra, & Raghunathan, 2004); however, the problem of information security risk analysis remains difficult. Not all organizations are the same and each has different assets, vulnerabilities, and threats, ultimately leading to dissimilar security requirements. For instance, a college may have very different needs than a large defense contractor where information is export-sensitive and proprietary. Similarly, an Internet-based business whose primary revenue stream is generated through the network has a greater need to protect itself from Denial-of-Service attacks than a manufacturer that uses a website primarily for disseminating information to employees and customers. Instead of basing controls on generic checklists and guidelines, controls should be customized to the specific assets, vulnerabilities, and threats of the organization through information security risk analysis. In order to increase the adoption of risk analysis practices in organizations and facilitate rationalization of the data, the process needs to be streamlined and made transparent. An innovative methodology is required that is operational in the dynamic security environment and defensible based on rigorous mathematical analysis. This work attempts to address this problem by proposing an approach to quantitative risk analysis.