Managing Risk of Information Systems Security Incidents
Dr. Fariborz Farahmand - Purdue University/CERIAS
Sep 28, 2005
Abstract

The Internet and information systems have enabled businesses to reduce costs, attain greater market reach, and develop closer business partnerships along with improved customer relationships. However, using the Internet has led to new risks and concerns. This research provides a management perspective on the issues confronting CIOs and IT managers. It develops a model for classification of threats and control measures. It also develops a scheme for probabilistic evaluation of the impact of security threats, with some illustrative examples. It involves assessment of information assets and of the probabilities of success of attacks on those assets in organizations, and evaluates the expected damages of these attacks. The research outlines some suggested control measures, presents some cost models for quantifying damages from these attacks, and compares the tangible and intangible costs of these attacks. This research also proposes a risk management system for information systems security incidents in five stages: 1- Resource and application value analysis, 2- Vulnerability and risk analysis, 3- Computation of losses due to threats and benefits of control measures, 4- Selection of control measures, and 5- Implementation of alternatives. We are currently developing a formal methodology to estimate the effectiveness of control measures against one or several threats. We are considering parameters for measuring control measures, such as cost, level and effectiveness, and the trade-offs among these parameters.
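As an added illustration (not the speaker's model, code or figures), here is one quantitative reading of stages 1 to 4 in Python: assessed asset values, per-threat probabilities of success and damage fractions, expected loss, and a greedy selection of the control measures whose avoided loss exceeds their cost. The expected-loss formula, the multiplicative composition of control effectiveness, and every asset, threat, control and number below are assumptions constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Threat:  # stage 2: an attack on one asset with an estimated chance of success
    name: str
    asset: str
    p_success: float        # probability of a successful attack per year (assumed unit)
    damage_fraction: float  # share of the asset's value lost when the attack succeeds

@dataclass(frozen=True)
class Control:
    name: str
    cost: float                                        # annualised cost of the measure
    effectiveness: dict = field(default_factory=dict)  # threat name -> reduction of p_success

def expected_loss(asset_values, threats, controls=()):
    """Stage 3: sum over threats of asset value * damage_fraction * residual probability."""
    total = 0.0
    for t in threats:
        p = t.p_success
        for c in controls:  # assumed: reductions from several controls compose multiplicatively
            p *= 1.0 - c.effectiveness.get(t.name, 0.0)
        total += asset_values[t.asset] * t.damage_fraction * p
    return total

def select_controls(asset_values, threats, candidates):
    """Stage 4: greedily add the control with the largest positive net benefit
    (expected loss avoided minus cost) until no remaining control pays for itself."""
    chosen, remaining = [], list(candidates)
    while remaining:
        base = expected_loss(asset_values, threats, chosen)
        net = {c.name: base - expected_loss(asset_values, threats, chosen + [c]) - c.cost
               for c in remaining}
        best = max(remaining, key=lambda c: net[c.name])
        if net[best.name] <= 0.0:
            break
        chosen.append(best)
        remaining.remove(best)
    return chosen

# Constructed sample data for a hypothetical organisation (not figures from the talk).
ASSET_VALUES = {"customer_db": 500_000.0, "web_portal": 200_000.0}  # stage 1, tangible + intangible
THREATS = [Threat("sql_injection", "customer_db", 0.30, 0.40),
           Threat("denial_of_service", "web_portal", 0.50, 0.10),
           Threat("insider_leak", "customer_db", 0.05, 0.60)]
CONTROLS = [Control("web_app_firewall", 12_000.0, {"sql_injection": 0.7, "denial_of_service": 0.3}),
            Control("dlp_monitoring", 20_000.0, {"insider_leak": 0.5}),
            Control("rate_limiting", 2_000.0, {"denial_of_service": 0.6})]
```

With these figures the baseline expected loss is 85,000; the firewall and rate limiting are selected (residual loss 35,800), while DLP monitoring is rejected because its 20,000 cost exceeds the 7,500 of loss it would avoid.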
About the Speaker

Fariborz Farahmand received his Ph.D. from the College of Computing at Georgia Institute of Technology in 2004. He is currently a Visiting Assistant Professor of Management at the Krannert School of Management and CERIAS at Purdue University, and a Fellow of the I3P (Institution for Information Infrastructure Protection). His research interests are in the security of information systems and databases, vulnerability and risk assessment of information systems, and cost-benefit analysis of information technology investments, particularly in the context of security and control measures.
The views, opinions and assumptions expressed in these videos are those of the presenter and do not necessarily reflect the official policy or position of CERIAS or Purdue University. All content included in these videos is the property of Purdue University, the presenter and/or the presenter’s organization, and is protected by U.S. and international copyright laws. The collection, arrangement and assembly of all content in these videos and on the hosting website is the exclusive property of Purdue University. You may not copy, reproduce, distribute, publish, display, perform, modify, create derivative works from, transmit, or in any other way exploit any part of the copyrighted material without permission from CERIAS, Purdue University.