Application of Process Approach to Evaluate the Information Security Risk and its Implementation in an Iranian Private Bank

Every organization is continually exposed to new damage and threats, which can result from its own operations or from the pursuit of its goals. With the growing use and development of information technology (IT), the methods for securing the working environment and the tools applied in it have changed substantially. Information security management systems evolved from this perspective: to build on methods already proven in practice rather than re-invent them. In general, a correct response within an information security management system requires correct decision making, which in turn requires the comprehensive effort of managers and everyone involved in each plan or decision. Clearly, not every aspect of a task or decision is defined under all decision-making conditions; the possible or certain risks should therefore be considered when making decisions. This is the subject of risk management, and it can shape those decisions. A survey of the different approaches in the field of risk management shows their progression from quantitative to qualitative methods with a process approach.
