Modeling the Impact of Controls on Information System Risks

Information system risk management helps to reduce
or eliminate risk by implementing appropriate controls. In this paper,
we propose a model for quantifying the impact of controls on information
system risks by automating the residual criticality estimation step of
FMECA, which is based on inductive reasoning. For this, we define
three equations based on the type and maturity of the controls. For testing,
the values obtained with the model were compared to the estimates
given by interlocutors during different working sessions, and
the results are satisfactory. This model allows an optimal assessment of
control maturity and facilitates the risk analysis of information systems.



