A Business aware Information Security Risk Analysis Method

Sadok, Moufida and Spagnoletti, Paolo (2010) A Business aware Information Security Risk Analysis Method. In: Information Technology and Innovation Trends in Organizations. Springer, HEIDELBERG -- DEU, p. 100-108. ISBN 978-3-7908-2631-9. (In Press)

Corporate Creators

Institute of Technology in Communications at Tunis, Techno park El Ghazala, CeRSI - LUISS Guido Carli

PDF (post-print)
Download (325kB)


Securing the organization critical information assets from sophisticated insider threats and outsider attacks is essential to ensure business continuity and efficiency. The information security risk management (ISRM) is the process that identifies the threats and vulnerabilities of an enterprise information system, evaluates the likelihood of their occurrence and estimates their potential business impact. It is a continuous process that allows cost effectiveness of implemented security controls and provides a dynamic set of tools to monitor the security level of the information system. However, the examination of existing practices of the enterprises reveals a poor effectiveness of information security management processes such as stated in the information security breaches surveys. In particular, the enterprises experience difficulties in assessing and managing their security risks, in implementing appropriate security controls, as well as in preventing security threats. The available ISRM models and frameworks mainly focus on the technical modules related to the development of security mitigation and prevention and do not pay much attention to the influence of business variables affecting the reliability of the provided solutions. This paper discusses the major business related factors for risk analysis and shows their interference in the ISRM process. These factors include the enterprise strategic environment, the organizational structure features, the customer relationship and the value chain configuration.


1. 2009 CSI Computer Crime and Security Survey. Computer Security Institute, available at: http://www.gocsi.com/. 2. 2008 Information security breaches survey, available at: www.security-survey.gov.uk. 3. Iso/iec 17799:2000 (part 1), Information technology-code of practice for information security management. 4. Spagnoletti P., Resca A. (2008), The duality of Information Security Management: fighting against predictable and unpredictable threats, Journal of Information Systems Security, Vol. 4 - Issue 3, 2008 5. Åhlfeldt R.M., Spagnoletti P. and Sindre G. (2007) Improving the Information Security Model by using TFI. In “New Approaches for Security, Privacy and Trust in Complex Environments”, IFIP Springer Series, Springer Boston, Volume 232/2007, 73-84 6. Humphreys, E. (2008) Information security management standards: Compliance, governance and risk management, Information security technical report 13: 247–255. 7. Bandyopadhyay, K., P. P. Mykytyn and K. Mykytyn (1999) A framework for integrated risk management in information technology, Management Decision 37(5):437-444. 8. Eloff, J., L. Labuschagne and K. P. Badenhorst (1993) A comparative framework for risk analysis methods, Computers & Security 12: 597-603. 9. Tchankova, L. (2002) Risk identification - basic stage in risk management, Environmental Management and Health 13(3): 290-297. 10. Finne, T. (2000) Information Systems Risk Management: Key Concepts and Business Processes, Computers & Security 19: 234-242. 11. Broderick, J. S. (2001) Information Security Risk Management –When Should It be Managed?, Information Security Technical Report 6 (3) : 12-18. 12. Suh, B. and I. Han (2003) The IS risk analysis based on a business model, Information & Management 41: 149–158. 13. Gerber, M. and R. von Solms (2005) Management of risk in the information age, Computers & Security 24, 16-30. 14. Hamdi M. and N. Boudriga (2005) Computer and network security risk management: Theory, challenges, and countermeasures, International journal of communication systems 18:763–793. 15. Krichene, J. (2008) Managing Security Projects in Telecommunication Networks Ph.D. Thesis Engineering School of Communications, SUP’COM. 16. Stonebumer, G., A. Grogen, and A. Fering, Risk Management Guide for Information Technology Systems. National Institute of Standards and Technology. Special publication 800-830. 17. Alberts C. and A. Dorofee (2002) Managing Information Security Risks: The OCTAVE Approach Addison Wesley Professional. 18. Krichene, J. and N. Boudriga (2007) Network security project management: A security policy-based approach, in Proceedings of the IEEE International Conference on Systems, Man, and Cybernetics, (SMC 2007) Montréal, Canada October 7-10.

Item Type: Monograph Section
Research documents and activity classification: Book Sections > Monograph's chapters
Books > Editorships
Divisions: Department of Business and Management > CeRSI (Information Systems Research Centre)
Uncontrolled Keywords: Information security, business models, risk analysis
MIUR Scientific Area: Area 13 - Economics and Statistics > SECS-P/10 Business Organisation
Deposited by: Paolo Spagnoletti
Date Deposited: 31 Aug 2011 17:52
Last Modified: 21 Apr 2015 23:14
URI: http://eprints.luiss.it/id/eprint/956


Downloads per month over past year

Repository Staff Only

View Item View Item