ISRAM: information security risk analysis method

Continuously changing nature of technological environment has been enforcing to revise the process of information security risk analysis accordingly. A number of quantitative and qualitative risk analysis methods have been proposed by researchers and vendors. The purpose of these methods is to analyze today\u27s information security risks properly. Some of these methods are supported by a software package. In this study, a survey based quantitative approach is proposed to analyze security risks of information technologies by taking current necessities into consideration. The new method is named as Information Security Risk Analysis Method (ISRAM). Case study has shown that ISRAM yields consistent results in a reasonable time period by allowing the participation of the manager and staff of the organization

A quantitative method for ISO 17799 gap analysis

ISO/IEC 17799:2005 is one of the leading standards of information security. It is the code of practice including 133 controls in 11 different domains. There are a number of tools and software that are used by organizations to check whether they comply with this standard. The task of checking compliance helps organizations to determine their conformity to the controls listed in the standard and deliver useful outputs to the certification process. In this paper, a quantitative survey method is proposed for evaluating ISO 17799 compliance. Our case study has shown that the survey method gives accurate compliance results in a short time with minimized cost

A Novel Approach to Information Security Risk Analysis

A number of risk analysis methods became obsolete because of the profound changes in information technologies. Revolutionary changes in information technologies have converted many risk analysis methods into inconsistent, long lasting and expensive instruments. Therefore, risk analysis methods should be adaptively modified or redesigned according to the changes in information technologies, so that they meet the information security requirements of the organizations. By taking these requirements into consideration, a survey based approach is proposed for analyzing the risks of information technologies. This new method is named as Risk Analysis Method for Information Security (RAMIS). A case study is conducted to show the steps of RAMIS in detail and to obtain the risk results. To verify the results of the case study, simulation is performed based on the real statistical data. The results of simulation showed that RAMIS yields consistent results in a reasonable time period by allowing the participation of the manager and staff of the organization