Risk Mitigation Decisions for IT Security
Similar resources
Information Security Risk Assessment, Aggregation, and Mitigation
As part of their compliance process with the Basel 2 operational risk management requirements, banks must define how they deal with information security risk management. In this paper we describe work in progress on a new quantitative model to assess and aggregate information security risks that is currently under development for deployment. We show how to find a risk mitigation strategy that i...
Dynamic Risk Measurement and Mitigation for Proactive Security Configuration Management
The factors on which security depends are of dynamic nature. These include emergence of new vulnerabilities and threats, policy structure and network traffic. Due to the dynamic nature of these factors, objectively identifying and measuring security metrics is a major challenge. However, such an evaluation can significantly help security professionals in decision making such as choosing between...
QSec: Supporting Security Decisions on an IT Infrastructure
A global vulnerability of an IT infrastructure is a set of vulnerabilities in its nodes that enables a sequence of attacks where an agent acquires the privileges that each attack requires as a result of the previous attacks in the sequence. This paper presents QSec, a tool to support decision on the infrastructure security that queries a database with information on global vulnerabilities and t...
Risk Management in IT Service Security
This article brings a novel approach for optimized risk management in IT service information security. The new method is based on widely used international standards – best practices – for IT service management (ISO/IEC 20000) and Information security management system (ISO/IEC 27000). Firstly, the IT service information security approach is developed (based on a Service level management extens...
Journal
Journal title: ACM Transactions on Management Information Systems
Year: 2014
ISSN: 2158-656X,2158-6578
DOI: 10.1145/2576757