growing dependence of organizations on technologies to conduct their businesses, to create a competitive advantage and to achieve a higher ROI. Organizations must consider how they are going to adapt to the continuously changing risk environment, since technical control mechanisms alone no longer guarantee security but depend on other security requirements such as legislation, culture or environment (Onwubiko and Lenaghan, 2009).
Recognized organizations such as ENISA (European Network and Information Security Agency) and OECD (Organization for Economic Cooperation and Development) are making strong efforts to promote a culture of security, focusing on the development of information systems security, on improving security communications and on the adoption of new ways of thinking and behaving by all participants when using information systems and communication technologies.
According to ENISA and OECD, raising information security awareness is the first and greatest challenge for any organization (OECD, 2009). Organizations need to evolve their security management strategies as information security management practice evolves, in response to the emergence of new information security requirements. A proper security strategy demands a rigorous process in which every agent interacting with critical resources needs to be aware of and participate in security management, both by adopting secure behaviours and by continuously evaluating the performance of security controls (CCMB, 2006).
The Information Security Management System (ISMS) is a concept introduced in the security standard ISO/IEC 27000. It provides a model, named PDCA (Plan-Do-Check-Act), to establish, implement, operate, monitor, review, maintain and improve the protection of information assets. These assets are critical to the operational activity of the organization and require adequate protection against the loss of relevant properties such as confidentiality, integrity and availability, so that business objectives are achieved on the basis of a risk assessment and of the organization's risk acceptance levels, and risks are effectively dealt with and managed (ISO/IEC, 2009). In other words, the ISMS reflects the organization's approach to risk assessment and risk management, the level of risk that the organization is willing to accept and the controls to be implemented. An adequate information security risk management process requires security planning in order to collect information for awareness, followed by the implementation of the mechanisms required by a risk analysis process.
The following section introduces an overview of information security risk analysis.
3 SECURITY RISK ANALYSIS
Information security risk analysis is an integral part of information security management activities and consists in the systematic use of information to identify sources of risk and to estimate risks (ISO/IEC_JTC1, 2008). This activity is especially important when the organization depends heavily on IT-based systems to remain viable. The resulting decisions are based on the cost-benefit evaluation of applying controls and on assessments of the acceptable risk of the secured systems.
In all organizations, regardless of their business activity, the security risk management process should comprise the following actions:
• Identification of the critical assets of the organization;
• Investigation of the vulnerabilities inherent to the assets;
• Identification of threats to the assets;
• Evaluation of the implemented controls;
• Identification of the impacts that losses of confidentiality, integrity and availability may have on the assets.
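As an added illustration, not part of the paper, the following Python script walks through the five actions above on a constructed two-asset register: assets valued by confidentiality, integrity and availability, vulnerabilities linked to the threats that can exploit them, implemented controls with an observed effectiveness, and an impact derived from the properties each threat degrades. The ordinal 1..3 scales, the likelihood × impact scoring rule, the acceptance threshold and all sample data are assumptions chosen for the example; the paper does not prescribe a scoring scheme.

```python
# Added example (not from the paper): a minimal risk register that walks through
# the five risk-management actions. Scales, scoring rule and all sample data are
# constructed assumptions; the paper does not prescribe a scoring scheme.
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Asset:                       # action 1: critical assets and their value
    name: str
    business_process: str
    confidentiality: int           # value of each property to the organization, 1 (low) .. 3 (high)
    integrity: int
    availability: int


@dataclass
class Vulnerability:               # action 2: weaknesses inherent to an asset
    asset: str
    description: str
    exploited_by: str              # name of the threat that can exercise it
    exposure: int                  # 1..3, how easily the weakness is exercised


@dataclass
class Threat:                      # action 3: threats to the assets, with type and source
    name: str
    threat_type: str               # e.g. "external", "insider", "environmental"
    source: str                    # incident review, user survey or external reference
    likelihood: int                # 1..3, before controls are considered
    affects: tuple                 # which of "C", "I", "A" the threat degrades


@dataclass
class Control:                     # action 4: implemented controls and their observed performance
    vulnerability: str             # description of the vulnerability it covers
    description: str
    effectiveness: int             # 1..3, how much it reduces likelihood


def impact(asset: Asset, threat: Threat) -> int:
    """Action 5: impact is the highest-valued property the threat can degrade."""
    values = {"C": asset.confidentiality, "I": asset.integrity, "A": asset.availability}
    return max(values[p] for p in threat.affects)


def residual_likelihood(threat: Threat, vuln: Vulnerability, controls: List[Control]) -> int:
    """Exposure can raise the threat's likelihood; the best matching control lowers it (floor 1)."""
    raw = max(threat.likelihood, vuln.exposure)
    best = max((c.effectiveness for c in controls if c.vulnerability == vuln.description), default=0)
    return max(1, raw - best)


def assess(assets, vulns, threats, controls, acceptance_level) -> List[Dict]:
    """Build the register, one entry per vulnerability, ordered by descending risk."""
    asset_by_name = {a.name: a for a in assets}
    threat_by_name = {t.name: t for t in threats}
    register = []
    for v in vulns:
        a, t = asset_by_name[v.asset], threat_by_name[v.exploited_by]
        lik, imp = residual_likelihood(t, v, controls), impact(a, t)
        risk = lik * imp
        register.append({
            "asset": a.name, "process": a.business_process,
            "vulnerability": v.description, "threat": t.name,
            "threat_type": t.threat_type, "threat_source": t.source,
            "likelihood": lik, "impact": imp, "risk": risk,
            # risk above the organization's acceptance level must be treated
            "treatment": "treat" if risk > acceptance_level else "accept",
        })
    return sorted(register, key=lambda r: r["risk"], reverse=True)


# Constructed sample data (assumed, for illustration only).
ASSETS = [
    Asset("customer database", "order handling", 3, 3, 2),
    Asset("public website", "online sales", 1, 2, 3),
]
VULNS = [
    Vulnerability("customer database", "shared admin password", "credential theft", 3),
    Vulnerability("public website", "single web server", "service outage", 2),
]
THREATS = [
    Threat("credential theft", "external", "incident review", 2, ("C", "I")),
    Threat("service outage", "environmental", "external threat reference", 2, ("A",)),
]
CONTROLS = [
    Control("shared admin password", "MFA on administrator accounts", 2),
]
ACCEPTANCE_LEVEL = 4   # assumed: risk scores of 4 or below are accepted

if __name__ == "__main__":
    for entry in assess(ASSETS, VULNS, THREATS, CONTROLS, ACCEPTANCE_LEVEL):
        print(f"{entry['asset']:<18} {entry['threat']:<17} risk={entry['risk']} -> {entry['treatment']}")
```

With the sample data the website's single server scores 6 and must be treated, while the database's shared password, once the MFA control is credited, scores 3 and falls within the acceptance level. Re-running `assess` after a control is added or its observed effectiveness changes is the "Check" part of the PDCA cycle mentioned earlier: the register shows whether the treatment decision actually moved.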
The identification of assets should address a substantial level of detail in order to provide enough information for the risk assessment. The result should be a list of assets to be risk-managed and a list of the business processes related to those assets, with their importance (or value) to the organization.
Threat identification results from reviewing incidents and surveying users, as well as from other sources including external threat references. The collected information makes it possible to produce a list of threats that identifies each threat's type and source.
The investigation of vulnerabilities consists in finding the assets' weaknesses that can be exploited by a threat. Vulnerabilities should be continually monitored and reviewed. Concerning information technologies, there are many automatic scanning tools, which are good at discovering known vulnerabilities. However, concerning new technologies, and in particular human interaction and misbehaviour (a very important source of vulnerabilities), a lot of specific and reflective work still needs to be done.
The identification of implemented controls intends to evaluate the organization's defence capacity, analysing whether the controls put in practice
KEOD 2012 - International Conference on Knowledge Engineering and Ontology Development (p. 462)