Title :
An Empirically Derived Loss Taxonomy Based on Publicly Known Security Incidents
Author :
Innerhofer-Oberperfler, Frank ; Breu, Ruth
Author_Institution :
Res. Group Quality Eng., Univ. of Innsbruck, Innsbruck
Abstract :
In this paper we focus on the losses related to information and IT security incidents. The loss dimension, in terms of business impacts, is often treated only superficially in current standards, best practices and the research literature; the main focus often lies on the impacts on properties of information and services such as confidentiality, integrity and availability. We take a step towards filling this gap by developing a more systematic taxonomy of losses. For this purpose, publicly announced security incidents have been analysed using cause-consequence diagrams to identify different types of losses. The identified causes of incidents and the resulting types of losses have been classified using an enterprise model to distinguish different levels of abstraction. This exploratory and descriptive research yielded a) a preliminary taxonomy of losses related to security incidents, b) a validation of the enterprise model used as a frame for the analysis and c) different paths of propagation of causes of incidents.
Keywords :
business data processing; security of data; IT security incidents; empirically derived loss taxonomy; information security incidents; publicly announced security incidents; publicly known security incidents; unit questioning risk managers; Availability; Computer security; Costs; Guidelines; IEC standards; ISO standards; Information security; Reliability engineering; Risk management; Taxonomy; Risk assessment;
Conference_Title :
Availability, Reliability and Security, 2009. ARES '09. International Conference on
Conference_Location :
Fukuoka
Print_ISBN :
978-1-4244-3572-2
Electronic_ISBN :
978-0-7695-3564-7
DOI :
10.1109/ARES.2009.85