DocumentCode :
2605138
Title :
Integrated security risk management for IT-intensive organizations
Author :
Mounzer, Jeffrey ; Alpcan, Tansu ; Bambos, Nicholas
Author_Institution :
Electr. Eng., Stanford Univ., Stanford, CA, USA
fYear :
2010
fDate :
23-25 Aug. 2010
Firstpage :
329
Lastpage :
334
Abstract :
Security risk management is becoming increasingly important in a variety of areas related to information technology (IT), such as telecommunications, cloud computing, banking information systems, etc. In this paper, we develop a systematic quantitative framework for security risk management in IT-intensive organizations. This framework provides a unified viewpoint for considering a wide array of security risk factors which can disrupt business continuity. Our approach integrates the three phases of security risk management, namely risk modeling, assessment, and control/mitigation, through a formulation based on directed graphs, cascades of failures, and mathematical optimization. We consider how security events can propagate through an organization and how resource allocation decisions can be made in order to mitigate the amount of damage they cause. The applicability and effectiveness of our framework are demonstrated through a numerical study which shows significant cost reductions when compared to heuristic methods.
Keywords :
directed graphs; optimisation; organisational aspects; risk management; security of data; IT-intensive organizations; business continuity; directed graphs; integrated security risk management; mathematical optimization; resource allocation decisions; risk assessment; risk modeling; security risk factors; Computer hacking; Investments; Mathematical model; Organizations; Risk management; Servers;
fLanguage :
English
Publisher :
IEEE
Conference_Titel :
Information Assurance and Security (IAS), 2010 Sixth International Conference on
Conference_Location :
Atlanta, GA
Print_ISBN :
978-1-4244-7407-3
Type :
conf
DOI :
10.1109/ISIAS.2010.5604086
Filename :
5604086