Primož Žvanut (2011) Information systems risk management based on network theory. EngD thesis.
Effective risk management is an important component of any successful security program. The main objective of risk management is to help the organization carry out its mission. Risk management is an important part of the organization as a whole, including its executives. The result of a risk assessment is a report on the risks that threaten the organization and recommendations for actions that eliminate or reduce the realization of the threat. A threat takes advantage of a vulnerability of a particular asset in the organization. In the world of IT, assets are called information assets and include servers, computers, laptops, data, etc. An asset is everything in the organization that serves its operation and carries a certain degree of vulnerability. If there is an asset, there is also the asset's vulnerability and the threat that can exploit it. The purpose of risk assessment is to find as many such vulnerabilities as possible, evaluate them and present a list of actions which can prevent the realization of threats. The primary purpose of this risk assessment tool was to assist security experts in managing and processing data on risk assessments. The ultimate objective is the identification of the greatest risks in the organization, obtained with a uniform methodology. The problem that arises is that there is a lot of data which cannot be handled easily. An additional problem is the presentation of the obtained results to the executives, where they should be presented in an easy and light way. The proposed solution to the problem is a network presentation. General knowledge of networks can assist in deducing certain rules and relationships between the nodes of the network, which represent the threats. Threats are related to each other based on common vulnerabilities. The network would also serve for the presentation of results.
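The threat network the abstract describes, worked through as an added example that is not code from the thesis: threats are nodes, an edge means two threats share a vulnerability, and simple network measures rank the threats and the mitigating actions. The register, threat names, vulnerability names and risk scores are constructed for illustration.

```python
from collections import defaultdict
from itertools import combinations
# Constructed sample risk register (hypothetical names): each threat lists the
# vulnerabilities it exploits and a likelihood x impact score on a 1..25 scale.
THREATS = {
    "phishing": {"vulns": {"no-mfa", "untrained-staff"}, "risk": 20},
    "credential-stuffing": {"vulns": {"no-mfa", "password-reuse"}, "risk": 16},
    "ransomware": {"vulns": {"untrained-staff", "unpatched-hosts",
                             "no-offline-backup"}, "risk": 25},
    "worm": {"vulns": {"unpatched-hosts"}, "risk": 12},
    "insider-leak": {"vulns": {"excess-privilege"}, "risk": 9},
}

def build_threat_network(threats):
    """Project the threat/vulnerability relation onto a threat-threat graph:
    two threats are linked when they share a vulnerability, and the edge
    weight is the number of vulnerabilities they have in common."""
    edges = {}
    for a, b in combinations(sorted(threats), 2):
        shared = threats[a]["vulns"] & threats[b]["vulns"]
        if shared:
            edges[(a, b)] = len(shared)
    return edges

def weighted_degree(threats, edges):
    """Node strength: total weight of a threat's shared-vulnerability links."""
    degree = {t: 0 for t in threats}
    for (a, b), weight in edges.items():
        degree[a] += weight
        degree[b] += weight
    return degree

def rank_threats(threats):
    """Order threats by own risk score, then by connectedness in the network."""
    degree = weighted_degree(threats, build_threat_network(threats))
    return sorted(threats, key=lambda t: (threats[t]["risk"], degree[t]),
                  reverse=True)

def mitigation_leverage(threats):
    """Risk removed by closing each vulnerability: the sum of the risk scores
    of every threat that depends on it. Highest value is the best action."""
    leverage = defaultdict(int)
    for data in threats.values():
        for vuln in data["vulns"]:
            leverage[vuln] += data["risk"]
    return sorted(leverage.items(), key=lambda kv: kv[1], reverse=True)

if __name__ == "__main__":
    print("threats by risk:", rank_threats(THREATS))
    print("actions by leverage:", mitigation_leverage(THREATS))
```

A threat with high weighted degree is a hub: closing its vulnerabilities also weakens every neighbour, which is why the leverage list, not the raw risk list, is what the executives' action plan should be built from.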