An Approach to Select Cost-Effective Risk Countermeasures Exemplified in CORAS
Le Minh Sang Tran, Bjørnar Solhaug, Ketil Stølen

TL;DR
This paper presents a generic approach that integrates cost assessment into risk analysis, aiding managers in selecting cost-effective security countermeasures using decision diagrams, exemplified through the CORAS method.
Contribution
It introduces a novel method to incorporate cost and effect estimates into risk models for better decision support in risk management.
Findings
Supports decision making with cost-effectiveness analysis
Uses decision diagrams for risk treatment options
Applied in the CORAS security risk analysis method
Abstract
Risk is unavoidable in business, and risk management is needed, among other things, to set up good security policies. Once the risks are evaluated, the next step is to decide how they should be treated. This involves managers making decisions on proper countermeasures to be implemented to mitigate the risks. The countermeasure expenditure, together with its ability to mitigate risks, are factors that affect the selection. While many approaches have been proposed to perform risk analysis, there has been less focus on delivering the prescriptive and specific information that managers require to select cost-effective countermeasures. This paper proposes a generic approach to integrate the cost assessment into risk analysis to aid such decision making. The approach makes use of a risk model which has been annotated with potential countermeasures, estimates for their cost and effect. A calculus is…
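The abstract describes a risk model annotated with candidate countermeasures and estimates of their cost and effect, from which treatment options are compared. The script below is an added illustration of that kind of decision support; it is not the calculus from the paper and not CORAS tooling. It assumes a deliberately simple model: expected loss is likelihood times consequence, each countermeasure's effect is a fractional reduction of the likelihood of the risks it addresses, effects of several countermeasures on one risk combine multiplicatively, and each treatment option (one branch of a decision diagram) is scored by net benefit, i.e. risk reduction minus cost. All risks, countermeasures and figures are constructed sample values.

```python
"""Illustrative cost-effectiveness ranking of security countermeasures.

Added example, not the paper's calculus. Assumed model:
  * a risk has a likelihood (events per year) and a consequence (loss per
    event); its expected annual loss is likelihood * consequence;
  * a countermeasure has an annual cost and, per risk it addresses, an
    effect given as the fraction by which it reduces that risk's likelihood;
  * effects of several countermeasures on one risk combine multiplicatively
    (i.e. they are treated as independent);
  * a treatment option is a set of countermeasures, scored by
    net benefit = risk reduction - cost.
All figures are constructed sample values.
"""
from dataclasses import dataclass
from itertools import combinations
from typing import Dict, Iterable, List, Sequence, Tuple


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: float   # expected occurrences per year
    consequence: float  # loss per occurrence, in currency units

    def expected_loss(self) -> float:
        return self.likelihood * self.consequence


@dataclass(frozen=True)
class Countermeasure:
    name: str
    cost: float                # annual cost, in currency units
    effects: Dict[str, float]  # risk name -> fractional likelihood reduction in [0, 1]


def residual_loss(risks: Iterable[Risk], option: Sequence[Countermeasure]) -> float:
    """Expected annual loss that remains once the countermeasures in `option` are applied."""
    total = 0.0
    for risk in risks:
        factor = 1.0
        for cm in option:
            factor *= 1.0 - cm.effects.get(risk.name, 0.0)
        total += risk.likelihood * factor * risk.consequence
    return total


def evaluate_option(risks: Sequence[Risk],
                    option: Sequence[Countermeasure]) -> Tuple[float, float, float]:
    """Return (risk reduction, total cost, net benefit) for one treatment option."""
    baseline = residual_loss(risks, ())
    reduction = baseline - residual_loss(risks, option)
    cost = sum(cm.cost for cm in option)
    return reduction, cost, reduction - cost


def all_options(countermeasures: Sequence[Countermeasure]) -> List[Tuple[Countermeasure, ...]]:
    """Every subset of countermeasures, including 'do nothing'; each is one decision branch."""
    options: List[Tuple[Countermeasure, ...]] = []
    for k in range(len(countermeasures) + 1):
        options.extend(combinations(countermeasures, k))
    return options


def rank_options(risks: Sequence[Risk], options: Iterable[Sequence[Countermeasure]]):
    """Rank treatment options by net benefit, best first.

    Each row is (option, reduction, cost, net benefit)."""
    scored = [(tuple(option), *evaluate_option(risks, option)) for option in options]
    return sorted(scored, key=lambda row: row[3], reverse=True)


def best_option(risks: Sequence[Risk], countermeasures: Sequence[Countermeasure]) -> Tuple[str, ...]:
    """Names of the countermeasures in the option with the highest net benefit."""
    top = rank_options(risks, all_options(countermeasures))[0]
    return tuple(cm.name for cm in top[0])


# Constructed sample risk model (not from the paper).
RISKS = [
    Risk("Data breach", likelihood=0.2, consequence=500_000.0),   # expected loss 100,000/yr
    Risk("Service outage", likelihood=2.0, consequence=20_000.0),  # expected loss 40,000/yr
]

# Constructed candidate countermeasures with cost and effect estimates.
COUNTERMEASURES = [
    Countermeasure("Encrypt data at rest", cost=30_000.0, effects={"Data breach": 0.5}),
    Countermeasure("Redundant servers", cost=25_000.0, effects={"Service outage": 0.75}),
    Countermeasure("Security training", cost=10_000.0,
                   effects={"Data breach": 0.2, "Service outage": 0.1}),
]

if __name__ == "__main__":
    for option, reduction, cost, net in rank_options(RISKS, all_options(COUNTERMEASURES)):
        names = ", ".join(cm.name for cm in option) or "(do nothing)"
        print(f"{names:60s} reduction={reduction:>9,.0f} cost={cost:>8,.0f} net={net:>9,.0f}")
```

With these constructed figures the baseline expected loss is 140,000 per year and applying all three countermeasures yields the highest net benefit (91,000 reduction against 65,000 cost). Two points matter in practice: the ranking is only as good as the cost and effect estimates it is fed, and the multiplicative combination of effects is an independence assumption that should be revisited when countermeasures overlap (for example, two controls that close the same attack path).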
