Why 2 times 2 ain't necessarily 4 - at least not in IT security risk assessment
Jens Braband

TL;DR
This paper critically analyzes a new semi-quantitative IT security risk assessment method, exposing flaws and proposing an improved hybrid approach combining semi-quantitative assessment with threat and risk analysis.
Contribution
It identifies systematic flaws in the IEC 62443-3-2 draft's risk assessment approach and proposes a novel hybrid method integrating semi-quantitative and qualitative analysis.
Findings
Exposes flaws in the IEC 62443-3-2 draft approach
Proposes a hybrid risk assessment method
Enhances accuracy of IT security risk evaluation
Abstract
Recently, a novel approach towards semi-quantitative IT security risk assessment has been proposed in the draft IEC 62443-3-2. This approach is analyzed from several different angles, e.g. its embedding into the overall standard series and its semantic and methodological aspects. As a result, several systematic flaws in the approach are exposed. As a way forward, an alternative approach is proposed which blends semi-quantitative risk assessment with threat and risk analysis.
Taxonomy
Topics: Information and Cyber Security · Risk and Safety Analysis · Smart Grid Security and Resilience
