A causal model for information security risk assessment

Abstract

This paper presents a probabilistic approach to encode causal relationships among various threat sources and victim systems in order to facilitate quantitative and relational security assessment of information systems. In addition to providing a simple risk analysis approach compared to qualitative methods, it is unique in that it makes no a priori assumptions regarding the test domain. Therefore, it applies equally well to a variety of information systems, software development projects, IT products, and other decision making systems. The entire framework proposes a unique concept to analyse dependence and causality within a network of interdependent assets. Security risk management is mostly considered by security certification authorities, test and evaluation facilities, and some organizations such as CC, CCITT, and ISACA. In order to invent new methods that can facilitate security management, we need to consider risk assessment as a major research topic for evaluation facilities. © 2010 IEEE.