A Causal Model for Information Security Risk Assessment
Kondakçı, Süleyman
Conference Object
2010 6th International Conference on Information Assurance and Security, IAS 2010 -- 23 August 2010 through 25 August 2010 -- Atlanta, GA -- 82434
2023-06-16
2023-06-16
2010
9.78E+12
https://doi.org/10.1109/ISIAS.2010.5604039
https://hdl.handle.net/20.500.14365/3573
10.1109/ISIAS.2010.5604039
2-s2.0-78349282314
en
info:eu-repo/semantics/closedAccess

This paper presents a probabilistic approach to encode causal relationships among various threat sources and victim systems in order to facilitate quantitative and relational security assessment of information systems. In addition to providing a simple risk analysis approach compared to qualitative methods, it is unique in that it makes no a priori assumptions regarding the test domain. Therefore, it applies equally well to a variety of information systems, software development projects, IT products, and other decision making systems. The entire framework proposes a unique concept to analyse dependence and causality within a network of interdependent assets. Security risk management is mostly considered by security certification authorities, test and evaluation facilities, and some organizations such as CC, CCITT, and ISACA. In order to invent new methods that can facilitate security management, we need to consider risk assessment as a major research topic for evaluation facilities.
© 2010 IEEE.

Risk modeling; Security analysis; Test methods and tools; Uncertainty inference
Analysis approach; Causal model; Causal relationships; Decision-making systems; Information security risk assessment; IT products; Probabilistic approaches; Qualitative method; Research topics; Risk modeling; Security analysis; Security assessment; Security certification; Security management; Software development projects; Test and evaluation; Test method; Uncertainty inference
Information systems; Quality control; Risk analysis; Risk assessment; Risk management; Risk perception; Security systems; Software design; Uncertainty analysis
Security of data