During the period when I was pursuing my Masters Degree in Information Security at The Cardiff University, My Supervisor Dr.Pete Burnap
suggested me to research on ISO 27001 Risk assessment as part of the
curriculum. Now that the results are out and I had been awarded a
distinction, I thought its best if I was make my work available for all
in the academic community to share without restriction. So here you go!
Abstract
Although successful Risk Assessment (RA) methodologies have been developed over the years to model complex systems, Conventional Risk Management (RM) techniques are outdated, increasingly becoming daunting and complex with a steep decline in the ability to mitigate emerging or unknown threats. Much of RA conducted within an organization is based on an individual’s perception of risk and most controls are implemented with doubt and uncertainty since prediction is inherently hard.
Typical RA reports are treated as classified and are self contained within Organizations as they believe that it could potentially compromise their security leverage against “Real World Threats (RWT)” or competing Organizations. A clear case of clouded uncertainty exists when assigning tolerance indicators and risk metrics leading to bad decision making among managerial authority to which we shall refer to as “Cognitive bias”. An ill-informed RM strategy could cost dearly to the organization. The problem is complex, however the solution need not be.
This work aims to make Risk Management more approachable & standardized by suggesting a framework following the ISO 27001 methodology where anonymized (Privacy Preservation of public data achieved by K-anonymity) RA reports can be shared among various organizations grouped across industry sectors to enable mutual and collaborative defense against cyber crime and facilitate informed decisions about “True security risks” without the fear of specific privacy disclosure. This could potentially help managerial authority make efficient decisions that can be validated & to focus on improving security controls within organization and worry less on ball parking likelihood of probable risk, its risk factors and flawed estimates.
Embedded PDF
Abstract
Although successful Risk Assessment (RA) methodologies have been developed over the years to model complex systems, Conventional Risk Management (RM) techniques are outdated, increasingly becoming daunting and complex with a steep decline in the ability to mitigate emerging or unknown threats. Much of RA conducted within an organization is based on an individual’s perception of risk and most controls are implemented with doubt and uncertainty since prediction is inherently hard.
Typical RA reports are treated as classified and are self contained within Organizations as they believe that it could potentially compromise their security leverage against “Real World Threats (RWT)” or competing Organizations. A clear case of clouded uncertainty exists when assigning tolerance indicators and risk metrics leading to bad decision making among managerial authority to which we shall refer to as “Cognitive bias”. An ill-informed RM strategy could cost dearly to the organization. The problem is complex, however the solution need not be.
This work aims to make Risk Management more approachable & standardized by suggesting a framework following the ISO 27001 methodology where anonymized (Privacy Preservation of public data achieved by K-anonymity) RA reports can be shared among various organizations grouped across industry sectors to enable mutual and collaborative defense against cyber crime and facilitate informed decisions about “True security risks” without the fear of specific privacy disclosure. This could potentially help managerial authority make efficient decisions that can be validated & to focus on improving security controls within organization and worry less on ball parking likelihood of probable risk, its risk factors and flawed estimates.
Embedded PDF
No comments:
Post a Comment