Dissertations / Theses on the topic 'Information security risk'

1. Posthumus, Shaun Murray. "Corporate information risk : an information security governance framework." Thesis, Nelson Mandela Metropolitan University, 2006. http://hdl.handle.net/10948/814.

Abstract:
Information Security is currently viewed from a technical point of view only. Some authors believe that Information Security is a process that involves more than merely Risk Management at the department level, as it is also a strategic and potentially legal issue. Hence, there is a need to elevate the importance of Information Security to a governance level through Information Security Governance and to propose a framework to help guide the Board of Directors in their Information Security Governance efforts. IT is a major facilitator of organizational business processes, and these processes manipulate and transmit sensitive customer and financial information. IT, which involves major risks, may threaten the security of corporate information assets. Therefore, IT requires attention at board level to ensure that technology-related information risks are within an organization's accepted risk appetite. However, IT issues are a neglected topic at board level, and this could bring about Enron-esque disasters. Therefore, there is a need for the Board of Directors to direct and control IT-related risks effectively to reduce the potential for Information Security breaches and bring about a stronger system of internal control. The IT Oversight Committee is a proven means of achieving this, and this study further motivates the necessity for such a committee to solidify an organization's Information Security posture among other IT-related issues.

2. Faizi, Ana. "Information Security Risk Assessment in Cloud." Thesis, Luleå tekniska universitet, Datavetenskap, 2019. http://urn.kb.se/resolve?urn=urn:nbn:se:ltu:diva-76120.

Abstract:
This research addresses the issue of information security risk assessment (ISRA) on cloud solutions implemented for large companies. Four companies were studied, of which three used cloud services and conducted ISRA, while one provided cloud services and consultancy to customers on ISRA. Data were gathered qualitatively to (1) analyze the cloud-using companies' practices and (2) identify regularities observed by the cloud-providing company. The COAT-hanger model, which focuses on theorizing the practices, was used to study the practices. The results showed that the companies aimed to follow guidelines, in the form of frameworks or their own experience, to conduct ISRA; furthermore, the frameworks were altered to fit the companies' needs. The results further indicated that one of the main concerns with cloud ISRA was the absence of a culture that integrates risk management. In addition, the companies' boards lacked interest in and/or awareness of risks associated with the cloud solutions. Finally, the findings also stressed the importance of a good understanding and a well-written legal contract between the cloud providers and the companies utilizing the cloud services.

3. Lurain, Sher. "Networking security : risk assessment of information systems /." Online version of thesis, 1990. http://hdl.handle.net/1850/10587.

4. Cho, Sungback. "Risk analysis and management for information security." Thesis, Royal Holloway, University of London, 2003. http://ethos.bl.uk/OrderDetails.do?uin=uk.bl.ethos.404796.

5. Ogbanufe, Obiageli. "Three Essays on Information Security Risk Management." Thesis, University of North Texas, 2018. https://digital.library.unt.edu/ark:/67531/metadc1157576/.

Abstract:
Today's environment is filled with the proliferation of cyber-attacks that result in losses for organizations and individuals. Hackers often use compromised websites to distribute malware, making it difficult for individuals to detect. The impact of clicking through a malware-infected link on the Internet can result in consequences such as private information theft and identity theft. Hackers are also known to perpetrate cyber-attacks that result in organizational security breaches that adversely affect organizations' finances, reputation, and market value. Risk management approaches for minimizing and recovering from cyber-attack losses and preventing further cyber-attacks are gaining more importance. Many studies exist that have increased our understanding of how individuals and organizations are motivated to reduce or avoid the risks of security breaches and cyber-attacks using safeguard mechanisms. The safeguards are sometimes technical in nature, such as intrusion detection software and anti-virus software. Other times, the safeguards are procedural in nature, such as security policy adherence and security awareness and training. Many of these safeguards fall under the risk mitigation and risk avoidance aspects of risk management, and do not address other aspects of risk management, such as risk transfer. Researchers have argued that technological approaches to security risks are rarely sufficient for providing overall protection of information system assets. Moreover, others argue that overall protection must include a risk transfer strategy. Hence, there is a need to understand the risk transfer approach for managing information security risks. Further, in order to effectively address the information security puzzle, there also needs to be an understanding of the nature of the perpetrators of the problem: the hackers. Though hacker incidents proliferate in the news, there are few theory-based hacker studies. Even though the very nature of their actions makes them difficult to reach for research, a glimpse of how hackers perpetrate attacks can be obtained through the examination of their knowledge-sharing behavior. Gaining some understanding of hackers through their knowledge-sharing behavior may help researchers fine-tune future information security research. The insights could also help practitioners design more effective defensive security strategies and risk management efforts aimed at protecting information systems. Hence, this dissertation is interested in understanding the hackers that perpetrate cyber-attacks on individuals and organizations through their knowledge-sharing behavior. Then, of interest also is how individuals form their URL click-through intention in the face of proliferating cyber risks. Finally, we explore how and why organizations that are faced with the risk of security breaches commit to cyberinsurance as a risk management strategy. Thus, the fundamental research question of this dissertation is: how do individuals and organizations manage information security risks?

6. Hayat, Mohammed Zia. "Information Security Risk Management for Ubiquitous Computing." Thesis, University of Southampton, 2007. http://ethos.bl.uk/OrderDetails.do?uin=uk.bl.ethos.484894.

Abstract:
The potential for rapid and diverse interconnectivity between devices utilising heterogeneous communications interfaces has enabled a truly ubiquitous computing environment. However, this has resulted in equally ubiquitous security risks, due principally to the number and complexity of services being run over such networks. As technology advances towards the realisation of a ubiquitous computing environment, what impact does this have on the need to preserve the key information security requirements of confidentiality, integrity and availability? And how does this influence future information security solutions, particularly in light of 'always-on' business processes which require real-time information sharing? This thesis describes research conducted into answering these questions from a risk management perspective, using key industrial projects as case studies.

7. He, Ying. "Generic security templates for information system security arguments : mapping security arguments within healthcare systems." Thesis, University of Glasgow, 2014. http://theses.gla.ac.uk/5773/.

Abstract:
Industry reports indicate that the number of security incidents occurring in healthcare organisations is increasing. Lessons learned (i.e. the causes of a security incident and the recommendations intended to avoid any recurrence) from those security incidents should ideally inform information security management systems (ISMS). The sharing of lessons learned is an essential activity in the "follow-up" phase of the security incident response lifecycle, which has long been acknowledged but not given enough attention in academia and industry. This dissertation proposes a novel approach, the Generic Security Template (GST), aiming to feed back the lessons learned from real-world security incidents to the ISMS. It adapts the graphical Goal Structuring Notation (GSN) to present the lessons learned in a structured manner by mapping them to the security requirements of the ISMS. The suitability of the GST has been confirmed by demonstrating that instances of the GST can be produced from real-world security incidents in different countries based on in-depth analysis of case studies. The usability of the GST has been evaluated using a series of empirical studies. The GST is empirically evaluated in terms of its effectiveness in assisting the communication of lessons learned from security incidents as compared to the traditional text-based approach alone. The results show that the GST can help to improve accuracy and reduce the mental effort required to identify the lessons learned from security incidents, and the results are statistically significant. The GST is further evaluated to determine whether users can apply the GST to structure insights derived from a specific security incident. The results show that students with a computer science background can create an instance of the GST. The acceptability of the GST is assessed in a healthcare organisation. Strengths and weaknesses are identified and the GST has been adjusted to fit organisational needs. The GST is then further tested to examine its capability to feed back the security lessons to the ISMS. The results show that, by using the GST, lessons identified from security incidents in one healthcare organisation in a specific country can be transferred to another and can indeed inform improvements of the ISMS. In summary, the GST provides a unified way to feed back lessons learned to the ISMS. It fosters an environment where different stakeholders can speak the same language while exchanging the lessons learned from security incidents around the world.

8. Farahmand, Fariborz. "Developing a Risk Management System for Information Systems Security Incidents." Diss., Georgia Institute of Technology, 2004. http://hdl.handle.net/1853/7600.

Abstract:
The Internet and information systems have enabled businesses to reduce costs, attain greater market reach, and develop closer business partnerships along with improved customer relationships. However, using the Internet has led to new risks and concerns. This research provides a management perspective on the issues confronting CIOs and IT managers. It outlines the current state of the art of information security, the important issues confronting managers, security enforcement measures/techniques, and potential threats and attacks. It develops a model for classification of threats and control measures. It also develops a scheme for probabilistic evaluation of the impact of security threats, with some illustrative examples. It involves validation of information assets and probabilities of success of attacks on those assets in organizations, and evaluates the expected damages of these attacks. The research outlines some suggested control measures, presents some cost models for quantifying damages from these attacks, and compares the tangible and intangible costs of these attacks. This research also develops a risk management system for information systems security incidents in five stages: (1) resource and application value analysis, (2) vulnerability and risk analysis, (3) computation of losses due to threats and benefits of control measures, (4) selection of control measures, and (5) implementation of alternatives. The outcome of this research should help decision makers select the appropriate control measure(s) to minimize damage or loss due to security incidents. Finally, some recommendations for future work are provided to improve the management of security in organizations.

9. Lategan, Neil. "Epirismm: an enterprise information risk management model." Thesis, Nelson Mandela Metropolitan University, 2006. http://hdl.handle.net/10948/541.

Abstract:
Today, information is considered a commodity and no enterprise can operate without it. Indeed, information and the supporting technology are pivotal in all enterprises. However, a major problem being experienced in the business environment is that enterprise risk cannot be managed effectively because business and information-related risk are not congruently aligned with risk management terminology and practices. The business environment and information technology are bound together by information. For this reason, it is imperative that risk management is synergised in the business, ICT (Information and Communication Technology) and information environments. A thorough, all-inclusive risk analysis exercise needs to be conducted in business and supporting environments in order to develop an effective internal control system. Such an internal control system should reduce the exposure to risk and aid the safeguarding of assets. Indeed, in today's so-called information age, where business processes integrate the business and ICT environments, it is imperative that a unary internal control system be established, based on a holistic risk management exercise. To ensure that the enterprise, information and ICT environments operate free of the risks that threaten them, the risks should be properly governed. A model, EPiRISMM (Enterprise Information Risk Management Model), is proposed that combines risk management practices from an ICT, information, governance, and enterprise perspective, because there are so many overlapping aspects inherent in them. EPiRISMM combines various well-known standards and frameworks into one coherent model. By employing EPiRISMM, an enterprise will be able to eliminate the traditional segmented approach of the ICT department and thus eliminate any previous discontinuity in risk management practices.

10. Sedlack, Derek J. "Reducing Incongruity of Perceptions Related to Information Risk: Dialogical Action Research in Organizations." NSUWorks, 2012. http://nsuworks.nova.edu/gscis_etd/299.

Abstract:
A critical overreliance on the technical dimension of information security has recently shifted toward more robust, organizationally focused information security methods to countermand $54 billion lost from computer security incidents. Developing a more balanced approach is required since protecting information is not an all-or-nothing proposition. Inaccurate tradeoffs resulting from misidentified risk severity based on organizational group perceptions related to information risk form information security gaps. This dissertation applies dialogical action research to study the information security gap created by incongruent perceptions of organizational members related to information risk among different stakeholder communities. A new model, the Information Security Improvement model, based on Technological Frames of Reference (TFR), is proposed and tested to improve information security through reduced member incongruity. The model proved useful in realigning incongruent perceptions related to information risk within the studied organization. A process for identifying disparate information characteristics and potential influencing factors is also presented. The research suggested that the model is flexible and extensible within the organizational context, and may be used to study incongruent individual perceptions (micro) or larger groups such as departments or divisions.

11. Casas, Victoriano. "An information security risk assessment model for public and university administrators /." View online, 2006. http://ecommons.txstate.edu/arp/109.

12. Frey, Rüdiger, Lars Rösler, and Dan Lu. "Corporate Security Prices in Structural Credit Risk Models with Incomplete Information." Wiley, 2017. http://dx.doi.org/10.1111/mafi.12176.

Abstract:
The paper studies structural credit risk models with incomplete information of the asset value. It is shown that the pricing of typical corporate securities such as equity, corporate bonds or CDSs leads to a nonlinear filtering problem. This problem cannot be tackled with standard techniques, as the default time does not have an intensity under full information. We therefore transform the problem to a standard filtering problem for a stopped diffusion process. This problem is analyzed via SPDE results from the filtering literature. In particular, we are able to characterize the default intensity under incomplete information in terms of the conditional density of the asset value process. Moreover, we give an explicit description of the dynamics of corporate security prices. Finally, we explain how the model can be applied to the pricing of bond and equity options, and we present results from a number of numerical experiments.

13. Hedlund, Filip, and Emma Loots. "Information Security Risk Assessment : An Analysis of a Medical Aid Service." Thesis, KTH, Skolan för elektroteknik och datavetenskap (EECS), 2020. http://urn.kb.se/resolve?urn=urn:nbn:se:kth:diva-284151.

Abstract:
Security in the healthcare sector has historically been insufficient, seeing several high-profile cyber-attacks crippling availability of equipment and vital services with demands of ransom sums, and intrusions collecting sensitive patient data en masse. For this reason, digital services intended for medical use need to be convincingly secure in order to be adopted. This report investigates how to implement sufficient information security for a system involving a digital pill organiser with mobile application connectivity intended for professional medical use. Each component of the currently in-development Dosis Pro system is systematically evaluated in order to assess which security measures need to be taken for the service to be considered adequately secure. The analysis is structured around the ISO/IEC 27001:2013 guidelines, and potential solutions are suggested on a per-component basis based on a broad literature study of related research. The result is practical solutions for 19 highlighted problem areas, which should achieve a reasonable level of security overall in combination with the careful data flow of the service. Further, to achieve an exceptionally secure system it is advisable to test the solutions on a complete system, and to continuously carry out similar evaluations and improve its design throughout several years of operation.
Swedish abstract (translated): The healthcare sector has over the years endured many attacks against its digital tools and services, ranging from large-scale data breaches to the disruption of critical public services with demands for ransom payments. Because of this, digital products intended for medical use must be shown to be secure in order to be accepted. This thesis investigates how adequate information security can be implemented for a system built around a digital pill organiser with an app connection intended for use in healthcare. The report systematically examines each component of the Dosis Pro service to determine which security risks exist and which measures need to be taken for the service to be established as secure. The analysis is structured according to the guidelines of ISO/IEC 27001:2013, and solutions are proposed component by component based on a broad literature study of related research. The result is practical solutions for 19 identified problem areas, which together should achieve an acceptable level of security when the service's cautious data flow is taken into account. Further, to achieve an exceptionally secure system, it is recommended that the solutions be tested in a finished system, and that similar evaluations be carried out continuously to make improvements over several years of operation.

14. Pak, Charles. "Near Real-time Risk Assessment Using Hidden Markov Models." NSUWorks, 2011. http://nsuworks.nova.edu/gscis_etd/267.

Abstract:
Business objectives and methods in an organization change periodically. Their supporting Information Systems (ISs) change even more dynamically for various reasons: system upgrades, software patches, routine maintenance, and intentionally or unintentionally induced attacks. Unless regular, routine, and timely risk assessments are conducted, changes in IS risks may never be noticed. Risk assessments need to be performed more frequently and faster in order to discover potential threats and to determine the changes that must be made to corporate computing environments to address them. Furthermore, conducting risk assessments on organizational assets can be time consuming, burdensome, and misleading in many cases because of the dynamically changing security states of assets. In theory, each asset can change its security state from one of secure, mitigated, vulnerable, or compromised. However, the secure state is only temporary and imaginary; it may never exist. Therefore, it is more accurate to say that each asset changes its security state from mitigated, vulnerable, or compromised. If we can predict an asset's future security state based on its current security state, we would have a good indicator of risk for the organization's mission-critical assets. Similarly, if risk factors of each mission-critical asset could be quantified in near real-time, a risk assessment could be valuable in informing organizational stakeholders of the level of risk of their mission-critical assets, which would then aid in their risk mitigation decisions. Quantifying organizational IS risk factors could be meaningful to an organization because quantifying risk levels could prompt a solution space for mitigating risks. In this research, we introduce an effective risk assessment using hidden Markov models (HMMs) in order to predict future security states and to quantify dynamically changing organizational IS assets by exploring possible security states from an insider user's perspective. HMMs have been used in many scientific fields to predict future states based on current states. Using these models, organizational mission-critical assets could be assessed for their risk levels on a near real-time basis to determine the future risk level of each dynamically changing asset due to internally or externally induced threats.

15. Tansley, Natalie Vanessa. "A methodology for measuring and monitoring IT risk." Thesis, Nelson Mandela Metropolitan University, 2007. http://hdl.handle.net/10948/772.

Abstract:
The primary objective of the research is to develop a methodology for monitoring and measuring IT risks, strictly focusing on internal controls. The research delivers a methodology whereby an organization can measure its system of internal controls, providing assurance that the risks are at an acceptable level. To achieve the primary objective, a number of secondary objectives were addressed: What are the drivers forcing organizations towards better corporate governance in managing risk? What is IT risk management, specifically focusing on operational risk? What is internal control, specifically focusing on COSO's internal control process? Investigation of measurement methods such as Balanced Scorecards, Critical Success Factors, Maturity Models, Key Performance Indicators and Key Goal Indicators. Investigation of various frameworks such as CobiT, COSO, ISO 17799, ITIL and BS 7799 as to how they manage IT risk relating to internal control.

16. van Deursen Hazelhoff Roelfzema, Nicole. "HI-Risk : a socio-technical method for the identification and monitoring of healthcare information security risks in the information society." Thesis, Edinburgh Napier University, 2014. http://researchrepository.napier.ac.uk/Output/6921.

Abstract:
This thesis describes the development of the HI-risk method to assess socio-technical information security risks. The method is based on the concept that related organisations experience similar risks and could benefit from sharing knowledge in order to take effective security measures. The aim of the method is to predict future risks by combining knowledge of past information security incidents with forecasts made by experts. HI-risk articulates the view that information security risk analysis should include human, environmental, and societal factors, and that collaboration amongst disciplines, organisations and experts is essential to improve security risk intelligence in today's information society. The HI-risk method provides the opportunity for participating organisations to register their incidents centrally. From this register, an analysis of the incident scenarios leads to the visualisation of the most frequent scenario trees. These scenarios are presented to experts in the field. The experts express their opinions about the expected frequency of occurrence in the future. Their expectation is based on their experience, their knowledge of existing countermeasures, and their insight into new potential threats. The combination of incident and expert knowledge forms a risk map. The map is the main deliverable of the HI-risk method, and organisations could use it to monitor their information security risks. The HI-risk method was designed by following the rigorous process of design science research. The empirical methods used included qualitative and quantitative techniques, such as an analysis of historical security incident data from healthcare organisations, expert elicitation through a Delphi study, and a successful test of the risk forecast in a case organisation. The research focused on healthcare, but has potential to be further developed as a knowledge-based system or expert system applicable to any industry. That system could be used as a tool for management to benchmark themselves against other organisations, to make security investment decisions, to learn from past incidents and to provide input for policy makers.

17

Mortazavi-Alavi, Reza. "A risk-driven investment model for analysing human factors in information security." Thesis, University of East London, 2016. http://roar.uel.ac.uk/5379/.

Full text
Abstract:
Information systems are of high importance in organisations because of the revolutionary industrial transformation undergone by digital and electronic platforms. A wide range of factors and issues forming the current business environments have created an unprecedented level of uncertainty and exposure to risks in all areas of strategic and operational activities in organisations including IT management and information security. Subsequently, securing these systems, which keep assets safe, serves organisational objectives. The Information Security System (ISS) is a process that organisations can adopt to achieve information security goals. It has gained the attention of academics, businesses, governments, security and IT professionals in recent years. Like any other system, the ISS is highly dependent on human factors as people are the primary concern of such systems and their roles should be taken into consideration. However, identifying reasoning and analysing human factors is a complex task. This is due to the fact that human factors are hugely subjective in nature and depend greatly on the specific organisational context. Every ISS development has unique demands both in terms of human factor specifications and organisational expectations. Developing an ISS often involves a notable proportion of risk due to the nature of technology and business demands; therefore, responding to these demands and technological challenges is critical. Furthermore, every business decision has inherent risk, and it is crucial to understand and make decisions based on the cost and potential value of that risk. Most research is solely concentrated upon the role of human factors in information security without addressing interrelated issues such as risk, cost and return of investment in security. The central focus and novelty of this research is to develop a risk-driven investment model within the security system framework. 
This model will support the analysis and reasoning of human factors in the information system development process. It contemplates risk, cost and the return of investment on security controls. The model will consider concepts from Requirements Engineering (RE), Security Tropos and organisational context. This model draws from the following theories and techniques: Socio-technical theory, Requirements Engineering (RE), SWOT analysis, Delphi Expert Panel technique and Force Field Analysis (FFA). The findings underline that the roles of human factors in ISSs are not being fully recognised or embedded in organisations and there is a lack of formalisation of main human factors in information security risk management processes. The study results should confirm that a diverse level of understanding of human factors impacts security systems. Security policies and guidelines do not reflect this reality. Moreover, information security has been perceived as being solely the domain of IT departments and not a collective responsibility, with the importance of the support of senior management ignored. A further key finding is the validation of all components of the Security Risk-Driven Model (RIDIM). Model components were found to be iterative and interdependent. The RIDIM model provides a significant opportunity to identify, assess and address these elements. Some elements of ISSs offered in this research can be used to evaluate the role of human factors in enterprise information security; therefore, the research presents some aspects of computer science and information system features to introduce a solution for a business-oriented problem. The question of how to address the psychological dimensions of human factors related to information security would, however, be a rich topic of research on its own. 
The risk-driven investment model provides tangible methods and values of relevant variables that define the human factors, risk and return on investment that contribute to organisations’ information security systems. Such values and measures need to be interpreted in the context of organisational culture and the risk management model. Further research into the implementation of these measurements and evaluations for improving organisational risk management is required.
18

Blackwood, Matthew Joseph. "Local Emergency Planning Committees: Collaboration, Risk Communication, Information Technology and Homeland Security." Diss., Virginia Tech, 2003. http://hdl.handle.net/10919/26354.

Abstract:
Local emergency planning committees (LEPCs) were designed to develop emergency response plans and provide information through community right-to-know programs. A literature review identified operational effectiveness, collaboration, risk communication, information technology (IT), and homeland security as important issues for LEPCs. However, a lack of research on the interaction of these fields raises several questions that were addressed in this study: 1. How is the operational effectiveness of LEPCs related to their organizational characteristics? 2. To what extent does collaboration exist between LEPCs and other groups? 3. What types of risk communication strategies are used by LEPCs? How are these initiatives mediated through technology? 4. To what degree and to what purposes are LEPCs utilizing information technologies? 5. How will homeland security initiatives influence emergency planning and community right-to-know programs? How will potential opportunities and constraints posed by homeland security affect the future role of LEPCs? The sample for this study was randomly selected from LEPCs in US EPA's Region III, including the states of Delaware, Maryland, Pennsylvania, Virginia, and West Virginia. Phase one involved mailing out 156 surveys; 66 were returned for a response rate of 42%. Phase two involved case studies of LEPCs in Greenbrier County, WV; Tazewell County, VA; and Elk County, PA. Findings indicate that LEPC activity level is lower than previously reported. This research shows that IT is considered important, but its use is limited. Respondents reported using computers for word processing and, on a limited basis, for planning. The level of IT use for data management, emergency response activities, and risk communication was unexpectedly low. The research did not find a significant relationship between LEPC characteristics and the level of IT use. Barriers to IT use and operational status related to lack of funding and training.
Data from surveys, interviews, and physical evidence were used to triangulate these findings. This research is significant in its identification of the current operation of LEPCs. It provides an assessment of collaborative initiatives being used within LEPCs and highlights methods employed to develop and implement risk communication programs. These findings can be used to evaluate the potential role of LEPCs in homeland security initiatives, which will likely focus on emergency planning with a decreased emphasis on risk communication.
Ph. D.
19

Gutta, Ramamohan. "Managing Security Objectives for Effective Organizational Performance Information Security Management." ScholarWorks, 2019. https://scholarworks.waldenu.edu/dissertations/7147.

Abstract:
Information is a significant asset to organizations, and a data breach from a cyberattack harms reputations and may result in a massive financial loss. Many senior managers lack the competencies to implement an enterprise risk management system and align organizational resources such as people, processes, and technology to prevent cyberattacks on enterprise assets. The purpose of this Delphi study was to explore how the managerial competencies of information security and risk management senior managers help in managing security objectives and practices to mitigate security risks. The National Institute of Standards and Technology framework served as the foundation for this study. The sample was made up of 12 information security practitioners, information security experts, and managers responsible for enterprise information security management. Participants were from Fortune 500 companies in the United States. Selection was based on their level of experience and knowledge of the topic being studied. Data were collected using a 3-round Delphi study of 12 experts in information security and risk management. Statistical analysis was performed on the data collected during the 3-round Delphi study. The mean, standard deviation, majority agreement, and ranges were used to determine the final consensus for this research study. Findings of this study included the need for managerial support, risk management strategies, and developing the managerial and technical talent to mitigate and respond to cyberattacks. Findings may result in a positive social change by providing information that helps managers to reduce the number of data breaches from cyberattacks, which benefits companies, employees, and customers.
20

Njenga, Kennedy Nduati. "Conceptualising improvisation in information security risk management activities : a South Africa case study." Doctoral thesis, University of Cape Town, 2009. http://hdl.handle.net/11427/5664.

Abstract:
Includes abstract.
Includes bibliographical references (leaves 286-299).
The aim of this research was to understand how functionalist approaches and the incremental approaches are manifested in ISRM activities. New insights and meaning to the ISRM activities were presented when the incrementalist approaches to ISRM and the functionalist approaches to ISRM were examined holistically. Improvisation, for the purpose of this research, was used to explain this holistic understanding.
21

Garay, Daniel Felipe Carnero, Antonio Carbajal Ramos Marcos, Jimmy Armas-Aguirre, and Juan Manuel Madrid Molina. "Information security risk management model for mitigating the impact on SMEs in Peru." IEEE Computer Society, 2020. http://hdl.handle.net/10757/656577.

Abstract:
The full text of this work is not available in the UPC Academic Repository because of restrictions imposed by the publisher where it was published.
This paper proposes an information security risk management model that allows mitigating the threats to which SMEs in Peru are exposed. According to studies by Ernst & Young, 90% of companies in Peru are not prepared to detect security breaches, and 51% have already been attacked. In addition, according to Deloitte, only 10% of companies maintain risk management indicators. The model consists of 3 phases: 1. Inventory the information assets of the company, to conduct the risk analysis of each one; 2. Evaluate the treatment that should be given to each risk; 3. Once the controls are implemented, design indicators to help monitor the implemented safeguards. The article focuses on the creation of a model that integrates a standard of risk management across the company with a standard of IS indicators to validate compliance, adding as a contribution the results of implementation in a specific environment. The proposed model was validated in a pharmaceutical SME in Lima, Peru. The results showed a 71% decrease in risk, after applying 15 monitoring and training controls, lowering the status from a critical level to an acceptable level between 1.5 and 2.3, according to the given assessment.
Peer reviewed
22

Holmstedt, Malena. "Social Media Risk Management : and the impact on organization IT security." Thesis, Luleå tekniska universitet, Digitala tjänster och system, 2020. http://urn.kb.se/resolve?urn=urn:nbn:se:ltu:diva-79296.

Abstract:
The purpose of this study was to investigate and try to describe how social media risk management is performed and what impact social media risk management could have on organizations' IT security. The outcome of this study is possible knowledge for researchers and for practitioners in the field of how social media risk management was handled in some organizations in Sweden and what impact the chosen social media risk management could have on IT security. This study looked at social media risk management and what impact it could have on organizations' IT security through prior studies and through data collected from semi-structured interviews and surveys. Social media risk management was, according to this study, performed mostly reactively, and a majority of the organizations did not have risk management specifically for social media. More organizations had a social media policy than performed risk management for social media. The risk management for social media in the IT organizations in this study was described in the interviews as reactive for several reasons: old systems that made it hard to be proactive, lack of time for prioritizing social media risks, or risk management for social media currently being worked on. The proactive IT organizations described themselves as having a general security policy and risk management plans for basically everything. Social media risks can lead to risks that impact organizations' IT security. In the interview notes, five quotes were found that could be considered to fit the risk themes found in prior studies.
23

Friman, Nelly. "Security Analysis of Smart Buildings." Thesis, KTH, Skolan för elektroteknik och datavetenskap (EECS), 2020. http://urn.kb.se/resolve?urn=urn:nbn:se:kth:diva-279423.

Abstract:
In recent years, buildings have been starting to become more automated to match the demand for energy-efficient and sustainable housing. Subsystems, or so-called Building Management Systems (BMS), such as heating, electricity or access control, are gradually becoming more automated. The next step is to integrate all BMS in a building within one system, which is then called a smart building. However, while buildings are becoming more and more automated, the concerns of cybersecurity grow larger. While integrating a wide range of Internet of Things (IoT) devices with the system, the attack surface is larger, and this, together with the automation of critical subsystems in the building, leads to attacks that in the worst case can harm the occupants of the building. In this paper, the threats and risks are analyzed by using a security threat model. The goal is to identify and analyze potential threats and risks to smart buildings, with the purpose of giving insight into how to develop secure systems for them. The process of the model includes five phases, of which this study focuses on phases one and three: identifying losses after a successful attack, and determining the goals and intentions of the attackers for specific attacks, respectively. As a result of the security analysis, potential threats were defined, of which the ones with the highest threat event frequency included data leaks and disabling the heating system. Some vulnerabilities and recommendations to improve the system are also discussed, which is of importance so that occupants can continue to live and work in sustainable, reliable and secure facilities.
In recent years, buildings have developed to become more automated to match the demand for energy-efficient and sustainable housing. Building Management Systems (BMS), such as heating or access control systems, are gradually becoming more automated. The next step is to integrate all BMS in a building into one common system, which is then called a smart building. As buildings become increasingly automated, concern about cybersecurity grows, since a large number of Internet of Things (IoT) devices are integrated with the system while many critical building systems are automated at the same time. In the worst case, an outside attack could therefore lead to physical harm to buildings or to the people in them. In this study a security analysis is carried out in which these threats and risks are analysed with the help of threat modelling. The goal is to identify and analyse potential threats and risks to smart buildings, with the aim of giving insight into how these systems should be secured. The modelling contains five phases, of which this study focuses on phases one and three. In the first phase the losses that companies and residents face after a successful attack are identified, and in phase three the attackers' goals and intentions for specific attacks are identified. One result of the security analysis is that, of the potential threats defined, those with the highest number of attack attempts per year (Threat Event Frequency, TEF) are data leakage and disabling the heating system. Some vulnerabilities of smart buildings and recommendations for improving the system are also discussed. Developing secure systems for smart buildings is of the utmost importance so that people can continue to live and work in sustainable, reliable and secure buildings.
24

Baker, Wade Henderson. "Toward a Decision Support System for Measuring and Managing Cybersecurity Risk in Supply Chains." Diss., Virginia Tech, 2017. http://hdl.handle.net/10919/85128.

Abstract:
Much of the confusion about the effectiveness of information security programs concerns not only how to measure, but also what to measure — an issue of equivocality. Thus, to lower uncertainty for improved decision-making, it is first essential to reduce equivocality by defining, expanding, and clarifying risk factors so that metrics, the "necessary measures," can be unambiguously applied. We formulate a system that (1) allows threats to be accurately measured and tracked, (2) enables the impacts and costs of successful threats to be determined, and (3) aids in evaluating the effectiveness and return on investment of countermeasures. We then examine the quality of controls implemented to mitigate cyber risk and study how effectively they reduce the likelihood of security incidents. Improved control quality was shown to reduce the likelihood of security incidents, yet the results indicate that investing in maximum quality is not necessarily the most efficient use of resources. The next manuscript expands the discussion of cyber risk management beyond single organizations by surveying perceptions and experiences of risk factors related to third parties. To validate these findings, we undertake an in-depth investigation of nearly 1000 real-world data breaches occurring over a ten-year period. It provides a robust data model and the rich database required by a decision support system for cyber risk in the extended enterprise. To our knowledge, it is the most comprehensive field study ever conducted on the subject. Finally, we incorporate these insights, data, and factors into a simulation model that enables us to study the transfer of cyber risk across different supply chain configurations and draw important managerial implications.
Ph. D.
25

Curran, Theresa. "Standardizing Instructional Definition and Content Supporting Information Security Compliance Requirements." Diss., NSUWorks, 2018. https://nsuworks.nova.edu/gscis_etd/1038.

Abstract:
Information security (IS)-related risks affect global public and private organizations on a daily basis. These risks may be introduced through technical or human-based activities, and can include fraud, hacking, malware, insider abuse, physical loss, mobile device misconfiguration or unintended disclosure. Numerous and diverse regulatory and contractual compliance requirements have been mandated to assist organizations proactively prevent these types of risks. Two constants are noted in these requirements. The first constant is requiring organizations to disseminate security policies addressing risk management through secure behavior. The second constant is communicating policies through IS awareness, training and education (ISATE) programs. Compliance requirements direct that these policies provide instruction about making compliant and positive security decisions to reduce risk. Policy-driven and organizationally-relevant ISATE content is understood to be foundational and critical to prevent security risk. The problem identified for investigation is inconsistency of the terms awareness, training and education as found in security-related regulatory, contractual and policy compliance requirements. Organizations are mandated to manage a rapidly increasing portfolio of inconsistent ISATE compliance requirements generated from many sources. Since there is no one set of common guidance for compliance, organizations struggle to meet global, diverse and inconsistent compliance requirements. Inconsistent policy-related content and instructions, generated from differing sources, may cause incorrect security behavior that can present increased security risk. Traditionally, organizations were required to provide only internally-developed programs, with content left to business, regulatory/contractual, and cultural discretion. Updated compliance requirements now require organizations to disseminate externally-developed content in addition to internally-provided content. 
This real-world business requirement may cause compliance risks due to inconsistent instruction, guidance gaps and lack of organizational relevance. The problem has been experienced by industry practitioners within the last five years due to increased regulatory and contractual compliance requirements. Prior studies have not yet identified specific impacts of multiple and differing compliance requirements on organizations. The need for organizational relevance in ISATE content has been explored in the literature, but the amount of organizationally-relevant content has not been examined in balance with newer compliance mandates. The goal of the research project was to develop a standard content definition and framework. Experienced practitioners responsible for ISATE content within their organizations participated in a survey to validate definitions, content, compliance and organizational relevance requirements imposed on their organizations. Fifty-five of 80 practitioners surveyed (68.75% participation rate) provided responses to one or more sections of the survey. This research is believed to be the first to suggest a standardized content definition for ISATE program activities based on literature review, assessment of existing regulatory, contractual, standard and framework definitions and information obtained from specialized practitioner survey data. It is understood to be the first effort to align and synthesize cross-industry compliance requirements, security awareness topics and organizational relevance within information security awareness program content. Findings validated that multiple and varied regulatory and contractual compliance requirements are imposed on organizations. A lower number of organizations were impacted by third-party program requirements than was originally expected. Negative and positive impacts of third-party compliance requirements were identified.
Program titles and content definitions vary in respondent organizations and are documented in a variety of organizational methods. Respondents indicated high acceptance of a standard definition of awareness, less so for training and education. Organizationally-relevant program content is highly important and must contain traditional and contemporary topics. Results are believed to be an original contribution to information/cyber security practitioners, with findings of interest to academic researchers, standards/framework bodies, auditing/risk management practitioners and learning/development specialists.
26

Bellefeuille, Cynthia Lynn. "Quantifying and managing the risk of information security breaches participants in a supply chain." Thesis, Massachusetts Institute of Technology, 2005. http://hdl.handle.net/1721.1/33313.

Abstract:
Thesis (M. Eng. in Logistics)--Massachusetts Institute of Technology, Engineering Systems Division, 2005.
Includes bibliographical references (leaf 70).
Technical integration between companies can result in an increased risk of information security breaches. This thesis proposes a methodology for quantifying information security risk to a supply chain participant. Given a system responsible for supply chain interaction and the vulnerabilities attributed to the system, the variables that determine the probability and severity of security incidents were used to create a model to quantify the risk within three hypothetical information systems. The probability of an incident occurring was determined by rating the availability and ease of performing an exploit, the attractiveness of the target and an estimate of the frequency of the attack occurring Internet-wide. In assigning a monetary value to the incident, the outcome of an attack was considered in terms of the direct impact on the business process and the potential impact on partnerships. A method for determining mitigation strategies was then proposed based on a given set of monetary constraints and the realization of corporate security policy.
by Cynthia Lynn Bellefeuille.
M.Eng.in Logistics
27

Saleh, Mohamed S. M. "Analysis of Information Security Risks and Protection Management Requirements for Enterprise Networks." Thesis, University of Bradford, 2011. http://hdl.handle.net/10454/5414.

Abstract:
With the widespread occurrence of harmful attacks against enterprises' electronic services, the information security readiness of these enterprises is becoming of increasing importance for establishing the required safe environment for such services. Various approaches have been proposed to manage enterprise information security risks and to assess enterprise information security readiness. These approaches are, however, not adequate to manage information security risks, as not all required information security components of their structural and procedural dimensions have been considered. In addition, current assessment approaches lack numerical indicators for assessing enterprise information security readiness. Furthermore, there is no standard approach for analysing cost versus benefit in selecting recommended protection measures. This thesis aims at contributing to knowledge by developing a comprehensive Enterprise Information Security Risk Management (EISRM) framework that integrates typical approaches for information security risk management, and incorporates the main components of key risk management methodologies. In addition, to support the phases of the proposed EISRM framework, analytical models for enterprise information security readiness assessment and cost-benefit analysis are developed. The practical evaluation, using the proposed enterprise information security readiness assessment model, has been performed using a developed investigation form that was used to investigate nine enterprises inside Saudi Arabia. The results demonstrate the effectiveness of the model in assessing and comparing enterprises' information security readiness at all levels of the model, using numerical indicators and graphical representations. The EISRM framework and the analytical models presented in this research can be used by enterprises as a single point of reference for assessing and cost-effectively improving their information security readiness.
28

Saleh, Mohamed Saad Morsy. "Analysis of information security risks and protection management requirements for enterprise networks." Thesis, University of Bradford, 2011. http://hdl.handle.net/10454/5414.

Abstract:
With the widespread occurrence of harmful attacks against enterprises' electronic services, the information security readiness of these enterprises is becoming of increasing importance for establishing the required safe environment for such services. Various approaches have been proposed to manage enterprise information security risks and to assess enterprise information security readiness. These approaches are, however, not adequate to manage information security risks, as not all required information security components of their structural and procedural dimensions have been considered. In addition, current assessment approaches lack numerical indicators for assessing enterprise information security readiness. Furthermore, there is no standard approach for analysing cost versus benefit in selecting recommended protection measures. This thesis aims at contributing to knowledge by developing a comprehensive Enterprise Information Security Risk Management (EISRM) framework that integrates typical approaches for information security risk management, and incorporates the main components of key risk management methodologies. In addition, to support the phases of the proposed EISRM framework, analytical models for enterprise information security readiness assessment and cost-benefit analysis are developed. The practical evaluation, using the proposed enterprise information security readiness assessment model, has been performed using a developed investigation form that was used to investigate nine enterprises inside Saudi Arabia. The results demonstrate the effectiveness of the model in assessing and comparing enterprises' information security readiness at all levels of the model, using numerical indicators and graphical representations. The EISRM framework and the analytical models presented in this research can be used by enterprises as a single point of reference for assessing and cost-effectively improving their information security readiness.
29

Dresner, Daniel Gideon. "A study of standards and the mitigation of risk in information systems." Thesis, University of Manchester, 2011. https://www.research.manchester.ac.uk/portal/en/theses/a-study-of-standards-and-the-mitigation-of-risk-in-information-systems(d316550b-f305-4802-a037-688bb44bdc48).html.

Abstract:
Organisations from the multinational Organisation for Economic Cooperation and Development through to national initiatives such as the UK's Cabinet Office have recognised that risk - the realisation of undesirable outcomes - needs a firm framework of policy and action for mitigation. Many standards have been set that implicitly or explicitly expect to manage risk in information systems, so creating a framework of such standards would steer outcomes to desirable results. This study applies a mixed methodology of desk enquiries, surveys, and action research to investigate how the command and control of information systems may be regulated by the fusion and fission of tacit knowledge in standards comprising the experience and inductive reasoning of experts. Information system user organisations from the membership of The National Computing Centre provided the working environment in which the research was conducted in real time. The research shows how a taxonomy of risks can be selected, and how a validated catalogue of standards which describe the mitigation of those risks can be assembled, taking the quality of fit and expertise required to apply the standards into account. The work bridges a gap in the field by deriving a measure of organisational risk appetite with respect to information systems and the risk attitude of individuals, and linking them to a course of action - through the application of standards - to regulate the performance of information systems within a defined tolerance. The construct of a methodology to learn about a framework of ideas has become an integral part of the methodology itself, with the standards forming the framework and providing direction for its application. The projects that comprise the research components have not proven the causal link between standards and the removal of risk, leaving this ripe for a narrowly scoped future investigation.
The thesis discusses the awareness of risk and the propensity for its management, developing this into the definition of a framework of standards to mitigate known risks in information systems with a new classification scheme that cross-references the efficacy of a standard with the expertise expected from those who apply it. The thesis extends this to the idea that the framework can be scaled to the views of stakeholders, used to detect human vulnerabilities in information systems, and developed to absorb the lessons learnt from emergent risk. The research has clarified the investigation of the security culture in the thrall of an information system and brought the application of technical and management standards closer to overcoming the social and psychological barriers that practitioners and researchers must overcome.
30

Kula, Michal Damian. "Implementing Honeypots to Build Risk Profiles for IoT Devices in a Home-Based Environment." Thesis, Luleå tekniska universitet, Institutionen för system- och rymdteknik, 2021. http://urn.kb.se/resolve?urn=urn:nbn:se:ltu:diva-86513.

Abstract:
Honeypots have been implemented in network security for years now; from simple systems that could only mimic one vulnerable service and gather information about an intruder, they have morphed into advanced and complicated environments. Unfortunately, hackers have not left that untouched, and constantly try to detect honeypots before being caught. This ongoing battle can be damaging to inexperienced internet users, who have no idea about securing devices in their small home-based network environment. The purpose of this research is to perform a technical study using IoT devices placed in a home environment in a specially separated segment, and capture traffic between them and external agents. This data is then analysed and used to build risk profiles of the tested IoT devices, aiming to provide security recommendations. The results indicate that creating risk profiles for IoT devices could be used to gather more precise information about external attacks and provide an instant answer to what type of attacks could be generated against a selected IoT device. More development would be required to improve this process; this includes a redesign of the network and an automatic software-based tool capable of generating risk profiles.
31

Schuessler, Joseph H. "General Deterrence Theory: Assessing Information Systems Security Effectiveness in Large versus Small Businesses." Thesis, University of North Texas, 2009. https://digital.library.unt.edu/ark:/67531/metadc9829/.

Abstract:
This research sought to shed light on information systems security (ISS) by conceptualizing an organization's use of countermeasures using general deterrence theory, positing a non-recursive relationship between threats and countermeasures, and by extending the ISS construct developed in prior research. Industry affiliation and organizational size are considered in terms of differences in threats that firms face, the different countermeasures in use by various firms, and ultimately, how a firm's ISS effectiveness is affected. Six information systems professionals were interviewed in order to develop the appropriate instruments necessary to assess the research model put forth; the final instrument was further refined by pilot testing with the intent of further clarifying the wording and layout of the instrument. Finally, the Association of Information Technology Professionals was surveyed using an online survey. The model was assessed using SmartPLS and a two-stage least squares analysis. Results indicate that a non-recursive relationship does indeed exist between threats and countermeasures and that countermeasures can be used to effectively frame an organization's use of countermeasures. Implications for practitioners include the ability to target the use of certain countermeasures to have desired effects on both ISS effectiveness and future threats. Additionally, the model put forth in this research can be used by practitioners to both assess their current ISS effectiveness as well as to prescriptively target desired levels of ISS effectiveness.
APA, Harvard, Vancouver, ISO, and other styles
32

Sun, Jean-huan, and 孫震寰. "Information Security Risk Assessment of Bancassurance Information System." Thesis, 2009. http://ndltd.ncl.edu.tw/handle/53053857178291666972.

Full text
Abstract:
Master's thesis
Ming Chuan University
Executive Master's Program in Risk Management and Insurance
Academic year 97
Information technology has played a key role in organizations and enterprises nowadays, bringing better operational efficiency. As the internet makes accessing information easier, it also exposes enterprises to higher risks. The report from III indicates that information security is crucial to the operation of financial institutions. Bancassurance in Taiwan has become a significant selling channel for insurance products in the last decade. Admirably, the banks and their subsidiaries, like China Trust Insurance Brokers Co., have overwhelmed all the insurance companies in premium commission income since 2004. Bancassurance and its information security are therefore becoming worthwhile topics for related research. This article brings an extensive evaluation of 46 bancassurance agencies. The survey introduced the process developed by Taiwan's Ministry of Economic Affairs for assessing the security level of information systems in SMEs. This article intends to discover the major elements that a comprehensive security strategy should take care of in its development process. The interactions of these elements are also explored. Both quantitative (with frequency and damage estimation) and descriptive (for risk perception) methodologies are used in the survey. A summary is developed for how to strategize the information security policy with the evaluation results. The survey indicates that network security brings the most problems to overall information security, while government regulation brings the least. The survey also finds that the higher the damage a problem causes, the more aware the administrator is of it. The survey shows that MIS managers and staff have insufficient knowledge of information security. They very often underestimate the probability and damage of network security problems, and overestimate the influences from other elements.
For the information security strategy of Taiwan's bancassurance enterprises, this article suggests a 'prevention' policy to deal with problems in computer security, business application systems and network security, 'prevention' and 'transferring' policies for problems of staff security and outsource management, and an 'acceptance' policy for regulatory requirements. It is highly recommended to reinforce the knowledge level of MIS crews and general management. Risk perception is a convenient tool to determine the comprehensiveness of the information security of an enterprise. It plays a key role both in the policy making of risk management and in the process of related communication within the enterprise.
APA, Harvard, Vancouver, ISO, and other styles
33

LIN, CHEN-CHU, and 林宸竹. "An Information Security Risk Management System Considering Compliance and Risk Information Visualization." Thesis, 2010. http://ndltd.ncl.edu.tw/handle/44401301548316036567.

Full text
Abstract:
Master's thesis
National Taiwan University of Science and Technology
Department of Information Management
Academic year 98
Considering security and convenience in the information systems and services of organizations, organizations need to implement information security risk management processes to identify potential information security incidents and to evaluate the loss expectancy of the incidents. Consequently, organizations can adopt appropriate or cost-effective countermeasures to control the incidents. To establish risk management processes, an organization needs to maintain a huge amount of data about risks or potential incidents. Obviously, it would be tedious work to maintain the data. Therefore, this study proposes an information system, called Risk Patrol, for an organization to perform risk management processes. While many organizations establish information security management systems based on ISO 27001, the proposed system follows ISO 27005 to help organizations comply with the requirements about risk management in ISO 27001. In addition, the proposed system also helps provide an integrated view for managers or stakeholders of an organization to know the risks of the organization. The managers and stakeholders can then decide how to treat the risks based on the system. Therefore, the proposed system can help improve organizational security.
APA, Harvard, Vancouver, ISO, and other styles
34

HOU, WEN-TSUNG, and 侯文宗. "Application of Information Security Risk Assessment Method to Evaluate Risk of Information Room." Thesis, 2019. http://ndltd.ncl.edu.tw/handle/9tyx99.

Full text
APA, Harvard, Vancouver, ISO, and other styles
35

Chen, Kuan-Chang, and 陳冠彰. "The Fallacies of Information Security Risk Analysis." Thesis, 2005. http://ndltd.ncl.edu.tw/handle/30985264143993682867.

Full text
Abstract:
Master's thesis
Tamkang University
Master's Program, Department of Information Management
Academic year 93
Risk assessment is a critical step before performing information security management. Usually, risk is a subjective judgment; hence qualitative risk analysis methods are widely used for risk assessment. However, important information assets are often omitted while using many popular risk analysis methods. For this reason, this thesis points out the problems in using qualitative risk analysis methods, especially in the rationality of asset calculation and the rank reversal phenomenon. Cautions when using qualitative risk analysis methods are then addressed. Furthermore, the most commonly referred to international standards and guides are reviewed. Suggestions for using those methods are also proposed.
APA, Harvard, Vancouver, ISO, and other styles
36

Bornman, Werner George. "Information security risk management: a holistic framework." Thesis, 2008. http://hdl.handle.net/10210/265.

Full text
Abstract:
Information security risk management is a business principle that is becoming more important for organisations due to external factors such as governmental regulations. Since due diligence regarding information security risk management (ISRM) is necessitated by law, organisations have to ensure that risk information is adequately communicated to the appropriate parties. Organisations can have numerous managerial levels, each of which has specific functions related to ISRM. The approaches of each level differ and this makes a cohesive ISRM approach throughout the organisation a daunting task. This task is compounded by strategic and tactical level management having specific requirements imposed on them regarding risk management. Tactical level management has to meet these requirements by instituting processes that can deliver on what is required. Processes in turn should be executed by operational level management. However, the available approaches of each managerial level make it impossible to communicate and consolidate information from the lower organisational levels to top level management due to the differing terminology, concepts and scope of each approach. This dissertation addresses the ISRM communication challenge through a systematic and structured solution. ISRM and related concepts are defined to provide a solid foundation for ISRM communication. The need for and institutions that impose risk management requirements are evaluated. These requirements are used to guide the solution for ISRM communication. At strategic level, governmental requirements from various countries are evaluated. These requirements are used as the goals of the communication processes. Different approaches at tactical and operational level are evaluated to determine if they can meet the strategic level requirements. It was found that the requirements are not met by most of the evaluated approaches. The Bornman Framework for ISRM Methodology Evaluation (BFME) is presented. 
It allows organisations to evaluate ISRM methodologies at operational level against the requirements of strategic management. This framework caters for the ability of ISRM methodologies to be adapted to organisational requirements. Developed scales allow for a qualitative comparison between different methodologies. The BFME forms the basis of the Bornman Framework for ISRM Information Communication (BFIC). This communication framework communicates the status of each ISRM component. This framework can be applied to any ISRM methodology after it has been evaluated by the BFME. The Bornman Risk Console (BRC) provides a practical implementation of the BFIC. The prototype utilises an existing ISRM methodology’s approach and provides decision-enabling risk information to top level management. By implementing the BRC and following the processes of the BFME and BFIC the differences in the approaches at each managerial level in different organisational structures are negated. These frameworks and prototype provide a holistic communication framework that can be implemented in any organisation.
Prof. L. Labuschagne
APA, Harvard, Vancouver, ISO, and other styles
37

Chen, Liang-Hsi, and 陳亮僖. "Rapid implementation of information security risk assessment." Thesis, 2011. http://ndltd.ncl.edu.tw/handle/60140942717710985616.

Full text
Abstract:
Master's thesis
Chung Cheng Institute of Technology, National Defense University
Master's Program in Computer Science
Academic year 99
As the internet becomes the most important way to exchange information and makes our lives more convenient, there is a hazard behind it: information security. Applying the concept of risk management to information security management is an essential method. However, most current information security risk assessments have the following problems: risk assessment is time-consuming and cumbersome. Risk assessment is emphasized in qualitative analysis, but there is a lack of qualified or suitable persons to control the risk evaluation process. Also, participants in evaluation workshops do not have enough training and preparation. In this research, we propose a quantitative risk assessment model based on the combination of OCTAVE-S and AHP. The work designs a semi-automatic evaluation system to assist the implementation of the risk assessment. It will reduce man-made mistakes and save the costs and resources of risk assessment. Keywords: Risk assessment, OCTAVE-S, AHP
APA, Harvard, Vancouver, ISO, and other styles
38

Mayer, Nicolas. "Model-based Management of Information System Security Risk." Phd thesis, 2009. http://tel.archives-ouvertes.fr/tel-00402996.

Full text
Abstract:
Over the last twenty years, interest in security during the development and operation of information systems has continued to grow. Security risk management methods are methodological tools that help organizations make rational decisions about the security of their information systems. Experience reports on the use of such approaches show a considerable reduction in losses related to security problems. Today, these methods are generally built around a well-structured process. However, the product resulting from the various stages of risk management is still largely informal and often not analytical enough. This lack of formalism is an obstacle to automating the management of risk-related information. Another drawback of current methods is that they are generally intended to evaluate a posteriori how already existing information systems manage risks, and are difficult to apply a priori, during the design of such systems. Finally, since each method often uses its own terminology, it is difficult to combine several methods in order to benefit from the strengths of each. To address the problems mentioned above, our contribution proposes an approach based on modelling risk management, usable in the early design phases of information systems. This approach is founded on a study of the concepts specific to the domain.

Our scientific approach consists of three successive steps. The first step aims to define a conceptual reference model for security risk management. The adopted research method proposes to ground the model on an in-depth study of the literature. The various risk management and/or security standards, a set of methods representative of the current state of practice, and the scientific work relating to the domain were analysed. The result is a semantic alignment grid of security risk management concepts, highlighting the key concepts involved in such an approach. On the basis of this set of concepts, the domain model of risk management is then built. This model was confronted with domain experts from the standardization world, from the world of risk management methods and from the scientific world.

The second step of our research enriches this domain model with the various metrics used when applying a risk management method. The proposed approach combines two approaches for determining the metrics. The first is the Goal-Question-Metric (GQM) method applied to our reference model. It makes it possible to focus on achieving the best return on security investment. The second enriches the metrics identified by the first approach through a literature study based on the standards and methods examined in the first step. An experiment with these metrics on a real case was carried out, in the context of supporting an SME towards ISO/IEC 27001 certification.

Finally, in a third step, we survey in the literature a set of conceptual modelling languages for information security. These languages come essentially from the field of requirements engineering. They therefore make it possible to address security during the initial phases of information system design. We evaluated the conceptual support offered by each of them, and thus the gap to be filled in order to be able to fully model the various steps of risk management. The result of this work leads to a proposed extension of the Secure Tropos language and an approach for using this evolution in the context of risk management, illustrated by an example.
APA, Harvard, Vancouver, ISO, and other styles
39

Zhao, Xia 1977. "Economic analysis on information security and risk management." Thesis, 2007. http://hdl.handle.net/2152/3377.

Full text
Abstract:
This dissertation consists of three essays that explore economic issues on information security and risk management. In the first essay, we develop an economic mechanism which coordinates security strategies of Service Providers (SPs). SPs are best positioned to safeguard the Internet. However, they generally do not have incentives to take such a responsibility in the distributed computing environment. The proposed certification mechanism induces SPs to voluntarily accept the liability of Internet security. SPs who take the liability signal their capability in conducting secure computing and benefit from such recognition. We use a game-theoretic model to examine SPs' incentives and the social welfare. Our results show that the certification mechanism can generate a more secure Internet communication environment. The second essay studies the impact of cyberinsurance and alternative risk management solutions on firms' information security strategies. In the existing literature, cyberinsurance has been proposed as a solution to transfer information risks and reduce security spending. However, we show that cyberinsurance by itself is deficient in addressing the overinvestment issue. We find that the joint use of cyberinsurance and risk pooling arrangement optimizes firms' security investment. In the case with a large number of firms, we show that firms will invest at the socially optimal level. The third essay examines the information role of vendors' patching strategies. Patching after software release has become an important stage in the software development cycle. In the presence of quality uncertainty, we show that vendors can leverage the patch release times to signal the quality of their software products. We define a new belief profile and identify two types of separating equilibria in a dynamic setting.
APA, Harvard, Vancouver, ISO, and other styles
40

Chan, Wei-Ming, and 詹偉銘. "Analyzing Information Security Outsourcing Intention: A Risk Perspective." Thesis, 2010. http://ndltd.ncl.edu.tw/handle/69031461510577930837.

Full text
Abstract:
Master's thesis
National Taiwan University
Graduate Institute of Information Management
Academic year 98
When information security has become a must-have function for a corporation, outsourcing information security begins to be recognized as a strategy to obtain security resources. However, most information system managers are still confronted with difficulties when deciding whether to outsource information security or not. The objective of this research is to develop an integrative framework based on transaction cost theory and agency theory for assessing information security outsourcing intention. To test the usefulness of the research framework, this research adopts a quantitative method by surveying IT managers and security professionals in Taiwan. Results show that there is a strong relationship between information security outsourcing risk and information security outsourcing intention. In addition, although several predictors of information security outsourcing risk are not significant, this research found that uncertainty is an important influence on information security outsourcing risk.
APA, Harvard, Vancouver, ISO, and other styles
41

Chen, Wan-Jia, and 陳婉佳. "Information Security Risk Assessment Considering Interdependences between Controls." Thesis, 2012. http://ndltd.ncl.edu.tw/handle/68550641633469867854.

Full text
Abstract:
Doctoral thesis
National Chiao Tung University
Institute of Information Management
Academic year 100
Risk assessment is an important key step of the core process for information security risk management. Organizations use risk assessment to determine the risks within information systems and provide sufficient means to reduce the identified risks. In practical application, security controls applied to the information system areas are not completely independent, therefore during the process of risk assessment it is crucial to consider the interdependences among control families. In this thesis, a hybrid procedure for evaluating and identifying risk levels of information system security while considering interdependences amongst control families is proposed. First, this procedure applies the Decision Making Trial and Evaluation Laboratory (DEMATEL) method to construct interrelations amongst security control areas. Secondly, using the results from DEMATEL, the Analytic Network Process (ANP) method is used to obtain the likelihood ratings of risks; as a result, the proposed procedure can detect interdependences and feedback between security control families as well as identify priorities of areas requiring security measures in real world situations. Lastly, the Fuzzy Linguistic Quantifiers-guided Maximum Entropy Order-Weighted averaging (FLQ-MEOWA) operator is used to aggregate impact values assessed by experts, applied to diminish the influence of extreme evaluations such as personal views and drastic opinions. An application in company X was examined to verify the proposed procedure. After analyzing the acquired data, we confirm the proposed procedure certainly detects the influential factors among security control areas as well as identifies information systems with higher risk levels where prioritized safeguard tactics should be considered.
APA, Harvard, Vancouver, ISO, and other styles
42

HUNG, YUN-RU, and 洪韻茹. "Missing Personal Information Project for Information Security Risk Assessment Anomaly Detection." Thesis, 2019. http://ndltd.ncl.edu.tw/handle/2ba464.

Full text
Abstract:
Master's thesis
National Kaohsiung University of Science and Technology
Department of Finance and Information
Academic year 107
Nowadays, enterprises and companies rely more and more on computer systems. Information security and risk assessment have become an important key to protecting information in the organization. Utilizing information technology to enhance working efficiency can make an organization competitive, which strengthens the importance of information security. The assessment is an effective way to improve information security. However, the data and results may be wrong due to personal negligence. In many cases, risk assessments rely on some specific person's experience and their own definitions. Everyone has their own personal recognition of and tolerance for "risk." As a result, even if people use the same method for evaluation, the risk rating may differ because of subjective bias or evaluation error. This thesis establishes an effective detection mechanism through machine learning. This mechanism can detect and mark up the erroneous fields in personal information rapidly and accurately. It can minimize the range of abnormal information and reduce the time inspectors spend executing risk assessments. Therefore, with the mechanism of machine learning, organizations can not only reduce human resource costs but also enhance the accuracy and efficiency of executing detection.
APA, Harvard, Vancouver, ISO, and other styles
43

Cheng, Yu-Shu, and 鄭羽舒. "Quantitative Risk Assessment Of Information Security For Cloud Services." Thesis, 2011. http://ndltd.ncl.edu.tw/handle/40401686206799890799.

Full text
Abstract:
Master's thesis
Kainan University
Department of Information Management
Academic year 99
This research refers to the following report of the European Network and Information Security Agency (ENISA): "Cloud Computing: Benefits, risks and recommendations for information security." The purpose of this research is to identify the information risks of cloud computing, which can be directed against the risks for cloud services. We thereafter use OCTAVE methods and a risk matrix for quantitative risk assessment, and analyze the simulated risk data in order to explore and indicate solutions for reducing the risks of cloud computing.
APA, Harvard, Vancouver, ISO, and other styles
44

Liang, Po Jui, and 梁珀瑞. "An Ontological Evaluation on Information Security Risk Modeling Languages." Thesis, 2012. http://ndltd.ncl.edu.tw/handle/42410458411422020483.

Full text
Abstract:
Master's thesis
Chang Gung University
Department of Information Management
Academic year 100
Information system modeling languages can support analysts in representing user requirements. Because information security has been taken seriously, information security modeling languages have been developed. This study is based on the Bunge-Wand-Weber (BWW) ontology to evaluate the extended i* modeling language. We propose some propositions as the results of applying the BWW ontology to analyze the extended i* language. The elements of the analyzed language are divided into two groups. One group, called Fundamental Elements, represents the building blocks of the language. The other group, called Advanced Elements, consists of elements whose definition can be derived from an element in the Fundamental Elements. To reduce the subjectivity that our ontological analysis may produce, we conducted an investigation based on the Delphi method on the analysis results for the Fundamental Elements. The propositions we propose are as below: (1) Resource is-a-kind-of Thing; (2) Task is-a-kind-of Process; (3) Actor is-a-kind-of Thing; (4) Goal is-a-kind-of Lawful State Space; (5) Actor is-a-kind-of System; (6) Softgoal is-a-kind-of Lawful State Space; (7) Vulnerability is-a-kind-of Lawful State Space; (8) Dependency is-a-kind-of Coupling; (9) Decomposition has no ontology mapping; (10) Means-end has no ontology mapping; (11) Contribution, Vulnerability Effect, Countermeasure and Exploit all have no ontology mapping; (12) Attacker, Malicious Task, Malicious Goal and Malicious Softgoal are all elements extended from Fundamental Elements. The study also proposes some suggestions to improve the extended i* modeling language. Because of the scarcity of experts in i* and BWW available to this study, there is still a limitation in applying the propositions proposed in this study. Another limitation may arise when it comes to the validity of Advanced Elements, because they were not validated in a Delphi survey as their counterparts were.
APA, Harvard, Vancouver, ISO, and other styles
45

Lin, ShihYao, and 林士堯. "Risk Analysis of the Information Security on Logistics Systems." Thesis, 2012. http://ndltd.ncl.edu.tw/handle/27650463337182389413.

Full text
Abstract:
Master's thesis
Huafan University
Master's Program, Department of Information Management
Academic year 100
Developments in information technology have facilitated and brought convenience to organizational management efficiency. However, the related security issues are also being challenged and questioned at the same time. So the aim of this study is to provide a practical information security governance model and to establish a systematic logistics information security system evaluation criterion, which can be used as a reference to develop the most suitable information security management standards for an organization upon implementation. The international information security standard ISO 27001, with the addition of the Personal Data Protection Act, is used as the foundation standard in this study. The risk assessment items are formed through questionnaires, interviews and professional journals, followed by the Analytic Hierarchy Process to determine the priority consideration factors, which comprise five dimensions, namely "Human Resources Management", "System and Operations Management", "Organization Policy and Standard", "Internet Services" and "Equipment and Physical Environment", in order to summarize and develop logistics information system evaluation criteria and to identify the root causes that affect logistics system security, reaching overall security by eliminating the possible risks.
APA, Harvard, Vancouver, ISO, and other styles
46

Lin, Jing-Han, and 林京漢. "Study on Architecture-Oriented Information Security Risk Management Model." Thesis, 2015. http://ndltd.ncl.edu.tw/handle/hvqty6.

Full text
Abstract:
Master's thesis
Cheng Shiu University
Institute of Information Management
Academic year 103
In this study, we adopt the structure behavior coalescence methodology to construct an architecture-oriented information security risk management model (AOISRMM), which integrates the structure and behavior of the risk management model. AOISRMM solves many difficulties caused by the process-oriented approach to information security risk assessment in ISO 27001:2013, such as uneven distribution of resources, poor safety performance and high risk. We find that the vice president's office, the information security consultant, the project manager and the risk management system are the key roles for the success of risk management from the structure behavior coalescence diagram. The feedback mechanism in the enterprise is essential to report and respond to incidents for reducing risk. AOISRMM represents multiple views of information security risk management by integrating the structure and behavior of risk management. We conclude that AOISRMM, being an integration model, enables the enterprise organization, IT system and internal risk management processes to be a single interface to the vice president and department heads. Staff can effectively understand the whole picture of information security risk management through AOISRMM, which shall clarify the duties of each unit and allow flexible resource allocation for the enterprise. AOISRMM also has a good communication effect between the organization and the external environment.
APA, Harvard, Vancouver, ISO, and other styles
47

CHANG, LI-YUN, and 張力允. "Applying Deep Learning to the Information Security Risk Assessment." Thesis, 2018. http://ndltd.ncl.edu.tw/handle/7bkqz6.

Full text
Abstract:
Doctoral thesis
Huafan University
Department of Mechatronic Engineering
Academic year 106
The rapid advancement of science and technology has directly affected people's use of information. Under such circumstances, how organizations should protect the security of information has always been a very important issue. The three main elements of information security are: Confidentiality, Integrity and Availability. How the organization should protect and control, and provide information services under secure and convenient conditions, will be an issue worthy of discussion in organizations. In information security management, risk assessment is a very critical activity. Organizations can directly or indirectly identify the potential consequences or assess the occurrence of risks of an organization, and finally provide the assessment results for decision makers to carry out risk management. Most current risk assessment activities are conducted manually. The assessment process may be comparatively subjective. This dissertation uses decision trees, support vector machines, linear regression, and deep learning to conduct data analysis, and then manually reviews the results of the assessment. Using the above four methods for data analysis, experimental results show that deep learning achieves the optimal accuracy. This dissertation proposes applying deep learning to information security risk assessment.
APA, Harvard, Vancouver, ISO, and other styles
48

Lee, Chenyi, and 李振儀. "Security Risk Evaluation for Information System of Financial Holdings." Thesis, 2013. http://ndltd.ncl.edu.tw/handle/42873926420848041727.

Full text
Abstract:
Master's thesis
Soochow University
Department of Information Management
Academic year 101
The goal of information security risk management is to protect the confidentiality, integrity and usability of information assets. It can prevent the occurrence of information security events and then ensure the sustainable development of the company. In order to understand the threats and vulnerabilities that an information system may meet, information security risk management should be implemented continuously. If we record the threats and vulnerabilities in a table manually and evaluate the risk, it will be time-consuming and easy to make mistakes. In this paper, taking a financial holding as an example, we analyze the information flow in an information system based on a system with cross-selling characteristics. Then we take the analyzed information flow data as the input data of the evaluation. Based on the structure of the logistics supply chain and referring to information security risk evaluation, we can evaluate the information flow risk. The risk value is the probability of the event occurrence multiplied by the impact of the event. The probability of the event occurrence is decided by node connection type and structure. The unified impact value is transformed from curve fitting. We use MATLAB to implement the evaluation model and get the risk value by inputting source data. For the enhanced module, we estimate the improved event probability, input it into the module and recalculate the risk value. In addition, if the information flow nodes are changed, the risk value can also be recalculated immediately.
APA, Harvard, Vancouver, ISO, and other styles
49

Bernardino, Teresa Pereira. "A conceptual framework to support information security risk management." Doctoral thesis, 2012. http://hdl.handle.net/1822/20869.

Full text
Abstract:
Doctoral thesis in Technologies and Information Systems
Nowadays organizations strongly rely on technology, in particular on the performance of their information systems, and therefore become more exposed to security risks. Additionally, the rapid advances of information and communication technologies have promoted the speed and accessibility of operations, resulting in significant changes in the way organizations conduct their business. As a consequence of this technological evolution, sophisticated and underestimated attacks will transcend. In this scenario, organizations are forced to adopt adequate security procedures to manage information security and promote security awareness. Its objectives are educating first through information security awareness initiatives and then identifying, addressing and mitigating risks before they become serious threats. Despite the intense efforts made by ENISA and OECD to enhance knowledge, to positively influence public behaviour towards information security and to provide private and public organizations with good practices and key issues in the information security domain, security is still a critical activity which concerns a great number of organizations and governments worldwide. On the other hand, the research community is making efforts to alert managers to the need to put information security risk into the hands of professional risk managers instead of IT specialists, given the knowledge specificities that this area demands and the security risks the organizations are daily subject to. It is observed that a significant number of organizations use the ISO and NIST security standards. However, according to security managers these standards do not cover all their conceptual security needs, since they suggest abstract implementations for risk mitigation and thus concrete countermeasures or combinations thereof are mostly missing. This requires new and easier methodologies to support security management, especially the security risk analysis process.
In turn, this has motivated the challenge of achieving a simple, flexible and consistent conceptual model to assist the security risk management process. In this way, this thesis proposes a conceptual model grounded on hierarchical concepts, structured in an ontology based on the security standard ISO/IEC_JTC1, to support the security risk management process. The definitions of the security concepts and the established relationships, which are represented in the hierarchical structure of the ontology, are provided. A framework was developed and evaluated by interviews performed with security experts. The framework developed first incorporates the concepts hierarchically defined in the ontology, and secondly is a means to support organizations in managing their information security risk. The implemented interviews aim to assess, in the first instance, the relevance of the concepts defined and their hierarchy, and then the practical usability of the methodology for the implementation of a risk analysis. The results demonstrate the importance and applicability of the defined conceptual model, revealing that the proposed solution ensures a commitment to simplicity, flexibility and consistency of the conceptual model devised, addressing the security risk analysis needs of organizations.
50

Ho, Kuan-Shiang, and 何寬祥. "Information Security Risk Assessment Based on Analytic Hierarchy Process." Thesis, 2014. http://ndltd.ncl.edu.tw/handle/86513574033991881824.

Full text
Abstract:
Master's thesis
National Chiao Tung University (國立交通大學)
College of Engineering, Engineering Technology and Management Program
Academic year 102 (Republic of China calendar, i.e. 2013/14)
With the higher level of business informatisation, information security issues become more and more complex. Thus ISO27001, which had been established based on BS 7799 of the British Standards Institution, was published in 2005 as the international standard for information security. It has become the set of standard specifications for enterprises to follow to evaluate, build up and implement information security systems. The possibility of information security risks in high-tech manufacturing industries increases under exposure to a high level of business informatisation. Information security systems can be approached and well managed by implementing them in accordance with ISO27001. This can also minimize the risks of business operations and improve the professional skills of information technology employees. The principal concept of ISO27001 is based on risk management, which fits into the "Plan-Do-Check-Act" (PDCA) model and successively reduces risks. The most important factor in this process is risk evaluation and assessment, which determines whether the risks can be effectively controlled. The bottleneck of the company in this case study, after performing risk evaluation and assessment for two years, is that the high-value information assets can no longer be reduced. This was a questionnaire-based study. The results were analyzed in order to adjust and obtain a comprehensive risk evaluation and assessment method. A suitable and reasonable method will be developed by rearranging the items and their weights according to the characteristics of the company. Thus, the risks will be controlled and reduced once again.
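The Analytic Hierarchy Process named in this title derives the weights of the assessment items from pairwise judgements and checks those judgements for consistency before the weights are applied to each information asset. The Python block below is an added example written for this listing, not code from the thesis: the three criteria, the Saaty-scale judgements, the deliberately cyclic counter-example and the per-asset questionnaire scores are all constructed assumptions; only the random-index table is Saaty's published one.

```python
"""Analytic Hierarchy Process (AHP) weighting for an information security risk assessment.

Added example, not code from the thesis. Criteria, judgements and asset
scores below are constructed for illustration; RANDOM_INDEX is Saaty's table.
"""
from typing import Dict, List, Tuple

# Saaty's random consistency index (RI) by matrix order; CR = CI / RI.
RANDOM_INDEX = {1: 0.0, 2: 0.0, 3: 0.58, 4: 0.90, 5: 1.12,
                6: 1.24, 7: 1.32, 8: 1.41, 9: 1.45, 10: 1.49}

# Constructed criteria and upper-triangle judgements on Saaty's 1..9 scale:
# (a, b): v  means "a is v times as important as b".
CRITERIA = ["likelihood", "vulnerability", "impact"]
JUDGEMENTS = {
    ("vulnerability", "likelihood"): 2.0,
    ("impact", "likelihood"): 3.0,
    ("impact", "vulnerability"): 2.0,
}
# A cyclic set of judgements (V > L, I > V, L > I) that the check must reject.
INCONSISTENT_JUDGEMENTS = {
    ("vulnerability", "likelihood"): 3.0,
    ("impact", "vulnerability"): 3.0,
    ("likelihood", "impact"): 3.0,
}
# Constructed 1..5 questionnaire scores per asset and criterion.
ASSET_SCORES = {
    "customer_db":   {"likelihood": 4, "vulnerability": 3, "impact": 5},
    "build_server":  {"likelihood": 3, "vulnerability": 4, "impact": 4},
    "intranet_wiki": {"likelihood": 2, "vulnerability": 2, "impact": 2},
}


def pairwise_matrix(criteria: List[str], judgements: Dict[Tuple[str, str], float]) -> List[List[float]]:
    """Expand judgements into a full reciprocal matrix (a_ji = 1 / a_ij, diagonal 1)."""
    idx = {c: i for i, c in enumerate(criteria)}
    n = len(criteria)
    m = [[1.0] * n for _ in range(n)]
    for (a, b), v in judgements.items():
        if v <= 0:
            raise ValueError(f"judgement {a} vs {b} must be positive")
        m[idx[a]][idx[b]] = float(v)
        m[idx[b]][idx[a]] = 1.0 / v
    return m


def priority_vector(m: List[List[float]], iterations: int = 200) -> List[float]:
    """Principal eigenvector by power iteration, normalised to sum to 1."""
    n = len(m)
    w = [1.0 / n] * n
    for _ in range(iterations):
        aw = [sum(m[i][j] * w[j] for j in range(n)) for i in range(n)]
        total = sum(aw)
        w = [x / total for x in aw]
    return w


def consistency_ratio(m: List[List[float]], w: List[float]) -> float:
    """Saaty's CR, with lambda_max estimated as the mean of (A w)_i / w_i."""
    n = len(m)
    if n < 3:
        return 0.0
    aw = [sum(m[i][j] * w[j] for j in range(n)) for i in range(n)]
    lam = sum(aw[i] / w[i] for i in range(n)) / n
    ci = (lam - n) / (n - 1)
    return ci / RANDOM_INDEX[n]


def assess(criteria, judgements, asset_scores, max_cr: float = 0.1):
    """Return (weights, CR, assets ranked by weighted risk); refuse inconsistent judgements."""
    m = pairwise_matrix(criteria, judgements)
    w = priority_vector(m)
    cr = consistency_ratio(m, w)
    if cr > max_cr:
        raise ValueError(f"judgements inconsistent: CR={cr:.2f} > {max_cr}")
    weights = dict(zip(criteria, w))
    risks = {asset: sum(weights[c] * s[c] for c in criteria)
             for asset, s in asset_scores.items()}
    ranked = sorted(risks.items(), key=lambda kv: kv[1], reverse=True)
    return weights, cr, ranked


if __name__ == "__main__":
    weights, cr, ranked = assess(CRITERIA, JUDGEMENTS, ASSET_SCORES)
    print("weights:", {c: round(v, 3) for c, v in weights.items()}, "CR:", round(cr, 3))
    for asset, risk in ranked:
        print(f"{asset:14s} {risk:.2f}")
    try:
        assess(CRITERIA, INCONSISTENT_JUDGEMENTS, ASSET_SCORES)
    except ValueError as e:
        print("rejected:", e)
```

Saaty's usual acceptance threshold is CR below 0.1; a questionnaire whose pairwise answers fail it is sent back to the respondent rather than folded into the asset ranking, since the resulting weights would be arbitrary. For the constructed judgements above the weights come out near 0.16, 0.30 and 0.54 with CR about 0.01, while the cyclic set yields CR above 1 and is rejected.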