DOI: https://doi.org/10.20535/2411-1031.2018.6.2.153494

Risk assessment presentation of information security by the risks map

Volodymyr Mokhor, Oleksandr Bakalynskyi, Vasyl Tsurkan

Abstract


The features of presenting information security risk assessments by means of risk maps are considered. In practice, such a map is drawn on a coordinate plane whose axes denote the parameters of an information security risk: the probability of the risk and the magnitude of the losses. The map determines the acceptability of individual or grouped information security risks. It is constructed by choosing the assessment scale (qualitative, quantitative, or qualitative-quantitative) and the map dimensionality (equal-sized or different-sized cells). When equal-sized and different-sized information security risk maps are used, linguistic rating scales are mainly applied (for example, "very low", "low", "medium", "high", "very high"). This approach is limited by the difficulty of comparing possible estimates of the two parameters, risk probability and loss magnitude, which in turn makes it hard to determine whether an information security risk assessment is acceptable and, as a result, to decide on its treatment. This limitation is overcome by combining linguistic and ordinal scales. The combination of scales makes it possible to compare information security risk assessments and to establish clear boundaries on the map. The use of discrete maps with clear (discrete) boundaries is complemented by color coding: acceptable assessments are highlighted in green, unacceptable ones in red. The level of acceptability is set by the expert and depends on his knowledge, skills, preparedness, and experience. The adequacy of a discrete information security risk map is determined by its dimensionality, which can therefore be increased where necessary. On the one hand, this makes it possible to take intermediate values of information security risk into account. On the other hand, it leads to enumerating a large number of (risk probability, loss magnitude) pairs, to difficulties in perceiving them, and to an increase in the time needed to decide whether or not to treat unacceptable information security risks.
Thus, the use of discrete maps is limited, first of all, by the difficulty of assessing, comparing and accounting for (risk probability, loss magnitude) pairs. These difficulties can be taken into account by presenting information security risk assessments on a continuous map.
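The discrete map described above, as an added illustration that is not code from the paper: the five-term linguistic scale is paired with an ordinal scale, each (probability, loss magnitude) cell is colored green or red against an expert-chosen threshold, and a refinement step shows how the number of pairs grows with dimensionality. The numeric ranks, the rank-product risk level and the threshold value are assumptions; the paper leaves them to the expert.

```python
from itertools import product

# Added example, not code from the paper: a discrete information security risk map
# on a linguistic scale paired with an ordinal one. Numeric ranks, the rank-product
# risk level and the acceptability threshold are assumptions left to the expert.

LINGUISTIC_SCALE = ["very low", "low", "medium", "high", "very high"]

def ordinal(scale):
    """Ordinal scale paired with the linguistic one: 'very low' -> 1 ... 'very high' -> 5."""
    return {term: rank for rank, term in enumerate(scale, start=1)}

def risk_level(probability, loss, scale=LINGUISTIC_SCALE):
    """Ordinal risk level of a (probability, loss magnitude) pair: product of the two ranks."""
    ranks = ordinal(scale)
    return ranks[probability] * ranks[loss]

def discrete_risk_map(scale, threshold):
    """Color every cell of the square map: green = acceptable, red = unacceptable.
    `threshold` is the expert's acceptability boundary on the ordinal risk level."""
    return {(p, l): "green" if risk_level(p, l, scale) <= threshold else "red"
            for p, l in product(scale, repeat=2)}

def risks_to_treat(risks, threshold, scale=LINGUISTIC_SCALE):
    """Names of the risks that land in a red cell, i.e. those a treatment decision is due for."""
    colors = discrete_risk_map(scale, threshold)
    return [name for name, p, l in risks if colors[(p, l)] == "red"]

def refine_scale(scale):
    """Raise map dimensionality by inserting an intermediate term between neighbours;
    the number of (probability, loss magnitude) pairs grows from n**2 to (2n - 1)**2."""
    refined = []
    for a, b in zip(scale, scale[1:]):
        refined += [a, f"{a}/{b}"]
    return refined + [scale[-1]]

if __name__ == "__main__":
    # Constructed sample risk register: (name, probability, loss magnitude).
    register = [("unpatched web server", "high", "high"),
                ("lost visitor badge", "medium", "very low"),
                ("mislabelled backup tape", "low", "medium")]
    print("treat:", risks_to_treat(register, threshold=6))
    print(len(refine_scale(LINGUISTIC_SCALE)) ** 2, "pairs after one refinement")
```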


Keywords


Information security risk; information security risk assessment; rating scale; risk map; discrete risk map; continuous risk map.





ISSN 2411-1031 (Print), ISSN 2518-1033 (Online)