The following information was submitted:
Transactions: Please, select the Journal that you submit to
Transactions ID Number: 19-153
Full Name: Naoki Satoh
Position: Ph.D. Candidate
Age: ON
Sex: Male
Address: 36-1, Yoshida-honmachi, Sakyoku, Kyoto, 606-8501 JAPAN
Country: JAPAN
Tel:
Tel prefix:
Fax:
E-mail address: Sato@sys.i.kyoto-u.ac.jp
Other E-mails: kumamoto@i.kyoto-u.ac.jp
Title of the Paper: Viewpoint of Probabilistic Risk Assessment in Information Security Audit
Authors as they appear in the Paper: Naoki Satoh, Hiromitsu Kumamoto
Email addresses of all the authors: Sato@sys.i.kyoto-u.ac.jp, kumamoto@i.kyoto-u.ac.jp
Number of paper pages: 9
Abstract: After an information security audit, the auditor commonly points out the importance of the information assets, the vulnerability of the audited information system, and the need for countermeasures. On such an occasion, the audited organization often asks the auditor for a quantitative assessment of the risk so that it can take specific measures. Nevertheless, in reality, the auditor can hardly meet this requirement, because no appropriate methods exist to assess the risk quantitatively and systematically. Therefore, this paper proposes an approach that makes it possible to identify the scenarios of information security accidents systematically, to assess the risk of the occurrence of each scenario quantitatively, and to point out the importance of taking countermeasures, by incorporating Probabilistic Risk Assessment into the information security audit. For a concrete description and explanation of this approach, this paper takes the case of an audit of password management as an example. By enumerating the possible scenarios that indicate how initiating events, the vulnerability of mitigation systems, and failures of operations can allow illegal access to the information assets, this paper shows that it is possible to assess the security risks by the pair of defenseless time span and occurrence frequency of each scenario. Finally, since the parameters necessary for risk quantification, such as the occurrence frequency of password theft, the probability of theft detection, and the probability of taking countermeasures after the theft, have uncertainty, the uncertainty of the occurrence of the scenario itself is assessed by propagating the incompleteness of the knowledge of these parameters with random digits.
Keywords: Information Security Audit, Probabilistic Risk Assessment, Scenario, Defenseless Time Span, Occurrence Frequency
EXTENSION of the file: .doc
Special (Invited) Session: An Application of Probabilistic Risk Assessment to Information Security Audit
Organizer of the Session: 618-481
How Did you learn about congress:
IP ADDRESS: 203.141.92.14