A Quantitative Framework for Dependency-Aware Organizational IT Risk Management

AutorStephan Schmidt, Sahin Albayrak
QuelleProc. of the 10th Int. Conf. on Intelligent System Design and Applications (ISDA 2010) 

In this paper, we introduce a new scheme for performing IT Risk Management within organizational domains. It adopts a business process-oriented view which integrates risk assessment, vulnerability assessment and risk mitigation into a quantitative framework. Taking the asset dependencies into account, we map business process values to IT hardware components in a hierarchical fashion and combine it with IT system vulnerability and threat analysis to derive risk scores on a IT hardware system level. We then apply mathematical algorithms for computing cost-optimal quantitative mitigation strategies given a set of available mitigation actions. We illustrate the entire integrated process by means of a case study and show that considerable risk savings can be obtained.