Abstract
Information security management is one of the most important issues an organisation has to resolve, and the key element of that process is risk analysis. The relevant standards (ISO/IEC 27000, ISO/IEC 31000) rely on the complex and time-consuming process of defining vulnerabilities and threats for all organisation assets. In this article we present a new approach to analysing the risk of an attack on information systems. We focus on the human factor, namely attacker motivation, and show its relation to hacker profiles as well as to impacts. We first introduce a new model of motivation-based risk analysis, then describe a case study illustrating the approach for a simple set of organisation processes.
Copyright information
© 2014 IFIP International Federation for Information Processing
Cite this paper
Niescieruk, A., Ksiezopolski, B. (2014). Motivation-Based Risk Analysis Process for IT Systems. In: Linawati, Mahendra, M.S., Neuhold, E.J., Tjoa, A.M., You, I. (eds) Information and Communication Technology. ICT-EurAsia 2014. Lecture Notes in Computer Science, vol 8407. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-55032-4_45
DOI: https://doi.org/10.1007/978-3-642-55032-4_45
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-55031-7
Online ISBN: 978-3-642-55032-4