• Refine Query
  • Source
  • Publication year
  • to
  • Language
  • 1
  • 1
  • Tagged with
  • 2
  • 2
  • 2
  • 2
  • 2
  • 2
  • 1
  • 1
  • 1
  • 1
  • 1
  • 1
  • 1
  • 1
  • 1
  • About
  • The Global ETD Search service is a free service for researchers to find electronic theses and dissertations. This service is provided by the Networked Digital Library of Theses and Dissertations.
    Our metadata is collected from universities around the world. If you manage a university/consortium/country archive and want to be added, details can be found on the NDLTD website.
1

The Risk Assessment based on international standards, a credibility evaluation: A case study on international standards of Risk Assessment and Management in the Information Security context

Hedian, Daniel, Silva Neto, Gil January 2015 (has links)
Summary Organizations face risks regardless of the type of industry or government. Historically risks have been undertaken in various processes and coped with differently by society. An appropriate application of risk management is widely acknowledged as one of the most critical aspects of undertaking business activities across all sectors in society, public and private. In order to carry out this activity as part of the crucial actions the organizations implement as part of their culture, many standards have been developed at the international level. These standards provide the groundwork for entities to start implementing these processes and reduce the risk they face with a standardized set of procedures across sectors. Risk assessment faces abundant arguments that lead to doubt the credibility of the standards implemented by different organizations, as not a single method or definition is agreed upon across cultural and sectorial barriers. Therefore, the credibility of the standardized assessment is doubted. This study aims to evaluate the credibility of standardized risk assessments with a focus on the Information Security Risk Assessment Standards, in particular ISO 27005 and NIST 800-30 in collaboration with the Swedish Armed Forces. The research adapts the frameworks available in literature to evaluate credibility of risk assessments to the international standardized assessment procedure. The standards credibility will be evaluated with different criteria divided in five categories considered applicable to the standardised risk assessment procedure. Also, input from experts in organizations currently employing the standards and academic experts in the field will also be utilized. This study utilizes a qualitative case study approach. The credibility evaluation performance of each international standard is similar; the only category that NIST 800-30 has a significant better performance is the category related to the final Risk Assessment Results (Report). The NIST provides a further step in the process as well as the guidelines and templates in order to develop different parts of the assessment process including the report, which is considered a best practice of a standardised risk assessment. The findings of the research contradict four criteria of the framework found in the literature, related to with what can be learned from past risk assessments, to the wide ranging of the required scope of a risk assessment, the relevance of the disclosure of information on the final risk assessment report related to the composition of the assessment group and finally the procedure for finding consensus among stakeholders. The research question “How credible are standardized risk assessments?” provide a holistic understanding of the credibility of the standards previously mentioned, determining that these provide a solid framework for companies to start assessing the risks in a regulated and standardized procedure. These oversee the problems embedded in the subjectivity of a risk assessment and the ever-changing (intrinsic and extrinsic) aspects of stakeholder behaviour with a lack of a systemic approach to solve these issues, which also include the lack of proper handling of risk uncertainty and the lack of transparency on the final risk assessment report. The study provides a groundwork which can be used in order to develop future research. This study also provides a grounded framework which can be used by entities utilizing the standards in order to reflect their procedures of their risk assessment activities. Keywords: Credibility, risk assessment, risk management, international standards, risk, information security, ISO 27005, NIST 800-30.
2

Hodnocení přístupů k analýze bezpečnostních rizik / Assessment of approaches to security risk analysis

Koudela, Radek January 2010 (has links)
Risk management is a process through which organizations are methodically devoted to the risks associated with their activities in order to get the biggest benefit from their business. It is also a rapidly developing field, where there is a variety of different approaches, methods, methodologies and standards in which may be little confusing. Therefore, this work offers a comprehensive and systematic view on the issue of risk analysis and management. Risk analysis is a cornerstone for effective security management of each company used for identification, description and quantification of risks, which should lead to acceptance of suitable measures for risk treatment. That is the reason why it requires a careful and methodical procedure described in this work. The main objective of this work is to analyse different approaches to risk analysis and management and thus highlight the importance of information security and protection of corporate assets. This approaches need to be understood as a different levels of detail of conducted risk analysis which will depend on initial maturity level (according to the CMM -- Capability Maturity Model) of information security process. The theoretical part of this thesis will explain relevant methodologies, techniques and procedure of risk analysis based on the ISO 27005 standard. From this part reader should learn what risk analysis is, what is it used for, how can it be carried out and what standards and methods can be used. The practical part will solve a real risk analysis project, which will demonstrate application of information obtained in the theoretical part.

Page generated in 0.022 seconds