Hier finden Sie wissenschaftliche Publikationen aus den Fraunhofer-Instituten.

Problem analysis of traditional IT-security risk assessment methods - an experience report from the insurance and auditing domain

: Taubenberger, S.; Jürjens, J.; Yu, Y.; Nuseibeh, B.


Camenisch, J.L. ; International Federation for Information Processing -IFIP-, Technical Committee Security and Privacy Protection in Information Processing Systems:
Future challenges in security and privacy for academia and industry. 26th IFIP TC 11 International Information Security Conference, SEC 2011 : Lucerne, Switzerland, June 7 - 9, 2011; proceedings
Berlin: Springer, 2011 (IFIP advances in information and communication technology 354)
ISBN: 978-3-642-21423-3
ISBN: 3-642-21423-1
ISBN: 978-3-642-21424-0
International Information Security Conference (SEC) <26, 2011, Lucerne>
Conference Paper
Fraunhofer ISST ()

Traditional information technology (IT) security risk assessment approaches are based on an analysis of events, probabilities and impacts. In practice, security experts often find it difficult to determine IT risks reliably with precision. In this paper, we review the risk determination steps of traditional risk assessment approaches and report on our experience of using such approaches. Our experience is based on performing IT audits and IT business insurance cover assessments within a reinsurance company. The paper concludes with a summary of issues concerning traditional approaches that are related to the identification and evaluation of events, probabilities and impacts. We also conclude that there is a need to develop alternative approaches, and suggest a security requirements-based risk assessment approach without events and probabilities.