2014
Conference Paper
Title
An asset to security modeling? Analyzing stakeholder collaborations instead of threats to assets
Abstract
Risk assessment in information security traditionally analyzes threats to assets. An asset is a persistent item or property of value and has an owner. Attacks damage assets; security controls prevent attacks to preserve their value. Expected attack loss is calculated from the value of the attacked assets. This common analytic approach works satisfyingly if an IT system runs in an enclosed environment within an organization. Nowadays, IT systems are accessed and used across organizational boundaries by a multitude of independent stakeholders employing them for their own interests and with particular expectations regarding their trustworthiness. The asset paradigm cannot support estimating consequences of security incidents that may harm these complex stakeholder collaborations. We propose to model the stakeholder collaboration networks and to analyze scenarios of how security incidents affect relationships between stakeholders. Collaboration continuously creates value for all participants. Security incidents change the behavior of stakeholders and their willingness to collaborate, but in complicated ways. Transmission factors characterizing a relationship help us to assess the impact of incidents. We apply the conventional method and our new approach to a case study and compare the results.
Author(s)