KTH-SEECS Applied Information Security Lab

National University of Sciences and Technology (NUST)

An Improved Security Risk Management Framework

Domain:Security Management

Status: Active

Contact Person(s): Haleemah Zia , Rahat Masood

Information Security Risk Management (ISRM) is the process of identifying critical assets of an organization, analyzing vulnerabilities and threats associated with them, the impact of risks that emanate from those threats and determining justified solutions to mitigate those risks. In any public or private sector organization, ISRM ensures smooth running of business processes by reducing all perceived risks to an acceptable impact level. Currently, there are various risk assessment/ management methodologies in use by the industry. These include OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation), CRAMM (CCTA Risk Analysis and Management Method), NIST SP800-30, FMEA (Failure mode and effects analysis) etc. In order to get compliance certifications, organizations follow standard ISRM practices as laid down by (one or more of) these methodologies. In the past three years however, researchers have been identifying and publishing the dilemma of organizations being standards-compliant yet not considerably risk free. The reason for this are certain deficiencies that occur in the implementation of these risk assessment methodologies. In-comprehensive asset identification, inaccurate risk estimation or prediction and infrequent risk assessment are the major limitations identified in literature. Moreover, traditional ISRM methods do not incorporate risk assessment of knowledge assets and have been rendered unsuitable for the purpose. While the mentioned deficiencies are currently being highlighted by various researchers, there exists no complete and technically approved solution that could adequately fill the gap.  This research project aims to design, implement and evaluate such a framework in order to achieve significant improvement in the overall ISRM process.
The framework would be practically tested in a small organization and evaluated through qualitative surveys. A specification document giving out detailed steps with examples and guidelines would also be developed.