Information Security Risk Analysis: A Matrix-Based Approach

Author(s): Sanjay Goel (University at Albany, USA) and Vicki Chen (General Electric Energy, USA)
Copyright: 2005
Pages: 4
Source title: Managing Modern Organizations Through Information Technology
Source Editor(s): Mehdi Khosrow-Pour (Information Resources Management Association, USA)
DOI: 10.4018/978-1-59140-822-2.ch054


This paper presents an information security risk analysis methodology that links the assets, vulnerabilities, threats and controls of an organization. The approach uses a sequence of matrices that correlate the different elements of the risk analysis. The data are aggregated and cascaded across the matrices so that assets are correlated with controls, yielding a prioritized ranking of the controls based on the assets of the organization. The approach does not obfuscate the intermediate data in the analysis, which keeps the risk analysis process transparent and allows the data to be rationalized. Organizations can start with sparse, low-fidelity data and gradually refine the analysis as additional (and higher quality) data are collected over time. A sample case study based on a study at a NY State agency is presented. This methodology was applied at General Electric and some preliminary results of the case study are presented in this paper.
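As an added illustration (not code from the paper), one way to implement the cascade described above: asset values are pushed through an assets-by-vulnerabilities matrix, a vulnerabilities-by-threats matrix and a threats-by-controls matrix, and every intermediate vector is kept so the ranking can be inspected and rationalized. The matrix shapes, the 0/1 and fractional weights and the asset, vulnerability, threat and control names are constructed assumptions, not the paper's own data.

```python
from typing import Dict, List, Tuple

Vector = List[float]
Matrix = List[List[float]]  # row-major: rows index the "from" element


def vec_mat(v: Vector, m: Matrix) -> Vector:
    """Row vector times matrix: aggregates weights of the 'from' elements onto the 'to' elements."""
    if len(v) != len(m):
        raise ValueError("vector length must equal the matrix row count")
    width = len(m[0])
    return [sum(v[i] * m[i][j] for i in range(len(v))) for j in range(width)]


def cascade(asset_values: Vector, asset_vuln: Matrix,
            vuln_threat: Matrix, threat_control: Matrix) -> Dict[str, Vector]:
    """Cascade asset values through the three correlation matrices.

    Returns every intermediate vector (not just the final control scores),
    mirroring the paper's point that intermediate data stay visible.
    """
    vuln_exposure = vec_mat(asset_values, asset_vuln)      # value at risk per vulnerability
    threat_exposure = vec_mat(vuln_exposure, vuln_threat)   # value at risk per threat
    control_score = vec_mat(threat_exposure, threat_control)  # value each control protects
    return {"vulnerabilities": vuln_exposure,
            "threats": threat_exposure,
            "controls": control_score}


def rank_controls(names: List[str], scores: Vector) -> List[Tuple[str, float]]:
    """Highest-scoring (most asset value protected) control first."""
    return sorted(zip(names, scores), key=lambda p: p[1], reverse=True)


# Constructed sample data (assumptions, not from the paper).
ASSETS = ["customer DB", "web server", "workstation"]
ASSET_VALUES = [10.0, 5.0, 2.0]
VULNS = ["unpatched software", "weak passwords", "no backups"]
THREATS = ["malware", "credential theft", "hardware failure"]
CONTROLS = ["patching", "MFA", "backups"]
ASSET_VULN = [[1, 1, 1], [1, 1, 0], [1, 0, 0]]          # which vulnerabilities each asset has
VULN_THREAT = [[1, 0, 0], [0, 1, 0], [0.5, 0, 1]]       # which threats exploit each vulnerability
THREAT_CONTROL = [[1, 0, 0.5], [0, 1, 0], [0, 0, 1]]    # which controls mitigate each threat


def sample_ranking() -> List[Tuple[str, float]]:
    stages = cascade(ASSET_VALUES, ASSET_VULN, VULN_THREAT, THREAT_CONTROL)
    return rank_controls(CONTROLS, stages["controls"])


if __name__ == "__main__":
    for name, score in sample_ranking():
        print(f"{name:10s} {score:5.1f}")
```

Because the intermediate vectors are returned, a refined estimate for a single cell (say, a better weight for one vulnerability-to-threat link) can be dropped in and the change traced stage by stage, which is how the low-fidelity starting data can be improved over time.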

