

Information technology risk assessment methods and improvement solutions

Abstract

The legal tools applied in the context of IT development are failing to solve the problems facing society; on the other hand, they sometimes hinder innovation. The intensity of the development of information systems and technologies requires highly flexible and adaptive approaches to cybersecurity. One of these approaches is IT risk assessment. There are currently many methodologies that can be used to assess the risk of cyber threats effectively. For institutions with multiple exposures, the correlation between different positions may not be correctly estimated. Measuring known risk is a common problem in risk assessment practice. In order to develop a simple IT risk assessment method, the article examines existing IT risk assessment methods, proposes IT risk assessment solutions and presents the results of practical application.


Information technology risk assessment methods and improvement solutions (Lithuanian-language abstract, translated)

Summary

The legal measures applied in the context of IT development are unable to solve the problems society has to face; on the other hand, in certain cases they hold back the development of innovation. The intensity of the development of information systems and technologies requires highly flexible and adaptive ways of applying cybersecurity assurance methods. One of these methods is IT risk assessment. There are currently many methodologies on the basis of which the risk of cyber threats could be assessed effectively. For an institution with a multitude of risks, the correlation between different positions may be assessed incorrectly. Measuring known risk is a frequent problem in risk assessment practice. In order to create a simple IT risk assessment method, the article examines existing IT risk assessment methods, proposes IT risk assessment solutions and presents the results of practical application.

Keywords (Lithuanian): IT risks, method, cybersecurity, vulnerability, threats.

Keywords: IT risks, method, cybersecurity, vulnerabilities, threats

How to Cite
Jevsejev, R. (2020). Information technology risk assessment methods and improvement solutions. Mokslas – Lietuvos Ateitis / Science – Future of Lithuania, 12. https://doi.org/10.3846/mla.2020.10562
Published in Issue
Jan 30, 2020
Creative Commons License

This work is licensed under a Creative Commons Attribution 4.0 International License.
