Decision Support for Assessment of IT-Security Risks

摘要

IT-security risks can have a great impact on organizations and can cause high financial damage. To address security issues and avoid problems, knowledge about risks is vital. Therefore, a risk assessment process, which addresses security of IT-systems, is essential. However, risk assessment methods based on qualitative or quantitative approaches involve some difficulties and limitations. Therefore, in this research, we propose a risk assessment method based on semi-quantitative approach. The method provides decision support for security experts during evaluation of IT-security risks and enables assessment of threats both at a detailed level and as a whole. Imprecise information is captured from expert judgment and expressed numerically in interval form. The method is applied to a scenario in order to demonstrate its usage. We utilize a decision tool to present the outcomes. Moreover, sensitivity analysis is performed to point out most critical values.