Evaluation of quantitative assessment extensions to a qualitative riskanalysis method

The usage of information systems (IS) within organizations has become crucial. Information is one of the most vulnerable resources within an enterprise. Information can be exposed, tampered with or made non-accessible, whereby its integrity, confidentiality or availability is affected. The ability to...


Bibliographic Details
Main Author: Svensson, Louise
Format: Others
Language: English
Published: Linköpings universitet, Databas och informationsteknik 2017
Subjects:
Online Access: http://urn.kb.se/resolve?urn=urn:nbn:se:liu:diva-143597
id ndltd-UPSALLA1-oai-DiVA.org-liu-143597
record_format oai_dc
collection NDLTD
language English
format Others
sources NDLTD
topic Risk analysis
Hybrid risk analysis
Quantitative risk analysis
Risk management
Risk assessment
Computer Systems
Datorsystem
description The usage of information systems (IS) within organizations has become crucial. Information is one of the most vulnerable resources within an enterprise. Information can be exposed, tampered with or made non-accessible, whereby its integrity, confidentiality or availability is affected. The ability to manage risks is therefore a central issue in enterprises today. In order to manage risks, the risks need to be identified and further evaluated. All kinds of threats with the possibility to negatively affect the confidentiality, integrity, or availability of the organization need to be reviewed. The process of identifying and estimating risks and possible measures is called risk analysis. There are two main categories of risk analysis, qualitative and quantitative. A quantitative method involves interpreting numbers from data and is based on objective inputs. A qualitative method involves interpreting subjective inputs such as brainstorming and interviews. A common approach is to apply a qualitative method; however, a lot of criticism has been raised against using subjective inputs to assess risks. Secure State is a consulting company with specialist expertise in the field of information security. They help their customers to build trust in the customers' systems and processes, making their customers' businesses operate with consideration to information security. One service offered by Secure State is risk analysis, and currently they perform qualitative risk analysis. Given all the criticism against a qualitative approach for assessing risks, this study developed a quantitative risk analysis method for Secure State. According to participants who attended a risk analysis where the developed quantitative risk analysis method was used, the quantitative risk analysis method improved the risk assessment. Since risks and their effects are decomposed into smaller components in the proposed quantitative risk analysis method, interpretations of risks and their meaning during assessments were less likely to differ. Therefore, the common understanding of a risk increases, which makes the quality of the evaluation of risks increase. Furthermore, the usage of statistical data increases in the developed quantitative risk analysis method. Additionally, the quantitative method handles the fact that all data used is imperfect. The data is imperfect since it is used to describe the future, and the future has not happened yet.
author Svensson, Louise
title Evaluation of quantitative assessment extensions to a qualitative riskanalysis method
publisher Linköpings universitet, Databas och informationsteknik
publishDate 2017
url http://urn.kb.se/resolve?urn=urn:nbn:se:liu:diva-143597