A two-phase quantitative methodology for enterprise information security risk analysis

Enterprises possess assets required for executing their business processes and activities. However, the assets contain vulnerabilities that can be exploited by threats to disrupt the business activities. The term risk in this context refers to the harm that can potentially occur if the threats exploit the vulnerabilities to cause damage to the assets. As the enterprise information infrastructure is becoming more complex and connected, the risks to enterprises' assets are also increasing. Hence, the process of identification, analysis, and mitigation of information security risks has assumed utmost importance. This paper presents a quantitative information security risk analysis methodology for enterprises. The methodology consists of two approaches - while the consolidated approach provides an overview of the risk profile of assets, the detailed approach identifies the threat-vulnerability pairs responsible for the risks. Based on the severity of risks to them, assets are categorized into three different risk zones, namely high, medium and low-risk zones. While the high-risk assets need high-end infrastructure for protection, the medium-risk assets may be safeguarded with the help of security policies, guidelines and procedures. The low-risk assets, on the other hand, may not need any explicit protection mechanism. This paper extends a previous work of the authors by incorporating a formal model of asset dependency, and detailing the activities and processes for the implementation of the proposed methodology. Moreover, the paper includes a detailed comparative survey of the existing risk analysis methodologies and tools.