Enterprise Information Security Risk Analysis: A Comprehensive Report

Added on 2020/05/11
Running head: SUMMARY OF ARTICLE
Summary of Article
Name of the Student
Name of the University
Author’s Note:
A Two-Phase Quantitative Methodology for Enterprise Information Security Risk Analysis
Summary: An enterprise information system is responsible for improving the overall functions of a particular
enterprise. Computer networks, however, are vulnerable to all types of security risks and threats
(Bhattacharjee et al., 2012). Such attacks and threats can be mitigated by systematic approaches
and strategies.
There are a few methodologies for analyzing information security risks and threats
(Jerman-Blazic, 2012). The first is the OCTAVE method, which allows an organization to make
decisions based on the integrity, availability and confidentiality of its IT assets. The second is the Ten
Step Process method, whose steps include the identification and prioritization of threats, the calculation of
risk factors, the identification and ranking of safeguards, and the preparation of the risk analysis report
(Peltier, 2013). The third is the FRAAP method, which attempts to recognize threats with
respect to their effects on business processes. The three tools for information security risk analysis are
COBRA, CORAS and CRAMM.
There are a few requirements for an information security risk analysis method (Jerman-Blazic,
2012). The confidentiality and integrity requirements refer to the protection of information from any type of
unauthorized access and to its accuracy. The availability requirement ensures that
information is available to authorized users. Authenticity refers to the verification of information,
while non-repudiation refers to the ability to prevent the denial of services (Laudon & Laudon, 2016).
Loss impact refers to the enterprise's requirement for a particular asset, and the legal and contractual
requirement is the set of contractual requirements that a particular organization claims to fulfil.
There are two proposed approaches to securing the information, data or services of an
enterprise. These approaches also help to recognize the threats and risks to the information system.
The first is the consolidated approach, which evaluates a specific risk factor value for a
particular asset (Bhattacharjee et al., 2012) and classifies that asset as low, medium or
high risk. The second is the detailed approach, which not only evaluates a specific risk factor but
also identifies the particular threat-vulnerability pair that has caused the risk.
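The difference between the two approaches is easiest to see on a small asset inventory. The following Python program is an added illustration, not code from Bhattacharjee et al. (2012) or from this summary: the scoring formula (likelihood multiplied by impact on assumed 1 to 5 scales), the worst-case aggregation per asset and the low/medium/high thresholds are all assumptions chosen for the example, and the inventory is constructed sample data. The consolidated view returns one risk factor and a band per asset; the detailed view ranks every threat-vulnerability pair so the pair that drives the band is visible.

```python
"""Toy worked example of the consolidated and detailed risk approaches.

Added illustration, not code from Bhattacharjee et al. (2012). The scoring
formula (likelihood x impact on 1..5 scales), the worst-case aggregation and
the low/medium/high thresholds are assumptions chosen for this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

SCALE_MIN, SCALE_MAX = 1, 5

# Assumed band thresholds on the 1..25 product scale.
LOW_MAX = 6
MEDIUM_MAX = 14


@dataclass(frozen=True)
class ThreatVulnPair:
    threat: str
    vulnerability: str
    likelihood: int  # 1 (rare) .. 5 (almost certain), assumed scale
    impact: int      # 1 (negligible) .. 5 (severe), assumed scale

    def __post_init__(self) -> None:
        # Reject out-of-range ratings early so a typo cannot silently skew the score.
        for name, value in (("likelihood", self.likelihood), ("impact", self.impact)):
            if not SCALE_MIN <= value <= SCALE_MAX:
                raise ValueError(f"{name} must be in {SCALE_MIN}..{SCALE_MAX}, got {value}")


def pair_risk(pair: ThreatVulnPair) -> int:
    """Risk contributed by one threat-vulnerability pair (assumed product formula)."""
    return pair.likelihood * pair.impact


def classify(score: int) -> str:
    """Map a risk factor to the low/medium/high bands of the consolidated approach."""
    if score <= LOW_MAX:
        return "low"
    if score <= MEDIUM_MAX:
        return "medium"
    return "high"


def consolidated_risk(pairs: List[ThreatVulnPair]) -> Tuple[int, str]:
    """Consolidated approach: one risk factor per asset, then a band.

    Aggregating by the worst-case pair is an assumption of this example.
    """
    if not pairs:
        raise ValueError("an asset needs at least one threat-vulnerability pair")
    score = max(pair_risk(p) for p in pairs)
    return score, classify(score)


def detailed_risk(pairs: List[ThreatVulnPair]) -> List[Tuple[str, str, int, str]]:
    """Detailed approach: every pair scored and ranked, so the cause of the risk is visible."""
    ranked = sorted(pairs, key=pair_risk, reverse=True)
    return [(p.threat, p.vulnerability, pair_risk(p), classify(pair_risk(p))) for p in ranked]


def assess(inventory: Dict[str, List[ThreatVulnPair]]) -> Dict[str, dict]:
    """Run both approaches over an asset inventory and report the driving pair per asset."""
    report = {}
    for asset, pairs in inventory.items():
        score, band = consolidated_risk(pairs)
        detail = detailed_risk(pairs)
        report[asset] = {
            "risk_factor": score,
            "band": band,
            "pairs": detail,
            "root_cause": detail[0][:2],  # (threat, vulnerability) of the top-ranked pair
        }
    return report


# Constructed sample inventory (not real data).
SAMPLE_INVENTORY = {
    "customer-db": [
        ThreatVulnPair("ransomware", "unpatched database server", likelihood=4, impact=5),
        ThreatVulnPair("insider misuse", "shared admin account", likelihood=2, impact=3),
        ThreatVulnPair("power failure", "no UPS in server room", likelihood=3, impact=4),
    ],
    "intranet-wiki": [
        ThreatVulnPair("defacement", "default credentials", likelihood=2, impact=2),
        ThreatVulnPair("data loss", "no backups", likelihood=1, impact=3),
    ],
}

if __name__ == "__main__":
    for asset, result in assess(SAMPLE_INVENTORY).items():
        cause_threat, cause_vuln = result["root_cause"]
        print(f"{asset}: risk factor {result['risk_factor']} ({result['band']}), "
              f"driven by {cause_threat} via {cause_vuln}")
```

The consolidated result for `customer-db` is a single "high" band; only the detailed ranking shows that the ransomware/unpatched-server pair is what puts it there, which is the information a remediation plan needs.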
An enterprise information system helps to improve the functions of business processes, and there are
risks and threats associated with it. Various methods exist to identify and
analyze the risks and threats to this information system. The proposed approaches for this purpose are the
consolidated and detailed approaches.
References
Bhattacharjee, J., Sengupta, A., Mazumdar, C., & Barik, M. S. (2012, September). A two-phase
quantitative methodology for enterprise information security risk analysis. In Proceedings of the
CUBE International Information Technology Conference (pp. 809-815). ACM.
Jerman-Blazic, B. (2012). Quantitative model for economic analyses of information security investment
in an enterprise information system. Organizacija, 45(6), 276.
Laudon, K. C., & Laudon, J. P. (2016). Management information system. Pearson Education India.
Peltier, T. R. (2013). Information security fundamentals. CRC Press.