DEVELOPMENT OF A MODEL FOR INFORMATION SECURITY RISK MANAGEMENT

Abstract

A risk is the possibility that an undesirable event could happen. Several risk management software tools have been developed in the past to address pressing industrial concerns such as risk identification and estimation, risk exposure, mitigation and to keep track of risk positions and respective management plans. Several methods have been developed and used in risk assessments. Two specific methods of interest in this work are: “Risk Matrices” and “Risk Registers”. In this work, A generic Risk Register application module and an updatable Risk Matrix module has been designed. This research work studies risk management techniques and employs a custom model for the automated assessment of Information Security risks. This model was implemented in phases corresponding to its aspects which are Establishing the context, identification of risk and Risk assessment. The Assessment methods of interest to this work are Risk Registers, Risk Matrices and the Scenario Geek. What-if analysis is a data-intensive simulation whose goal is to inspect the behavior of a complex system under some given hypotheses called scenarios. What-ifs are used to generate qualitative descriptions of potential problems in the form of questions and responses lists of recommendations for preventing problems. The Risk Assessor was developed using Microsoft’s Visual Basic.Net with Active Server Pages (ASP.Net) Technologies on .Net Framework 4.0. This work, if adopted will help keep track of the sources which can hamper the operations of organization that are dependant on information technology.