Publication:
Combined Risk Assessment Model (C-RAM) for organizational information security

dc.contributor.author: Dioubate, Balla Moussa [en_US]
dc.date.accessioned: 2024-10-08T07:42:14Z
dc.date.available: 2024-10-08T07:42:14Z
dc.date.issued: 2017
dc.description.abstract: Information security risk assessment plays an important role in an organization's future strategic planning. Generally, there are two types of risk assessment approaches: quantitative risk assessment and qualitative risk assessment. Quantitative risk assessment is an objective study of risk that uses numerical data, but it is difficult to conduct a purely quantitative risk assessment because numerical data alone is hard to comprehend without a subjective explanation. On the other hand, qualitative risk assessment is a subjective evaluation based on judgment and experience, and it does not operate on numerical data. If implemented in silos, the limitations of both quantitative and qualitative methods may increase the likelihood of direct and indirect losses for an organization. In order to address this limitation, this thesis proposes to combine both quantitative and qualitative approaches to risk assessment. Hence, the proposed model is coined the Combined Risk Assessment Model (C-RAM). C-RAM incorporates a literal estimation of the identified security risks through a checklist and a mathematical evaluation of risk probability. This model is adapted from the international standards for risk management (ISO 31000) and information security management (ISO 27002), and from studies of information security risk management and risk assessment. The processes in C-RAM include risk identification, risk rating, risk calculation and result reporting. In order to interpret and apply the model, a prototype of risk assessment for information security was developed. Through this prototype, feedback from experts in information security and risk management was sought through a qualitative approach using semi-structured interviews to evaluate the proposed model. The data collected from the participants was transcribed verbatim and coded sentence by sentence in order to identify the themes and subthemes. Thus, a thematic analysis of the data was done manually in accordance with the responses provided by the participants. The feedback from experts supported the proposed model, and the experts agreed with the combination of the qualitative and quantitative risk assessment methods. The implementation of C-RAM can assist organizations in performing adequate risk assessment in order to manage information security impacts from natural and causal risks. C-RAM contributes to the significance of information security risk assessment/management studies in terms of research and practices. It can help organizations to manage and assess their information security risks for good decision-making purposes. [en_US]
dc.description.callnumber: t HM 1101 D588C 2017 [en_US]
dc.description.degreelevel: Master
dc.description.identifier: Thesis : Combined risk assessment model (C-RAM) for organizational information security /by Balla Moussa Dioubate [en_US]
dc.description.identity: t11100362075BallaMoussaDioubate [en_US]
dc.description.kulliyah: Kulliyyah of Information and Communication Technology [en_US]
dc.description.notes: Thesis (MIT)--International Islamic University Malaysia, 2017. [en_US]
dc.description.physicaldescription: xiii, 101 leaves :ill. ;30cm. [en_US]
dc.description.programme: Master in Information Technology [en_US]
dc.identifier.uri: https://studentrepo.iium.edu.my/handle/123456789/9588
dc.identifier.url: https://lib.iium.edu.my/mom/services/mom/document/getFile/SWokSuWrMuXJlB6kZ9Dd7djXXGjia2te20171017120813754
dc.language.iso: en [en_US]
dc.publisher: Gombak, Selangor :International Islamic University Malaysia,2017 [en_US]
dc.rights: Copyright International Islamic University Malaysia
dc.subject.lcsh: Risk assessment [en_US]
dc.subject.lcsh: Risk management [en_US]
dc.title: Combined Risk Assessment Model (C-RAM) for organizational information security [en_US]
dc.type: Master Thesis [en_US]
dspace.entity.type: Publication

Files

Original bundle

Name: t11100362075BallaMoussaDioubate_SEC_24.pdf
Size: 553.8 KB
Format: Adobe Portable Document Format
Description: 24 pages file

Name: t11100362075BallaMoussaDioubate_SEC.pdf
Size: 1.87 MB
Format: Adobe Portable Document Format
Description: Full text secured file
