Quantitative Risk Management: a Survey of Adaptive Approaches to Risk Management for Information and Communication Systems
International Journal of u- and e- Service, Science and Technology
Over the last few years, perspectives in information security have been drawn, to a large extent, by risk management. The extensive use of risk management methodologies in organizations relying on an IT infrastructure proves the potential of the practice. In this survey we discuss the characteristics of the quantitative risk management methodologies, compare them and provide an overview of how these methodologies are entwined with the concept of adaptive security. We also discuss the challenges of quantitative risk management and adaptive security models and propose reliable criteria to compare the different approaches in the literature.

Adaptive security models could rely on these measures in order to manage security efficiently and in real time. Surveys about quantitative and adaptive risk management / assessment / analysis approaches are traced in the literature [1, 2, 3]. This survey paper provides an overview of the state-of-the-art models applied to different domains, from software security to networks and communication, and establishes the link between quantitative risk management and adaptive security models. It also presents a detailed and comparative state of the art of the quantitative approaches to ICT risk management, as well as the mathematical models used to define the security metrics while measuring the risks.

In Section II we give an overview of the state of the art of quantitative risk assessment methodologies. A variety of models, their application fields, requirements and shortcomings are presented. In Section III we present the abstract mathematical models developed to measure risks and their properties in the IT field. The objectives and conditions of each model are proposed. In Section IV, the state of the art of the various security metrics used to quantify risks is given. These metrics are the parameters that are defined in order to provide a reliable method.

We argue that experts in the discipline do not agree on fundamental issues and definitions. Although standards organizations have set out concepts and methods for risk management, there seems to be a lack of consensus on terminology. Thus, the standardization effort that took place was aimed at the qualitative approaches, underlying the claim made by researchers in the 1980s that risk management cannot be considered a scientific discipline because of the uncertainties affecting the procedure. Approaches based on weak estimations of probabilities and impacts may not be reliable and could even be misleading. The scientific community has kept trying to develop methods to calculate the risk values as objectively as possible through quantitative approaches and models, in spite of the absence of a systematic terminology and the divergence in definitions.

Quantitative Risk Assessment Methodologies: State of the Art

This section discusses a selection of quantitative risk assessment methodologies in the literature. A critical and comparative approach is used to assess these methodologies. The diversity of approaches toward quantitative risk assessment is due to the absence of an established terminology in the discipline. Besides, there is a lack of a core model that integrates a wide spectrum of security issues regarding information and communication systems. Quantitative methodologies usually concentrate on one aspect of security, for example application security, project management security, or network security. The main challenge is to model all the aspects of security by creating quantitative parameters that cover all of them (like the ISO sub-categories). Hybrid risk assessment methodologies like [5, 6, 7] use a quantitative approach in their core framework. However, when the quantification metrics are taken into consideration, these methods use scales and approximations in order to quantify the attributes or metrics.

The main indicators used in this survey are:

- Risk coverage: This criterion shows whether the methodology covers different aspects of security when applied to a scope, or was developed for only one aspect.
- Cyclic risk management: This indicates whether the assessment methodology is designed to be used in a risk management cycle, or whether it is an independent risk assessment technique.
- Complexity: This indicates whether the methodology can be used immediately in an enterprise environment, or whether it is too complex and time consuming to be put into practice.
- Quantification parameters: This category lists the different parameters used to quantify the risks and how these parameters are used in the process.