WIT Press


Key Issues In The Development Of Risk Analysis Methodologies And Tools

Price

Free (open access)

Volume

82

Pages

10

Published

2005

Size

326 kb

Paper DOI

10.2495/SAFE050131

Copyright

WIT Press

Author(s)

G. Carducci, P. Migliaccio & E. Montolivo

Abstract

This paper describes the real-world experience of the authors, who in the past three years have been involved in a project aiming at the definition of a risk analysis methodology and at the development of an automated risk management tool (named Defender Manager©) which is suitable for information security applications.

Keywords: risk analysis, risk management, information security, threats, vulnerabilities.

1 Introduction

Risk analysis is the process of estimating potential losses that may result from the occurrence of certain threats. It forms the basis for establishing a cost-effective risk management program suitable to reduce these losses to an acceptable level. Despite risk analysis usually being considered the only consistent approach to the selection of the most appropriate safeguards, a well-defined and largely accepted risk analysis methodology suitable for information security applications (including the information and communication technology scenarios) is still lacking, and even the taxonomy in this sector is often a little confusing.

This paper describes the real-world experience of the authors, who in the past three years have been involved in a project aiming at the definition of a risk analysis methodology and at the development of a proprietary automated risk management tool (named Defender Manager©) suitable for information security applications. Key issues in the definition of risk analysis methodologies, as they arose during the project, are analysed. These include: defining a taxonomy for threats, attacks, vulnerabilities and risk; defining a metric for rating vulnerabilities and safeguards; building a database of threats, attacks and

Keywords

risk analysis, risk management, information security, threats, vulnerabilities.