University of Twente Student Theses
Residual risk management : a quantitative approach to information security
Roos, J. (2008) Residual risk management : a quantitative approach to information security.
![[img]](http://essay.utwente.nl/style/images/fileicons/application_pdf.png) |
PDF
2MB |
| Abstract: | Companies have become increasingly dependent on the correct operation of their information and communication systems. While business environments become more complex and volatile, losses increase because of mismanagement of (information) security and because of companies failing to perform effective risk management [2, 122]. Managing this information risk is not just a matter of implementing good practices'. Sometimes, more risk will be present than acceptable and additional countermeasures have to be chosen to bring the risk down to an acceptable level. This brings forward the need for a method that gives control over, and a more detailed insight in the residual information risk of an organisation. This thesis focusses on a quantitative approach to residual risk management in contrast to a qualitative approach. Earlier generations of quantitative approaches had the drawbacks of being excessively complex, unable to deal with uncertainty and being highly dependent on the availability of (sparse) information. Failing to generate useful results because of these drawbacks, the quantitative approach got the bad reputation of being overly complex, resource intensive and giving incorrect claims of loss and damage. Nevertheless, the currently often used qualitative approaches do not give the desired results in all situations, indicating the need for a different approach. By adding an applicable (quantitative) computational method to a suitable (qualitative) risk assessment methodology, we try to get insight in the usability of a quantitative approach in the current residual information risk management practice. By conducting expert interviews and by doing extensive literature review, requirements have been formulated on the applicability of a computational method and on the suitability of current risk assessment methodologies. |
| Item Type: | Essay (Master) |
| Faculty: | EEMCS: Electrical Engineering, Mathematics and Computer Science |
| Subject: | 85 business administration, organizational science |
| Programme: | Business Information Technology MSc (60025) |
| Link to this item: | https://purl.utwente.nl/essays/58106 |
| Export this item as: | BibTeX EndNote HTML Citation Reference Manager |
Show download statistics for this publication
Show download statistics for this publicationRepository Staff Only: item control page