Printed from https://ideas.repec.org/a/wly/syseng/v5y2002i4p286-314.html

Assessing and managing risks to information assurance: A methodological approach

Author

  • Gregory A. Lamm
  • Yacov Y. Haimes

Abstract

Recent events such as the September 11th attack, the Yahoo! denial-of-service attack, the I Love You virus, and the Code Red worm have sparked a dramatic interest in assuring the future security of information infrastructures. Information systems are increasingly interconnected, interdependent, and complex. Information assurance (IA) attempts to answer critical questions of trust and credibility associated with our digital environment. It presents myriad considerations and decisions that transcend many dimensions: technological advancement, legal, political, economic, social, cultural, institutional, organizational, and educational. Despite the millions of dollars spent on firewalls, encryption technologies, and intrusion detection software, information infrastructure vulnerabilities and disruptive incidents continue. These trends have a significant impact on military operations now and for the next decades. This paper identifies and develops a methodological framework for assessing and managing IA risks. The methodology is based on the systems engineering design process as well as on the guiding principles of risk assessment and management. It builds on hierarchical holographic modeling (HHM) and risk filtering, ranking, and management (RFRM). HHM identifies a plethora of risk scenarios and sources of risk that are innate in current complex information systems. The flexibility of the HHM philosophy permits limitless representations of systems perspectives, constrained only by the knowledge, creativity, and imagination of the analyst and the appropriateness of the modeling efforts. RFRM is an eight-phase process that filters the hundreds of risk scenarios down to a manageable few (10–20), and ranks them. The risk management phase then identifies the acceptable policy options and analyzes the tradeoffs among them by using quantifiable risk management tools. This process analyzes the wealth of statistical data on losses due to system failures, to intrusions, or to vulnerabilities of information assurance. © 2002 Wiley Periodicals, Inc. Syst Eng 5: 286–314, 2002
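The abstract describes a pipeline of three steps: generate many risk scenarios (HHM), filter and rank them down to a manageable few (RFRM), then compare policy options on a quantified trade-off. The Python below is an added illustration of those three steps and is not code from the paper; it does not reproduce the eight RFRM phases. It represents each scenario as the Kaplan–Garrick triplet (what can go wrong, how likely, with what consequence) from reference 2 below, tagged with the HHM head topic it came from. The qualitative scales, the filter threshold on the likelihood/consequence matrix, the scenario list with its event rates and losses, and the policy options with their costs and rate reductions are all constructed for this example; the trade-off step returns the Pareto-nondominated options on cost versus residual expected annual loss.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# A Scenario is a Kaplan-Garrick risk triplet (what can go wrong, how likely,
# with what consequence) tagged with the HHM head topic it was generated under.
# All scenarios, scales, rates and losses below are constructed for this
# example; they are not data from the paper.
@dataclass(frozen=True)
class Scenario:
    name: str
    perspective: str      # HHM head topic (technology, people, process, ...)
    likelihood: str       # qualitative, one of LIKELIHOOD
    consequence: str      # qualitative, one of CONSEQUENCE
    annual_rate: float    # assumed events per year, used for quantitative ranking
    loss: float           # assumed loss per event, USD

LIKELIHOOD = ("rare", "unlikely", "possible", "likely", "frequent")
CONSEQUENCE = ("minor", "moderate", "major", "severe", "catastrophic")

SCENARIOS: List[Scenario] = [
    Scenario("Phishing credential theft", "people", "frequent", "moderate", 4.0, 60_000),
    Scenario("Unpatched web server exploited", "technology", "likely", "major", 1.0, 400_000),
    Scenario("Insider data exfiltration", "people", "unlikely", "severe", 0.1, 2_000_000),
    Scenario("DoS on public portal", "technology", "likely", "moderate", 2.0, 30_000),
    Scenario("Backup tapes lost in transit", "process", "rare", "major", 0.02, 500_000),
    Scenario("Printer firmware bug", "technology", "rare", "minor", 0.05, 1_000),
    Scenario("Worm propagation via file shares", "technology", "possible", "severe", 0.3, 1_500_000),
    Scenario("IDS signature contract lapses", "organizational", "possible", "minor", 0.5, 5_000),
]

@dataclass(frozen=True)
class PolicyOption:
    name: str
    cost: float                                   # assumed one-off cost, USD
    # scenario name -> fraction of that scenario's event rate that remains
    rate_factor: Dict[str, float] = field(default_factory=dict)

OPTIONS: List[PolicyOption] = [   # constructed options, not the paper's
    PolicyOption("Accept current risk", 0.0),
    PolicyOption("MFA rollout", 80_000,
                 {"Phishing credential theft": 0.2, "Insider data exfiltration": 0.7}),
    PolicyOption("Patch SLA plus WAF", 120_000,
                 {"Unpatched web server exploited": 0.25, "Worm propagation via file shares": 0.5}),
    PolicyOption("Network segmentation", 200_000,
                 {"Worm propagation via file shares": 0.2, "Insider data exfiltration": 0.5}),
    PolicyOption("Awareness training only", 150_000, {"Phishing credential theft": 0.8}),
]

def passes_filter(s: Scenario, threshold: int = 4) -> bool:
    """Assumed bicriteria filter on a 5x5 likelihood/consequence matrix: keep the
    scenario when the sum of its two scale indices reaches the threshold."""
    return LIKELIHOOD.index(s.likelihood) + CONSEQUENCE.index(s.consequence) >= threshold

def expected_annual_loss(s: Scenario) -> float:
    return s.annual_rate * s.loss

def filter_and_rank(scenarios: List[Scenario], threshold: int = 4, keep: int = 20) -> List[Scenario]:
    """Filter then rank: drop scenarios below the matrix threshold, order the rest
    by expected annual loss (ties broken by name) and keep at most `keep` of them."""
    survivors = [s for s in scenarios if passes_filter(s, threshold)]
    survivors.sort(key=lambda s: (-expected_annual_loss(s), s.name))
    return survivors[:keep]

def residual_loss(scenarios: List[Scenario], option: PolicyOption) -> float:
    """Expected annual loss over `scenarios` after applying an option's rate reductions."""
    return sum(expected_annual_loss(s) * option.rate_factor.get(s.name, 1.0) for s in scenarios)

def pareto_options(scenarios: List[Scenario], options: List[PolicyOption]) -> List[Tuple[str, float, float]]:
    """Cost-versus-residual-risk trade-off: return the non-dominated options as
    (name, cost, residual_loss), cheapest first. An option is dominated when some
    other option costs no more, leaves no more risk, and is strictly better on one."""
    points = [(o.name, o.cost, residual_loss(scenarios, o)) for o in options]
    frontier = []
    for name, cost, res in points:
        dominated = any(
            c2 <= cost and r2 <= res and (c2 < cost or r2 < res)
            for n2, c2, r2 in points if n2 != name
        )
        if not dominated:
            frontier.append((name, cost, res))
    return sorted(frontier, key=lambda p: p[1])

if __name__ == "__main__":
    ranked = filter_and_rank(SCENARIOS)
    print(f"{len(SCENARIOS)} scenarios -> {len(ranked)} after filtering")
    for s in ranked:
        print(f"  {expected_annual_loss(s):>12,.0f}  {s.name} [{s.perspective}]")
    for name, cost, res in pareto_options(ranked, OPTIONS):
        print(f"  option {name!r}: cost {cost:,.0f}, residual expected loss {res:,.0f}")
```

The filter is deliberately coarse: it removes low-likelihood, low-consequence scenarios before any numbers are spent on them, which is the point of filtering hundreds of HHM-generated scenarios before ranking. The trade-off step only compares single options; combinations would be added as further PolicyOption entries with their combined cost and factors.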

Suggested Citation

  • Gregory A. Lamm & Yacov Y. Haimes, 2002. "Assessing and managing risks to information assurance: A methodological approach," Systems Engineering, John Wiley & Sons, vol. 5(4), pages 286-314.
  • Handle: RePEc:wly:syseng:v:5:y:2002:i:4:p:286-314
    DOI: 10.1002/sys.10030

    Download full text from publisher

    File URL: https://doi.org/10.1002/sys.10030
    Download Restriction: no

    File URL: https://libkey.io/10.1002/sys.10030?utm_source=ideas
    LibKey link: if access is restricted and if your library uses this service, LibKey will redirect you to where you can use your library subscription to access this item

    References listed on IDEAS

    1. M. Granger Morgan & H. Keith Florig & Michael L. DeKay & Paul Fischbeck, 2000. "Categorizing Risks for Risk Ranking," Risk Analysis, John Wiley & Sons, vol. 20(1), pages 49-58, February.
    2. Stanley Kaplan & B. John Garrick, 1981. "On The Quantitative Definition of Risk," Risk Analysis, John Wiley & Sons, vol. 1(1), pages 11-27, March.
    3. Stan Kaplan & Yacov Y. Haimes & B. John Garrick, 2001. "Fitting Hierarchical Holographic Modeling into the Theory of Scenario Structuring and a Resulting Refinement to the Quantitative Definition of Risk," Risk Analysis, John Wiley & Sons, vol. 21(5), pages 807-807, October.
    4. Yacov Y. Haimes & Stan Kaplan & James H. Lambert, 2002. "Risk Filtering, Ranking, and Management Framework Using Hierarchical Holographic Modeling," Risk Analysis, John Wiley & Sons, vol. 22(2), pages 383-397, April.

    Citations

    Cited by:

    1. James H. Lambert & Rachel K. Jennings & Nilesh N. Joshi, 2006. "Integration of risk identification with business process models," Systems Engineering, John Wiley & Sons, vol. 9(3), pages 187-198, September.
    2. Sean S. Baggott & Joost R. Santos, 2020. "A Risk Analysis Framework for Cyber Security and Critical Infrastructure Protection of the U.S. Electric Power Grid," Risk Analysis, John Wiley & Sons, vol. 40(9), pages 1744-1761, September.
    3. Tarashevskyi Maksym, 2018. "The analysis of methodical approaches of the risk assessment organization," Technology audit and production reserves, Socionet, vol. 3(4(41)), pages 34-40.
    4. Avner Engel & Miryam Barad, 2003. "A methodology for modeling VVT risks and costs," Systems Engineering, John Wiley & Sons, vol. 6(3), pages 135-151.
    5. Srivastava, Rajendra P. & Kogan, Alexander, 2010. "Assurance on XBRL instance document: A conceptual framework of assertions," International Journal of Accounting Information Systems, Elsevier, vol. 11(3), pages 261-273.

    Most related items

    These are the items that most often cite the same works as this one and are cited by the same works as this one.
    1. Barry M. Horowitz & Yacov Y. Haimes, 2003. "Risk‐based methodology for scenario tracking, intelligence gathering, and analysis for countering terrorism," Systems Engineering, John Wiley & Sons, vol. 6(3), pages 152-169.
    2. James H. Lambert & Rachel K. Jennings & Nilesh N. Joshi, 2006. "Integration of risk identification with business process models," Systems Engineering, John Wiley & Sons, vol. 9(3), pages 187-198, September.
    3. James H. Lambert & Benjamin L. Schulte & Priya Sarda, 2005. "Tracking the complexity of interactions between risk incidents and engineering systems," Systems Engineering, John Wiley & Sons, vol. 8(3), pages 262-277, September.
    4. Hong Sun & Fangquan Yang & Peiwen Zhang & Yunxiang Zhao, 2023. "Flight Training Risk Identification and Assessment Based on the HHM-RFRM Model," Sustainability, MDPI, vol. 15(2), pages 1-20, January.
    5. Ioanna Ioannou & Jaime E. Cadena & Willy Aspinall & David Lange & Daniel Honfi & Tiziana Rossetto, 2022. "Prioritization of hazards for risk and resilience management through elicitation of expert judgement," Natural Hazards: Journal of the International Society for the Prevention and Mitigation of Natural Hazards, Springer, vol. 112(3), pages 2773-2795, July.
    6. Maria Leung & James H. Lambert & Alexander Mosenthal, 2004. "A Risk‐Based Approach to Setting Priorities in Protecting Bridges Against Terrorist Attacks," Risk Analysis, John Wiley & Sons, vol. 24(4), pages 963-984, August.
    7. Barry Charles Ezell, 2007. "Infrastructure Vulnerability Assessment Model (I‐VAM)," Risk Analysis, John Wiley & Sons, vol. 27(3), pages 571-583, June.
    8. Wenjun Zhang & Yingjun Zhang & Weiliang Qiao, 2022. "Risk Scenario Evaluation for Intelligent Ships by Mapping Hierarchical Holographic Modeling into Risk Filtering, Ranking and Management," Sustainability, MDPI, vol. 14(4), pages 1-18, February.
    9. Elizabeth B. Connelly & Lisa M. Colosi & Andres F. Clarens & James H. Lambert, 2015. "Risk Analysis of Biofuels Industry for Aviation with Scenario‐Based Expert Elicitation," Systems Engineering, John Wiley & Sons, vol. 18(2), pages 178-191, March.
    10. Yacov Y. Haimes & Stan Kaplan & James H. Lambert, 2002. "Risk Filtering, Ranking, and Management Framework Using Hierarchical Holographic Modeling," Risk Analysis, John Wiley & Sons, vol. 22(2), pages 383-397, April.
    11. Yacov Y. Haimes, 2012. "Systems‐Based Guiding Principles for Risk Modeling, Planning, Assessment, Management, and Communication," Risk Analysis, John Wiley & Sons, vol. 32(9), pages 1451-1467, September.
    12. Matthew H. Henry & Yacov Y. Haimes, 2009. "A Comprehensive Network Security Risk Model for Process Control Networks," Risk Analysis, John Wiley & Sons, vol. 29(2), pages 223-248, February.
    13. Amro Nasr & Oskar Larsson Ivanov & Ivar Björnsson & Jonas Johansson & Dániel Honfi, 2021. "Towards a Conceptual Framework for Built Infrastructure Design in an Uncertain Climate: Challenges and Research Needs," Sustainability, MDPI, vol. 13(21), pages 1-19, October.
    14. Yacov Y. Haimes & Alfred Anderegg, 2015. "Sequential Pareto‐Optimal Decisions Made During Emergent Complex Systems of Systems: An Application to the FAA NextGen," Systems Engineering, John Wiley & Sons, vol. 18(1), pages 28-44, January.
    15. Clyde Chittister & Yacov Y. Haimes, 2010. "Harmonizing high performance computing (HPC) with large‐scale complex systems in computational science and engineering," Systems Engineering, John Wiley & Sons, vol. 13(1), pages 47-57, March.
    16. Jalal Ali & Joost R. Santos, 2015. "Modeling the Ripple Effects of IT‐Based Incidents on Interdependent Economic Systems," Systems Engineering, John Wiley & Sons, vol. 18(2), pages 146-161, March.
    17. Henrik Hassel & Alexander Cedergren, 2019. "Exploring the Conceptual Foundation of Continuity Management in the Context of Societal Safety," Risk Analysis, John Wiley & Sons, vol. 39(7), pages 1503-1519, July.
    18. Kenneth G. Crowther & Yacov Y. Haimes, 2005. "Application of the inoperability input—output model (IIM) for systemic risk assessment and management of interdependent infrastructures," Systems Engineering, John Wiley & Sons, vol. 8(4), pages 323-341.
    19. Yacov Y Haimes, 2012. "Strategic Preparedness for Recovery from Catastrophic Risks to Communities and Infrastructure Systems of Systems," Risk Analysis, John Wiley & Sons, vol. 32(11), pages 1834-1845, November.
    20. Michael J. Pennock & Yacov Y. Haimes, 2002. "Principles and guidelines for project risk management," Systems Engineering, John Wiley & Sons, vol. 5(2), pages 89-108.

    Provider: Wiley Content Delivery, https://doi.org/10.1002/(ISSN)1520-6858

    IDEAS is a RePEc service. RePEc uses bibliographic data supplied by the respective publishers.