Proactively Managing Security Risk
Naresh Verma, Yih Huang, and Arun Sood

The information technology revolution has changed the way business is transacted, governments operate, and national defense is conducted. Protecting these systems is essential, yet despite continuous protection efforts the number of reported security incidents has grown exponentially. Threats come from hackers, spies, corporate raiders, terrorists, professional criminals, and vandals -- all of whom have a vested interest and well-defined objectives in attacking the technology for financial or political gain, causing damage to the enterprise infrastructure.

Proactively Managing Security Risk 2007-11-14
BelSec
I've read this paper with great interest; however, I don't feel that this way of approaching risk holds up in a corporate environment. I feel that the approach views threats only as coming from the outside, while different studies have already proven that inside threats are just as, if not more, important to consider. I think risk modelling as laid out in the OSSTMM framework, where all vectors are considered, is a more viable way of assessing risk for a specific component in an information infrastructure.

An example: if a server is reachable on port 80 with user/password authentication only, the risk is higher than when it is reachable over port 443 with client/server authentication based on certificates and user authentication based on tokens.

Proactively Managing Security Risk 2008-01-04
Anonymous Coward (1 replies)
Copyright 2008, SecurityFocus