Two-Dimensional Qualitative Asset Analysis Method based on Business Process-Oriented Asset Evaluation

  • Eom, Jung-Ho (Department of Information and Communication Engineering, Sungkyunkwan University) ;
  • Park, Seon-Ho (Department of Information and Communication Engineering, Sungkyunkwan University) ;
  • Kim, Tae-Kyung (Department of Information and Communication Engineering, Sungkyunkwan University) ;
  • Chung, Tai-Myoung (Department of Information and Communication Engineering, Sungkyunkwan University)
  • Published : 2005.12.01

Abstract

This paper presents an asset analysis methodology that combines two-dimensional asset classification with qualitative evaluation according to the business process. Most existing risk analysis methodologies and tools classify assets by type and evaluate them physically by quantitative methods. Our research instead focuses on qualitative evaluation with two-dimensional asset classification: it converts a quantitative asset value (purchase cost, recovery and exchange cost, etc.) into a qualitative value that takes into account factors specific to the business process. In the first phase, we classify IT assets into tangible and intangible assets, including human and information data assets, and evaluate their value; the quantitative value is then converted to a qualitative value using a conversion standard table. In the second phase, we reclassify the assets using two-dimensional classification factors that reflect the business process and apply weights to the first-phase results. The method therefore reflects the organization's characteristics, its IT asset structure and its business process, so that a concrete and substantial asset value can be assigned in correspondence with the organization's business process, even for assets of the same type.
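The following is an added illustration of the two-phase method described in the abstract; it is not code from the paper, and the conversion bands, the two classification factors (supported business process and degree of dependency), the weight values and the sample assets are all assumptions made for this example, since the paper's actual tables are not reproduced on this page. What it shows is the point the abstract ends on: two assets of the same type and the same quantitative cost receive different final values once the business-process weights are applied.

```python
"""Two-phase qualitative asset evaluation (added example, not the paper's code).

Phase 1: quantitative value (purchase + recovery + exchange cost, assumed sum)
         -> qualitative level 1..5 via an assumed conversion standard table.
Phase 2: reclassify by two assumed business-process factors (supported process,
         dependency) and weight the phase-1 level, clamped back to 1..5.
"""
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    kind: str                  # "tangible" or "intangible"
    purchase_cost: float = 0.0
    recovery_cost: float = 0.0
    exchange_cost: float = 0.0
    process: str = ""          # assumed 2-D factor 1: business process supported
    dependency: str = "low"    # assumed 2-D factor 2: "low" | "medium" | "high"

    def quantitative_value(self) -> float:
        # Assumed: the three cost components are simply summed.
        return self.purchase_cost + self.recovery_cost + self.exchange_cost


# Assumed conversion standard table: (upper bound of band, qualitative level).
# Currency units are arbitrary; bands are inclusive of their upper bound.
CONVERSION_BANDS = [
    (1_000, 1),
    (10_000, 2),
    (100_000, 3),
    (1_000_000, 4),
    (float("inf"), 5),
]

# Assumed phase-2 weights. A process the organization cannot operate without
# scores above 1.0; a convenience process scores below it.
PROCESS_CRITICALITY = {"order-settlement": 1.5, "internal-wiki": 0.8}
DEPENDENCY_WEIGHT = {"low": 0.8, "medium": 1.0, "high": 1.3}

LEVEL_MIN, LEVEL_MAX = 1, 5


def to_qualitative(value: float) -> int:
    """Phase 1b: map a quantitative value onto the conversion table."""
    if value < 0:
        raise ValueError("asset value cannot be negative")
    for upper, level in CONVERSION_BANDS:
        if value <= upper:
            return level
    raise AssertionError("unreachable: last band is unbounded")


def weighted_value(asset: Asset) -> int:
    """Phase 2: apply the two business-process factors to the phase-1 level.

    Unknown processes get weight 1.0 so an incomplete inventory still evaluates.
    The product is rounded and clamped to the 1..5 scale (none of the sample
    values land on an exact .5, so Python's banker's rounding does not matter).
    """
    base = to_qualitative(asset.quantitative_value())
    weight = PROCESS_CRITICALITY.get(asset.process, 1.0) * DEPENDENCY_WEIGHT[asset.dependency]
    return max(LEVEL_MIN, min(LEVEL_MAX, round(base * weight)))


def evaluate(assets: list[Asset]) -> dict[str, tuple[int, int]]:
    """Return {asset name: (phase-1 level, phase-2 weighted level)}."""
    return {a.name: (to_qualitative(a.quantitative_value()), weighted_value(a)) for a in assets}


def sample_inventory() -> list[Asset]:
    """Constructed sample data: two identical servers on different processes,
    plus an intangible information asset valued only by its recovery cost."""
    return [
        Asset("db-server-A", "tangible", 20_000, 5_000, 5_000, "order-settlement", "high"),
        Asset("db-server-B", "tangible", 20_000, 5_000, 5_000, "internal-wiki", "low"),
        Asset("customer-records", "intangible", 0, 400_000, 0, "order-settlement", "high"),
    ]


if __name__ == "__main__":
    for name, (base, weighted) in evaluate(sample_inventory()).items():
        print(f"{name:18s} phase-1 level {base}  phase-2 weighted level {weighted}")
```

Both servers are the same asset type with the same 30,000 in costs and so land on the same phase-1 level; only the second phase separates the one carrying order settlement from the one serving the wiki. Swapping in the organization's real conversion table and weight values is the only change needed to use the structure on a genuine inventory.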

Cited by

  1. A comprehensive security control selection model for inter-dependent organizational assets structure vol.23, pp.2, 2015, https://doi.org/10.1108/ICS-12-2013-0090