An Integrated Approach to Security Risk Management for IT-Intensive Organizations

Journal of Information Assurance and Security (2011)

Abstract
Security risk management is becoming increasingly important in a variety of areas related to information technology (IT), such as telecommunications, cloud computing, and banking information systems. In this paper, we develop a systematic quantitative framework for security risk management in IT-intensive organizations. This framework provides a unified viewpoint from which to consider a wide array of security risk factors that can disrupt business continuity. Our approach integrates the three phases of security risk management, namely risk modeling, assessment, and control/mitigation, through a formulation based on directed graphs, cascades of failures, and dynamic programming. We consider how security events can propagate through an organization and how resource allocation decisions can be made in order to optimally mitigate the amount of damage they cause. The applicability and effectiveness of our framework are demonstrated through a simple numerical study, which shows significant cost reductions when compared to heuristic methods.
Keywords
security risk management, risk modeling, risk assessment, risk mitigation, resource allocation