
Proceedings of the International Multiconference on Computer Science and Information Technology, pp. 617-628
ISSN 1896-7094, 2007 PIPS

Integrated, Business-Oriented, Two-Stage Risk Analysis

Andrzej Białas, Krzysztof Lisek

Institute of Innovations and Information Society, 40-954 Katowice, ul. Wita Stwosza 7, Poland
{Andrzej.Bialas, Krzysztof.Lisek}@insi.pl

Abstract: This paper presents an integrated, business-oriented, two-stage risk analysis method related to the Information Security Management Systems (ISMS) concept. The current state of the work is presented, including risk analysis methods and their implementation. The concept assumes the integration of preliminary overviews as well as high- and low-level risk analyses. High-level risk analysis works with the needs of business processes and presents the criticality of these processes. Low-level risk analysis works with assets and selects safeguards in a cost-effective manner. It is assumed that the presented risk analysis concept can be used in other management systems: business continuity and IT services management. The paper summarizes the current state of the work and defines its further directions.

Keywords: Information security management, Risk analysis.

1 Introduction

The paper presents a business-oriented approach to risk management for information and e-business management. Risk management is a significant part of the extended version of the ISMS framework [1], [2], based on the PDCA (Plan-Do-Check-Act) scheme.

Present-day Information and Communication Technologies (ICT) are widely used for the management of large businesses, critical information infrastructures, or emerging e-services, upholding e-business, e-government or e-health applications. This situation demands technically and economically efficient solutions that should provide the right assurance for their stakeholders and users. Such demands can be satisfied by a common approach which takes into account:
- the needs of business processes with respect to information and e-services security,
- effective use of ICT providing managed IT services for business processes,
- detailed risk characteristics, including cost/benefit aspects,
- dependable and trustworthy solutions providing the right assurance.

Most of these issues are addressed in information security management systems, where all activities concerning information security are based on risk analysis. Risk analysis is the key to establishing a cost-effective and business-oriented management system. For this reason, the authors have developed a new approach to risk management with the following main assumptions:
- the possibility to thoroughly recognize business processes and management expectations;
- gradation of business processes with respect to security;
- an enhanced, two-stage, UML-model-based risk analysis that allows the risk to be assessed according to qualitative and/or quantitative measures, with a built-in ROI (Return on Investment) type mechanism that allows different safeguards to be selected;
- compliance with the risk management requirements contained in ISO/IEC 27001 [1] and further requirements which will be contained in ISO 27005 (currently under development).

The concept of a two-stage risk analysis for risk-based information and e-services security management has been elaborated on the basis of:
- a study of the needs and requirements of various organizations,
- an analysis of the current state of standards, legal requirements and technology (an overview of existing methodologies and tools),
- experiences gathered during deployment and case studies prepared in the course of the specific targeted project "Complex information and services security management system" [3].

The paper presents a holistic approach to risk management which allows a business-oriented and highly integrated risk analysis to be created. The paper also summarizes the current state of the work and defines its directions for the nearest future.

2 Needs and Requirements for Business-Oriented Risk Analysis Compatible with ISO/IEC 27001

Modern organizations which want to ensure the information security of their assets need to establish and maintain effective information security management systems. These systems, in turn, must integrate a well-balanced set of safeguards selected on the basis of the existing risks and business needs. Thus the following requirements were formulated to better specify the characteristics and needs of organizations for a risk analysis compatible with ISO/IEC 27001:
- a top-down approach beginning from preliminary organization overviews, analyses of the security needs of business processes, and high- and low-level risk analyses; the implemented ISMS is refined step by step but still focuses on business needs [4, 5];
- identification of the needs of business processes and the criticality of these processes;
- identification of the basic factors influencing the security of each asset related to the given business process, e.g. possible threats, possible vulnerabilities, environment;
- the possibility to select cost-effective safeguards and create a risk treatment plan;
- the possibility to use some elements of the risk analysis in the risk management part of business continuity management and IT services management contained in the Integrated Security Platform (ISP) [4].

3 Summarizing the Current State of the Art

The development of risk analysis requires an extensive study of the current state of the art, including all available risk management standards, recommendations, best practices, guidelines, case studies, methodologies, their implementations and renowned supporting tools, particularly:
- key standards dealing with information security management systems, i.e. ISO/IEC 27001 and ISO/IEC 17799 (now ISO/IEC 27002), to properly understand the ISMS implementation requirements in the field of risk management;
- auxiliary documents, i.e. IT security and risk management methodologies, such as ISO/IEC [6], US NIST publications [7], German IT-Grundschutz [8], to supplement or extend the risk analysis features and facilities; the motivation for a two-stage risk analysis methodology (called the combined approach) is discussed in [6];
- the state of the art in business process modelling, to identify its relationships with the above-mentioned management systems, especially information security and IT services; business orientation is the key issue for the risk analysis;
- methods and tools related to risk management in the information security domain;
- ICT and general technical issues (communication protocols, network equipment, cryptographic applications, physical protection) as a context of risk management;
- business continuity management, e.g. [9], IT services management [10], [11], as well as quality, environmental, occupational safety and health management systems which coexist in the organization, to better understand risk management requirements in such systems;
- potential sources of statistical information on threats, to serve as input data in risk analysis.

There are a number of tools, like Cobra [12], Cora [13], Coras [14], Cramm [15], Ebios [16], Ezrisk [17], Mehari (Risicare) [18], Octave [19], and Riskpack [20], that specialize in risk management. However, they do not cover all aspects of business-oriented risk analysis compatible with ISO/IEC 27001. They focus on IT aspects only or do not set enough store by the significance of the business process for the organization. Ebios can perform a detailed risk factor analysis but cannot operate on monetary values during the risk analysis. Cora can perform the ROI analysis. There is a UML-based advanced model of risk implemented in Coras, which uses the safety risk management methods (Hazop, FME(C)A, FTA) and allows a simple causality analysis. The available risk analysis methods focus rather on a detailed risk analysis for the whole of the ICT systems in the organization. Only [8], [21] assume the implementation of the combined approach [5], which allows the identification of security domains with similar security requirements during the preliminary high-level risk analysis. In the further course of the process, this approach also allows a detailed risk analysis to be performed only for the critical domains, and baseline protection to be applied for the others. Thanks to this approach it is possible to avoid a costly detailed risk analysis for the entire organization; however, it is not fully compatible with ISO/IEC 27001.

Please note that the asset inventories that focus on risk management are different from those that focus on security, business continuity or IT services management. Additionally, there are some differences between risk analysis requirements in such systems. Mehari and its Risicare risk supporting tool are able to identify relationships between IT service quality and risk value.

Risk analysis also needs some sources of information about threats. This information helps to prepare a better risk analysis based, to the highest possible extent, on real factors. Currently, these sources are scattered and the information has to be obtained from different places, e.g. information about current levels of threat in the Internet can be obtained from the Polish CERT [22].

There are a few risk analysis methods and tools, but each of them is only partially compliant with the optimum risk analysis characteristics described above. The review of the current state of technology, including standards, best practices, methods and tools, helped to select the most useful features for risk analysis and to develop new features, especially in terms of business flexibility and usability.

4 Concept of Business-Oriented Risk Analysis

Information security management, safeguards selection, and incident management are based on a fundamental risk analysis. According to ISMS requirements, every asset of the organization should be identified. Moreover, for each of these assets it is necessary to identify the threats, vulnerabilities and impacts that may cause losses of information confidentiality, integrity and availability. In the end, a satisfactory risk treatment plan should be made. Although such a risk analysis is compliant with the ISO/IEC 27001 requirement, such risk management is too flat in relation to today's business needs. In modern organizations, the management focuses on business processes, their optimization and security [23]. Therefore, modern risk analysis also should be business-oriented and should include business processes in the risk assessment approach.

[Fig. 1 (UML class diagram "Risk analysis model"): the business-oriented, two-stage risk analysis is composed of a high-level risk analysis and a low-level risk analysis.]

Fig. 1. Business-oriented, two-stage risk analysis.

The results of the preliminary business analysis conducted in the above-mentioned specific targeted project [3] allow a concept of business-oriented risk analysis to be defined which carries out a holistic approach to all aspects of risk management, as shown in Fig. 1.

The two-stage risk analysis concept is based on earlier works [4], [5]. During the development process new factors and an integrated method of safeguards selection were added. The factors are responsible for visualizing a mutual relation between business processes and assets. The risk analysis divides all tasks connected with risk management into two stages: one for the tasks connected with the security assessment of business processes (high-level risk analysis) and the second for the tasks connected with the security assessment of assets related to these business processes, to perform the risk treatment and the selection of safeguards (low-level risk analysis).

4.1 High-Level Risk Analysis

High-level risk analysis comprises the first phase of the risk management process and determines the level of information security risk for each business process recognized in the organization. This part of the analysis is responsible for creating the picture that presents the state of business process criticality for the organization with respect to information security.

During this phase of risk management every identified business process is analyzed in terms of confidentiality, availability and integrity. The analysis process is based on information obtained as a result of preliminary activities conducted prior to the analysis. Most important are the results of the general organization overview prepared in accordance with the Organization Overview Criteria (OOC) [4], as well as the results of the detailed organization overview prepared in accordance with the Basic Security Needs Criteria (BSNC), carried out in the phase of the ISMS implementation prior to risk analysis. Risk management encompasses the following steps indicating what should be done for every business domain:
1. Characterize business process criticality for the organization (C4O).
2. Characterize business domain dependency on ICT (ITDD), man dependency degree (MDD), and the dependency on other predefined criteria (xDD).
3. Identify protection needs (PN) concerning integrity, confidentiality and availability.
4. Determine business impact (BI) concerning integrity, confidentiality and availability.
5. Calculate high-level risk (HLRx) concerning integrity, confidentiality and availability.

High-level risk HLRn (where n stands for, respectively: I for integrity, C for confidentiality and A for availability) accumulates the levels of C4O, ITDD, MDD, xDD, PNn, and BIn in the following way:

$$\mathrm{HLR}_I[j] = \mathrm{C4O}[j] \;\; \mathrm{ITDD}[j] \;\; \mathrm{MDD}[j] \;\; \mathrm{xDD}[j] \;\; \mathrm{PN}_I[j] \;\; \mathrm{BI}_I[j] \quad (1)$$

$$\mathrm{HLR}_C[j] = \mathrm{C4O}[j] \;\; \mathrm{ITDD}[j] \;\; \mathrm{MDD}[j] \;\; \mathrm{xDD}[j] \;\; \mathrm{PN}_C[j] \;\; \mathrm{BI}_C[j] \quad (2)$$

$$\mathrm{HLR}_A[j] = \mathrm{C4O}[j] \;\; \mathrm{ITDD}[j] \;\; \mathrm{MDD}[j] \;\; \mathrm{xDD}[j] \;\; \mathrm{PN}_A[j] \;\; \mathrm{BI}_A[j] \quad (3)$$

Aggregated results represent the general security importance HLR of the j-th business process:

$$\mathrm{HLR}[j] = \frac{\mathrm{HLR}_I[j] + \mathrm{HLR}_C[j] + \mathrm{HLR}_A[j]}{3} \quad (4)$$

where j represents the j-th business process.

[Fig. 2 (radar diagram, scale 0-6, axes Process 1 to Process 5): two series, "Current HLR value" and "Average HLR value for organization".]

Fig. 2. Security risk map diagram.

Finally, based on the HLR[j] results, it is possible to create a security risk map (SRM) for the whole organization, presented in Fig. 2. The SRM graphically presents the calculated level of information security for each business process in relation to the average one. With the SRM, the most critical business processes for the organization can be recognized, to better perform the detailed risk analysis and risk treatment process.

4.2 Low-Level Risk Analysis

Low-level risk analysis is the next important phase of the risk management process. Its objective is to identify and determine the risk volume for each asset which is vulnerable to threats and, at the same time, exposed in the threat environment. The preliminary version [5] is enhanced and new factors, representing business security needs, are added. The risk volume is a function of the following:
- asset value,
- event possibility,
- vulnerability severity,
- efficiency of the existing or planned controls,
- special factors related to the business processes to which a given asset belongs.

The risk analysis comprises the identification of all possible risk cases and then the estimation of the risk volume. In other words, one has to identify all potential events which may have a negative influence on the organization's operations and whose source is IT systems and their environment. Then the event possibility is estimated. Other factors that have to be assessed are threat severity and the probability of its occurrence in reality. This negative influence is the so-called impact related to the loss or violation of assets. The possibility of negative events depends on many factors that have to be taken into account in the above-mentioned estimations:
- how attractive is a given asset to the potential intruder?
- what is the event possibility or frequency of occurrence?
- how easily can the asset vulnerability be exploited?
- what is the impact for a business process resulting from the loss or violation of a given asset?

Low-level risk analysis uses the information about assets gathered in the Common Assets Inventory (CAI) [4]. The most important item is the asset's business value, which says how much a given asset is worth for the organization. Risk value can be estimated by means of the Courtney method, which assumes that the risk value is the product of two factors: the occurrence rate of the event (event possibility) and the volume of its consequences. Since it is difficult to obtain reliable data on the occurrence rate, it is estimated indirectly. We propose the following: the product of threat severity (TS) and vulnerability severity (VS), with respect to their maximal values. Discrete predefined measures are used. Below, one can find a risk volume assessment method that is an extension of this concept.

Risk value (RV[i]), determined in the course of the i-th analysis and expressed with respect to an arbitrary point scale applied to estimate the value of the organization's assets, is:

$$\mathrm{RV}[i] = \frac{\mathrm{VS}[i] \cdot \mathrm{TS}[i]}{\mathrm{VS}_{MAX} \cdot \mathrm{TS}_{MAX}} \cdot \mathrm{AV}[i] \cdot \mathrm{PS}[i] \cdot \mathrm{RF}[i] \cdot \mathrm{PIF}[i] \quad (5)$$

where VS[i] is the vulnerability severity level; VS_MAX the maximum arbitrary level of vulnerability severity; TS[i] the threat severity level; TS_MAX the maximum arbitrary level of threat severity; AV[i] the asset value in points estimated in the course of the i-th analysis; PS[i] the proportional asset value loss as a result of the threat analyzed in the i-th analysis; RF[i] the risk factor representing the business process level of criticality; and PIF[i] the process impact factor.

The latter two factors show a mutual relation between business processes and assets, therefore they need some explanation. The risk factor (RF) is calculated on the basis of the high-level risk analysis, where the most critical business process has the maximum value and the least critical one the minimum. The other processes have the RF value calculated proportionally to the HLR value. RF has the same value for each asset in the same business process. The process impact factor (PIF) represents the business process loss in the effect of asset loss or violation for the analyzed threat-vulnerability pair. PIF is assessed for each asset in the given business process.

Comparing the volumes of RV[i] (in step i) and RV[i+1] (step i+1) allows the effect of the controls applied to reduce RV[i] to be estimated. The volumes of VS[i+1] and TS[i+1], with respect to the new situation (proposed controls implemented), are estimated and on this basis RV[i+1] is calculated. In other words, it is possible to estimate the efficiency of the actions undertaken.

Each organization should keep under control not only its security but also the cost of achieving and maintaining this security. The objective of all activities and investments in the domain of security is to improve the organization's position on the market or in the society. Economic efficiency can be achieved when one simple rule is obeyed: one should apply only those security measures which are necessary and sufficient. This can be done by implementing more and more efficient management methods and tools which combine qualitative and quantitative (monetary) methods and allow simple cost/benefit analyses, including ROI. The calculation covers current situation values (i) and new safeguards values (i+1).

$$\mathrm{ROI} = \frac{\mathrm{RVC}[i] - \mathrm{RVC}[i+1]}{\mathrm{SC}[i+1] - \mathrm{SC}[i]} \quad (6)$$

The risk value expressed in currency, RVC, can be presented as:

$$\mathrm{RVC}[i] = \mathrm{RV}[i] \cdot \mathrm{UV}[cur] \quad (7)$$

where UV[cur] is the unit value expressed in currency.

Safeguard costs (SC) should be calculated with respect to comparable periods of time (the best thing to do is to give their average annual values). In case a given safeguard is purchased, the value in question will not be its total purchase cost but the value depreciated in the course of a given year plus the cost of work devoted to the maintenance of the safeguard throughout the year.

After analyzing different variants of safeguards (having different cost and risk reduction possibilities), the most cost-effective variant is chosen for implementation. This way the organization always chooses the safeguards that are most suitable to the needs of its business processes and, on the other hand, are economically justified.

Example 1. Simple low-level risk analysis

The sample organization has Asset 1 working in the business process of marketing. The previous risk assessment for this asset gives the following information:
RV[i] = 157 - assessed current risk value,
RVC[i] = 15700 - assessed annualized risk value in currency,
SC[i] = 1000 - current annualized safeguards cost,
RF[i] = RF[i+1] = 6 - criticality of the marketing process (derived from the high-level risk analysis).

Asset 1 starts to be used in a very important project and the risk needs to be reduced below 100. Risk reduction can be achieved by choosing 1 of 3 different possible safeguards having different costs, presented in Table 1. For each of them the risk was assessed:

Table 1. Simple low-level risk analysis

Safeguard    SC[i+1]    RV[i+1]    ROI
1            1500       99         11.6
2            5000       50         2.675
3            3000       80         3.85

The best choice is safeguard 1 because it has a risk level acceptable to the organization and, additionally, has the best ROI value of the analyzed safeguards.
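The arithmetic of equations (4)-(7) and the decision rule of Example 1, as an added worked example in Python (it is not the authors' code or their supporting tool): the HLR aggregation and security-risk-map comparison of Section 4.1, and the RV, RVC, ROI and safeguard-selection calculation of Section 4.2. It reproduces the ROI column of Table 1 from the Example 1 inputs. Assumptions: UV[cur] = 100 is inferred from RVC[i]/RV[i] = 15700/157, the HLR values for the five processes of the risk map are constructed, and because the operator combining the six factors of equations (1)-(3) is not restated here, the per-property high-level risks are taken as inputs rather than recomputed.

```python
"""Worked example (added; not the paper's own code): equations (4)-(7) and
the safeguard-selection rule of Example 1 from Bialas & Lisek."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def aggregate_hlr(hlr_i: float, hlr_c: float, hlr_a: float) -> float:
    """Eq. (4): general security importance HLR[j] of one business process,
    the mean of its integrity, confidentiality and availability risks
    (the three inputs come from eqs. (1)-(3), which are not recomputed here)."""
    return (hlr_i + hlr_c + hlr_a) / 3


def security_risk_map(process_hlr: Dict[str, float]) -> Tuple[float, List[str]]:
    """Security risk map (Fig. 2): compare every process's HLR with the
    organization average; processes above the average are the critical
    ones that deserve the detailed low-level analysis first."""
    average = sum(process_hlr.values()) / len(process_hlr)
    critical = sorted(name for name, hlr in process_hlr.items() if hlr > average)
    return average, critical


def risk_value(vs: int, vs_max: int, ts: int, ts_max: int,
               av: float, ps: float, rf: float, pif: float) -> float:
    """Eq. (5): event possibility estimated indirectly as the product of
    vulnerability severity and threat severity relative to their maximal
    levels, scaled by asset value, proportional loss, and the business
    factors RF and PIF that tie the asset to its process."""
    if not (0 < vs <= vs_max and 0 < ts <= ts_max):
        raise ValueError("severity levels must lie in 1..MAX")
    if not 0 <= ps <= 1:
        raise ValueError("PS is a proportional loss, expected in [0, 1]")
    return (vs * ts) / (vs_max * ts_max) * av * ps * rf * pif


def risk_value_currency(rv: float, unit_value: float) -> float:
    """Eq. (7): RVC[i] = RV[i] * UV[cur]."""
    return rv * unit_value


def roi(rvc_now: float, rvc_new: float, sc_now: float, sc_new: float) -> float:
    """Eq. (6): risk reduction in currency per unit of extra annualized
    safeguard cost. A variant that costs no more than the current one has
    no defined ROI in this model, so that input is rejected."""
    extra_cost = sc_new - sc_now
    if extra_cost <= 0:
        raise ValueError("eq. (6) needs SC[i+1] > SC[i]")
    return (rvc_now - rvc_new) / extra_cost


@dataclass(frozen=True)
class Safeguard:
    name: str
    sc_new: float  # SC[i+1]: annualized cost with the safeguard in place
    rv_new: float  # RV[i+1]: risk value reassessed with the safeguard


def choose_safeguard(rv_now: float, sc_now: float, unit_value: float,
                     rv_limit: float, candidates: List[Safeguard]
                     ) -> Tuple[Optional[str], Dict[str, float]]:
    """Example 1 decision rule: keep only the safeguards that bring RV[i+1]
    below the required limit, then pick the best ROI among them. Returns
    the chosen name (None if nothing qualifies) and the ROI of every
    candidate, i.e. the last column of Table 1."""
    rvc_now = risk_value_currency(rv_now, unit_value)
    table = {s.name: roi(rvc_now, risk_value_currency(s.rv_new, unit_value),
                         sc_now, s.sc_new) for s in candidates}
    acceptable = [s for s in candidates if s.rv_new < rv_limit]
    if not acceptable:
        return None, table
    return max(acceptable, key=lambda s: table[s.name]).name, table


# Example 1 inputs from the paper: RV[i] = 157, RVC[i] = 15700, SC[i] = 1000,
# so UV[cur] = 15700 / 157 = 100 (inferred). Safeguards 1-3 as in Table 1.
EXAMPLE1 = dict(rv_now=157.0, sc_now=1000.0, unit_value=100.0, rv_limit=100.0,
                candidates=[Safeguard("1", 1500.0, 99.0),
                            Safeguard("2", 5000.0, 50.0),
                            Safeguard("3", 3000.0, 80.0)])

# Constructed HLR[j] values on the 0-6 scale of Fig. 2 (not from the paper).
EXAMPLE_HLR = {"Process 1": aggregate_hlr(6, 3, 3), "Process 2": 2.0,
               "Process 3": 5.0, "Process 4": 1.0, "Process 5": 3.0}

if __name__ == "__main__":
    avg, critical = security_risk_map(EXAMPLE_HLR)
    print(f"organization average HLR = {avg:.2f}; critical: {critical}")
    chosen, rois = choose_safeguard(**EXAMPLE1)
    for name, value in rois.items():
        print(f"safeguard {name}: ROI = {value}")
    print(f"chosen safeguard: {chosen}")
```

Note that the risk limit is applied before the ROI comparison: safeguard 2 has the lowest residual risk but the worst ROI, and a cheaper safeguard with a high ROI that left RV[i+1] at or above the limit would be filtered out regardless of its ROI, which is exactly the "acceptable risk first, then cost-effectiveness" ordering of Example 1.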

5 Conclusions

There are a lot of methods and tools developed in the realm of security risk analysis. They need constant improvement to catch up with the development and dissemination of new technologies in different areas of business and society. The paper deals with a risk analysis method addressing the needs of business processes. The motivation for the business-oriented, holistic, two-stage risk analysis includes the following:
- the need to integrate asset risk analysis with the information security needs of business processes,
- the need to provide modular and scalable solutions for different types of organizations,
- the need to provide an enhanced risk analysis method adaptable to other risk-based systems (business continuity management, IT services management).

Please note that the presented method facilitates continuous risk analysis in the organization. The assumptions for this project were specified and evaluated on the basis of:
- the investigation of needs and requirements concerning risk analysis in different management systems which deal with business processes, their information security, continuity, IT services, quality, environment, etc.,
- the overview of the current state of technology and standards.

The concept of two-stage risk analysis was validated in the course of the specific targeted project [3]. Within the project a case study workshop was conducted during which the process of risk assessment was tested in the area of change management in software accessible on the basis of outsourcing agreements. Additionally, a computer supporting tool is being developed on the basis of the presented risk analysis method. During this process some elements must be developed, including the following:
- support for graphical business process modelling,
- analytical and statistical facilities,
- preconfigured risk scenarios for different types of assets.

The ROI model should be extended to consider progress in IT technology: more efficient safeguards can be cheaper thanks to this progress. In the future the presented business-oriented, two-stage risk analysis method can be used in other risk-based management systems, such as business continuity management or IT services management. This will be possible thanks to the use of the RF and PIF factors that link business processes and their security needs with asset risk analysis and describe the criticality of these processes. According to the latest information from ISO/IEC [24] there are efforts to base other management systems (i.e. quality) on risk, so this method can be used more widely.

References

1. ISO/IEC 27001. ISMS Requirements (2005).
2. ISO/IEC 17799. Code of practice for information security management (2005).
3. Reports from the specific targeted project No 6 ZR9 2005 C/06667 "Complex information and services security management system", ISS/EMAG, COIG S.A., 2006-2007 (in Polish).
4. Białas A.: Development of an Integrated, Risk-based Platform for Information and E-services Security. In: Górski J. (ed.): Computer Safety, Reliability, and Security, 25th International Conference SAFECOMP 2006, Springer Lecture Notes in Computer Science (LNCS 4166), Springer-Verlag Berlin Heidelberg New York 2006, ISBN 3-540-45762-3, pp. 316-329.
5. Białas A.: Bezpieczeństwo informacji i usług w nowoczesnej instytucji i firmie (Information and services security in a modern organization and company), WNT Publishing House, Warsaw 2006 (in Polish).
6. ISO/IEC 13335-3, Guidelines for the management of IT Security (GMITS), Part 3.
7. National Institute of Standards and Technology, http://www.nist.gov
8. IT-Grundschutz, http://www.bsi.bund.de
9. BS 25999-1. Business continuity management, Part 1: Code of Practice (2006).
10. ISO/IEC 20000-1. IT Service management, Specification (2005).
11. ISO/IEC 20000-2. IT Service management, Code of practice (2005).
12. Cobra. http://www.riskworld.net
13. Cora. http://www.istusa.com/
14. Coras. http://coras.sourceforge.net
15. Cramm. http://www.ogc.goc.uk
16. Ebios. http://www.ssi.gouv.fr
17. Ezrisk. http://www.ezrisk.co.uk/
18. Mehari, Risicare. http://www.clusif.asso.fr; http://www.risicare.fr/
19. Octave. http://www.sei.cmu.edu
20. Riskpack. http://www.cpacsweb.com
21. Białas A.: The ISMS Business Environment Elaboration Using a UML Approach. In: Zieliński K., Szmuc T. (eds.): Software Engineering: Evolution and Emerging Technologies. IOS Press Amsterdam (2005) pp. 99-110.
22. CERT Polska. http://www.cert.pl
23. Rummler G.A., Brache A.P.: Improving Performance: How to Manage the White Space in the Organization Chart, 2nd Edition, Jossey-Bass Inc. Publishers 1995, ISBN: 978-0-7879-0090-8.
24. Andrukiewicz E.: ISO/IEC 27005 Zarządzanie ryzykiem w procesie budowania systemu zarządzania bezpieczeństwem informacji (Risk management in the process of building an information security management system), Presentation from the Conference: Wyzwania bezpieczeństwa informacji (Information Security Challenge), Warsaw 2006 (in Polish).
