外文翻译--一个识别信息安全风险的整体风险分析方法.docVIP

毕业论文外文翻译 原文 A HOLISTIC RISK ANALYSIS METHOD FOR DENTIFYING INFORMATION ECURITY RISK Janine L. Spears The Pennsylvania State University, Smeal College of Business, University Park, PA 16802 Abstract: Risk analysis is used during the planning of information security to identify security requirements, and is also often used to determine the economic feasibility of security safeguards. The traditional method of conducting a risk analysis is technology-driven and has several shortcomings. First, its focus on technology is at the detriment of considering people and processes as significant sources of security risk. Second, an analysis driven by technical assets can be overly time-consuming and costly. Third, the traditional risk analysis method employs calculations based largely on guesswork to estimate probability and financial loss of a security breach. Finally, an IT-centric approach to security risk analysis does not involve business users to the extent necessary to identify a comprehensive set of risks, or to promote security awareness throughout an organization. This paper proposes an alternative, holistic method to conducting risk analysis. A holistic risk analysis, as defined in this paper, is one that attempts to identify a comprehensive set of risks by focusing equally on technology, information, people, and processes. The method is driven by critical business processes, which provides focus and relevance to the analysis. Key aspects of the method include a business-driven analysis, user participation the analysis, architecture and data flow diagrams as a means to identify relevant IT assets, risk scenarios to capture procedural and security details, and qualitadve esdmadon. The mixture of people and tools involved in the analysis is expected to result in a more comprehensive set of idendfied risks and a significant increase in security awareness throughout the organizadon. Keywords: risk analysis, informadon security, risk management, business process, data fl