Available online at www.sciencedirect.

com

Energy Procedia 17 (2012) 1288 – 1294

A Survey on the Evolution of Risk Evaluation for Information

Systems Security
Yu Zhiweia,Ji Zhongyuanb
a
Ningbo Institute of Technology, Zhejiang University,Ningbo, China
Email:nityzw@gmail.com
b
Lishui University ,Lishui, China
Email: 5525@ls0578.net

Abstract

In order to study the risk evaluation of the information systems security effectively and the laws of the developments
of risk evaluation, we have made a detailed analysis from the purpose, the objective, the process methodology of risk
evaluation according to the role ,the structure and the environment of information system.The tendency of risk
evaluation is asserted with the current informatization background and an idea of business process-oriented risk
evaluation methodology of information systems security is presented.

©
© 2012
2011 Published
Publishedby
byElsevier
ElsevierLtd.
Ltd.Selection and/or
Selection peer-review
and/or under
peer-review responsibility
under of Hainan
responsibility University.
of [name organizer]
Open access under CC BY-NC-ND license.
Keywords:information systems; information systems security; risk evaluation; business processes-oriented

1.Introduction

More and more companies and organizations are becoming totally dependent on computer systems for
their daily operations. Information systems (IS) security has been proclaimed as a key issue for the
development of a global Information Society [1]. In this digitized age, organizations use the information
systems to support and complete their missions; risk management plays a crucial role in protecting
organization information assets as well as information system mission [2]. And the core of risk
management is risk assessment: the means by which risks to systems are identified and evaluated to justify
security controls. In order to study the risk evaluation of the information systems security effectively, it is
important to study the evolution rule of risk evaluation.
Firstly, several concepts related to information system security risk evaluation are introduced in this
paper. Then the purpose, the objectives, the processes and the methodologies of risk evaluation are
analyzed according to the role, the structure and the environment of information systems. The longitudinal
comparison to risk evaluation development in different stages is presented. Finally, the tendency of the risk
evaluation is put forward under the current informatization background according to the evolution rule of
risk evaluation.

1876-6102 © 2012 Published by Elsevier Ltd. Selection and/or peer-review under responsibility of Hainan University.
Open access under CC BY-NC-ND license. doi:10.1016/j.egypro.2012.02.240
 Yu Zhiwei and Ji Zhongyuan / Energy Procedia 17 (2012) 1288 – 1294 1289

2.Basic concepts related to information system security risk evaluation

Generally speaking, it is natural to mention several basic concepts such as risk, assets, threat,
vulnerability, impact, information system, information system security, risk evaluation. And some core
concepts are as follows:
y Risk is defined in ISO/IEC TR 13335-1 as “the potential that a given treat will exploit vulnerabilities
of an asset or group of assets to cause loss or damage to the assets”. And more concepts in relation
with risk are also defined in ISO/IEC TR 13335-1. The relationship model of these concepts, which
makes a clear explanation to the relations of those concepts, is shown as figure 1.

threats vulnerabilities

exploit
increase
protect against increase expose

reduce
safeguards tisks assets

increase
met by indicate have

security values
requireme
FIGURE. 1 RELATIONSHIPS IN RISK MANAGEMENT

y Information system It is a narrow concept of an information system, which refers to the

computer-based system. It is an organic set of facilities as human beings, rules, databases, hardware
and software, tools and running environment [3]. It highlights the application of computer and
network communication technology. Two levels of meanings are included in the information system.
First, the function of information system is to complete the organization missions. Second, it is a
component of information system to coordinate and complete the organization mission.
y Information system security The purpose of the informatization is to complete the operation
mission by information system. At the same time, the information system relies on its constitution
elements and information in the process of achieving organization mission. In a word, the information
system security can be used in elements of information system coordinating and achieving
information system mission.
y Risk evaluation Risk management is the process of establishing and maintaining information
system security within an organization[2], which aims to “identify, measure and control uncertain
events” in order to minimize loss and optimize the return on the capital invested for security
purposes[4][5]. As the core of risk management, risk assessment is the means by which risks to
systems are identified and evaluated to justify security controls[2]. It contains why to implements risk
evaluationˈwhat to evaluate as well as how to evaluate and other issues.

3.Analysis on development phase of risk evaluation for information system security

It has been over 20 years of the world wide research on risk evaluation of information system, while it
has been started in recent years in china. The content involved in the information system risk evaluation is
extremely complex. Even though main contents related to risk evaluation have been summarized and
analyzed in [6]. There is lack of analysis and judgment to overall development tendency of risk evaluation.
According to [2,7,8], the risk evaluation had been undertaken through two generations. The third
generation of it is continuing in respect of “the whole system“. The development of risk evaluation are
divided into three generations in the light of computer history in[9,10]. These divisions are based on the
1290 Yu Zhiwei and Ji Zhongyuan / Energy Procedia 17 (2012) 1288 – 1294

constitution and environment of the very information system and fail to take function and goal of
information system in organization into consideration, which indicates that the basic problem of why to
carry on risk evaluation has been not solved. Apparently, safeguarding information itself is not, or should
not be the target of information system security, the real purpose of which is to guarantee the reliability and
security in the process of the goal of operation in organization. Information system security and risk
evaluation have been developing with the progress in constitution and environment of information system,
as well as function vicissitude of information system in organization. Figure 2 presents differences in
function, constitution and environment of information system., which cause the differences of contents,
process and method of risk evaluation.

risk evaluation
momentum
the purpose of risk
evaluation
the role of IS

the structure the contents of

of IS risk evaluation

the environment the processes and

of IS methods of risk
evaluation

FIGURE. 2. THE DRIVE MODEL OF RISK EVALUATION

3.1.The first stage

In this stage, the information system was formed by the relatively isolated mainframes. It was used
to conduct scientific calculating and batch processing in place of human beings. Computers themselves
were the protected by the information system as rare tools. The protection of the computing facilities was
conducted by implementing physical countermeasures around and within the mainframe room. Computing
facility security was measured by assessing how well the facility adhered to a prescribed set of security
controls. Checklist and basic risk assessment methods for selecting discretionary IS security controls were
introduced. Peter S. Browne’s Checklist for computer Center Self-Audits is an example of a first stage risk
assessment method [2]. The first stage risk evaluation method was simple and partial for mainframe with
manual operations, which mostly relied on the experience.

3.2.The second stage

With the wide use of LANs and the development of the computing environment, the information which
computer processed began to be shared in relevant departments in organizations. Protecting information
and information technology assets of processing information are included in risk evaluation.
Risk evaluation of the first stage was obsolete because the new requirement from the objects and
change of the environment. Therefore, new contents and methods of risk evaluation were put forward.
Other fields, such as nuclear power, weapons, and aviation, were taking a systems view and using
analytical risk analyses; their success provided encouragement for a risk-assessment approach. As a result
of all this, a new view of risk has emerged for software system, and NIST played a prominent role in
prompting this view to coalesce. Six concepts in risk assessment were formalized: assets, vulnerabilities,
threats, likehoods, impacts, and safeguards. This emerging view of risk says “A threat is realized through a
vulnerability, which impacts an asset.”[8]ˈwhich was called asset-based risk assessment. The risk
 Yu Zhiwei and Ji Zhongyuan / Energy Procedia 17 (2012) 1288 – 1294 1291

assessment method in this stage aimed to protect the whole information system by identifying and
analyzing the threats, the vulnerabilities, the likehoods and the impacts. The ALE(Annual Loss Exception)
method was used to calculate the economic loss on condition that safeguards was used or not. But in
practical application, there was much difficulty obtaining quantitative data of the asset value and likehoods
of threat occurring. Estimating cost on safeguards was not realistic. Consequently, computing asset risk
with quantitative methods is theoretically persuasive. Although risk evaluation has not been widely used in
practice at this stage, it had provided a set of asset-based risk evaluation theory, had formed several risk
elements including assets, vulnerabilities and threats, which laid the theoretical foundation for the third
stage risk evaluation.

3.3.The third stage

With the use of communication networks, such as internet, became the backbone for
inter-organizational communication, E-commerce and on-line services have become the reality. The
structure and environment of information systems have become quite complex. New threats to information
systems are increasing .The exchange and sharing of information between organizations and entities
outside have been expanded. Therefore, information systems risk not only affects the security attributes of
information, causes direct economic losses in organizations, but takes into account the operational and
productivity implications and the reputation and public image of the organization. It is an important symbol
to consider the business impact analysis (BIA) during analyzing the impact of risk of assets. In addition,
the risk evaluation in this stage was not essentially improved comparing with that in the second stage. It
became more complicated because of structural and environment complexity of information system and an
expansion of the role.
The basic theory of risk evaluation in this stage rooted from that in the second stage.
Easy-to-understand and with a long history of research, the theory was widely applied in research
institutions and many enterprises engaged in the field of security management. For instance, Bomil Suh,
Ingoo Han [11] studied business process-oriented risk evaluation methodology of information systems
security. The security resolution from SYMANTEC[12], FOUNDSTONE[13] not only considered the
effect on the business of the risk of information systems. OCTAVETM framework [14] also considered the
risk to information system assets that could cause loss and influence on organization business. CORAS
regarded the huge loss to business as one of the most important factors [15].
Because it is difficult to quantify the risk, the qualitative analysis was used in this stage to measure the
levels of risks and the impacts of assets. The consequences should be given a value in CORAS in terms of
expected loss, on a relative scale, such as: {Low, Medium, High}, {Insignificant, Minor, Moderate, Major,
Catastrophic} or specific {No Consequence, Destroyed Data}. And the values of the probabilities was
described by using {rare, unlikely, possible, likely, almost certain}[15]. Accordingly, OCTAVE uses
{High, Medium, Low} to measure the impacts and likehoods[14]. Likert Scale[16] is a good qualitative
description of the measure. Quantitative methods are not without merit, a more detailed comparison has
been presented in the literature [16,17].
As the complexity of threats, vulnerabilities and impacts, some traditional analysis methods were used
to support the various stages of risk evaluation. CORAS used HazOp, FTA, FMECA and other methods to
help the risk assessment [15].
The driving force and brief summary of the information system risk evaluation at different stages have
been summarized in table 1. From this we can find the order of nature of information system security risk
evaluation with the development of the role and construction of information systems.
TABLE 1. THE ANALYSIS OF RISK EVALUATION IN DIFFERENT STAGES

the purpose and

the structure and the process of risk evaluation and
stage the role of IS objectives of risk
background of IS typical method
evaluation
the by assessing how well the facility
batch jobs and scientific centralized
first computer itself adhered to a prescribed set of security
calculation mainframes
stage controls;
1292 Yu Zhiwei and Ji Zhongyuan / Energy Procedia 17 (2012) 1288 – 1294
gy ( )
Browne’s Checklist.

by calculating the threats, the

the LANs and
information exchange and to protect the assets of vulnerabilities, the likehoods of
second distributed
shared in departments information systems. assets;
stage environment
ALE is a typical method.
similarly to the second stage, but BIA
was implementing during the risk
to protect the assets
the evaluation. And some traditional
information exchange and communication and the impacts on
third qualitative method were used to help
shared in organizations networks business process by
stage the risk evaluation;
evaluating the assets
OCTAVETM CORAS are the
representative methods.

4.Prospect for the research on security risk evaluation of information system

These days, with information technology stimulating industrialization strategy propose, Informatization
implementing, business process re-engineering, workflow technology realizing, ERP implementing and its
expanding to SCM,CRM, the information system is not only used in exchanging and sharing
information as a platform within the organization and entities around, but is an indispensable tool for the
day-to-day operations. Information system security is not only the purpose of the protection of information
security assets, but it is also necessary to maintain the security in daily operation process of information
system. Risk evaluation approaches at all above stages are no longer appropriate under the current
information technology environment. Information system risk evaluation enters a new stage.
There is lack of appropriate risk evaluation methodology in view of such a complex giant system
according to [10]. Risk evaluation should start from understanding the information system on the whole
information system. Sharon, karin [21] pointed out the defects of the traditional bottom-up risk
evaluation based on the information system assets in the mentioned stages and put forward the top-down
risk assessment and information technology risk analysis based on the business. SUSANNE RÖHRIG
and KNORR[19] brought forward a method to obtain security protective measure from a business process
perspective. . Protecting assets is not the goal of organizations. Assets realize their value by coordinating
and achieving operation process and mission. First, these assets are coordinated to work together as a
whole. This requires a good grasp of these assets and their mutual relations; Secondly, instead of assets
protection, the ultimate goal of information system security is to protect the information system to fulfill
their organizational mission as a whole.. Business processes put all the unattached equipments, people and
so on to carry out some specific work together. It demonstrates the synergy of these assets. On the one
hand, it reflects the interrelated links among the assets. On the other hand, it is the embodiment of the
mission of information systems. Therefore, the fourth stage method of risk assessment, which focuses on
the business process perspective, will be developed with an important feature of business process.
Due to the introduction of business process, risk evaluation in the fourth stage requires additional
technologies to support the new method of risk evaluation. Kokolakis [1] implored IS-SAD and
information system security analysis based on the technology of BPM and put forward the idea that the risk
analysis is combined with the business process and made a theoretical study on the adequacy of the model
of security evaluation with the use of the IDEF tools, such as RADǃCADMǃSSMǃDFD. Yu
Zhiwei[20,21] put forward DEXVLQHVVSURFHVVEDVHGPHWKod on security requirements analysis of
information systems. Furthermore, Yu zhiwei presented a method of analyzing security objectives of
business process elements(BPEs)[22] to determine the security requirements of business processes, and
proposed an information system security model[23] to protect business activities and describe information
systems from security view in order to overcome the shortcomings of the existing information system
models.
Academician, He Dequan[24], pointed out that more than 80% of the successful invasion took
advantage of people’s ignorance, numbness and laziness. Therefore, it is not enough to prevent
information systems risk from the technical point. The risk evaluation at the fourth stage should take
 Yu Zhiwei and Ji Zhongyuan / Energy Procedia 17 (2012) 1288 – 1294 1293

technologies and management factors into account to synthetically consider risk recognition and protection
of information system.
According to the circumstance which information systems support the business process operations,
aligning with the technology support when considering the risk assessment method from the view of
business processes, the basic requirements of information system risk assessment in the fourth stage can be
met from the technology and management. We can conduct the study as follows:
y Risk evaluation-oriented business process modeling Generally speaking, business process model is
abstract expression of business operations supported by information system, it is also a relation model
describing a series of orderly activities which aims to complete scheduled functions. Characteristics
of business process risk are not conveyed in general business process model. It is a practical research
idea to enlarge information risk factor based on the existing business process model.
y Establishing a business process-oriented risk evaluation methodology of information systems. It
includes how to confirm and identify specific asset, risk elements, process model of risk evaluation,
risk evaluation methodology, how to describe risk and how to measure the risk and so on. Among
them, recognition and identification of risk evaluation targets are the important foundation for
business process-oriented risk evaluation of information system security project. Risk elements are
referring to business process-oriented risk causes. The process model is used for completing
process-oriented business activities and their relations. Risk evaluation approaches are to study how
to obtain risk factors; and the expression and measurement of risk are indicating how to express and
measure business process-oriented risk. Finally, the business process-oriented risk evaluation
methodology of information systems security is formed.
y Study on the efficiency of the risk evaluation of information systems security. Security is a dynamic
process which required regular inspection and maintenance and even checks at any moment. But
whether the result of current security evaluation method can actually reflect the security condition of
information system is a problem? Whether it is secure enough after safeguard implementations for
information systems should be still validated and improved in practice.
y Research and development of auxiliary platform for integrated information system security risk
evaluation. To improve the efficiency, accuracy, reusability, traceability of risk evaluation project,
reduce labor intensity of the risk evaluation, it is necessary to establish process-oriented risk
evaluation auxiliary platform with the aid of information technology.

5.Conclusions

Information system plays an increasingly important role in the organization with the development and
application of computers and network. The information system has become an absolutely necessary tool
for many business operations. As the core of security management, risk evaluation had gone through three
stages. Now it is in the transition from the third stage of to the fourth with the business-oriented
characteristics.
When the assets of the information system security are fully assured, the business process supported by
information system are still confronted with operation’s and management risk, and new risks also come
from the change of business process operations after information technology’s application. All those risks
happen to be neglected in current research of information security risk evaluation. In this paper, the current
situation and development trend of risk evaluation of information system security were firstly discussed. It
has concluded that under the current environment the risk evaluation of information system security has
gone into the fourth stage, which focuses on the business processes supported by information systems and
analyses of the risks of business processes from both technologic and managerial perspectives.

References

[1] S.A. Kokolakis,A.J. Demopoulos,E.A. Kiountouzis. The use of business process modelling in information systems security
analysis and design, Information Management & Computer Security. Bradford:2000.Vol.8,Iss.3; pg.107
[2] M. Wright, Third Generation risk Management Practices, Computer Fraud & Security, February, 1999 pp. 9-12
1294 Yu Zhiwei and Ji Zhongyuan / Energy Procedia 17 (2012) 1288 – 1294

[3] Dai Zongkun, Luo Wanbo, etc. Information systems security, China:Publishing house of electronics industry, 2002.1
[4] T. Finne, Information Systems Risk Management: Key Concepts and Business Processes, Computers & Security, 19(2000)
234-242
[5] T. Finne, A Conceptual Framework for Information Security Management, computers & Security, 17 (1998) 303-307;
[6] Feng Dengguo, Zhang yang, Zhang yuqing, Survey of information securityrisk assessment, Journal of China Institute of
Communications, Vol.25 No.7:10-18
[7] Craft R., Wyss, G., Vandewart, R., et al., An Open Framework for Risk
Management,(http://csrc.nist.gov/nissc/1998/proceedings/paperE6.pdf 2010-12-5)
[8] Fletcher, S., Jansma, R., Halbgewachs, R., et al., Software System Risk Management and Assurance,
(http://ieeexplore.ieee.org/iel3/3552/10643/00492345.pdf, 2010-11-5)
[9] Stilianos Vidalis, A Critical Discussion of Risk and Threat Analysis Methods and Methodologies, School of Computing
Technical Report CS-04-03. July 2004
[10] L. Labuschagne, J.H.P. Eloff, Risk Analysis Generations – The evolution of Risk Analysis,
(http://csweb.rau.ac.za/deth/research/articles/ra_generations.pdf, 2007-5-23)
[11] B. Suh, I. Han, The IS risk analysis based on a business model, Information & Management 41(2003) 149-158
[12] Assets, Threats and Vulnerabilities: Discovery and Analysis——a comprehensive approach to Enterprise Risk Management,
Symantec Corporation, enterprisesecurity.symantec.com/PDF/AxentPDFs/RiskMgmt.pdf 2007-9-12
[13] www.foundstone.com 2010-10-24
[14] C. Alberts, A. Dorofee. Managing Information Security Risks: The OCTAVE Approach Tsinghua University Press, 2003.8
[15] I. Djordjevic, E. Scharf, D. Raptis, B.A. Gran, suitability of risk analysis methods for security assessment of large-scale
distributed computer systems, http://www.intracom.gr/ downloads/pdf/news/publications/2002/psam_2002_coras.pdf 2008-5-20
[16]. S.A. Butler, Security Attribute Evaluation Method, May 2003, CMU-CS-03-132
[17] UI Security Risk Assessment Guidebook, Sep. 2001,
www.itsc.state.md.us/PDF/S-2-2%20Risk-Assessment-Final.pdf. 2004-10-15
[18] Halliday, Sharon,Badenhorst, Karin,Solms, Rossouw von. A business approach to effective information technology risk
analysis and management. Information Management & Computer Security.Bradford:1996.Vol.4,Iss.1: 19-31
[19] S. RÖHRIG, K. KNORR, Security Analysis of Electronic Business Processes, Electronic Commerce Research, 4: 59-81
(2004).
[20] YU Zhiwei㧘TANG Renzhong㧘YE Fanbo. A business process-based method on security requirements analysis of
information systems[J]㧘IE&EM’2005, Chongqing, CHINA, NOV 06-08, 2005:1005-1009
[21] YU Zhiwei㧘TANG Renzhong㧘Jia Dongjiao et al.,. A Business Process-based Method on Security Requirement Analysis
of Information Systems, China Mechanical Engineering[J]. Vol. 18, 2007,(04):457-460
[22] YU Zhiwei㧘TANG Renzhong. Analysis on security objectives of business process elements[J]. Journal of Zhejiang
University(Engineering Science), 2007 Vol.41 No.8 P.1244-1248,1270
[23] YU Zhiwei㧘TANG Renzhong. Business activity-oriented security model of information systems[J]. Journal of Zhejiang
University(Engineering Science), 2007 Vol.41 No.11 P.1903-1907
[24] He Dequan, No absolute Security, Netinfo Security, 2002(10).-23-23