Abstract

Information Technology (IT) risk management is designed to confirm the sufficiency of information security. Many risk management and risk assessment standards exist, e.g. ISO 27005:2011 and NIST SP 800-30rev1, but they are mainly designed for general organizations such as governments or businesses; cyber risk assessment focused on military strategy has rarely been studied. Hence, this paper presents an innovative cyber risk assessment conceptual framework named “Cyber Risk Assessment (CRA)”, which extends previous work on Military Risk Evaluation (MRE). The proposed CRA collects and integrates both quantitative and qualitative data: the Vulnerability Detection (VD) tools of Network Risk Evaluation (the previous studies) are used for quantitative data collection, and a focus group in the MRE (the proposed method) is used to collect qualitative data, which together enhance the general risk assessment standard to achieve the objective of the research. The complexity of cyberspace domains from a military perspective is explicitly incorporated into the cyber risk assessment for national cyber security. Results of the proposed framework make it possible to express cyber risk as a score for national cyber security planning.

Highlights

  • Risk management is a substantial solution to deal with Information Technology (IT) risks

  • Risk assessment plays its crucial role as a core process in risk management

  • Current IT security and risk management standards are designed for general perspectives, especially business continuity, rather than national security


Summary

Introduction

Risk management is a substantial solution to deal with IT risks. It integrates the processes of the entire organization. In accordance with ISO 31000:2009 (ISO, 2009), risk assessment is the core process within risk management. Organizations manage risks through the risk assessment process in order to adjust risk treatment so that it satisfies the risk criteria. A number of IT and computer security standards have been developed and are updated continuously to manage information security, e.g. the ISO/IEC 27000 series (ISO/IEC, 2014) and NIST SP 800-82rev (NIST, 2015). Information security management system (ISMS) standards, such as ISO 27001:2013 (ISO, 2013), explain the information security terminology and the risk management process but leave the methodology open for organizations to choose the one most appropriate for themselves. Risk management standards for some specific types of organization are available: ISO 27799:2016 (ISO, 2016) provides implementation guidance for the controls that can be used effectively to manage health information security. Risk management for extremely dangerous threats that could be part of Cyber Warfare (CW), for example Advanced Persistent Threats (APT) and nation-state actors, is not completely addressed by these well-known standards and frameworks.

