Risk Analysis Using “Conflicting Incentives” as an Alternative Notion of Risk
Risk analysis plays an important role in the protection of information systems. Initiatives by governments in many nations clearly show its significance in critical decision making aimed at protecting information systems. There is a considerable rise in the use of risk analysis methods by banks, hospitals, and many other organizations, and there is also a growing research interest in this field. Classical methods for risk analysis usually rely on likelihood estimates that are sometimes difficult to verify. Typically, this is the case when the existing statistical data for the system being analyzed are irrelevant or insufficient (e.g. in the case of non-stationary systems) or when there is no history for which reliable statistics are available (e.g. in the case of new and emerging systems). In addition, people are not well "calibrated" at estimating probabilities. In most of these classical methods, events are not usually attributed to people. Moreover, most of these methods focus on risks in relation to threats, overlooking risks in relation to opportunity. Furthermore, the intrusive nature of the risk analysis process makes it hard for researchers or students to gain access to scenarios from operational organizations for evaluating or training on risk analysis methods. This thesis contributes by developing a new approach for risk analysis: Conflicting Incentives Risk Analysis (CIRA). In CIRA, the stakeholders, their actions, and their perceived expected consequences are identified and used to characterize the risk situation. Risk is modeled in terms of conflicting incentives between the stakeholders with regard to the execution of actions. Thus, unlike most classical risk analysis methods, CIRA does not rely on the concept of incident likelihood. Moreover, human-related risks are the focus in CIRA.
In order to reduce the sensitivity and confidentiality issues caused by the intrusive nature of the risk analysis process, a Case Study Role Play (CSRP) approach is introduced. Using CSRP, the data required by a risk analysis method can be collected from individuals playing the roles of fictitious characters rather than from an operational setting. To further exemplify the feasibility of CIRA, a fictitious case study of an Identity Management System (IdMS) similar to the eGovernment IdMS of Norway is analyzed using the CSRP approach. This dissertation also contributes by presenting the theoretical concepts of risk acceptance and rejection, addressing both threat and opportunity risks in the context of CIRA. Furthermore, an initial insight into how CIRA can be extended to risk management is given by explaining risk treatment measures for threat risks and risk response measures for opportunity risks. Directions for future research in the area are given by highlighting potential issues such as implementing, validating and improving the method through further case study research and developing CIRA as a tool. In order to achieve a robust information security and privacy risk management method, both threat and opportunity risks should be considered, and human factors need to be explicitly considered during the analysis. CIRA goes towards resolving these issues in the risk management domain.
Series: Doktorgradsavhandlinger ved Høgskolen i Gjøvik; 2/2013
Series: Doctoral dissertations at Gjøvik University College; 2/2013