Centre for Security, Communications and Network Research

Dr Vassilis Dimopoulos PhD

Prof Steven M Furnell

Mr Ian Barlow, Dr Nathan L Clarke

Effective Information Assurance with Risk Management

Today's businesses base their operation on their IT infrastructure, which consequently demands that it should be protected accordingly. Nevertheless, surveys tend to indicate that the number of IT security incidents is increasing, resulting in significant losses for the organisations concerned. Leading in poor security practices, and therefore frequent victims of related security incidents, are Small and Medium Enterprises (SMEs). Even though there are a number of solutions, ranging from baseline guidelines to a detailed Risk Assessment (which can be followed to guide organisations through systematically selecting appropriate controls and practices to properly secure their networked assets), evidence suggests that these are not being employed by SMEs. Constraints such as lack of budget, security personnel and awareness are amongst the factors that are deterring SMEs from adopting such solutions, and therefore contributing to their continued problem with security incidents.

This thesis specifically targets the problem of security risk assessment within SME environments. Following an examination of the aforementioned constraints, the investigation considers the existing solutions, establishing the reasons that they are not appropriate for SME users. The research identifies that SMEs are in need of a solution that represents a progression of current guidelines, but without being as complicated as existing forms of Risk Analysis. Therefore a new methodology is designed, known as PRAM (Profile-based Risk Analysis and Management), which enables SMEs to analyse and manage their risks in a way that is simple to use and understand, as well as providing economic considerations on threats, their likelihood, effect and the spending required to reduce them to an acceptable level.

The methodology is then implemented within a working prototype, which is evaluated using a series of test scenarios. These scenarios are also used as the basis for evaluating existing SME-oriented Risk Analysis solutions, and the findings determine that the PRAM approach is able to deliver a more comprehensive solution. In addition, an evaluation of the PRAM prototype by a series of end-users suggests that it also succeeds in providing a more user-friendly solution than the current alternatives.

Overall, this thesis presents a solution that can be adopted by SMEs lacking in-house security expertise. It can assist them in understanding the threats they are under, while at the same time presenting appropriate information to enable management to evaluate their organisation.s current IT security situation and select appropriate countermeasures.