Optimizing risk to information to protect the enterprise as well as to satisfy government and industry mandates is a core function of most information security departments. Risk management is the discipline that is focused on assessing, mitigating, monitoring and optimizing risks to information. Risk assessments and analyses are critical sub-processes within risk management and are used to generate data that drive organizational decisions to accomplish this objective. However, despite this need, current approaches lack granular guidance on some key steps and have focused on qualitative data rather than quantitative data, which reduces the value of the results for the decision makers. Through our research, we have identified the gaps in existing risk management methodologies. We have developed statistical design of experiments and requirements engineering based approaches to address these gaps. In addition, our quantitative models lead to a better alignment with business objectives by providing data to address the economics of making security decisions. Towards these ends, the work proposed here comprises the following key components:
(a) Improving risk assessment methodology through statistical models for control subsetting, configuration determination and judging the impact of security enhancements.
(b) Developing approaches for dynamic configuration adjustment in response to changing security posture of an enterprise.
(c) Managing the information risk introduced by vendors of an enterprise.
(d) Using requirements engineering to develop criteria and methodology for governance, risk management and compliance (GRC) which are used to drive risk considerations across the enterprise.
Our research makes extensive use of statistical models; specifically, we are using the Plackett-Burman statistical design of experiments technique for prioritizing security controls. Once prioritized controls have been determined, we propose the use of control sensors to dynamically recommend security configuration adjustments. We also intend to use requirements engineering to develop process frameworks for managing security risks introduced by the vendors of an enterprise as well as for GRC management.
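As an added illustration, not taken from the proposal, of how a Plackett-Burman screening design can prioritize controls: the 12-run design screens 11 controls with one risk score per run, and each control's main effect estimates its influence on that score. The control names, the "true" risk reductions and the linear risk-score model are constructed assumptions used only to simulate the responses; a real study would measure the score for each run.

```python
"""Plackett-Burman screening of security controls (constructed example)."""

# Generator row for the 12-run Plackett-Burman design (Plackett & Burman, 1946).
PB12_GENERATOR = [1, 1, -1, 1, 1, 1, -1, -1, -1, 1, -1]

# Hypothetical controls and hypothetical risk reductions used only to
# simulate the response; none of these values come from the proposal.
CONTROLS = ["mfa", "patching", "edr", "segmentation", "least_privilege",
            "email_filtering", "backups", "logging", "vuln_scanning",
            "awareness_training", "encryption_at_rest"]
TRUE_REDUCTION = [9, 7, 6, 5, 4, 4, 3, 2, 2, 1, 1]


def plackett_burman_12():
    """Rows 1-11 are cyclic shifts of the generator; row 12 is all -1.
    +1 means the control is enabled in that run, -1 means disabled."""
    g = PB12_GENERATOR
    rows = [g[-s:] + g[:-s] if s else list(g) for s in range(11)]
    rows.append([-1] * len(g))
    return rows


def is_orthogonal(design):
    """Every pair of columns must be balanced (dot product 0); this is what
    lets each main effect be estimated independently of the other controls."""
    cols = list(zip(*design))
    return all(sum(a * b for a, b in zip(cols[i], cols[j])) == 0
               for i in range(len(cols)) for j in range(i + 1, len(cols)))


def simulated_risk_score(run, base=60):
    """Constructed response: base risk minus the reductions of enabled controls."""
    return base - sum(w * x for w, x in zip(TRUE_REDUCTION, run))


def main_effects(design, responses):
    """Effect_j = mean(score | control j on) - mean(score | control j off)."""
    effects = []
    for j in range(len(design[0])):
        on = [y for run, y in zip(design, responses) if run[j] == 1]
        off = [y for run, y in zip(design, responses) if run[j] == -1]
        effects.append(sum(on) / len(on) - sum(off) / len(off))
    return effects


def prioritize_controls(design=None, responses=None):
    """Rank controls by estimated risk reduction (most negative effect first)."""
    design = design or plackett_burman_12()
    responses = responses or [simulated_risk_score(run) for run in design]
    return sorted(zip(CONTROLS, main_effects(design, responses)), key=lambda t: t[1])


if __name__ == "__main__":
    for name, effect in prioritize_controls():
        print(f"{name:20s} effect on risk score: {effect:+.2f}")
```

With a noise-free linear response each effect comes out at exactly twice the constructed reduction, so the ranking recovers the intended priority order; with measured scores the same orthogonality keeps the estimates unconfounded.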