Improving information security risk management.


Thesis or Dissertation


Optimizing risk to information, both to protect the enterprise and to satisfy government and industry mandates, is a core function of most information security departments. Risk management is the discipline focused on assessing, mitigating, monitoring and optimizing risks to information. Risk assessments and analyses are critical sub-processes within risk management; they generate the data that drive organizational decisions toward this objective. However, despite this need, current approaches lack granular guidance on some key steps and have focused on qualitative rather than quantitative data, which reduces the value of the results for decision makers. Through our research, we have identified the gaps in existing risk management methodologies, and we have developed approaches based on statistical design of experiments and on requirements engineering to address these gaps. In addition, our quantitative models lead to better alignment with business objectives by providing data that address the economics of making security decisions. Towards these ends, the work proposed here comprises the following key components: (a) improving risk assessment methodology through statistical models for control subsetting, configuration determination and judging the impact of security enhancements; (b) developing approaches for dynamic configuration adjustment in response to the changing security posture of an enterprise; (c) managing the information risk introduced by the vendors of an enterprise; and (d) using requirements engineering to develop criteria and methodology for governance, risk management and compliance (GRC), which are used to drive risk considerations across the enterprise. Our research makes extensive use of statistical models; specifically, we use the Plackett-Burman statistical design of experiments technique for prioritizing security controls.
Once the prioritized controls have been determined, we propose the use of control sensors to dynamically recommend security configuration adjustments. We also intend to use requirements engineering to develop process frameworks for managing the security risks introduced by the vendors of an enterprise, as well as for GRC management.
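The abstract names the Plackett-Burman screening design as the tool for prioritizing security controls without showing how such a screening is carried out. The following is an added example, not code from the dissertation: it builds the standard 8-run Plackett-Burman design (seven two-level factors, one factor per control), scores each run with a constructed risk-score function, and ranks the controls by their estimated main effect. The control names, the weights inside the risk-score function and the treatment of "control enabled" as the high level of each factor are assumptions made for the demonstration; in a real assessment the response would come from measured or assessed loss figures for each run.

```python
"""Plackett-Burman screening of security controls (added example, not the
dissertation's code).  The design is the standard 8-run PB design; the
control names and the risk-score function are constructed for the demo."""

from typing import Callable, Dict, List, Sequence

# Generator row for the 8-run Plackett-Burman design (7 two-level factors).
# Rows 1..7 are cyclic shifts of this row; row 8 is all -1.
PB8_GENERATOR = [+1, +1, +1, -1, +1, -1, -1]

# Hypothetical controls under consideration (assumption: not from the thesis).
CONTROLS = ["mfa", "patching", "egress_filter", "edr", "backups", "awareness", "dlp"]


def plackett_burman_8() -> List[List[int]]:
    """Return the 8 x 7 design matrix; +1 means the control is enabled in that run."""
    rows = []
    for shift in range(7):
        rows.append([PB8_GENERATOR[(j - shift) % 7] for j in range(7)])
    rows.append([-1] * 7)
    return rows


def constructed_risk_score(run: Sequence[int]) -> float:
    """Constructed response for one run: an expected-loss style score, lower is better.

    The weights are invented for the demo and stand in for the loss reduction an
    assessment would measure for each control.  The model is additive, so the
    orthogonal design recovers each weight exactly as that control's main effect."""
    weights = {"mfa": 30.0, "patching": 25.0, "egress_filter": 5.0, "edr": 15.0,
               "backups": 8.0, "awareness": 3.0, "dlp": 2.0}
    score = 100.0
    for name, level in zip(CONTROLS, run):
        if level == +1:
            score -= weights[name]
    return score


def main_effects(design: List[List[int]], responses: List[float]) -> Dict[str, float]:
    """Main effect of each control: mean response at +1 minus mean response at -1."""
    effects = {}
    for j, name in enumerate(CONTROLS):
        plus = [y for row, y in zip(design, responses) if row[j] == +1]
        minus = [y for row, y in zip(design, responses) if row[j] == -1]
        effects[name] = sum(plus) / len(plus) - sum(minus) / len(minus)
    return effects


def prioritize_controls(score_fn: Callable[[Sequence[int]], float] = constructed_risk_score) -> List[str]:
    """Run the screening and return controls ordered by risk reduction (largest first)."""
    design = plackett_burman_8()
    responses = [score_fn(run) for run in design]
    effects = main_effects(design, responses)
    # A more negative effect means enabling the control lowers the score more.
    return sorted(CONTROLS, key=lambda c: effects[c])


if __name__ == "__main__":
    design = plackett_burman_8()
    for run, y in zip(design, [constructed_risk_score(r) for r in design]):
        print(" ".join("+" if x > 0 else "-" for x in run), f"score={y:5.1f}")
    print("priority order:", prioritize_controls())
```

Eight runs screen seven controls because the design is balanced (each column has four +1 and four -1 entries) and orthogonal, so each main effect is estimated free of the other controls' contributions; with a real, noisy response the ranking by absolute effect is what decides which controls get the detailed treatment first.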


University of Minnesota Ph.D. dissertation. December 2009. Major: Computer Science. Advisor: David Lilja. 1 computer file (PDF); x, 108 pages, appendix A. Includes Vita page 106.

Suggested citation

Singh, Anand. (2009). Improving information security risk management. Retrieved from the University Digital Conservancy,
