**1. Introduction**

110 Security Enhanced Applications for Information Systems


In the information and communication technology society, the information system of any organization is always exposed to various kinds of risk, and organizations should prepare countermeasures against possible risks to protect their assets and secure the continuity of their activities. For that purpose, several types of information risk evaluation and management system, such as ISO/IEC 27002, MEHARI, MAGERIT, SP800-30, OCTAVE, etc., have been proposed by institutions all over the world. Although each system has its own policy and characteristics, in the final stage, after the risk evaluation has been done and some serious risks have been identified, the system usually proceeds to the process of choosing effective and available mitigation controls against each of the risks.

In our prior work, we proposed a method to choose a set of effective elements from a given database of properly valued mitigation controls, and we also proposed a method of clustering these controls in relation to the threat paths of OCTAVE's risk profile worksheet.

However, we have not yet constructed a feasible database system for practical use; that effort is now in progress. To that end, it is necessary to investigate several existing systems of mitigation controls and to compare and analyse them.

The content of the chapter is as follows:


Construction of Effective Database System for Information Risk Mitigation 113

Dorofee, 2003) as a security evaluation system based on organizational assets. OCTAVE-S is a variation of the approach tailored to relatively small organizations (fewer than 100 people) that have limited means and unique constraints.

In the implementation guide (Alberts et al., 2005), the key differences between OCTAVE and other traditional information risk evaluation and management approaches are described as in Table 1.

| OCTAVE | Other evaluation systems |
| --- | --- |
| Organization evaluation | System evaluation |
| Focus on security practices | Focus on technology |
| Strategic issues | Tactical issues |
| Self direction | Expert led |

Table 1. The key differences

Ordinary risk assessment has three important aspects: operational risk, security risk, and technology risk. The OCTAVE developers observe that other evaluation systems tend to evaluate the organization's systems and to focus on the technology. In OCTAVE, the technology is examined as part of security practice, and the other two aspects mainly drive the OCTAVE approach.

OCTAVE aims to evaluate the organization itself in terms of its information assets, threats and vulnerabilities, and focuses on the organization's practices for achieving information security, which eventually leads the organization to strategic protection issues rather than tactical ones. An expert-led system is managed by a team of experts in risk analysis or in information technologies, from outside or inside the organization. OCTAVE is a self-directed system led by a small interdisciplinary team, called the analysis team, consisting of members of the organization.

OCTAVE(-S) has three phases, in each of which the analysis team outputs the corresponding matters as follows.

Phase 1. Build Asset-Based Threat Profiles

Outputs: Critical assets, security requirements for critical assets, threats to critical assets, and current security practices

Phase 2. Identify Infrastructure Vulnerabilities

Outputs: Key components and current technology vulnerabilities

Phase 3. Develop Security Strategy and Plans

Outputs: Risks to critical assets, risk measures, protection strategy, and risk mitigation plans

Each phase has some processes consisting of several steps, which we show in Table 2 from the guide (Alberts et al., 2005).

In the series of our research project, we first proposed a method to identify the set of critical assets from the huge number of possible information-related assets, corresponding to step S2.1 in the table (Nagata et al., 2007). In that method we used FSM (Fuzzy Structural Modelling) based on the modified structural modelling method described in the following
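To make the chain between the three phase outputs and the final control-selection step concrete, the following is an added toy model (not the chapter's method, not the authors' FSM approach, and not OCTAVE's actual worksheets). It represents a Phase 1 threat profile as threat paths (asset, access, actor, motive, outcome), takes Phase 2 key-component vulnerabilities as a likelihood, derives a Phase 3 risk measure, and then picks controls from a constructed, valued control database by risk reduction per unit cost under a budget. All asset names, scales, vulnerability values and control effects are constructed for the example.

```python
"""
Toy model of OCTAVE phase outputs feeding a mitigation-control choice.

Added illustration only: the scales, names and greedy selection below are
assumptions made for this example, not the chapter's or OCTAVE's method.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Threat-tree outcome -> security requirement it violates (OCTAVE's four outcomes).
OUTCOME_TO_REQUIREMENT = {
    "disclosure": "confidentiality",
    "modification": "integrity",
    "loss": "availability",
    "interruption": "availability",
}


@dataclass(frozen=True)
class ThreatPath:
    """One branch of an asset-based threat profile (Phase 1 output)."""
    asset: str
    access: str   # "network" or "physical"
    actor: str    # "inside" or "outside"
    motive: str   # "accidental" or "deliberate"
    outcome: str  # key of OUTCOME_TO_REQUIREMENT


@dataclass
class Control:
    """Entry of a valued mitigation-control database (constructed scale)."""
    name: str
    cost: int
    effect: Dict[Tuple[str, str], float]  # (access, outcome) -> fraction of risk removed


def build_risk_register(requirements: Dict[str, Dict[str, int]],
                        threats: List[ThreatPath],
                        components_of: Dict[str, List[str]],
                        vulnerabilities: Dict[str, float]) -> List[Tuple[ThreatPath, float]]:
    """Phase 3 risk measure (constructed): impact on the violated requirement
    times the likelihood of the weakest key component the asset depends on."""
    register = []
    for t in threats:
        impact = requirements[t.asset][OUTCOME_TO_REQUIREMENT[t.outcome]]
        likelihood = max(vulnerabilities[c] for c in components_of[t.asset])
        register.append((t, round(impact * likelihood, 4)))
    register.sort(key=lambda r: r[1], reverse=True)
    return register


def select_controls(register, controls: List[Control], budget: int):
    """Greedy choice: repeatedly take the affordable control with the highest
    risk reduction per unit cost. Returns (chosen names, residual total risk)."""
    scores = {t: s for t, s in register}
    chosen: List[str] = []
    remaining = list(controls)
    while True:
        best, best_ratio = None, 0.0
        for c in remaining:
            if c.cost > budget:
                continue
            reduction = sum(scores[t] * c.effect.get((t.access, t.outcome), 0.0) for t in scores)
            if reduction / c.cost > best_ratio:
                best, best_ratio = c, reduction / c.cost
        if best is None:
            break
        for t in scores:  # apply the control to every threat path it addresses
            scores[t] = round(scores[t] * (1 - best.effect.get((t.access, t.outcome), 0.0)), 4)
        chosen.append(best.name)
        budget -= best.cost
        remaining.remove(best)
    return chosen, round(sum(scores.values()), 4)


# Constructed sample data (Phase 1 and Phase 2 outputs, control database).
REQUIREMENTS = {  # asset -> {requirement: impact on a 1..3 scale}
    "customer_db": {"confidentiality": 3, "integrity": 3, "availability": 2},
    "web_portal": {"confidentiality": 1, "integrity": 2, "availability": 3},
}
THREATS = [
    ThreatPath("customer_db", "network", "outside", "deliberate", "disclosure"),
    ThreatPath("web_portal", "network", "outside", "deliberate", "interruption"),
    ThreatPath("customer_db", "physical", "inside", "accidental", "loss"),
    ThreatPath("web_portal", "network", "inside", "accidental", "modification"),
]
COMPONENTS_OF = {"customer_db": ["db_server", "internal_lan"],
                 "web_portal": ["web_server", "internal_lan"]}
VULNERABILITIES = {"db_server": 0.4, "web_server": 0.8, "internal_lan": 0.2}  # likelihood 0..1
CONTROLS = [
    Control("patch_mgmt", 2, {("network", "interruption"): 0.5,
                              ("network", "modification"): 0.5,
                              ("network", "disclosure"): 0.25}),
    Control("db_encryption", 3, {("network", "disclosure"): 0.8, ("physical", "disclosure"): 0.8}),
    Control("offsite_backup", 1, {("physical", "loss"): 0.9, ("network", "loss"): 0.9}),
    Control("waf", 2, {("network", "modification"): 0.6, ("network", "interruption"): 0.3}),
]

if __name__ == "__main__":
    reg = build_risk_register(REQUIREMENTS, THREATS, COMPONENTS_OF, VULNERABILITIES)
    for t, s in reg:
        print(f"{s:4.2f}  {t.asset:12} {t.access}/{t.actor}/{t.motive}/{t.outcome}")
    print(select_controls(reg, CONTROLS, budget=4))
```

The greedy pass is deliberately simple: with a budget of 4 it takes the patch-management control first (it touches three of the four threat paths) and then the cheap backup control, leaving the encryption and WAF controls unaffordable. The point is the data flow, not the optimiser; the chapter's own selection and clustering methods are not represented here.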
