120 Emerging Informatics – Innovative Concepts and Applications

addresses the technical security policies of the organisation, as well as the implementation and enforcement of those policies.

f. **Business continuity and disaster recovery planning.** Addresses the preparation, processes, and practice required to ensure the preservation of the business in the face of major disruptions to normal business operations.

g. **Telecommunications and network security.** Encompasses the structures, transmission methods, transport formats, and security measures used to provide integrity, availability, and confidentiality for transmissions over private and public communications networks and media.

h. **Application security.** Refers to the controls that are included within and applied to system and application software. Application software includes agents, applets, operating systems, databases, data warehouses, knowledge-based systems, etc. These may be used in distributed or centralized environments.

i. **Operations security.** Addresses the protection and control of data processing resources in both centralized (data centre) and distributed (client/server) environments.

j. **Legal, regulations, compliance, and investigations.** Addresses general computer crime legislation and regulations, the investigative measures and techniques that can be used to determine if an incident has occurred, and the gathering, analysis, and management of evidence if it exists.

For the current state of the art, the CSA has defined 13 domains as an exhaustive description of the situation pertinent to cloud computing (CSA Guidance 2009):

Domain 1: Cloud Computing Architectural Framework
Domain 2: Governance and Enterprise Risk Management
Domain 3: Legal and Electronic Discovery
Domain 4: Compliance and Audit
Domain 5: Information Lifecycle Management
Domain 6: Portability and Interoperability
Domain 7: Traditional Security, Business Continuity and Disaster Recovery
Domain 8: Data Centre Operations
Domain 9: Incident Response, Notification, and Remediation
Domain 10: Application Security
Domain 11: Encryption and Key Management
Domain 12: Identity and Access Management
Domain 13: Virtualization

The key point is that the Situation in Manunta's formula cited earlier [S = f(A;P,T) Si] can be viewed, in the information security environment, as a set of well-defined interdependent domains, each one with its own organizational and operational autonomy and protection.

In addition, each domain contributes its own security share to the general protection, and any security breach in a single domain has consequences for the breached domain and/or for other domains and/or for the general business. Furthermore, a more appropriate keyword is "security of the information infrastructure" rather than "information security", with the following definition:

**Information infrastructure**. It is the satellite, terrestrial, and wireless communication system that delivers content to homes, businesses and other public and private institutions.

**3. The risk perception**

Risk is a word that admirably serves the forensic needs of the new global culture; its calculation is deeply entrenched in science and manufacturing and serves as a theoretical base for decision making (Douglas pp. 22-23).

Generally speaking, risks are classified as "speculative" (the difference between loss or gain, for example the risk in gambling) and "pure risk", a loss or no-loss situation, to which insurance generally applies (Broder p. 630).

According to the common understanding relating to the information infrastructure, the risk-focused assets are usually identified as availability, confidentiality and/or privacy, integrity, authentication and non-repudiation. The risk analysis is tailored to the traditional definition of risk, according to ISO/IEC (2002, p. 2), which states: "*combination of the probability of an event and its consequences, but the term risk is generally used only when there is at least the possibility of negative consequences.*"

This is defined as Probabilistic Risk Assessment (PRA) (Brotby W. C. p. 205). PRA has emerged as an increasingly popular analysis tool, especially during the last decade. PRA is a systematic and comprehensive methodology to evaluate the risks associated with every lifecycle aspect of a complex engineered technological entity, from concept definition through design, construction and operation, up to removal from service.

Risk is defined as a feasible detrimental outcome of an activity or action subject to hazards. In PRA, risk is characterized by two quantities: the magnitude (or severity) of the adverse consequence(s) that can potentially result from the given activity or action, and the likelihood of occurrence of the given adverse consequence(s). If the measure of consequence severity is the number of people that can potentially be injured or killed, risk assessment becomes a powerful analytical tool to assess safety performance.

If the severity of the consequence(s) and their likelihood of occurrence are both expressed qualitatively (e.g. through words like high, medium, or low), the risk assessment is called a qualitative risk assessment. In a quantitative risk assessment, or probabilistic risk assessment, consequences are expressed numerically (e.g. the number of people potentially hurt or killed) and their likelihoods of occurrence are expressed as probabilities or frequencies (i.e. the number of occurrences, or the probability of occurrence, per unit time).

In security applications, the probability of occurrence (PO) is given by:

PO = PA (1 – PE)

where PA is the probability of an attack and PE is the probability of effectiveness of the security system (Rogers B.B., p. 76).

Organizations have the option of performing a risk assessment in one of two ways: qualitatively or quantitatively (Abbo, Sun - May 2009 pp. 342-346).

Qualitative risk assessments produce valid results that are descriptive rather than measurable (Tipton F. H. – Henry K. p. 56).

A qualitative risk assessment is typically conducted when:

The timeframe to complete the risk assessment is short;

The risk assessors available for the organization have limited expertise in quantitative risk assessment;

The organization does not have a significant amount of data readily available that can assist with the risk assessment.

Quantitative risk assessment is used by an organization when it becomes more sophisticated in data collection and retention and its staff become more experienced in conducting risk assessments.

The hallmark of a quantitative risk assessment is the numeric nature of the analysis. Frequency, probability, impact, countermeasure effectiveness, and other aspects of the risk assessment have a discrete mathematical value in pure quantitative analysis.

Risk is associated with a negative event, and for any negative event we normally have pure damages (the costs of the pure loss), resilience damages (the costs of resetting) and consequential damages (which can be the loss of image or of business activity, or a step taken by the threat to pursue other, more harmful aims) (Innamorati, pp. 61-62, my translation).

However, if we consider speculative risk, the "positive consequences" should also be considered, in accordance with the concept widely accepted in the business world of no risk, no return (Lam pp. 4-5).

The divisions of risk are limited to three common categories:

Personal (having to do with people assets);

Property (having to do with material assets);

Liability (having to do with legalities that could affect both of the previous categories, such as errors and omissions liability).

Finally, the environment in which risk management is situated should be taken into consideration (Jones, Ashenden p. 244):

"Figure 3 depicts the environment in which risk management is situated. At the bottom of the diagram is the concept of trustworthiness (trust is the predisposition to expose oneself to a security risk). In turn, this has a direct relationship to governance processes in an organization, and this influences an organization's ability to demonstrate compliance."

Information Security Management Accounting 123

Fig. 3. The risk environment actors. (Figure labels: RISK ENVIRONMENT, GOVERNANCE, COMPLIANCE, REGULATION, TRUSTWORTHINESS, RISK, STRATEGY AND STRUCTURE.)

However, it should be pointed out that risk identification and risk estimation are both human and social activities (Tsohou A., Karyda M., Kokolakis S., Kiountouzis p. 202). Different people (end-users, stakeholders, etc.) form their perception of risk from what they have seen themselves or from what they have been told by friends. Many factors may influence the way risk is perceived; some of them include familiarity with the source of danger, the ability to control the situation and the dreadfulness of the results.

Therefore, people's ranking of threats may not coincide with that of IS security professionals. In essence, much of people's knowledge of the world comes from perceived stimulus: signs, signals and images.

**4. The actual risk management approach**

The top edge of security management is represented by the International Standard that adopts the "Plan–Do–Check–Act" (PDCA) model, which is applied to structure all Information Security Management System (ISMS) processes (ISO/IEC 27001 pp. v–vi).

The adoption of the PDCA model will also reflect the principles governing the security of information systems and networks. This is a robust model for implementing the principles of those guidelines governing risk assessment, security design and implementation, security management and reassessment.

Risk management is defined by the Random House Dictionary as "the technique or profession of assessing, minimizing, and preventing accidental loss to a business, as through the use of insurance, safety measures etc." (Tipton F. H. – Henry K. p. 56).

A systematic approach to information security risk management is necessary to identify organizational needs regarding information security requirements and to create an effective information security management system (ISMS) (ISO/IEC 27005 pp. 3-6).

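The risk quantities of section 3 carried through in code, as an added example that is not code from the chapter or from its cited sources: PO = PA (1 – PE), severity split into pure, resilience and consequential damages, risk as likelihood × magnitude in the PRA sense, the numeric value of a countermeasure as the risk it removes, and a qualitative high/medium/low rating of the same scenarios for comparison. The scenario names, probabilities, cost figures and band thresholds are constructed assumptions for the illustration. One caveat the formula leaves implicit: the product PA (1 – PE) treats the attack and the failure of the security system as independent events.

```python
"""Worked example for the risk formulas of section 3 (added illustration,
not the chapter's own code).  Scenario names, probabilities, cost figures
and band thresholds below are constructed assumptions."""
from dataclasses import dataclass


def probability_of_occurrence(pa: float, pe: float) -> float:
    """PO = PA (1 - PE): probability of an attack times the probability that
    the security system fails to stop it.  The product assumes the two are
    independent.  PE = 1 (a perfectly effective control) gives PO = 0."""
    for name, p in (("PA", pa), ("PE", pe)):
        if not 0.0 <= p <= 1.0:
            raise ValueError(f"{name} must lie in [0, 1], got {p!r}")
    return pa * (1.0 - pe)


@dataclass(frozen=True)
class Damages:
    """Severity of one negative event, split as the chapter describes."""
    pure: float           # cost of the loss itself
    resilience: float     # cost of the reset (restoring the service)
    consequential: float  # loss of image/business, or a stepping stone

    def severity(self) -> float:
        return self.pure + self.resilience + self.consequential


@dataclass(frozen=True)
class Scenario:
    name: str
    pa: float             # probability of an attack in the assessment period
    pe: float             # probability the security system is effective
    damages: Damages

    def po(self) -> float:
        return probability_of_occurrence(self.pa, self.pe)

    def risk(self) -> float:
        """Quantitative (PRA) risk: likelihood x magnitude, in money units."""
        return self.po() * self.damages.severity()


def band(value: float, low_max: float, high_min: float) -> str:
    """Collapse a number onto the qualitative scale low / medium / high."""
    if value <= low_max:
        return "low"
    if value >= high_min:
        return "high"
    return "medium"


# Risk matrix: (likelihood band, severity band) -> qualitative rating.
_MATRIX = {
    ("low", "low"): "low", ("low", "medium"): "low", ("low", "high"): "medium",
    ("medium", "low"): "low", ("medium", "medium"): "medium", ("medium", "high"): "high",
    ("high", "low"): "medium", ("high", "medium"): "high", ("high", "high"): "high",
}


def qualitative_rating(s: Scenario) -> str:
    """Qualitative assessment of the same scenario: words, not numbers.
    The thresholds are assumptions chosen for this example."""
    likelihood = band(s.po(), low_max=0.05, high_min=0.25)
    severity = band(s.damages.severity(), low_max=20_000, high_min=200_000)
    return _MATRIX[(likelihood, severity)]


def risk_reduction(s: Scenario, new_pe: float) -> float:
    """Expected loss avoided by raising the effectiveness of the security
    system from s.pe to new_pe: countermeasure effectiveness as a number."""
    improved = Scenario(s.name, s.pa, new_pe, s.damages)
    return s.risk() - improved.risk()


def rank_by_risk(scenarios):
    """Order scenarios from highest to lowest quantitative risk."""
    return sorted(scenarios, key=lambda s: s.risk(), reverse=True)


# Constructed sample scenarios; every figure is illustrative only.
SCENARIOS = [
    Scenario(name="ransomware on file server", pa=0.6, pe=0.7,
             damages=Damages(pure=50_000, resilience=80_000, consequential=120_000)),
    Scenario(name="web application SQL injection", pa=0.9, pe=0.95,
             damages=Damages(pure=10_000, resilience=15_000, consequential=5_000)),
    Scenario(name="lost unencrypted laptop", pa=0.3, pe=0.0,
             damages=Damages(pure=2_000, resilience=1_000, consequential=40_000)),
]

if __name__ == "__main__":
    for s in rank_by_risk(SCENARIOS):
        print(f"{s.name:32s} PO={s.po():.3f} risk={s.risk():>10,.0f} "
              f"rating={qualitative_rating(s)}")
```

Running the block ranks the ransomware scenario first (PO 0.18, risk 45,000), the laptop second (PO 0.30, risk 12,900) and the SQL injection last (PO 0.045, risk 1,350), while the qualitative matrix rates both ransomware and laptop simply "high": the descriptive scale keeps the ordering but loses the 3.5× difference between them, which is the "descriptive versus measurable" trade-off the text describes. Raising PE for the ransomware scenario from 0.7 to 0.9 removes 30,000 of expected loss, the figure a quantitative assessment would weigh against the cost of that control.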