International Journal of Computer Engineering and Technology (IJCET)
ISSN 0976 – 6367(Print)
ISSN 0976 – 6375(Online)
Volume 5, Issue 10, October (2014), pp. 11-20
© IAEME: www.iaeme.com/IJCET.asp
Journal Impact Factor (2014): 8.5328 (Calculated by GISI)
www.jifactor.com
RELATIVE RISK BENCHMARKING ENABLING BETTER DECISION MAKING FOR MANAGING INFORMATION SECURITY RISKS
Upasna Saluja 1, Norbik Bashah Idris 2
1, 2 Faculty of Computing, University of Technology (UTM), Malaysia
ABSTRACT 
Faced with multiple information security risks, organizations need to prioritize which risks to address among all the risks that affect or have the potential to affect the organization. Organizations struggle in this process since the current approaches for comparing risks are rudimentary and rely on expert judgment. The research studies the approach to risk prioritization in leading risk management methodologies. This paper describes the decision making process which results in the generation of a new index, the “Relative Risk Benchmark” (RRB), which guides an organization to take informed decisions about the allocation of resources towards mitigation of identified risks. RRB is calculated on the basis of statistical analysis performed for identified risks observed over time. RRB enables an organization to rely on a scientifically derived value of various risks, which results in better risk prioritization with greater confidence.
By making risk related decision making more objective, reducing dependence on expert judgment and improving the overall confidence in decision making, RRB provides a path breaking innovation to the field of Information Security Risk Management. Above all, it helps avoid wasteful expenditure by focusing the attention of risk assessors on only those risks that matter and prioritizing resources optimally based on the scientifically determined relative risk.
Keywords: Information Security, Risk Management, Statistics, Decision Making Process. 
1. INTRODUCTION TO DECISION MAKING TOWARDS INFO SEC RISK MANAGEMENT
The information security threat environment that organizations face today is becoming highly complex, dynamic and dangerous. The scale, complexity and scope of information security risks have gone beyond just hacker and virus attacks on computer systems (Aaron Beach 2009). For example, the
recent theft of millions of credit card records from the Target company led to the loss of millions of dollars; besides, the CIO and CEO lost their jobs (Abrams 2014). In order to avoid putting the organisation at risk due to breaches, executives resort to risk management, which involves risk identification, risk assessment and taking appropriate risk mitigation measures. When faced with multiple risks it becomes necessary to get a precise understanding of how important a particular risk is for the organization when compared to other risks. This paper presents the statistical Relative Risk Benchmark, which enables an organization to make better decisions in prioritizing risks, thus spending the organization’s limited resources for information security in an optimum manner.
2. ISSUES WITH CURRENT DECISION MAKING APPROACHES FOR ADDRESSING INFORMATION SECURITY RISKS
The researcher studied the approaches of risk prioritization as a part of the existing risk 
management methodologies, in order to understand how these methods address risk prioritization. 
According to Peter et al (Hoh Peter In 2004), there is a dearth of a model to evaluate information 
security risks quantitatively. Organizations struggle with the decision making process when choosing 
which risks to address or how much to allocate towards mitigating an individual risk vis-a-vis other 
risks. 
No existing Risk Assessment methodology enables an organization to compare different risks 
faced by the organization in a scientific or statistical manner. Findings of the study reveal that in 
existing approaches, decisions towards risk prioritization rely on rudimentary methods. The risk 
mitigation recommendations are not easily accepted by stakeholders, since decision making has a 
qualitative basis and is subject to expert judgment and potential bias. 
3. KEY OBJECTIVES: BETTER DECISION MAKING PROCESS FOR ADDRESSING INFORMATION SECURITY RISKS
This study sought to improve risk related decision making by improving risk prioritization. 
The key objective of the study was to develop a scientific method for risk prioritization in order to 
improve decision making during risk treatment. 
4. STATISTICS BASED INFORMATION SECURITY RISK MANAGEMENT METHODOLOGY
This paper presents the Relative Risk Benchmarking (RRB) approach for better decision 
making in Information Security Risk Management. This approach is based on the statistical 
Information Security Risk Management methodology. Further, it presents the results of 
implementation in an organization which validates key contributions of RRB. The process for 
developing RRB is as follows: 
4.1. Context Establishment 
Establish the context pertinent to the organization and the risk management approach to be 
followed. Define scope, boundaries and risk criteria. 
4.2. SQRC Information Security Risk Identification 
The SQRC Methodology involves defining Risk Indicators of the Information Technology environment. It then builds to a quantitative phase during which SQRC gathers a larger amount of data over a period of time on the organization’s risk and consequence indicators determined in the first qualitative phase. The key steps of the SQRC approach for defining and managing Information Security Risk Indicators are:
4.2.1. Obtaining Management Support
4.2.2. Identify a Business Sponsor
4.2.3. Develop SQRC Information Security Risk Indicators
• Step 1 – Consider the initial pool of 43 Risk Indicators defined for the IT environment.
• Step 2 – Conduct interviews to define Business Relevant Risk Indicators.
• Step 3 – Conduct interviews to gather context and incorporate it in the Risk Indicators: incorporate insights from the context such as the Geographical, Operational and Business context, as well as Risks not faced by the Organization but faced by Peer Organizations, and Industry Trends.
4.2.4. Dealing with Anomalies and Escalations
4.2.5. Governance
4.2.6. Communication and Review
4.3. Risk Analysis 
 
In the RA phase, SQRC conducts statistical Risk Analysis on the data collected during the Risk Identification phase. SQRC uses a second generation statistical technique known as Partial Least Squares (Leisch), which is a regression technique under Structural Equation Modeling. PLS creates a linear relationship between the explanatory risk indicators (Hill) on the one hand and, on the other hand, the response variables, which refer to the consequences observed by an organisation. SQRC fits a model for one or more response variables based on the explanatory risk indicators. In other words, PLS regression analysis creates a linear model:
Y = XB + E,
where Y is an n cases by m variables response matrix, X is an n cases by p variables explanatory matrix, B is a p by m regression coefficient matrix, and E is a noise term for the model which has the same dimensions as Y.
While analyzing, SQRC takes care of model building strategies which include the Proportion of Variance Explained (PVE) in X and Y, the relationship of Response Scores to Predictor Scores, and the Correlation Loading Plot to interpret relationships between variables. The model for regression is created by considering Parameter Estimates. The parameter estimates of the model describe the relationship between the dependent and explanatory variables.
Where,
This helps to create a model for prediction of every dependent variable which is analyzed in 
greater detail during the Risk Evaluation stage. 
4.4. Relative Risk Benchmarking (RRB) for Better Decision Making 
The new index, RRB, determines the relative potential of each of the many information security risks so that decision making is improved. The Relative Risk Benchmark (RRB) accomplishes this by identifying the contribution made by each individual predictor variable (Young, 2012) towards the statistical model for the selected response variable (impact area).
Variable Importance in Projection (VIP): In PLS, the statistical technique used by SQRC, the VIP values represent the overall contribution of each X-variable to the PLS model, summed over all the components and weighted according to the Y variation explained by each component. The VIP value is expressed as a percentage to determine the relative contribution of each risk indicator.
Relative Risks determined through the Relative Risk Benchmark (RRB): SQRC takes the variable importance in projection into consideration while creating the RRB. The RRB displays the risk indicators which have contributed towards the statistical prediction model of the response variable. This prevents wasteful use of resources by removing from the list of risks those risk indicators that do not have any influence on the area under consideration. The graph displays the percentage contribution made by the different explanatory variables (Xi) towards the regression model of the response variable (Yj).
5. CASE STUDY: RELATIVE RISK BENCHMARK 
5.1. Context Establishment 
The proposed methodology, described in Section 4 above, was implemented in a subsidiary 
of a multi-national organisation based in India. This information–centric company provides products 
for equity trading to brokers and stock exchanges. The scope of study included the company’s 
information security environment, and other functions involved in risk management along with 130 
staff members. The environment was observed and relevant data recorded from Jun 2013 to Dec 
2013. 
5.2. Risk Identification: Risk Indicators Determined for the Organization 
Towards risk identification at the organization selected for the case study, RRB was implemented as described in Section 4. For confidentiality reasons, the name of the organization selected for the Case Study is withheld. The results of the study are summarized below:
5.2.1. Senior Management Support was obtained for the implementation of the Risk Indicators process.
5.2.2. Development of SQRC Information Security Risk Indicators: In consultation with the identified internal stakeholders and through review of incident and audit data, relevant risk reports, industry surveys and reports, the study identified 43 risk indicators for IT Environments, as covered in the tables below.
Table 1: Risk Indicators (Explanatory Variables - Xi)
S N  Category                              RI#  Risk Indicator
1    Physical Damage                       X1   Damage or Destruction of equipment or media
                                           X2   Natural Disasters (Flood, Earthquake, Volcanic phenomenon etc.)
                                           X3   Fire (Natural or Man-made)
                                           X4   Man-made Disaster (Bomb / Terrorist attacks, riots, other disruptions)
                                           X5   Climatic Phenomenon (Dust, Corrosion, Freezing…)
2    Loss of Essential services            X6   Failure of air-conditioning or water supply system
                                           X7   Issues due to Power Supply
                                           X8   Business Disruption due to telecommunications
3    Technical Issues                      X9   Failure or degradation of Internet Connectivity
                                           X10  System non-availability, System hardware failure or Malfunction
                                           X11  Network equipment failure or Malfunction
                                           X12  Software Malfunction or Failure
                                           X13  Degradation of the information system (due to performance / capacity)
                                           X14  Malicious code (Malware) e.g. Virus, Trojan horse
                                           X15  Obsolescence of Hardware including network equipment
                                           X16  Obsolescence of software or applications
                                           X17  Network performance degradation or connectivity issues
                                           X18  Damage to Network Cables
                                           X19  Deterioration/Loss of storage media (such as Back-up, databases etc.)
                                           X20  Wireless network issues
                                           X21  Inadequate vulnerability Management Practices
                                           X22  Inadequate maintenance practices and measures for technology equipment
                                           X23  Disturbance due to Radiation
4    Compromise of information             X24  Social Engineering
                                           X25  Physical Theft or robbery of media, documents or equipment
                                           X26  Theft of and/or unauthorized access to information held within systems
                                           X27  Information Retrieval from recycled or discarded media
                                           X28  Unauthorized Disclosure of confidential information
                                           X29  Breach of employee's / customer's private information
                                           X30  Tampering (unauthorized modification) of Data / Hardware / Software
                                           X31  Spoofing / impersonation / masquerading / Abuse or Forging of Rights
5    Unauthorized actions                  X32  Unauthorized use of systems or internet access
                                           X33  Unauthorized downloading or use of unauthorized software
                                           X34  Unauthorized physical access
                                           X35  Cyber Attack
                                           X36  Unrestricted use of storage or computing devices
6    Operational Issues                    X37  Issues due to lack of operational training of staff members (e.g. data entry errors, accidental data deletion, information sent to wrong recipient)
                                           X38  Lack of expertise in technology and security administrators (e.g. configuration error)
                                           X39  Lack of staff members with required skill or experience (Inability to attract, retain or effectively deploy capable staff)
                                           X40  Lack of appropriate workplace health, safety or wellbeing measures provided to staff
                                           X41  Information Security awareness of staff members
                                           X42  Deterioration of storage media (hard copy documents)
7    Unauthorized actions by Third Party   X43  Errors or unauthorized action (improper access, disclosure, alteration or destruction of information) by third party staff members - Vendor / Supplier / outsourced provider.
A decision was taken to apply second generation regression analyses, which required the definition of response variables. Information security impact areas were designated as consequence indicators and used as the response variables for the statistical regression analysis.
The study defined the consequence indicators (Y variables) applicable to the context of the IT enabled environment of organizations. The main concern of the organization was the CIA (confidentiality, integrity and availability) of data as well as weaknesses in infrastructure and organizational processes. Thus the following were selected:
Table 2: Consequence Indicators (Response Variables - Yj)
Var  Area
Y1   Information Availability
Y2   Information Confidentiality & Integrity
Y3   Infrastructure & Organisational Processes
Data was collected over a seven month period, with readings taken every ten days for both the explanatory and the response variables, based on which a data set was prepared for conducting the data analysis.
5.2.3. Dealing with Anomalies or Escalations: The study built up a process for dealing with anomalies in the gathered data and other escalations by assigning responsibilities.
5.2.4. Governance: This step assigned responsibility for the administration and monitoring of Risk Indicators to the risk and compliance head. This step also assigned the responsibility of supplying the required data relating to risk indicators to the functions involved in the risk management exercise.
5.2.5. Communication and Review: Executive management is to be kept informed on a quarterly basis through status reports. The study also defined the responsibility for communication to the functional stakeholders and the triggers for escalation as 10% more than baseline.
5.3. Risk Analysis 
As mentioned above in Section 4.3, Risk Analysis was conducted using statistical techniques. SQRC used the statistical model from the PLS analysis to determine the values of statistical parameters, of which Variable Importance in Projection (VIP) was processed for eliminating those risk indicators that were not relevant to the model. SQRC statistical Risk Analysis resulted in determining the contribution made by each Risk Indicator towards the Consequence Indicators (Y1, Y2 or Y3). Determining the relative contribution provided significant value to the management when they needed to take decisions about the allocation of resources for future Risk treatment actions.
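The VIP-to-RRB computation described in Section 4.4 and applied in the case study's Risk Analysis above, as an added worked example (not code from the paper or from SQRC): it fits a single-response PLS model with the NIPALS algorithm in plain Python, derives each indicator's VIP, drops indicators below a cut-off and expresses the rest as percentage contributions. The readings, the choice of two PLS components, column autoscaling and the VIP ≥ 1 cut-off are all assumptions made for this illustration.

```python
"""Relative Risk Benchmark (RRB) from PLS VIP scores.

Added illustration, not code from the paper or from SQRC. It fits a
single-response PLS model (PLS1, NIPALS), computes the Variable Importance
in Projection (VIP) of every risk indicator, drops indicators below a VIP
cut-off and expresses the rest as percentage contributions, which is what
the paper's RRB pie charts display for one consequence indicator.
"""
from math import sqrt

# Constructed readings, not data from the case study: 12 ten-day readings
# of four Table 1 indicators and one consequence indicator (Y1). Y1 was
# built as roughly 3*X10 + X12 plus small noise, so X10 and X12 should
# dominate while X7 and X17 should carry little weight.
INDICATORS = ["X7", "X10", "X12", "X17"]
X_READINGS = [
    [1, 2, 5, 3], [1, 4, 3, 2], [2, 1, 4, 3], [1, 5, 6, 2],
    [1, 3, 2, 3], [2, 6, 5, 2], [1, 2, 3, 3], [1, 4, 6, 2],
    [2, 5, 4, 3], [1, 1, 2, 2], [1, 3, 5, 3], [2, 6, 3, 2],
]
Y1_READINGS = [12, 14, 7, 22, 10, 23, 10, 17, 19, 6, 13, 21]


def _dot(a, b):
    return sum(x * y for x, y in zip(a, b))


def _autoscale(column):
    """Centre a column and scale it to unit variance so that indicators
    measured on different scales get equal footing (standard PLS step)."""
    n = len(column)
    mean = sum(column) / n
    sd = sqrt(sum((v - mean) ** 2 for v in column) / (n - 1))
    return [(v - mean) / sd for v in column]


def pls1_vip(x_rows, y, n_components=2):
    """Return the VIP score of each X column for a PLS1 model of y."""
    n, p = len(x_rows), len(x_rows[0])
    cols = [_autoscale([row[j] for row in x_rows]) for j in range(p)]
    y_mean = sum(y) / n
    resid = [v - y_mean for v in y]
    weights, explained = [], []
    for _ in range(n_components):
        # Weight vector: covariance of each deflated column with residual y.
        w = [_dot(col, resid) for col in cols]
        norm = sqrt(_dot(w, w))
        if norm == 0:          # nothing left to explain
            break
        w = [v / norm for v in w]
        # Scores t = X w, X loadings and y loading q for this component.
        t = [sum(cols[j][i] * w[j] for j in range(p)) for i in range(n)]
        tt = _dot(t, t)
        loads = [_dot(col, t) / tt for col in cols]
        q = _dot(resid, t) / tt
        # Deflate X and y before extracting the next component.
        cols = [[col[i] - t[i] * pl for i in range(n)]
                for col, pl in zip(cols, loads)]
        resid = [resid[i] - q * t[i] for i in range(n)]
        weights.append(w)
        explained.append(q * q * tt)   # y sum of squares explained
    total = sum(explained)
    # VIP_j = sqrt(p * sum_a SS_a * w_aj^2 / sum_a SS_a); mean VIP^2 is 1,
    # so scores above 1 mark indicators of above-average influence.
    return [sqrt(p * sum(ss * w[j] ** 2 for ss, w in zip(explained, weights))
                 / total) for j in range(p)]


def relative_risk_benchmark(names, x_rows, y, n_components=2, vip_cutoff=1.0):
    """Percentage contribution of every indicator kept by the VIP cut-off,
    largest first. VIP >= 1 is the usual 'influential' rule (an assumption
    here; the paper only says non-contributing indicators are removed)."""
    vips = pls1_vip(x_rows, y, n_components)
    kept = {nm: v for nm, v in zip(names, vips) if v >= vip_cutoff}
    total = sum(kept.values())
    ranked = sorted(kept.items(), key=lambda kv: kv[1], reverse=True)
    return {nm: 100.0 * v / total for nm, v in ranked}


if __name__ == "__main__":
    for nm, v in zip(INDICATORS, pls1_vip(X_READINGS, Y1_READINGS)):
        print(f"{nm:4} VIP = {v:.3f}")
    for nm, pct in relative_risk_benchmark(INDICATORS, X_READINGS,
                                           Y1_READINGS).items():
        print(f"{nm:4} RRB = {pct:5.1f} %")
```

The percentages returned by relative_risk_benchmark are the slices of an RRB pie chart; indicators excluded by the cut-off are the ones the paper describes as removed from the list of risks for that impact area.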
5.4. Objective Results of RRB based Analysis 
Relative Risk Benchmark determined for the organization is presented below as “pie charts”, 
which display the risk indicators that have contributed towards statistical prediction model for the 
chosen response variables. 
5.4.1. Relative Risks Measured through RRB - Y1 (Availability of Information): The Pie chart 
provided below represents the percentage contribution made by 18 relevant risk indicators which 
contributed towards negative impact in terms of Availability of Information (Y1). 
Focus only on risk indicators which had significant influence and prioritize based on the 
percentage of relative risk contribution.
Figure 1: Relative Risk Benchmark for Y1 – Availability of Information
5.4.2. Relative Risks Measured through RRB – Y2 (Confidentiality & Integrity of Information): As can be seen from the pie chart, SQRC RA showed that 26 risk indicators are under consideration; their relative contribution to the model is given below:
Figure 2: Relative Risk Benchmark for Y2 Confidentiality and Integrity of Information
The organization focuses only on the 26 risk indicators which had significant influence and prioritizes among them based on the percentage of relative risk contribution.
5.4.3. Relative Risks Measured through RRB – Y3 (Organizational Processes and Infrastructure): Similarly, SQRC RA for Organizational Processes and Infrastructure showed an impact from 13 risk indicators, whose relative contribution in percentage is given below:
Figure 3: Relative Risk Benchmark for Y3 Infrastructure and Organization Processes
The organization focuses only on these 13 risk indicators and prioritizes among them based on the percentage of relative risk contribution.
With the above three sets of analyses, the organization was in a better position to make decisions on risk prioritization during risk treatment.
6. CONTRIBUTION OF RRB
RRB improves risk related decision making since it is a scientific index that results in more scientific prioritization of risks; executives are able to take better risk related decisions on investments in counter measures. RRB generates a list of objective and data-oriented key influencers which enable better decision making during relative risk prioritization. Even Risk Managers who do not possess a high degree of subject matter expertise are able to determine how much an individual risk indicator contributes towards the information security impact area under review. RRB enables objective risk related prioritization and improves decision making by moving away from relying upon the merely rudimentary mathematics used in traditional methods. SQRC RRB Analysis, being based on data collected from within the organisation, leads to factual analysis and thus inspires greater confidence among stakeholders. SQRC RRB analyses data that is gathered from the organisation over a period of time, thus resulting in more reliable risk prioritization, as it captures the right overall picture of the risk environment rather than just a snapshot of risk.
In conclusion, using the Relative Risk Benchmark, a new statistics based index, organizations are able to make objective decisions for prioritizing risks and thus allocating the organization’s limited information security resources. RRB is a path breaking innovation which enables an organization with a statistical decision making process for allocation of resources towards mitigation of identified risks.
Revista 12   artigo 3Revista 12   artigo 3
Revista 12 artigo 3
 
Pso based fractional order automatic generation controller for two area power...
Pso based fractional order automatic generation controller for two area power...Pso based fractional order automatic generation controller for two area power...
Pso based fractional order automatic generation controller for two area power...
 
Diario de un experimento completo
Diario de un experimento completoDiario de un experimento completo
Diario de un experimento completo
 
Piensa en un numero
Piensa en un numeroPiensa en un numero
Piensa en un numero
 
Кристине
КристинеКристине
Кристине
 
Revista 12 artigo 3
Revista 12   artigo 3Revista 12   artigo 3
Revista 12 artigo 3
 

Similar to Relative risk benchmarking enabling better decision making for managing information security risks

Information Security Risk Analysis Using Analytic Hierarchy Process and Fuzzy...
Information Security Risk Analysis Using Analytic Hierarchy Process and Fuzzy...Information Security Risk Analysis Using Analytic Hierarchy Process and Fuzzy...
Information Security Risk Analysis Using Analytic Hierarchy Process and Fuzzy...IJCSIS Research Publications
 
An Intro to Resolver's Incident Management Application
An Intro to Resolver's Incident Management ApplicationAn Intro to Resolver's Incident Management Application
An Intro to Resolver's Incident Management ApplicationResolver Inc.
 
Information security risk analysis methods and research trends ahp and fuzzy ...
Information security risk analysis methods and research trends ahp and fuzzy ...Information security risk analysis methods and research trends ahp and fuzzy ...
Information security risk analysis methods and research trends ahp and fuzzy ...ijcsit
 
INTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE Walid.docx
INTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE  Walid.docxINTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE  Walid.docx
INTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE Walid.docxMargenePurnell14
 
INTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE Walid.docx
INTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE  Walid.docxINTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE  Walid.docx
INTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE Walid.docxbagotjesusa
 
4Brian DennisonJohn DensonIT454 -1504B-01Mon, 121415.docx
4Brian DennisonJohn DensonIT454 -1504B-01Mon, 121415.docx4Brian DennisonJohn DensonIT454 -1504B-01Mon, 121415.docx
4Brian DennisonJohn DensonIT454 -1504B-01Mon, 121415.docxgilbertkpeters11344
 
Running head ANNOTATED BIBLIOGRAPHYANNOTATED BIBLIOGRAPHY2.docx
Running head ANNOTATED BIBLIOGRAPHYANNOTATED BIBLIOGRAPHY2.docxRunning head ANNOTATED BIBLIOGRAPHYANNOTATED BIBLIOGRAPHY2.docx
Running head ANNOTATED BIBLIOGRAPHYANNOTATED BIBLIOGRAPHY2.docxhealdkathaleen
 
Guide to Risk Management Framework (RMF)
Guide to Risk Management Framework (RMF)Guide to Risk Management Framework (RMF)
Guide to Risk Management Framework (RMF)MetroStar
 
A MULTI-CRITERIA EVALUATION OF INFORMATION SECURITY CONTROLS USING BOOLEAN FE...
A MULTI-CRITERIA EVALUATION OF INFORMATION SECURITY CONTROLS USING BOOLEAN FE...A MULTI-CRITERIA EVALUATION OF INFORMATION SECURITY CONTROLS USING BOOLEAN FE...
A MULTI-CRITERIA EVALUATION OF INFORMATION SECURITY CONTROLS USING BOOLEAN FE...IJNSA Journal
 
Improving Cyber Readiness with the NIST Cybersecurity Framework
Improving Cyber Readiness with the NIST Cybersecurity FrameworkImproving Cyber Readiness with the NIST Cybersecurity Framework
Improving Cyber Readiness with the NIST Cybersecurity FrameworkWilliam McBorrough
 
Risk Assessment Model and its Integration into an Established Test Process
Risk Assessment Model and its Integration into an Established Test ProcessRisk Assessment Model and its Integration into an Established Test Process
Risk Assessment Model and its Integration into an Established Test Processijtsrd
 
SBIC Report : Transforming Information Security: Future-Proofing Processes
SBIC Report : Transforming Information Security: Future-Proofing ProcessesSBIC Report : Transforming Information Security: Future-Proofing Processes
SBIC Report : Transforming Information Security: Future-Proofing ProcessesEMC
 
Taubenberger
TaubenbergerTaubenberger
Taubenbergeranesah
 
w-cyber-risk-modeling Owasp cyber risk quantification 2018
w-cyber-risk-modeling Owasp cyber risk quantification 2018w-cyber-risk-modeling Owasp cyber risk quantification 2018
w-cyber-risk-modeling Owasp cyber risk quantification 2018Open Security Summit
 
PORM: Predictive Optimization of Risk Management to Control Uncertainty Probl...
PORM: Predictive Optimization of Risk Management to Control Uncertainty Probl...PORM: Predictive Optimization of Risk Management to Control Uncertainty Probl...
PORM: Predictive Optimization of Risk Management to Control Uncertainty Probl...IJECEIAES
 
Top 5 secrets to successfully jumpstarting your cyber-risk program
Top 5 secrets to successfully jumpstarting your cyber-risk programTop 5 secrets to successfully jumpstarting your cyber-risk program
Top 5 secrets to successfully jumpstarting your cyber-risk programPriyanka Aash
 
Attack graph based risk assessment and optimisation approach
Attack graph based risk assessment and optimisation approachAttack graph based risk assessment and optimisation approach
Attack graph based risk assessment and optimisation approachIJNSA Journal
 

Similar to Relative risk benchmarking enabling better decision making for managing information security risks (20)

Information Security Risk Analysis Using Analytic Hierarchy Process and Fuzzy...
Information Security Risk Analysis Using Analytic Hierarchy Process and Fuzzy...Information Security Risk Analysis Using Analytic Hierarchy Process and Fuzzy...
Information Security Risk Analysis Using Analytic Hierarchy Process and Fuzzy...
 
An Intro to Resolver's Incident Management Application
An Intro to Resolver's Incident Management ApplicationAn Intro to Resolver's Incident Management Application
An Intro to Resolver's Incident Management Application
 
Information security risk analysis methods and research trends ahp and fuzzy ...
Information security risk analysis methods and research trends ahp and fuzzy ...Information security risk analysis methods and research trends ahp and fuzzy ...
Information security risk analysis methods and research trends ahp and fuzzy ...
 
INTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE Walid.docx
INTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE  Walid.docxINTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE  Walid.docx
INTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE Walid.docx
 
INTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE Walid.docx
INTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE  Walid.docxINTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE  Walid.docx
INTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE Walid.docx
 
Auditing-Cybersecurity in the enterprise
Auditing-Cybersecurity in the enterpriseAuditing-Cybersecurity in the enterprise
Auditing-Cybersecurity in the enterprise
 
4Brian DennisonJohn DensonIT454 -1504B-01Mon, 121415.docx
4Brian DennisonJohn DensonIT454 -1504B-01Mon, 121415.docx4Brian DennisonJohn DensonIT454 -1504B-01Mon, 121415.docx
4Brian DennisonJohn DensonIT454 -1504B-01Mon, 121415.docx
 
Running head ANNOTATED BIBLIOGRAPHYANNOTATED BIBLIOGRAPHY2.docx
Running head ANNOTATED BIBLIOGRAPHYANNOTATED BIBLIOGRAPHY2.docxRunning head ANNOTATED BIBLIOGRAPHYANNOTATED BIBLIOGRAPHY2.docx
Running head ANNOTATED BIBLIOGRAPHYANNOTATED BIBLIOGRAPHY2.docx
 
Guide to Risk Management Framework (RMF)
Guide to Risk Management Framework (RMF)Guide to Risk Management Framework (RMF)
Guide to Risk Management Framework (RMF)
 
ADCB Presentation - MENA Bank Tech June 2014 v2
ADCB Presentation - MENA Bank Tech June 2014 v2ADCB Presentation - MENA Bank Tech June 2014 v2
ADCB Presentation - MENA Bank Tech June 2014 v2
 
Information Serurity Risk Assessment Basics
Information Serurity Risk Assessment BasicsInformation Serurity Risk Assessment Basics
Information Serurity Risk Assessment Basics
 
A MULTI-CRITERIA EVALUATION OF INFORMATION SECURITY CONTROLS USING BOOLEAN FE...
A MULTI-CRITERIA EVALUATION OF INFORMATION SECURITY CONTROLS USING BOOLEAN FE...A MULTI-CRITERIA EVALUATION OF INFORMATION SECURITY CONTROLS USING BOOLEAN FE...
A MULTI-CRITERIA EVALUATION OF INFORMATION SECURITY CONTROLS USING BOOLEAN FE...
 
Improving Cyber Readiness with the NIST Cybersecurity Framework
Improving Cyber Readiness with the NIST Cybersecurity FrameworkImproving Cyber Readiness with the NIST Cybersecurity Framework
Improving Cyber Readiness with the NIST Cybersecurity Framework
 
Risk Assessment Model and its Integration into an Established Test Process
Risk Assessment Model and its Integration into an Established Test ProcessRisk Assessment Model and its Integration into an Established Test Process
Risk Assessment Model and its Integration into an Established Test Process
 
SBIC Report : Transforming Information Security: Future-Proofing Processes
SBIC Report : Transforming Information Security: Future-Proofing ProcessesSBIC Report : Transforming Information Security: Future-Proofing Processes
SBIC Report : Transforming Information Security: Future-Proofing Processes
 
Taubenberger
TaubenbergerTaubenberger
Taubenberger
 
w-cyber-risk-modeling Owasp cyber risk quantification 2018
w-cyber-risk-modeling Owasp cyber risk quantification 2018w-cyber-risk-modeling Owasp cyber risk quantification 2018
w-cyber-risk-modeling Owasp cyber risk quantification 2018
 
PORM: Predictive Optimization of Risk Management to Control Uncertainty Probl...
PORM: Predictive Optimization of Risk Management to Control Uncertainty Probl...PORM: Predictive Optimization of Risk Management to Control Uncertainty Probl...
PORM: Predictive Optimization of Risk Management to Control Uncertainty Probl...
 
Top 5 secrets to successfully jumpstarting your cyber-risk program
Top 5 secrets to successfully jumpstarting your cyber-risk programTop 5 secrets to successfully jumpstarting your cyber-risk program
Top 5 secrets to successfully jumpstarting your cyber-risk program
 
Attack graph based risk assessment and optimisation approach
Attack graph based risk assessment and optimisation approachAttack graph based risk assessment and optimisation approach
Attack graph based risk assessment and optimisation approach
 

More from IAEME Publication

IAEME_Publication_Call_for_Paper_September_2022.pdf
IAEME_Publication_Call_for_Paper_September_2022.pdfIAEME_Publication_Call_for_Paper_September_2022.pdf
IAEME_Publication_Call_for_Paper_September_2022.pdfIAEME Publication
 
MODELING AND ANALYSIS OF SURFACE ROUGHNESS AND WHITE LATER THICKNESS IN WIRE-...
MODELING AND ANALYSIS OF SURFACE ROUGHNESS AND WHITE LATER THICKNESS IN WIRE-...MODELING AND ANALYSIS OF SURFACE ROUGHNESS AND WHITE LATER THICKNESS IN WIRE-...
MODELING AND ANALYSIS OF SURFACE ROUGHNESS AND WHITE LATER THICKNESS IN WIRE-...IAEME Publication
 
A STUDY ON THE REASONS FOR TRANSGENDER TO BECOME ENTREPRENEURS
A STUDY ON THE REASONS FOR TRANSGENDER TO BECOME ENTREPRENEURSA STUDY ON THE REASONS FOR TRANSGENDER TO BECOME ENTREPRENEURS
A STUDY ON THE REASONS FOR TRANSGENDER TO BECOME ENTREPRENEURSIAEME Publication
 
BROAD UNEXPOSED SKILLS OF TRANSGENDER ENTREPRENEURS
BROAD UNEXPOSED SKILLS OF TRANSGENDER ENTREPRENEURSBROAD UNEXPOSED SKILLS OF TRANSGENDER ENTREPRENEURS
BROAD UNEXPOSED SKILLS OF TRANSGENDER ENTREPRENEURSIAEME Publication
 
DETERMINANTS AFFECTING THE USER'S INTENTION TO USE MOBILE BANKING APPLICATIONS
DETERMINANTS AFFECTING THE USER'S INTENTION TO USE MOBILE BANKING APPLICATIONSDETERMINANTS AFFECTING THE USER'S INTENTION TO USE MOBILE BANKING APPLICATIONS
DETERMINANTS AFFECTING THE USER'S INTENTION TO USE MOBILE BANKING APPLICATIONSIAEME Publication
 
ANALYSE THE USER PREDILECTION ON GPAY AND PHONEPE FOR DIGITAL TRANSACTIONS
ANALYSE THE USER PREDILECTION ON GPAY AND PHONEPE FOR DIGITAL TRANSACTIONSANALYSE THE USER PREDILECTION ON GPAY AND PHONEPE FOR DIGITAL TRANSACTIONS
ANALYSE THE USER PREDILECTION ON GPAY AND PHONEPE FOR DIGITAL TRANSACTIONSIAEME Publication
 
VOICE BASED ATM FOR VISUALLY IMPAIRED USING ARDUINO
VOICE BASED ATM FOR VISUALLY IMPAIRED USING ARDUINOVOICE BASED ATM FOR VISUALLY IMPAIRED USING ARDUINO
VOICE BASED ATM FOR VISUALLY IMPAIRED USING ARDUINOIAEME Publication
 
IMPACT OF EMOTIONAL INTELLIGENCE ON HUMAN RESOURCE MANAGEMENT PRACTICES AMONG...
IMPACT OF EMOTIONAL INTELLIGENCE ON HUMAN RESOURCE MANAGEMENT PRACTICES AMONG...IMPACT OF EMOTIONAL INTELLIGENCE ON HUMAN RESOURCE MANAGEMENT PRACTICES AMONG...
IMPACT OF EMOTIONAL INTELLIGENCE ON HUMAN RESOURCE MANAGEMENT PRACTICES AMONG...IAEME Publication
 
VISUALISING AGING PARENTS & THEIR CLOSE CARERS LIFE JOURNEY IN AGING ECONOMY
VISUALISING AGING PARENTS & THEIR CLOSE CARERS LIFE JOURNEY IN AGING ECONOMYVISUALISING AGING PARENTS & THEIR CLOSE CARERS LIFE JOURNEY IN AGING ECONOMY
VISUALISING AGING PARENTS & THEIR CLOSE CARERS LIFE JOURNEY IN AGING ECONOMYIAEME Publication
 
A STUDY ON THE IMPACT OF ORGANIZATIONAL CULTURE ON THE EFFECTIVENESS OF PERFO...
A STUDY ON THE IMPACT OF ORGANIZATIONAL CULTURE ON THE EFFECTIVENESS OF PERFO...A STUDY ON THE IMPACT OF ORGANIZATIONAL CULTURE ON THE EFFECTIVENESS OF PERFO...
A STUDY ON THE IMPACT OF ORGANIZATIONAL CULTURE ON THE EFFECTIVENESS OF PERFO...IAEME Publication
 
GANDHI ON NON-VIOLENT POLICE
GANDHI ON NON-VIOLENT POLICEGANDHI ON NON-VIOLENT POLICE
GANDHI ON NON-VIOLENT POLICEIAEME Publication
 
A STUDY ON TALENT MANAGEMENT AND ITS IMPACT ON EMPLOYEE RETENTION IN SELECTED...
A STUDY ON TALENT MANAGEMENT AND ITS IMPACT ON EMPLOYEE RETENTION IN SELECTED...A STUDY ON TALENT MANAGEMENT AND ITS IMPACT ON EMPLOYEE RETENTION IN SELECTED...
A STUDY ON TALENT MANAGEMENT AND ITS IMPACT ON EMPLOYEE RETENTION IN SELECTED...IAEME Publication
 
ATTRITION IN THE IT INDUSTRY DURING COVID-19 PANDEMIC: LINKING EMOTIONAL INTE...
ATTRITION IN THE IT INDUSTRY DURING COVID-19 PANDEMIC: LINKING EMOTIONAL INTE...ATTRITION IN THE IT INDUSTRY DURING COVID-19 PANDEMIC: LINKING EMOTIONAL INTE...
ATTRITION IN THE IT INDUSTRY DURING COVID-19 PANDEMIC: LINKING EMOTIONAL INTE...IAEME Publication
 
INFLUENCE OF TALENT MANAGEMENT PRACTICES ON ORGANIZATIONAL PERFORMANCE A STUD...
INFLUENCE OF TALENT MANAGEMENT PRACTICES ON ORGANIZATIONAL PERFORMANCE A STUD...INFLUENCE OF TALENT MANAGEMENT PRACTICES ON ORGANIZATIONAL PERFORMANCE A STUD...
INFLUENCE OF TALENT MANAGEMENT PRACTICES ON ORGANIZATIONAL PERFORMANCE A STUD...IAEME Publication
 
A STUDY OF VARIOUS TYPES OF LOANS OF SELECTED PUBLIC AND PRIVATE SECTOR BANKS...
A STUDY OF VARIOUS TYPES OF LOANS OF SELECTED PUBLIC AND PRIVATE SECTOR BANKS...A STUDY OF VARIOUS TYPES OF LOANS OF SELECTED PUBLIC AND PRIVATE SECTOR BANKS...
A STUDY OF VARIOUS TYPES OF LOANS OF SELECTED PUBLIC AND PRIVATE SECTOR BANKS...IAEME Publication
 
EXPERIMENTAL STUDY OF MECHANICAL AND TRIBOLOGICAL RELATION OF NYLON/BaSO4 POL...
EXPERIMENTAL STUDY OF MECHANICAL AND TRIBOLOGICAL RELATION OF NYLON/BaSO4 POL...EXPERIMENTAL STUDY OF MECHANICAL AND TRIBOLOGICAL RELATION OF NYLON/BaSO4 POL...
EXPERIMENTAL STUDY OF MECHANICAL AND TRIBOLOGICAL RELATION OF NYLON/BaSO4 POL...IAEME Publication
 
ROLE OF SOCIAL ENTREPRENEURSHIP IN RURAL DEVELOPMENT OF INDIA - PROBLEMS AND ...
ROLE OF SOCIAL ENTREPRENEURSHIP IN RURAL DEVELOPMENT OF INDIA - PROBLEMS AND ...ROLE OF SOCIAL ENTREPRENEURSHIP IN RURAL DEVELOPMENT OF INDIA - PROBLEMS AND ...
ROLE OF SOCIAL ENTREPRENEURSHIP IN RURAL DEVELOPMENT OF INDIA - PROBLEMS AND ...IAEME Publication
 
OPTIMAL RECONFIGURATION OF POWER DISTRIBUTION RADIAL NETWORK USING HYBRID MET...
OPTIMAL RECONFIGURATION OF POWER DISTRIBUTION RADIAL NETWORK USING HYBRID MET...OPTIMAL RECONFIGURATION OF POWER DISTRIBUTION RADIAL NETWORK USING HYBRID MET...
OPTIMAL RECONFIGURATION OF POWER DISTRIBUTION RADIAL NETWORK USING HYBRID MET...IAEME Publication
 
APPLICATION OF FRUGAL APPROACH FOR PRODUCTIVITY IMPROVEMENT - A CASE STUDY OF...
APPLICATION OF FRUGAL APPROACH FOR PRODUCTIVITY IMPROVEMENT - A CASE STUDY OF...APPLICATION OF FRUGAL APPROACH FOR PRODUCTIVITY IMPROVEMENT - A CASE STUDY OF...
APPLICATION OF FRUGAL APPROACH FOR PRODUCTIVITY IMPROVEMENT - A CASE STUDY OF...IAEME Publication
 
A MULTIPLE – CHANNEL QUEUING MODELS ON FUZZY ENVIRONMENT
A MULTIPLE – CHANNEL QUEUING MODELS ON FUZZY ENVIRONMENTA MULTIPLE – CHANNEL QUEUING MODELS ON FUZZY ENVIRONMENT
A MULTIPLE – CHANNEL QUEUING MODELS ON FUZZY ENVIRONMENTIAEME Publication
 

More from IAEME Publication (20)

IAEME_Publication_Call_for_Paper_September_2022.pdf
IAEME_Publication_Call_for_Paper_September_2022.pdfIAEME_Publication_Call_for_Paper_September_2022.pdf
IAEME_Publication_Call_for_Paper_September_2022.pdf
 
MODELING AND ANALYSIS OF SURFACE ROUGHNESS AND WHITE LATER THICKNESS IN WIRE-...
MODELING AND ANALYSIS OF SURFACE ROUGHNESS AND WHITE LATER THICKNESS IN WIRE-...MODELING AND ANALYSIS OF SURFACE ROUGHNESS AND WHITE LATER THICKNESS IN WIRE-...
MODELING AND ANALYSIS OF SURFACE ROUGHNESS AND WHITE LATER THICKNESS IN WIRE-...
 
A STUDY ON THE REASONS FOR TRANSGENDER TO BECOME ENTREPRENEURS
A STUDY ON THE REASONS FOR TRANSGENDER TO BECOME ENTREPRENEURSA STUDY ON THE REASONS FOR TRANSGENDER TO BECOME ENTREPRENEURS
A STUDY ON THE REASONS FOR TRANSGENDER TO BECOME ENTREPRENEURS
 
BROAD UNEXPOSED SKILLS OF TRANSGENDER ENTREPRENEURS
BROAD UNEXPOSED SKILLS OF TRANSGENDER ENTREPRENEURSBROAD UNEXPOSED SKILLS OF TRANSGENDER ENTREPRENEURS
BROAD UNEXPOSED SKILLS OF TRANSGENDER ENTREPRENEURS
 
DETERMINANTS AFFECTING THE USER'S INTENTION TO USE MOBILE BANKING APPLICATIONS
DETERMINANTS AFFECTING THE USER'S INTENTION TO USE MOBILE BANKING APPLICATIONSDETERMINANTS AFFECTING THE USER'S INTENTION TO USE MOBILE BANKING APPLICATIONS
DETERMINANTS AFFECTING THE USER'S INTENTION TO USE MOBILE BANKING APPLICATIONS
 
ANALYSE THE USER PREDILECTION ON GPAY AND PHONEPE FOR DIGITAL TRANSACTIONS
ANALYSE THE USER PREDILECTION ON GPAY AND PHONEPE FOR DIGITAL TRANSACTIONSANALYSE THE USER PREDILECTION ON GPAY AND PHONEPE FOR DIGITAL TRANSACTIONS
ANALYSE THE USER PREDILECTION ON GPAY AND PHONEPE FOR DIGITAL TRANSACTIONS
 
VOICE BASED ATM FOR VISUALLY IMPAIRED USING ARDUINO
VOICE BASED ATM FOR VISUALLY IMPAIRED USING ARDUINOVOICE BASED ATM FOR VISUALLY IMPAIRED USING ARDUINO
VOICE BASED ATM FOR VISUALLY IMPAIRED USING ARDUINO
 
IMPACT OF EMOTIONAL INTELLIGENCE ON HUMAN RESOURCE MANAGEMENT PRACTICES AMONG...
IMPACT OF EMOTIONAL INTELLIGENCE ON HUMAN RESOURCE MANAGEMENT PRACTICES AMONG...IMPACT OF EMOTIONAL INTELLIGENCE ON HUMAN RESOURCE MANAGEMENT PRACTICES AMONG...
IMPACT OF EMOTIONAL INTELLIGENCE ON HUMAN RESOURCE MANAGEMENT PRACTICES AMONG...
 
VISUALISING AGING PARENTS & THEIR CLOSE CARERS LIFE JOURNEY IN AGING ECONOMY
VISUALISING AGING PARENTS & THEIR CLOSE CARERS LIFE JOURNEY IN AGING ECONOMYVISUALISING AGING PARENTS & THEIR CLOSE CARERS LIFE JOURNEY IN AGING ECONOMY
VISUALISING AGING PARENTS & THEIR CLOSE CARERS LIFE JOURNEY IN AGING ECONOMY
 
A STUDY ON THE IMPACT OF ORGANIZATIONAL CULTURE ON THE EFFECTIVENESS OF PERFO...
A STUDY ON THE IMPACT OF ORGANIZATIONAL CULTURE ON THE EFFECTIVENESS OF PERFO...A STUDY ON THE IMPACT OF ORGANIZATIONAL CULTURE ON THE EFFECTIVENESS OF PERFO...
A STUDY ON THE IMPACT OF ORGANIZATIONAL CULTURE ON THE EFFECTIVENESS OF PERFO...
 
GANDHI ON NON-VIOLENT POLICE
GANDHI ON NON-VIOLENT POLICEGANDHI ON NON-VIOLENT POLICE
GANDHI ON NON-VIOLENT POLICE
 
A STUDY ON TALENT MANAGEMENT AND ITS IMPACT ON EMPLOYEE RETENTION IN SELECTED...
A STUDY ON TALENT MANAGEMENT AND ITS IMPACT ON EMPLOYEE RETENTION IN SELECTED...A STUDY ON TALENT MANAGEMENT AND ITS IMPACT ON EMPLOYEE RETENTION IN SELECTED...
A STUDY ON TALENT MANAGEMENT AND ITS IMPACT ON EMPLOYEE RETENTION IN SELECTED...
 
ATTRITION IN THE IT INDUSTRY DURING COVID-19 PANDEMIC: LINKING EMOTIONAL INTE...
ATTRITION IN THE IT INDUSTRY DURING COVID-19 PANDEMIC: LINKING EMOTIONAL INTE...ATTRITION IN THE IT INDUSTRY DURING COVID-19 PANDEMIC: LINKING EMOTIONAL INTE...
ATTRITION IN THE IT INDUSTRY DURING COVID-19 PANDEMIC: LINKING EMOTIONAL INTE...
 
INFLUENCE OF TALENT MANAGEMENT PRACTICES ON ORGANIZATIONAL PERFORMANCE A STUD...
INFLUENCE OF TALENT MANAGEMENT PRACTICES ON ORGANIZATIONAL PERFORMANCE A STUD...INFLUENCE OF TALENT MANAGEMENT PRACTICES ON ORGANIZATIONAL PERFORMANCE A STUD...
INFLUENCE OF TALENT MANAGEMENT PRACTICES ON ORGANIZATIONAL PERFORMANCE A STUD...
 
A STUDY OF VARIOUS TYPES OF LOANS OF SELECTED PUBLIC AND PRIVATE SECTOR BANKS...
A STUDY OF VARIOUS TYPES OF LOANS OF SELECTED PUBLIC AND PRIVATE SECTOR BANKS...A STUDY OF VARIOUS TYPES OF LOANS OF SELECTED PUBLIC AND PRIVATE SECTOR BANKS...
A STUDY OF VARIOUS TYPES OF LOANS OF SELECTED PUBLIC AND PRIVATE SECTOR BANKS...
 
EXPERIMENTAL STUDY OF MECHANICAL AND TRIBOLOGICAL RELATION OF NYLON/BaSO4 POL...
EXPERIMENTAL STUDY OF MECHANICAL AND TRIBOLOGICAL RELATION OF NYLON/BaSO4 POL...EXPERIMENTAL STUDY OF MECHANICAL AND TRIBOLOGICAL RELATION OF NYLON/BaSO4 POL...
EXPERIMENTAL STUDY OF MECHANICAL AND TRIBOLOGICAL RELATION OF NYLON/BaSO4 POL...
 
ROLE OF SOCIAL ENTREPRENEURSHIP IN RURAL DEVELOPMENT OF INDIA - PROBLEMS AND ...
ROLE OF SOCIAL ENTREPRENEURSHIP IN RURAL DEVELOPMENT OF INDIA - PROBLEMS AND ...ROLE OF SOCIAL ENTREPRENEURSHIP IN RURAL DEVELOPMENT OF INDIA - PROBLEMS AND ...
ROLE OF SOCIAL ENTREPRENEURSHIP IN RURAL DEVELOPMENT OF INDIA - PROBLEMS AND ...
 
OPTIMAL RECONFIGURATION OF POWER DISTRIBUTION RADIAL NETWORK USING HYBRID MET...
OPTIMAL RECONFIGURATION OF POWER DISTRIBUTION RADIAL NETWORK USING HYBRID MET...OPTIMAL RECONFIGURATION OF POWER DISTRIBUTION RADIAL NETWORK USING HYBRID MET...
OPTIMAL RECONFIGURATION OF POWER DISTRIBUTION RADIAL NETWORK USING HYBRID MET...
 
APPLICATION OF FRUGAL APPROACH FOR PRODUCTIVITY IMPROVEMENT - A CASE STUDY OF...
APPLICATION OF FRUGAL APPROACH FOR PRODUCTIVITY IMPROVEMENT - A CASE STUDY OF...APPLICATION OF FRUGAL APPROACH FOR PRODUCTIVITY IMPROVEMENT - A CASE STUDY OF...
APPLICATION OF FRUGAL APPROACH FOR PRODUCTIVITY IMPROVEMENT - A CASE STUDY OF...
 
A MULTIPLE – CHANNEL QUEUING MODELS ON FUZZY ENVIRONMENT
A MULTIPLE – CHANNEL QUEUING MODELS ON FUZZY ENVIRONMENTA MULTIPLE – CHANNEL QUEUING MODELS ON FUZZY ENVIRONMENT
A MULTIPLE – CHANNEL QUEUING MODELS ON FUZZY ENVIRONMENT
 

Recently uploaded

Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraDeakin University
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAndikSusilo4
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxnull - The Open Security Community
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
Key Features Of Token Development (1).pptx
Key  Features Of Token  Development (1).pptxKey  Features Of Token  Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2Hyundai Motor Group
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 

Recently uploaded (20)

Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Artificial intelligence in the post-deep learning era

Relative risk benchmarking enabling better decision making for managing information security risks

Above all, it helps avoid wasteful expenditure by focusing the attention of risk assessors on only those risks that matter and by allocating resources optimally on the basis of the scientifically determined relative risk.

Keywords: Information Security, Risk Management, Statistics, Decision Making Process.

1. INTRODUCTION TO DECISION MAKING TOWARDS INFO SEC RISK MANAGEMENT

The information security threat environment that organizations face today is becoming highly complex, dynamic and dangerous. The scale, complexity and scope of information security risks have gone beyond hacker and virus attacks on computer systems (Aaron Beach 2009). For example, the recent theft of millions of credit card records from the Target company led to the loss of millions of dollars; besides, the CIO and CEO lost their jobs (Abrams 2014). In order to avoid putting the organisation at risk due to breaches, executives resort to risk management, which involves risk identification, risk assessment and taking appropriate risk mitigation measures. When faced with multiple risks it becomes necessary to get a precise understanding of how important a particular risk is for the organization when compared to other risks. This paper presents the statistical Relative Risk Benchmark, which enables an organization to make better decisions in prioritizing risks, thus spending the organization's limited information security resources in an optimum manner.

2. ISSUES WITH CURRENT DECISION MAKING APPROACHES FOR ADDRESSING INFORMATION SECURITY RISKS

The researcher studied the approaches to risk prioritization used in existing risk management methodologies in order to understand how these methods address risk prioritization. According to Hoh Peter In et al. (2004), there is a dearth of models that evaluate information security risks quantitatively. Organizations struggle with the decision making process when choosing which risks to address, or how much to allocate towards mitigating an individual risk vis-a-vis other risks. No existing risk assessment methodology enables an organization to compare the different risks it faces in a scientific or statistical manner. The findings of the study reveal that in existing approaches, decisions on risk prioritization rely on rudimentary methods. The resulting risk mitigation recommendations are not easily accepted by stakeholders, since the decision making has a qualitative basis and is subject to expert judgment and potential bias.

3. KEY OBJECTIVES: BETTER DECISION MAKING PROCESS FOR ADDRESSING INFORMATION SECURITY RISKS

This study sought to improve risk related decision making by improving risk prioritization. The key objective of the study was to develop a scientific method for risk prioritization in order to improve decision making during risk treatment.

4. STATISTICS BASED INFORMATION SECURITY RISK MANAGEMENT METHODOLOGY

This paper presents the Relative Risk Benchmarking (RRB) approach for better decision making in Information Security Risk Management. The approach is based on the statistical (SQRC) Information Security Risk Management methodology. The paper further presents the results of an implementation in an organization, which validates the key contributions of RRB. The process for developing RRB is as follows.

4.1. Context Establishment

Establish the context pertinent to the organization and the risk management approach to be followed. Define the scope, boundaries and risk criteria.

4.2. SQRC Information Security Risk Identification

The SQRC methodology begins with a qualitative phase in which risk indicators of the information technology environment are defined. It then builds to a quantitative phase, during which SQRC gathers a larger amount of data, over a period of time, on the organization's risk and consequence indicators determined in the first qualitative phase. The key steps of the SQRC approach for defining and managing information security risk indicators are:

4.2.1. Obtaining Management Support
4.2.2. Identify a Business Sponsor
4.2.3. Develop SQRC Information Security Risk Indicators
• Step 1: Consider the initial pool of 43 risk indicators defined for the IT environment.
• Step 2: Conduct interviews to define business relevant risk indicators.
• Step 3: Conduct interviews to gather context and incorporate it in the risk indicators: geographical, operational and business context, risks not faced by the organization but faced by peer organizations, and industry trends.
4.2.4. Dealing with Anomalies and Escalations
4.2.5. Governance
4.2.6. Communication and Review

4.3. Risk Analysis

In the risk analysis phase, SQRC conducts statistical risk analysis on the data collected during the risk identification phase. SQRC uses a second generation statistical technique known as Partial Least Squares (PLS) (Leisch), a regression technique belonging to Structural Equation Modeling. PLS creates a linear relationship between the explanatory risk indicators (Hill) on the one hand and, on the other hand, the response variables, which are the consequences observed by the organisation. SQRC fits a model for one or more response variables based on the explanatory risk indicators. In other words, PLS regression creates the linear model

Y = XB + E

where Y is an n (cases) by m (variables) response matrix, X is an n (cases) by p (variables) explanatory matrix, B is a p by m matrix of regression coefficients, and E is a noise term with the same dimensions as Y.

While analyzing, SQRC applies model building strategies which include the Proportion of Variance Explained (PVE) in X and in Y, the relationship of the response scores to the predictor scores, and the correlation loading plot used to interpret the relationships between variables. The regression model is created by considering the parameter estimates; the parameter estimates of the model describe the relationship between the dependent and the explanatory variables.
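As an added example (not code from the paper or from the SQRC methodology), the following pure-Python script fits the model Y = XB + E of this section with NIPALS PLS1 for a single consequence indicator, reports the proportion of Y variance explained per component, and then computes the Variable Importance in Projection (VIP) per indicator and the percentage shares that Section 4.4 calls the Relative Risk Benchmark. The indicator labels (X10, X9, X12, X24, X33 and X34, numbered as in Table 1), the 200 constructed observation windows, the weights 7, 5 and 1 that generate the availability loss, and the VIP >= 1 cutoff for retaining an indicator are all assumptions of the example, not values taken from the case study.

```python
"""Relative Risk Benchmark (RRB) from a PLS1 fit and VIP scores.

Added example, not the paper's code. Pure Python (no numpy): fit one
consequence indicator (Y1, availability) on six risk indicators with NIPALS
PLS1, then derive VIP per indicator and the RRB percentage shares.
"""
import random

# Assumed labels; the numbers follow Table 1 of the paper.
INDICATORS = ["X10", "X9", "X12", "X24", "X33", "X34"]


def make_readings(n_windows=200, seed=7):
    """Constructed per-window incident counts and availability loss (hours).
    By construction only X10, X9 and X12 drive Y1 (weights 7, 5, 1); the
    other three indicators are unrelated noise."""
    rng = random.Random(seed)
    X, y = [], []
    for _ in range(n_windows):
        row = [rng.randint(0, 9) for _ in INDICATORS]
        X.append(row)
        y.append(7 * row[0] + 5 * row[1] + row[2] + rng.uniform(-0.5, 0.5))
    return X, y


def _mean_sd(values):
    m = sum(values) / len(values)
    return m, (sum((v - m) ** 2 for v in values) / (len(values) - 1)) ** 0.5


def _solve(A, b):
    """Gauss-Jordan elimination with partial pivoting for a small a x a system."""
    n = len(A)
    M = [row[:] + [b[i]] for i, row in enumerate(A)]
    for c in range(n):
        piv = max(range(c, n), key=lambda r: abs(M[r][c]))
        M[c], M[piv] = M[piv], M[c]
        for r in range(n):
            if r != c:
                f = M[r][c] / M[c][c]
                M[r] = [x - f * z for x, z in zip(M[r], M[c])]
    return [M[i][n] / M[i][i] for i in range(n)]


def pls1_fit(X, y, n_components):
    """NIPALS PLS1. Returns raw-scale coefficients B and intercept of Y = XB + E,
    the proportion of Y variance explained per component, and the VIP of every
    indicator (the mean of VIP^2 over indicators is 1 by construction)."""
    stats = [_mean_sd(col) for col in zip(*X)]
    my, sy = _mean_sd(y)
    n, p = len(X), len(X[0])
    # Standardize so that indicators recorded in different units are comparable.
    Xa = [[(v - m) / s for v, (m, s) in zip(row, stats)] for row in X]
    ya = [(v - my) / sy for v in y]
    W, P, Q, SSY = [], [], [], []
    for _ in range(n_components):
        w = [sum(Xa[i][j] * ya[i] for i in range(n)) for j in range(p)]
        norm = sum(v * v for v in w) ** 0.5
        w = [v / norm for v in w]                        # unit weight vector
        t = [sum(Xa[i][j] * w[j] for j in range(p)) for i in range(n)]
        tt = sum(v * v for v in t)
        pl = [sum(Xa[i][j] * t[i] for i in range(n)) / tt for j in range(p)]
        q = sum(ya[i] * t[i] for i in range(n)) / tt
        Xa = [[Xa[i][j] - t[i] * pl[j] for j in range(p)] for i in range(n)]
        ya = [ya[i] - q * t[i] for i in range(n)]        # deflate X and y
        W.append(w)
        P.append(pl)
        Q.append(q)
        SSY.append(q * q * tt)                           # Y sum of squares explained
    A = len(W)
    PtW = [[sum(P[a][j] * W[b][j] for j in range(p)) for b in range(A)] for a in range(A)]
    c = _solve(PtW, Q)                                   # B = W (P'W)^-1 Q
    coef = [sum(W[a][j] * c[a] for a in range(A)) * sy / stats[j][1] for j in range(p)]
    intercept = my - sum(b * m for b, (m, _) in zip(coef, stats))
    pve_y = [ssy / (n - 1) for ssy in SSY]               # standardized y has unit variance
    tot = sum(SSY)
    vip = [(p * sum(SSY[a] * W[a][j] ** 2 for a in range(A)) / tot) ** 0.5 for j in range(p)]
    return coef, intercept, pve_y, vip


def relative_risk_benchmark(vip, labels, cutoff=1.0):
    """RRB: drop indicators below the VIP cutoff (VIP >= 1 is the usual rule of
    thumb; the paper does not state its cutoff, so this is an assumption) and
    express the survivors' VIP as percentage shares that sum to 100."""
    kept = {lab: v for lab, v in zip(labels, vip) if v >= cutoff}
    total = sum(kept.values())
    return {lab: 100.0 * v / total
            for lab, v in sorted(kept.items(), key=lambda kv: -kv[1])}


if __name__ == "__main__":
    X, y = make_readings()
    coef, b0, pve_y, vip = pls1_fit(X, y, n_components=2)
    print("PVE of Y per component:", [round(v, 3) for v in pve_y])
    for lab, b, v in zip(INDICATORS, coef, vip):
        print(f"{lab:4s} coefficient={b:6.2f}  VIP={v:.2f}")
    for lab, share in relative_risk_benchmark(vip, INDICATORS).items():
        print(f"RRB {lab}: {share:.1f}% of the Y1 model")
```

Run it directly: it prints the variance explained by each of the two components, the coefficient and VIP of every indicator, and the RRB shares of the indicators that survive the cutoff. With as many components as indicators the PLS coefficients coincide with ordinary least squares; the reason to fit fewer components is robustness when indicator readings are collinear, which they usually are in practice. Note that an indicator that did not vary during the observation period cannot earn a high VIP whatever its potential impact, so a low share means "absent from the observed data", not "harmless".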
The fitted model therefore yields a prediction equation for every dependent variable, which is analyzed in greater detail during the Risk Evaluation stage.

4.4. Relative Risk Benchmarking (RRB) for Better Decision Making

The new index, RRB, determines the relative potential of each of the many information security risks so that decision making is improved. RRB accomplishes this by identifying the contribution made by each individual predictor variable (Young, 2012) towards the statistical model for the selected response variable (impact area).

Variable Importance in Projection (VIP): In PLS, the statistical technique used by SQRC, the VIP values represent the overall contribution of each X variable to the PLS model, summed over all components and weighted according to the Y variation explained by each component. The VIP value is expressed as a percentage to determine the relative contribution of each risk indicator.

Relative risks determined through the Relative Risk Benchmark (RRB): SQRC takes the variable importance in projection into consideration while creating the RRB. The RRB displays the risk indicators which have contributed towards the statistical prediction model of the response variable. This prevents wasteful use of resources by removing from the list of risks those risk indicators that have no influence on the area under consideration. Because VIP reflects the variation present in the collected data, an indicator that did not vary during the observation period (for example a natural disaster that did not occur) receives a low VIP regardless of its potential impact; such an indicator is absent from the model, not shown to be harmless. The resulting graph displays the percentage contribution made by the different explanatory variables (Xi) towards the regression model of the response variable (Yj).

5. CASE STUDY: RELATIVE RISK BENCHMARK

5.1. Context Establishment

The proposed methodology, described in Section 4 above, was implemented in a subsidiary of a multi-national organisation based in India.
This information-centric company provides products for equity trading to brokers and stock exchanges. The scope of the study included the company's information security environment and the other functions involved in risk management, along with 130 staff members. The environment was observed and relevant data recorded from June 2013 to December 2013.

5.2. Risk Identification: Risk Indicators Determined for the Organization

Towards risk identification at the organization selected for the case study, RRB was implemented as described in Section 4. For confidentiality reasons, the name of the organization is withheld. The results of the study are summarized below.

5.2.1. Senior management support was obtained for the implementation of the risk indicators process.

5.2.2. Development of SQRC Information Security Risk Indicators: In consultation with the identified internal stakeholders, and through review of incident and audit data, relevant risk reports, and industry surveys and reports, the study identified 43 risk indicators for IT environments, listed in Table 1 below.
Table 1: Risk Indicators (Explanatory Variables, Xi)

SN  Category                          RI#  Risk Indicator
1   Physical Damage                   X1   Damage or destruction of equipment or media
                                      X2   Natural disasters (flood, earthquake, volcanic phenomenon etc.)
                                      X3   Fire (natural or man-made)
                                      X4   Man-made disaster (bomb / terrorist attacks, riots, other disruptions)
                                      X5   Climatic phenomenon (dust, corrosion, freezing ...)
2   Loss of Essential Services        X6   Failure of air-conditioning or water supply system
                                      X7   Issues due to power supply
                                      X8   Business disruption due to telecommunications
3   Technical Issues                  X9   Failure or degradation of Internet connectivity
                                      X10  System non-availability, system hardware failure or malfunction
                                      X11  Network equipment failure or malfunction
                                      X12  Software malfunction or failure
                                      X13  Degradation of the information system (due to performance or capacity)
                                      X14  Malicious code (malware), e.g. virus, Trojan horse
                                      X15  Obsolescence of hardware, including network equipment
                                      X16  Obsolescence of software or applications
                                      X17  Network performance degradation or connectivity issues
                                      X18  Damage to network cables
                                      X19  Deterioration / loss of storage media (such as back-ups, databases etc.)
                                      X20  Wireless network issues
                                      X21  Inadequate vulnerability management practices
                                      X22  Inadequate maintenance practices and measures for technology equipment
                                      X23  Disturbance due to radiation
4   Compromise of Information         X24  Social engineering
                                      X25  Physical theft or robbery of media, documents or equipment
                                      X26  Theft of and/or unauthorized access to information held within systems
                                      X27  Information retrieval from recycled or discarded media
                                      X28  Unauthorized disclosure of confidential information
                                      X29  Breach of employees' / customers' private information
                                      X30  Tampering (unauthorized modification) of data / hardware / software
                                      X31  Spoofing / impersonation / masquerading / abuse or forging of rights
5   Unauthorized Actions              X32  Unauthorized use of systems or Internet access
                                      X33  Unauthorized downloading or use of unauthorized software
                                      X34  Unauthorized physical access
                                      X35  Cyber attack
                                      X36  Unrestricted use of storage or computing devices
6   Operational Issues                X37  Issues due to lack of operational training of staff members (e.g. data entry errors, accidental data deletion, information sent to the wrong recipient)
                                      X38  Lack of expertise of technology and security administrators (e.g. configuration error)
                                      X39  Lack of staff members with the required skill or experience (inability to attract, retain or effectively deploy capable staff)
                                      X40  Lack of appropriate workplace health, safety or wellbeing measures provided to staff
                                      X41  Information security awareness of staff members
                                      X42  Deterioration of storage media (hard copy documents)
7   Unauthorized Actions by Third Party  X43  Errors or unauthorized action (improper access, disclosure, alteration or destruction of information) by third party staff members: vendor / supplier / outsourced provider

A decision was taken to apply second generation regression analysis, which required the definition of response variables. Information security impact areas were designated as consequence indicators and used as the response variables for the statistical regression analysis.
The study defined the consequence indicators (Y variables) applicable to the context of the IT enabled environment of organizations. The main concerns of the organization were the confidentiality, integrity and availability (CIA) of data, as well as weaknesses in infrastructure and organizational processes. Thus the following were selected:
Table 2: Consequence Indicators (Response Variables, Yj)

Var  Area
Y1   Information Availability
Y2   Information Confidentiality and Integrity
Y3   Infrastructure and Organisational Processes

Data was collected over a seven month period, with readings taken every ten days for both the explanatory and the response variables; a data set was prepared from these readings for the data analysis.

5.2.3. Dealing with Anomalies or Escalations: The study built a process for dealing with anomalies in the gathered data and other escalations by assigning responsibilities.

5.2.4. Governance: This step assigned responsibility for the administration and monitoring of risk indicators to the risk and compliance head. It also assigned the responsibility of supplying the required risk indicator data to the functions involved in the risk management exercise.

5.2.5. Communication and Review: Executive management is kept informed on a quarterly basis through status reports. The study also defined the responsibility for communication to the functional stakeholders, and the trigger for escalation as a reading more than 10% above the baseline.

5.3. Risk Analysis

As mentioned in Section 4.3, risk analysis was conducted using statistical techniques. SQRC used the statistical model from the PLS analysis to determine the values of the statistical parameters, of which the Variable Importance in Projection (VIP) was used to eliminate those risk indicators that were not relevant to the model. The SQRC statistical risk analysis determined the contribution made by each risk indicator towards each consequence indicator (Y1, Y2 or Y3).
Determining the relative contribution provided significant value to management when they needed to take decisions about the allocation of resources for future risk treatment actions.

5.4. Objective Results of RRB based Analysis

The Relative Risk Benchmark determined for the organization is presented below as pie charts, which display the risk indicators that contributed towards the statistical prediction model for each chosen response variable.

5.4.1. Relative Risks Measured through RRB - Y1 (Availability of Information): The pie chart in Figure 1 represents the percentage contribution made by the 18 relevant risk indicators which contributed towards a negative impact on the availability of information (Y1). The organization focuses only on the risk indicators which had significant influence and prioritizes among them based on the percentage of relative risk contribution.
Figure 1: Relative Risk Benchmark for Y1 (Availability of Information), pie chart

5.4.2. Relative Risks Measured through RRB - Y2 (Confidentiality and Integrity of Information): As can be seen from the pie chart in Figure 2, the SQRC risk analysis showed that 26 risk indicators are under consideration; their relative contribution to the model is given below. The organization focuses only on the 26 risk indicators which had significant influence and prioritizes among them based on the percentage of relative risk contribution.

Figure 2: Relative Risk Benchmark for Y2 (Confidentiality and Integrity of Information), pie chart

5.4.3. Relative Risks Measured through RRB - Y3 (Organizational Processes and Infrastructure): Similarly, the SQRC risk analysis for organizational processes and infrastructure showed an impact from 13 risk indicators, whose relative contribution in percentage is given below. The organization focuses only on the risk indicators which had significant influence and prioritizes among them based on the percentage of relative risk contribution.

Figure 3: Relative Risk Benchmark for Y3 (Infrastructure and Organizational Processes), pie chart

With the above three sets of analyses, the organization was in a better position to make decisions when prioritizing risks during risk treatment.

6. CONTRIBUTION OF RRB

RRB improves risk related decision making since it is a scientific index that leads to a more scientific prioritization of risks; executives are able to take better risk related decisions on investments in counter measures. RRB generates a list of objective and data-oriented key influencers which enable better decision making during relative risk prioritization. Even risk managers who do not possess a high degree of subject matter expertise are able to determine how much an individual risk indicator contributes towards the information security impact area under review. RRB enables objective risk related prioritization, moving away from reliance upon the merely rudimentary mathematics used in traditional methods. SQRC RRB analysis, being based on data collected from within the organisation, improves decision making through factual analysis and thus inspires greater confidence among stakeholders. SQRC RRB analyses data that is gathered from the organisation over a period of time, which results in more reliable risk prioritization, as it captures the overall picture of the risk environment rather than just a snapshot of risk. In conclusion, using the Relative Risk Benchmark, a new statistics based index, organizations are able to make objective decisions for prioritizing risks and thus for allocating the organization's limited information security resources. RRB is a path breaking innovation which provides organizations with a statistical decision making process for the allocation of resources towards the mitigation of identified risks.
7. REFERENCES

[1] Beach, A., Gartrell, M. and Han, R. (2009). Solutions to Security and Privacy Issues in Mobile Social Networking. 2009 International Conference on Computational Science and Engineering.
[2] Abrams, R. (2014). Target Puts Data Breach Costs at $148 Million, and Forecasts Profit Drop. New York Times.
[3] Haenlein, M. and Kaplan, A. (2010). semPLS: Structural Equation Modeling Using Partial Least Squares. doi:10.1207/s15328031us0304_4, pp. 283–297.
[4] Hill, M. (2013). Credit Risk Indicators.
[5] In, H. P., Kim, Y.-G., Lee, T., Moon, C.-J., Jung, Y. and Kim, I. (2004). A Security Risk Analysis Model for Information Systems. Third Asian Simulation Conference, AsianSim 2004.
[6] Monecke, A. and Leisch, F. (2012). semPLS: Structural Equation Modeling Using Partial Least Squares.
[7] Wymer, L. J. (2007). Statistical Framework for Recreational Water Quality Criteria and Monitoring. John Wiley & Sons.
[8] Young, P. J. (2012). The Use of Key Risk Indicators by Banks as an Operational Risk Management Tool. International Conference "Improving Financial Institutions: the Proper Balance between Regulation and Governance", Helsinki.
[9] Chandra, A., Singh, A. and Rastogi, I. (2012). Understanding Enterprise Risk Management and Fair Model with the Help of a Case Study. International Journal of Computer Engineering & Technology (IJCET), Volume 3, Issue 3, pp. 300–311, ISSN Print: 0976-6367, ISSN Online: 0976-6375.
[10] Kannan, N. (2010). Risk and Technology Management in Banking Industry. International Journal of Management (IJM), Volume 1, Issue 1, pp. 43–58, ISSN Print: 0976-6502, ISSN Online: 0976-6510.
[11] Karthikeyan, M., Suriya Kumar, M. and Karthikeyan, S. (2012). A Literature Review on the Data Mining and Information Security. International Journal of Computer Engineering & Technology (IJCET), Volume 3, Issue 1, pp. 141–146, ISSN Print: 0976-6367, ISSN Online: 0976-6375.