Diploma and Master Theses (authored and supervised):
"Evaluation of IT risk management tools";
Supervisor: A. Tjoa, T. Neubauer;
Institut für Softwaretechnik und Interaktive Systeme,
final examination: 2009-05.
Much has changed since these words from Benjamin Franklin, but they still apply in many ways. Information
security in particular is always a trade-off between freedom (or usability) and security. The
problem is to find the specific equilibrium at which security is maximized while usability is
maximized at the same time. However, while IT personnel talk about usability, what the decision
makers in organizations are really interested in is cost efficiency. And since historical information
about security incidents is missing, the only way to approach this problem is through risk management.
Methods like annual loss expectancy or return on security investment seem easy to use, but
soon show that their results are anything but accurate. Computer security threats and vulnerabilities, but also
the security controls themselves, influence each other too strongly for their likelihood
or benefit to be evaluated easily. Although many risk management frameworks exist, only a handful of them
are designed from the outset to be computer supported.
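The following is an added example, not part of the thesis abstract, that makes the claim about annual loss expectancy (ALE) and return on security investment (ROSI) concrete: the formulas themselves are trivial, but once the inputs are replaced by the ranges an analyst can actually justify, the sign of the ROSI can no longer be determined, and two overlapping controls do not add up the way a naive sum suggests. All monetary figures, rates and function names are constructed for illustration and are not taken from the thesis or from any of the tools it evaluates.

```python
"""Point-estimate ALE/ROSI versus interval ALE/ROSI, plus overlapping controls.

Every number below is a constructed illustration, not data from the thesis.
"""
from itertools import product


def ale(sle, aro):
    """Annual Loss Expectancy = Single Loss Expectancy x Annual Rate of Occurrence."""
    return sle * aro


def rosi(ale_before, mitigation_ratio, control_cost):
    """ROSI = (risk reduction achieved by the control - control cost) / control cost.

    A value above 0 means the control is expected to pay for itself."""
    risk_reduction = ale_before * mitigation_ratio
    return (risk_reduction - control_cost) / control_cost


def rosi_interval(sle_range, aro_range, mitigation_range, control_cost):
    """Evaluate ROSI at every corner of the three input intervals and return (min, max).

    The formula is monotone in each input, so its extremes over the box of
    plausible inputs are attained at the corners; 8 evaluations are enough."""
    values = [
        rosi(ale(sle, aro), mitigation, control_cost)
        for sle, aro, mitigation in product(sle_range, aro_range, mitigation_range)
    ]
    return min(values), max(values)


def verdict(rosi_min, rosi_max):
    """Classify an interval ROSI: only a sign that holds on the whole interval is a decision."""
    if rosi_min > 0:
        return "positive under every scenario"
    if rosi_max < 0:
        return "negative under every scenario"
    return "undecidable: sign depends on the estimate"


def combined_mitigation(m1, m2):
    """Mitigation of two independent, overlapping controls against the same threat.

    The residual risk is the product of the residuals, so the combined benefit is
    1 - (1 - m1) * (1 - m2), not m1 + m2 (which can exceed 100%)."""
    return 1.0 - (1.0 - m1) * (1.0 - m2)


def naive_combined_mitigation(m1, m2):
    """The additive shortcut that point-estimate spreadsheets tend to use."""
    return m1 + m2


if __name__ == "__main__":
    # Point estimates (constructed): a 50k loss event expected once in five years,
    # a control that removes 70% of it and costs 5k per year.
    point_ale = ale(50_000, 0.2)
    print("point ALE:", point_ale)                       # 10000.0
    print("point ROSI:", rosi(point_ale, 0.7, 5_000))   # 0.4 -> looks like a clear win

    # The same inputs as the ranges an analyst could defend (constructed).
    lo, hi = rosi_interval((20_000, 100_000), (0.05, 0.5), (0.5, 0.9), 5_000)
    print(f"interval ROSI: [{lo:.2f}, {hi:.2f}] ->", verdict(lo, hi))

    # Two controls against the same threat: additive benefit is a fiction.
    print("naive sum:", naive_combined_mitigation(0.7, 0.6))   # 1.3 (> 100 %)
    print("overlapping:", combined_mitigation(0.7, 0.6))       # 0.88
```

The corner evaluation is only valid because ALE and ROSI are monotone in each input; a model in which controls change the rate of occurrence of other threats (the interaction the abstract points to) loses that property and needs a proper sensitivity analysis rather than eight corner points.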
This master's thesis does not focus on the development of a specific solution, but on the evaluation
of existing tools. Three risk management tools (GSTool, CRISAM Explorer, AURUM) were evaluated
for two purposes: firstly, to decide which tool offers the best support for an IT risk manager of a
large company, and secondly, to define criteria for an evaluation framework for risk management
tools. With these criteria, it is possible to evaluate any risk management software. The framework
can also be adapted to accommodate the needs of a specific organization. Current evaluation frameworks
focus on risk management methods and give only a shallow overview. That is also why they
do not consider that most frameworks become unusable without proper tool support.
The result of the evaluation and the NAC case study showed that the most important criteria
are automation and cost/benefit analysis: automation, because IT environments change rapidly
and so does the risk analysis; cost/benefit analysis, because the solution space grows exponentially
with the number of elements in an environment. AURUM therefore has advantages
over the other tools, because it uses new approaches in the areas of automated risk management and
computer-supported cost/benefit analysis.
Created from the Publication Database of the Vienna University of Technology.