Course - Risk Management II - IMT6061
Risk Management II
About
About the course
Course content
Classifications of Risk Management methods
Examples of Risk Management Methods
Decision theory
Risk, Threat and vulnerability discovery
Uncertainty
Game theory
Learning outcome
The course contributes towards the following learning outcomes:
Knowledge:
Knows state of the art on key aspects of Risk Management relevant to Information Security.
Is able to judge to what extent a particular method for Risk Analysis is appropriate for a given problem.
Skills:
Can formulate research challenges in relation to Information Security Risk Management.
Can challenge established practices in the field of Information Security Risk Management.
General competence:
Can participate in international discussions on the subject of Information Security Risk Management.
Learning methods and activities
Lectures | Problem solving
Compulsory assignments:
Draft project report including scenario suitable as a basis for the other chapters. The draft report must be submitted via Fronter within 10 days of the first lecture.
Further on evaluation
Further information about re-sit examination:
The whole subject must be repeated.
Forms of assessment:
Project(s)
Oral exam (individual)
Both parts must be passed
The students are required to hand in their own report(s).
Specific conditions
Admission to a programme of study is required:
Computer Science (PHD-CS)
Information Security (PHD-IS)
Required previous knowledge
IMT6111
Course materials
Books, articles and web resources such as:
RA method classification
- Douglas J. Landoll. The security risk assessment handbook, p. 8-15. CRC. 2005.
- Bornman, G. and Labuschagne, L. 2004. A comparative framework for evaluating information security risk management methods. In Proceedings of the Information Security South Africa Conference, 2004. www.infosecsa.co.za
- Vorster, A. and Labuschagne, L. 2005. A framework for comparing different information security risk analysis methodologies. In Proceedings of the 2005 Annual Research Conference of the South African Institute of Computer Scientists and Information Technologists on IT Research in Developing Countries (White River, South Africa, September 20-22, 2005). ACM International Conference Proceeding Series, vol. 150. South African Institute for Computer Scientists and Information Technologists, 95-103.
- ENISA. Inventory of risk assessment and risk management methods. Deliverable 1, Final version, Version 1.0, 0/03/2006.
- Campbell and Stamp. A classification scheme for Risk Assessment Methods. Sandia Report SAND2004-4233.
RA method examples
- IDART (http://www.idart.sandia.gov/method.html)
- NIST SP 800-42, p. 3.1-3.21, 4.1-4.3, C.1-C.9
- NIST SP 800-30, p. 8-27
- OECD. "OECD Guidelines for the Security of Information Systems and Networks -- Towards a Culture of Security." Paris: OECD. July 2002. www.oecd.org. p. 10-12
- ISO/IEC 27005:2008(E) Information technology - Security techniques - Information security risk management
Decision theory
- Sven Ove Hansson. Decision Theory - A brief introduction. 2005
- http://en.wikipedia.org/wiki/Newcomb%27s_paradox
- http://en.wikipedia.org/wiki/St_Petersburg_Paradox
- Sven Ove Hansson. Fallacies of Risk
Risk, Threat and Vulnerability discovery
- ISO 27005, Annex C, D
- Ed Yourdon. Just enough Structured Analysis. Chapter 9, Dataflow diagrams. + 'How to'.
- The vulnerability assessment and mitigation methodology. Chapter 1-4, p. 1-36. MITRE technical report.
Uncertainty
- Lindley, Dennis V. (2006-09-11). Understanding Uncertainty. Wiley-Interscience. ISBN 978-0470043837
- H. Campbell. Risk assessment: subjective or objective? Engineering Science and Education Journal, 7:57-63, 1998.
- F. Redmill. Risk analysis - a subjective process? Engineering Management Journal, April 2002, Volume 12, Issue 2, p. 91-96
Game theory
- Stanford Encyclopedia of Philosophy. Game theory. Available from http://plato.stanford.edu/entries/game-theory/
- Fudenberg, Drew & Tirole, Jean (1991). Game theory. MIT Press. ISBN 978-0-262-06141-4, Chapters 1, 3, 6, 8
Subject areas
- Informatics
Contact information
Course coordinator
Department with academic responsibility
Department of Information Security and Communication Technology