A Holistic Risk Analysis Method for Identifying Information Security Risks (foreign-language translation), content summary:

Pfleeger, 2020. Second, given that traditional risk analysis has focused primarily on technology, this aspect of security has been richly developed. For example, extensive lists of known threats and vulnerabilities to various technical assets are publicly available. These lists provide valuable guidance when conducting a risk analysis. Third, automated software packages are available that perform the detailed calculations and manage the risk analysis data. These software packages are based on the traditional method of risk analysis. Fourth, quantitative measures used in the traditional method can be used to support a cost-benefit analysis of investments in security safeguards. This is, of course, provided the calculations are reasonably accurate. Finally, the traditional method of conducting a risk analysis for information security is closely related to risk analysis techniques employed in the financial and insurance sectors. This point, along with the mathematical foundation of the method, may add credibility.

3.2 Limitations of Traditional Risk Analysis

The traditional risk analysis method for information security has several key limitations. First, this technology-driven method places very limited emphasis on the people and process aspects of information systems. This is a major oversight, given that people and processes are widely considered to be the leading causes of security breaches (e.g., Siponen, 2020; Dhillon, 2020; Wade, 2020). In addition, there is no common approach to identifying which IT assets are to be included in the analysis. An IT professional developing a list of technical assets may not be aware of important user-developed spreadsheets and applications that contain significant security risks. Specific confidential information that warrants safeguarding may also be omitted.

Second, estimates of expected losses are based on the value of assets, and are widely inaccurate for a variety of reasons.
Determining the value of intangible assets, such as information, is considered difficult, if not impossible, to estimate (Gerber and von Solms, 2020). Yet, information is one of the most important assets of an organization and is the focal point of information security. Estimates for the value of tangible assets may be inaccurate because in many cases only replacement costs are considered, which does not include the financial loss due to disruption of operations (Suh and Han, 2020). In cases where the cost of disruption of operations is included in the asset value, the estimate is highly subjective. Finally, expected financial losses based on asset value typically do not include the social impact of a potential breach, such as loss of customer confidence (Bent and Kailay, 1992).

Third, probability estimates of the likelihood of an identified vulnerability being exploited are commonly considered to be wild guesswork. One reason for this is that likelihood is determined by the past history of security breaches, and this is largely underreported (e.g., Strang, 2020; Yazar, 2020; Keeney et al., 2020). Another reason that estimates of likelihood of occurrence are inaccurate is that making a more accurate estimate requires a high level of expertise by the estimator (e.g., Gerber and von Solms, 2020), which an organization may not possess. See Baskerville (1991) for additional discussion on the weak quantitative estimates inherent in traditional risk analysis, which continue to exist.

A fourth limitation of the traditional method of risk analysis is the time and cost involved in conducting such an analysis. The bottom-up nature of the tradit
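The cost-benefit argument in the preceding section and the two estimation limitations above (asset value and likelihood) concern the standard quantitative formulation the text refers to: single loss expectancy (asset value times exposure factor) multiplied by the annual rate of occurrence gives the annualized loss expectancy, and a safeguard is justified when the ALE it removes exceeds its annual cost. The Python example below is added here and is not from the paper being translated; the asset register, exposure factor, likelihoods and safeguard cost are constructed figures. It computes the safeguard's net benefit at face value, then re-runs the decision with the likelihood estimate scaled down and up, and with the cost of disrupted operations added to the asset value, to show how a modest estimation error flips the invest/do-not-invest result.

```python
"""Traditional (quantitative) risk analysis: ALE and safeguard cost-benefit.

Added example, not from the paper being translated. Uses the textbook
SLE / ARO / ALE formulation and a constructed asset register to show that
the cost-benefit verdict is only as good as the estimates behind it.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    asset: str
    asset_value: float      # estimated value of the asset (currency units)
    exposure_factor: float  # fraction of the value lost in one incident, 0..1
    aro: float              # annual rate of occurrence (likelihood estimate)

    def sle(self) -> float:
        """Single loss expectancy: loss from one incident."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized loss expectancy: expected loss per year."""
        return self.sle() * self.aro


def safeguard_net_benefit(before: Risk, after: Risk, annual_safeguard_cost: float) -> float:
    """ALE reduction achieved by the safeguard minus its annual cost.
    Positive means the safeguard pays for itself under these estimates."""
    return before.ale() - after.ale() - annual_safeguard_cost


def decision_sensitivity(before: Risk, after: Risk, annual_safeguard_cost: float,
                         aro_scale_factors) -> dict:
    """Re-run the cost-benefit decision with the likelihood (ARO) estimate
    scaled by each factor, everything else fixed. Returns {factor: net_benefit}.
    A factor of 0.5 means the analyst overestimated likelihood by 2x."""
    results = {}
    for f in aro_scale_factors:
        b = Risk(before.asset, before.asset_value, before.exposure_factor, before.aro * f)
        a = Risk(after.asset, after.asset_value, after.exposure_factor, after.aro * f)
        results[f] = safeguard_net_benefit(b, a, annual_safeguard_cost)
    return results


# Constructed sample register (hypothetical figures, not from the paper).
REPLACEMENT_COST = 200_000.0   # hardware plus rebuild, what a technology-only inventory records
DISRUPTION_LOSS = 300_000.0    # lost business while the system is down, often omitted
SAFEGUARD_COST = 6_000.0       # annual cost of the safeguard (licence plus operations)

# Same asset before and after the safeguard; the safeguard lowers ARO from
# once per 10 years to once per 50 years, the exposure factor is unchanged.
BEFORE = Risk("customer database server", REPLACEMENT_COST, 0.5, 0.10)
AFTER = Risk("customer database server", REPLACEMENT_COST, 0.5, 0.02)


def with_disruption_cost(r: Risk) -> Risk:
    """Same risk, but the asset value also counts the cost of disrupted operations."""
    return Risk(r.asset, r.asset_value + DISRUPTION_LOSS, r.exposure_factor, r.aro)


def main() -> None:
    print(f"SLE before: {BEFORE.sle():,.0f}  ALE before: {BEFORE.ale():,.0f}  ALE after: {AFTER.ale():,.0f}")
    print(f"net benefit at face-value estimates: {safeguard_net_benefit(BEFORE, AFTER, SAFEGUARD_COST):,.0f}")
    for f, nb in decision_sensitivity(BEFORE, AFTER, SAFEGUARD_COST, (0.5, 1.0, 2.0)).items():
        verdict = "invest" if nb > 0 else "do not invest"
        print(f"ARO x{f}: net benefit {nb:,.0f} -> {verdict}")
    nb_full = safeguard_net_benefit(with_disruption_cost(BEFORE), with_disruption_cost(AFTER), SAFEGUARD_COST)
    print(f"with disruption loss in the asset value: net benefit {nb_full:,.0f}")


if __name__ == "__main__":
    main()
```

At face value the safeguard shows a positive net benefit, but if the true likelihood is half the estimate the same safeguard is a net loss, and if the asset valuation includes disrupted operations the benefit grows sevenfold; the verdict moves with the inputs the text identifies as the least reliable.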