Perceived risk assessment
Source
Conference on Computer and Communications Security archive
Proceedings of the 4th ACM workshop on Quality of protection
Alexandria, Virginia, USA
SESSION: Risk
Pages 59-64
Year of Publication: 2008
ISBN: 978-1-60558-321-1
Authors
Yudistira Asnar, University of Trento, Trento, Italy
Nicola Zannone, University of Toronto, Toronto, Canada
Sponsors
SIGSAC: ACM Special Interest Group on Security, Audit, and Control
ACM: Association for Computing Machinery
Publisher
ACM  New York, NY, USA
DOI: http://doi.acm.org/10.1145/1456362.1456375

ABSTRACT

In recent years, IT systems have come to play an increasingly fundamental role in human activities, and in particular in critical activities such as air traffic control and the management of nuclear power plants. This has spurred several researchers to develop models, metrics, and methodologies for analyzing and measuring the security and dependability of critical systems. Their objective is to understand whether the risks affecting the system are acceptable or not. If the risks are too high, analysts need to identify treatments adequate to mitigate them. Existing proposals, however, fail to consider risk within multi-actor settings, where the different actors participating in the system might each have a different perception of risk and react accordingly. In this paper, we introduce the concept of perceived risk and discuss how it differs from actual risk. We also investigate the concepts necessary to capture and analyze perceived risk.
