Why 2 times 2 ain't necessarily 4 - at least not in IT security risk assessment
This work addresses methodological issues in IT security risk assessment standards and offers an improved approach for practitioners; its scope is incremental, since it critiques and builds upon an existing draft standard rather than proposing a new framework.
The paper analyzes the novel semi-quantitative IT security risk assessment approach proposed in the draft IEC 62443-3-2, exposes systematic flaws in it, and proposes an alternative method that integrates semi-quantitative risk assessment with threat and risk analysis.
Recently, a novel approach towards semi-quantitative IT security risk assessment has been proposed in the draft IEC 62443-3-2. This approach is analyzed from several angles, e.g. its embedding into the overall standard series and its semantic and methodological soundness. As a result, several systematic flaws in the approach are exposed. As a way forward, an alternative approach is proposed which combines semi-quantitative risk assessment with threat and risk analysis.