Information Security Risk Assessment in the Context of Outsourcing in a Financial Institution

Name
Kärt Padur
Abstract
Information security risk assessment in a financial institution is important for understanding risk exposure to the confidentiality, integrity, and availability of assets. Third-party security is recognized as having a growing importance for financial sector organizations. A financial institution aims to secure information while justifying budgeting decisions. Unfortunately, commonly used methods depend on value judgments and individual assurances, which limits how well they reflect the uncertainties that exist in reality. This is a problem because organizations do not want to allocate resources to security without accurately estimating their exposure to risks. The paper introduces two information security risk assessment methods: the Information System Security Risk Management method and Bayesian Networks Based Attack Graphs. A systematic comparison of the methods is made in the context of third-party outsourcing. The paper proposes how to combine a security risk management method with a probabilistic risk assessment method. Feedback and validation have been given by experts in the field.
Graduation Thesis language
English
Graduation Thesis type
Master - Cyber Security
Supervisor(s)
Raimundas Matulevičius, Ph.D.; Liis Rebane, Ph.D.; Toomas Vaks, MA
Defence year
2019