I recently gave a presentation at the IEEE Policy 2011 Symposium, about “Risk Assessment and Decision Support for Enterprise Security Policies”. Good discussions and debates.
My presentation is now available online. The abstract of the related paper follows:
“This paper presents and discusses our work to provide organizations with risk assessment and decision support capabilities when dealing with their strategic security policies. We aim at achieving this by using a rigorous and scientific methodology (and tools) which leverages modeling and simulation techniques. This methodology helps organizations to assess their risk exposure. It factors in policy implementation at the operational level along with relevant threats, processes, interactions and people behaviors. It provides “what-if” analysis by illustrating the consequences of making policy changes and investments. We introduce our methodology and tools and then illustrate how this approach has been successfully used in a real case study with one of our major customers. This case study focused on the organization’s access management processes and related policies: it helped to inform strategic security policies and support changes of current processes. Additional work is planned in this space.”
--- NOTE: use this mirror blog if you prefer posting on an external blog site ---
--- NOTE: my original HP blog can be found here ---