N± : Reflecting Local Risk Assessment in LoA
Hiroyuki Sato
Information Technology Center, The University of Tokyo, Japan
schuko@satolab.itc.u-tokyo.ac.jp
Abstract. Risk analysis is one of the major phases in information security. In a modern framework of qualitative risk analysis, it is common that each of information assets, threats and vulnerabilities is given one of a small number of grades, on which the risk assessment of the information is based.
In this paper, we first propose reusing the results of risk assessment in access control among servers. By reusing these results, we can recover the cost of risk assessment through access control. Secondly, we propose a hybrid of conventional risk assessment and detailed analysis for assigning LoAs (Levels of Assurance). Starting from a conventional qualitative system with a small number of grades, we adapt it so that a small investment in partially adopting detailed risk analysis is rewarded. This adjustment is represented as epsilons.
We propose the epsilon system and present our case of OTP (one-time password) authentication, where this adjustment is effective in assessing the authentication mechanism. Our experience shows that the adjustment can be implemented by making a local comparison with a reference model.
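As an added illustration of the scheme the abstract describes (this is not the paper's own method or code), the following Python script combines three-grade assessments of asset, threat and vulnerability into a coarse integer level N, derives a small epsilon from a local comparison of a mechanism against a reference-model checklist, and then reuses the adjusted level in a server-to-server access decision. The grade scale, the thresholds mapping scores to N, the reference checklist for OTP, the epsilon formula and the sample observations are all assumptions made for this example.

```python
"""Added example: a conventional small-number-of-grades risk assessment
with a local epsilon adjustment, reused for access control.
All scales, thresholds, checklists and sample data are assumptions."""
from dataclasses import dataclass

# Assumed three-grade qualitative scale shared by asset value, threat and vulnerability.
GRADE = {"low": 1, "medium": 2, "high": 3}

# Assumed mapping from the product of the three grades (1..27) to a coarse level N in 1..4.
# Each tuple is (minimum score, level); the highest matching entry wins.
LEVEL_THRESHOLDS = [(1, 1), (4, 2), (9, 3), (18, 4)]


def coarse_level(asset: str, threat: str, vulnerability: str) -> int:
    """Conventional assessment: combine three grades into one integer level N."""
    score = GRADE[asset] * GRADE[threat] * GRADE[vulnerability]
    level = 1
    for minimum, n in LEVEL_THRESHOLDS:
        if score >= minimum:
            level = n
    return level


@dataclass
class ReferenceModel:
    """Checklist of properties the reference mechanism is assumed to have."""
    name: str
    expected: dict  # property name -> expected boolean


def epsilon(model: ReferenceModel, observed: dict, weight: float = 0.5) -> float:
    """Local comparison with the reference model (assumed formula):
    +weight when every property matches, -weight when every property
    deviates, and a linear scale in between. A property missing from
    `observed` counts as a deviation."""
    total = len(model.expected)
    matches = sum(1 for k, v in model.expected.items() if observed.get(k) == v)
    misses = total - matches
    return round(weight * (matches - misses) / total, 3)


def adjusted_level(n: int, eps: float) -> float:
    """N plus epsilon: the coarse grade refined by the local comparison."""
    return n + eps


def access_allowed(required_loa: float, assessed_loa: float) -> bool:
    """Reuse of the assessment in access control among servers: a peer
    is admitted only if its adjusted level meets the required LoA."""
    return assessed_loa >= required_loa


# Constructed reference checklist for an OTP mechanism (assumed, not from the paper).
OTP_REFERENCE = ReferenceModel(
    name="OTP reference",
    expected={
        "time_limited_code": True,
        "rate_limited_verification": True,
        "secret_kept_server_side": True,
        "code_reuse_allowed": False,
    },
)

# Constructed observation of a deployed OTP mechanism: one property deviates.
OBSERVED_OTP = {
    "time_limited_code": True,
    "rate_limited_verification": False,
    "secret_kept_server_side": True,
    "code_reuse_allowed": False,
}


def assess_otp_example() -> float:
    """Worked case: medium-valued asset, high threat, medium vulnerability,
    refined by the local comparison of the observed OTP mechanism."""
    n = coarse_level("medium", "high", "medium")      # score 12 -> N = 3
    eps = epsilon(OTP_REFERENCE, OBSERVED_OTP)         # 3 matches, 1 miss -> +0.25
    return adjusted_level(n, eps)


if __name__ == "__main__":
    loa = assess_otp_example()
    print(f"adjusted LoA = {loa}")
    print("peer requiring LoA 3.0 admitted:", access_allowed(3.0, loa))
    print("peer requiring LoA 3.5 admitted:", access_allowed(3.5, loa))
```

The epsilon stays strictly inside the interval between adjacent grades, so the coarse assessment still decides the bulk of the outcome and the detailed comparison only tips decisions at the boundary, which is the reward-for-small-investment behaviour the abstract describes.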
LNCS 5871, p. 833 ff.
© Springer-Verlag Berlin Heidelberg 2009