The threat nets approach to information system security risk analysis

Abstract

The growing demand for healthcare services is motivating hospitals to strengthen outpatient case management using information systems in order to serve more patients using the available resources. Though the use of information systems in outpatient case management raises patient data security concerns, it was established that the current approaches to information systems risk analysis do not provide logical recipes for quantifying threat impact and determining the cost-effectiveness of risk mitigation controls. Quantifying the likelihood of the threat and determining its potential impact is key in deciding whether to adopt a given information system or not.Therefore, this thesis proposes the Threat Nets Approach organized into 4 service recipes, namely: threat likelihood assessment service, threat impact evaluation service, return on investment assessment service and coordination management. The threat likelihood assessment service offers recipes for determining the likelihood of a threat. The threat impact evaluation service offers techniques of computing the impact of the threat on the organization. The return on investment assessment service offers recipes of determining the cost-effectiveness of threat mitigation controls. To support the application of the approach, a ThreNet tool was developed. The approach was evaluated by experts to ascertain its usability and usefulness. Evaluation of the Threat Nets Approach by the experts shows that it provides complete, usable and useful recipes for the assessment of; threat likelihood, threat impact and cost-effectiveness of threat mitigation controls. The results suggest that the application of Threat Nets approach is effective in quantifying risks to information system