An IT risk assessment must deliver the best possible quality of results in a time-eﬀective way. Organisations are used to customise the general-purpose standard risk assessment methods in a way that can satisfy their requirements. In this paper we present the QualTD Model and method, which is meant to be employed together with standard risk assessment methods for the qualitative assessment of availability risks of IT architectures, or parts of them. The QualTD Model is based on our previous quantitative model, but geared to industrial practice since it does not require quantitative data which is often too costly to acquire. We validate the model and method in a real-world case by performing a risk assessment on the authentication and authorisation system of a large multinational company and by evaluating the results w.r.t. the goals of the stakeholders of the system. We also perform a review of the most popular standard risk assessment methods and an analysis of which one can be actually integrated with our QualTD Model.
|Place of Publication||Enschede|
|Publisher||Distributed and Embedded Security (DIES)|
|Number of pages||26|
|Publication status||Published - 4 Sep 2009|
|Name||CTIT Technical Report Series|
|Publisher||Centre for Telematics and Information Technology, University of Twente|
Zambon, E. (Ed.), Zambon, E. (Ed.), Etalle, S., Wieringa, R. J., & Hartel, P. H. (2009). Architecture-based Qualitative Risk Analysis for Availability of IT Infrastructures. (CTIT Technical Report Series; No. TR-CTIT-09-35). Enschede: Distributed and Embedded Security (DIES).