(The) risk analysis and management for information system using CRAMM

Abstract

In today``s complex business world, managers should recognize a fundamental premise: it is not possible to have a risk-free data processing environment. Risk, therefore, must be managed. The major questions facing management, when attempting to manage risks, are: What is the impact on business objectives and goals if the risks materialize? What security safeguards are available to reduce the unacceptable risks to an acceptable level? How effective are the security safeguards once they are implemented?, etc. This study provides an overview of the risk analysis and management program for IS, and the steps to be accomplished in developing it. At this day, according to increase concern for customer``s security, the thesis studied risk analysis and management for information system by selecting a company having the highest sensitivity for customer``s security. This thesis produces too many countermeasures for a company. Consequently, however, the manager should decide to the countermeasure considering type, cost, state, and security level, etc. And so for manager``s decision making, this thesis develops DSS for analyzing and selecting countermeasures. In conclusion, In Korea which is wasteland of risk analysis and management, this research could make the pioneer have the idea about this field.