This website presents the software solution developed to support the entire AURUM risk management methodology. Compared to existing approaches, AURUM enables automated information security risk management, including objective measures of risk and risk reduction, by taking the entire setting of the organization into account.
Although companies consider security one of the most important issues on their agenda, many are not aware of how much they spend on security or whether their security investments are effective. Information security risk management is a crucial element for ensuring long-term business success because it provides an effective approach for measuring security through the identification and valuation of assets, threats, and vulnerabilities, and offers methods for risk assessment, risk mitigation, and evaluation. However, while existing approaches (see Background) for implementing an adequate risk management strategy are widely accepted within the community, they require very detailed knowledge of both the IT security domain and the actual company environment. As a consequence, organizations mostly fall back on best-practice guidelines, information security standards, or domain experts when conducting the risk assessment, and are confronted with the following problems:
- best-practice guidelines such as the German IT-Grundschutz Manual or the French EBIOS standard provide excellent knowledge about potential threats, vulnerabilities, and countermeasures, but without a domain expert the organization is usually unable to consider all the complex relationships between the relevant IT security concepts, which results in a non-holistic IT security approach that endangers the organization in performing its mission
- to check which concrete infrastructure elements are endangered by certain threats, the organization has to manually map the knowledge from best-practice guidelines onto its actual infrastructure
- information security standards such as ISO 27001 in particular state only very abstract implementation suggestions for risk mitigation; concrete countermeasures, or combinations thereof, are mostly missing
- determining threat probabilities is mostly based on subjective perception instead of objective evaluation
- while companies strive for cost-conscious solutions, they are frequently unaware of their level of IT security capital expenditure and/or, even more importantly, whether these investments are effective
- management decision makers, such as the CPO or CIO, have to cope with a broad spectrum of potential IT security investments on the one hand and the decision of selecting the most appropriate set of IT security investments on the other. The results of existing methods provide decision makers with inadequate, barely intuitive, and/or non-interactive decision support and thus do not help them make an appropriate risk-versus-cost trade-off when investing in IT security solutions
To address the reservations and demands outlined above, we developed a novel methodology for information security risk management, including objective measures of risk, risk reduction, and cost of defense, named AURUM (derived from "AUtomated Risk and Utility Management").

