Abstract
To provide a systematic means of identifying and assessing information security risks, organizations typically adopt asset-driven (or asset-oriented) risk assessment schemes. These schemes require organizations to identify their information assets, find out potential incidents to those assets, and assess expected losses associated with those incidents. While asset value is important in determining loss expectancies for associated incidents, the accuracy of asset valuation is crucial. Although numerous guidelines exist regarding how best to evaluate asset value, current risk assessment schemes generally overlook how to validate assessments of asset value. Consequently, this work presents a process-oriented approach that organizations can employ to validate and adjust asset value. The approach presented in this study can help organizations represent their business processes and information assets used in those processes using flowcharts, and also mark dependencies among assets based on confidentiality, integrity, and availability requirements on flowcharts. Organizations can use the markings of dependencies to validate and correct results associated with asset valuation. If organizations can more accurately evaluate asset value, they can improve the effectiveness of their risk assessment. Therefore, the approach presented in this study can hopefully help improve organizational information security.