Risk Assessment Quantification for Bring Your Own Device Based on Practical Viewpoints
In recent years, a growing number of companies have introduced Bring Your Own Device (BYOD), in which personal smartphones and tablets are used for business. However, using a private terminal in place of a business one carries risks, such as leakage of business information and of employees' personal information. These risks were exhaustively identified in our previous study, but only on the basis of qualitative assessment results. To make risk countermeasures more realistic, further quantitative evaluation is needed. In this paper, we therefore add new cost risk factors for BYOD, from a practical viewpoint, to the risk analysis results of the previous study. Furthermore, based on the results, a quantitative evaluation was conducted to verify its effectiveness. For the evaluation, the risk factor values were estimated using a risk calculation formula used in the field of information security management systems (ISMS). The evaluation showed that combining the BYOD risk measures proposed in the previous study with the cost risk measures added in this study makes it possible to reduce the risk by about 56%. The results of this quantitative risk assessment are expected to help make the future use of BYOD safer and more secure for companies.