This paper develops a framework for analyzing security risk dependencies in organizations and ranking the risks. The framework captures how risk "diffuses" via complex interactions and reaches an equilibrium by introducing a risk-rank algorithm. A conceptual structure of an organization, comprising business units, security threats/vulnerabilities, and people, is leveraged for modeling risk dependencies and cascades. The risk-rank algorithm captures risk diffusion over time and ranks the various risks by balancing the immediate risk against the future risk that emerges via cascading across system dependencies. Thus, the presented framework facilitates a systematic prioritization of risks in organizations.
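An added illustration of the idea the abstract describes, not the paper's own risk-rank algorithm: a damped diffusion over a constructed organization graph of business units, a threat and a person, iterated to equilibrium, where the parameter `beta` (an assumption here) weights cascaded future risk against immediate risk before nodes are ranked.

```python
# Constructed example organization; every node and value is made up.
IMMEDIATE_RISK = {
    "unpatched-vpn": 0.9,   # security threat/vulnerability
    "payments": 0.2,        # business unit
    "hr-portal": 0.1,       # business unit
    "admin-alice": 0.0,     # person: no risk of her own, exposed via the VPN
}

# DEPENDS_ON[a] = {b: weight}: risk present at b cascades into a.
DEPENDS_ON = {
    "payments": {"unpatched-vpn": 1.0, "admin-alice": 1.0},
    "hr-portal": {"admin-alice": 1.0},
    "admin-alice": {"unpatched-vpn": 1.0},
    "unpatched-vpn": {},
}


def risk_rank(immediate, depends_on, beta=0.5, tol=1e-12, max_iter=10_000):
    """Equilibrium risk per node: fixed point of
    r[a] = (1 - beta) * immediate[a] + beta * sum_b w[a][b] * r[b].
    Weights per node are normalised, so for beta < 1 the update is a
    contraction and converges on any dependency graph, cycles included.
    """
    weights = {}
    for node, deps in depends_on.items():
        total = sum(deps.values())
        weights[node] = {b: w / total for b, w in deps.items()} if total else {}
    scores = dict(immediate)
    for _ in range(max_iter):
        new = {
            a: (1 - beta) * immediate[a]
            + beta * sum(w * scores[b] for b, w in weights.get(a, {}).items())
            for a in immediate
        }
        delta = max(abs(new[a] - scores[a]) for a in immediate)
        scores = new
        if delta < tol:      # equilibrium reached
            break
    return scores


def ranked(immediate, depends_on, beta=0.5):
    """Nodes ordered by equilibrium risk, highest first."""
    scores = risk_rank(immediate, depends_on, beta)
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    for node, score in ranked(IMMEDIATE_RISK, DEPENDS_ON):
        print(f"{node:14s} {score:.4f}")
```

In this constructed graph the person with zero immediate risk outranks the hr-portal unit purely through the cascade from the unpatched VPN, which is the prioritization effect the abstract attributes to balancing immediate against future risk.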