Simple and Multi Risk Assessment Framework for Information Security using Process Flow Diagram

Edri Yunizal, Judhi Santoso, Kridanto Surendro

Abstract

Organizations need a risk assessment framework that is simple enough for them to understand. Risk analysis, on the other hand, requires some mathematical tools in order to estimate risk based on that understanding and on the data available. In practice, the assets for which risk is calculated depend on one another, which introduces unavoidable complexity. We propose a framework that addresses these three situations with a process flow diagram. Simplicity comes from a conceptual model based on data flow diagrams, which are widely used in information system design. This conceptual model can be translated into several risk models at once: graph, Boolean algebra, Boole's algebra, and set theory. The complexity of asset dependencies is handled when the conceptual model is translated into the risk model. The solution is demonstrated in a case study of an information system for COVID-19 personal protective equipment (PPE) in Indonesia, which requires the construction of a simple information system, support for multiple risk models, and consideration of asset dependencies. The multi-risk model also allows the implementation to be validated by cross-checking the risk models against one another.

Keywords

Information Security; Risk Assessment; Asset Dependency; Simplify; Multi-risk model; COVID-19; PPE Information System


DOI: http://dx.doi.org/10.31958/js.v15i1.9249


Copyright (c) 2023 Edri Yunizal

Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.


Sainstek: Jurnal Sains dan Teknologi
ISSN 2085-8019  (print) | 2580-278x  (online)
Published by Institut Agama Islam Negeri Batusangkar

Email: sainstek@iainbatusangkar.ac.id

