Information Security Risk Management with Octave Method and ISO/EIC 27001: 2013 (Case Study: Airlangga University)

Indri Sulistyowati, R. V. Hari Ginardi

Abstract


Airlangga University has implemented ISO 27001:2013 in asset-based information security governance, covering information assets, software assets, hardware assets, and human resources assets. However, many vulnerabilities in university computing systems cannot be mitigated properly, as evidenced by the continued hacking of university computing systems. This shows that the results of hacking tests on university computing systems are not identified in more detail and are not included in university risk management. The purpose of this research is to build a university information security risk management framework using the OCTAVE method based on ISO/IEC 27001:2013. This research uses the OCTAVE framework to build a risk management framework model. The measurement method combines a qualitative method to measure the severity and the likelihood of each asset with a quantitative method to measure the potential loss on the cost of each asset. The results of this research are expected to provide an information security risk management framework, so that the vulnerability and financial loss analysis of each asset can be expressed as a risk, and risk mitigation plans for each asset may consider vulnerability and return on investment.
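As an added illustration of the combined qualitative and quantitative scoring the abstract describes, the following example (written for this page, not code from the paper) builds a small asset risk register. The 1..3 severity and likelihood scales, the annualized loss expectancy (ALE = SLE x ARO) and the return-on-security-investment formula are standard textbook assumptions, not values or formulas taken from the paper, and the register entries are constructed sample data.

```python
from dataclasses import dataclass

# Assumed qualitative scales (the paper does not fix them).
SEVERITY = {"low": 1, "medium": 2, "high": 3}
LIKELIHOOD = {"rare": 1, "possible": 2, "likely": 3}


@dataclass
class Asset:
    name: str
    severity: str           # qualitative impact if the vulnerability is exploited
    likelihood: str         # qualitative chance of exploitation per year
    asset_value: float      # replacement/recovery cost in currency units
    exposure_factor: float  # fraction of value lost per incident (0..1)
    aro: float              # annualized rate of occurrence (incidents/year)


def qualitative_score(a: Asset) -> int:
    """Severity x likelihood on the assumed 1..3 scales (range 1..9)."""
    return SEVERITY[a.severity] * LIKELIHOOD[a.likelihood]


def annual_loss_expectancy(a: Asset) -> float:
    """Quantitative loss: ALE = SLE * ARO, with SLE = asset value * exposure factor."""
    return a.asset_value * a.exposure_factor * a.aro


def rosi(a: Asset, control_cost: float, risk_reduction: float) -> float:
    """Return on security investment for a control that removes `risk_reduction`
    (0..1) of the asset's ALE at `control_cost` per year: (avoided loss - cost) / cost."""
    avoided = annual_loss_expectancy(a) * risk_reduction
    return (avoided - control_cost) / control_cost


def prioritize(assets):
    """Rank assets by qualitative score, then by ALE, highest risk first."""
    return sorted(assets, key=lambda a: (qualitative_score(a), annual_loss_expectancy(a)), reverse=True)


# Constructed sample register covering the paper's four asset classes (not data from the paper).
REGISTER = [
    Asset("student portal (software)", "high", "likely", 200_000.0, 0.4, 0.5),
    Asset("lecture-hall switch (hardware)", "medium", "possible", 5_000.0, 1.0, 0.2),
    Asset("admin staff account (human)", "high", "possible", 50_000.0, 0.3, 1.0),
]

if __name__ == "__main__":
    for a in prioritize(REGISTER):
        print(f"{a.name:32} score={qualitative_score(a)} ALE={annual_loss_expectancy(a):,.0f}")
    # A control costing 10,000/yr that cuts the portal's ALE by 60% yields ROSI 1.4
    print("ROSI of portal patch program:", rosi(REGISTER[0], 10_000.0, 0.6))
```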

Keywords


information risk management; OCTAVE; vulnerability; financial loss analysis



DOI: http://dx.doi.org/10.12962/j23546026.y2019i1.5103


This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.