Asset Identification in Information Security Risk Assessment Using Process Mining

Abstract

Information security risk assessment (ISRA) currently has gaps in inadequate asset identification. This activity is still manual, depending on the approach adopted and used, thus leading to subjectivity and inaccuracies. Whereas incorrect identification will lead to inaccurate results. The need to consider the dependency of assets within ISRA, which is still not resolved by ISRA, complicates this. A process perspective that can view assets based on their role in organizational processes rather than physical connections should be able to bridge this gap. Unfortunately, Small and Medium Enterprises (SME) find it difficult to take advantage of this opportunity due to time and cost constraints. This research bridges this gap by providing a process-oriented perspective that uses process mining. It automates asset identification based on historically derived organizational workflows using Legacy Information Systems (LIS) triggers. For rigor and relevance, this research uses a series of design research evaluation stages: problem, design, construct, and usage. Problem evaluation is through the study of related literature. For design evaluation, it made comparisons with asset and process-oriented ISRA and preprocessing of process mining. The construct evaluation by testing the system before and after method implementation. It also considers the method's maximum capability. Meanwhile, usage evaluation through a case study on an inventory system. The contribution offered: (1) integrating process mining with ISRA, (2) making the process-aware LIS without disturbing the running process, (3) preparing an artifact to generate an event log using database trigger, and (4) automating ISRA's asset identification which also considers asset dependency.