Abstract

Information technology and information systems are used widely in many fields, such as business, education, marketing, transportation, medicine, and many other areas. In the information technology and systems field, security plays a vital role and has thus become a challenging issue. Therefore, security should already be in place and resistant to a variety of potential attacks. In Information Security and Information Technology, it is important to decide what countermeasures could potentially keep the organization from achieving its business objectives. Reducing risk to an acceptable level is the main target of the risk management process. On the other hand, the main reason for failure in Information Security Risk Management (ISRM) is the complexity and inflexibility of the existing models. Domain modelers usually spend a lot of time understanding the nature of the domain they want to model. Even though many ISRM models currently exist, finding a suitable model that can give ISRM users straightforward guidance based on their problems remains difficult. To overcome this issue, this book chapter follows design science research to create a generic metamodel that can describe the semantics of ISRM models and their solutions through one unified model. Through the metamodel, various risk management problems faced by different levels of ISRM users can be solved based on the problem attributes, such as risk determination specific to a firewall vulnerability problem and risk assessment for information security project management. This can help many users and newcomers to this domain easily understand the concepts required for their own information security risk problems.

Keywords: Metamodel; Information security management; Design science research
