Information Security Risk Management Research Articles

Dynamic interplay in the information security risk management process

In this paper, the formal processes so often assumed in information security risk management and its activities are investigated. For instance, information classification, risk analysis, and security controls are often presented in a predominantly instrumental progression. This approach, however, has received scholarly criticism, as it omits social and organisational aspects, creating a gap between formal and actual processes. This study argues that there is an incomplete understanding of how the activities within these processes actually interplay in practice. For this study, senior information security managers from four major Swedish government agencies were interviewed. As a result, 12 characteristics are presented that reflect an interplay between activities and that have implications for research, as well as for developers of standards and guidelines. The study's conclusions suggest that the information security risk management process should be seen more as an emerging process, where each activity interplays dynamically in response to new requirements and organisational and social challenges.

Dynamic interplay in the information security risk management process

In this paper, the formal processes so often assumed in information security risk management and its activities are investigated. For instance, information classification, risk analysis, and security controls are often presented in a predominantly instrumental progression. This approach, however, has received scholarly criticism, as it omits social and organisational aspects, creating a gap between formal and actual processes. This study argues that there is an incomplete understanding of how the activities within these processes actually interplay in practice. For this study, senior information security managers from four major Swedish government agencies were interviewed. As a result, 12 characteristics are presented that reflect an interplay between activities and that have implications for research, as well as for developers of standards and guidelines. The study's conclusions suggest that the information security risk management process should be seen more as an emerging process, where each activity interplays dynamically in response to new requirements and organisational and social challenges.

Effects of Information Security Management Systems on Firm Performance

The purpose of this paper is to determine the aspects of the information security management system (ISMS) on which decision-makers must act to achieve the performance targets. Information assets as core of any Information systems (IS) should be taken seriously by a custom security. In this research, we conduct a case study specially using the Delone and McLean’s IS success model. The hypotheses were tested by PLS-SEM of theSmartPLS software using survey data collected among 136 IS and IT professionals. We found that the ISMS (system, service and information qualities, maturity level of information security risk management process) and performance are directly related on one hand, and indirectly by the IT capabilities of the company in the other hand. This shows that mastering security information management risks process is crucial for an enterprise because it greatly contributes to organizational performance, improve the IS’ support such as IT management, IT personal skills and IT infrastructure. This work has explored the feasibility of using the IS success model on ISMS, a key world know element, where Africa is both the target of the informational mobility, hackers and especially in the global economy. We consider the IS success model with 4 dependent variables including maturity level of process.

An analysis and classification of public information security data sources used in research and practice

In order to counteract today’s sophisticated and increasing number of cyber threats the timely acquisition of information regarding vulnerabilities, attacks, threats, countermeasures and risks is crucial. Therefore, employees tasked with information security risk management processes rely on a variety of information security data sources, ranging from inter-organizational threat intelligence sharing platforms to public information security data sources, such as mailing lists or expert blogs. However, research and practice lack a comprehensive overview about these public information security data sources, their characteristics and dependencies. Moreover, comprehensive knowledge about these sources would be beneficial to systematically use and integrate them to information security processes. In this paper, a triangulation study is conducted to identify and analyze public information security data sources. Furthermore, a taxonomy is introduced to classify and compare these data sources based on the following six dimensions: (1) Type of information, (2) Integrability, (3) Timeliness, (4) Originality, (5) Type of Source,and (6) Trustworthiness. In total, 68 public information security data sources were identified and classified. The investigations showed that research and practice rely on a large variety of heterogeneous information security data sources, which makes it more difficult to integrate and use them for information security and risk management processes.

The Role of Employee in Information Security Risk Management

The Role of Employee in Information Security Risk Management

Does CIO risk appetite matter? Evidence from information security breach incidents

After a series of recent high-profile information security breach incidents, practitioners have engaged in heated debates about the role of the chief information officer (CIO), particularly his/her role in information security risk management. However, little is known in the academic literature about how a CIO's appetite for risk affects the effectiveness of information security management. We address this gap by examining how a CIO's risk appetite is associated with information security breach incidents. We show that the level of CIO risk aversion is negatively associated with the likelihood of breach incidents. Furthermore, we find that this association is stronger if the company's chief executive officer (CEO) is also risk averse. In additional analyses, we show that the relationship between CIO risk aversion and breach incidents varies depending on breach type and the strategic position of the company and is moderated by the CIO's power.

Метод інформаційно-аналітичної підтримки управління ризиками безпеки ресурсів відомчих інформаційних систем

Метод інформаційно-аналітичної підтримки управління ризиками безпеки ресурсів відомчих інформаційних систем

INFORMATION SECURITY MANAGEMENT STRATEGY ANALYSIS USING SYSTEM DYNAMICS MODELING

Handling information security management is an absolute thing to do for organizations that have information systems to support the organization's operations. Information systems consisting of assets both software and hardware that manage data and information that are spread over networks and the internet, make it vulnerable to threats. Therefore investment and costs are needed to secure it. Costs incurred for this need are not small, but investment expenditures and information security costs carried out need serious handling to be more effective and on target. The System Dynamics Model is used to evaluate alternative strategies to demonstrate the effectiveness of investment and the cost of managing information security through simulation of policy changes. System Dynamics are methods for describing models and systems analysis that are dynamic and complex, consisting of variables that influence each other in the form of causal relationships and feedback between variables that are either reinforcing or giving balance. Simulation using a dynamic system model in this study illustrates that the management of risk assessment followed by vulnerability reduction efforts has a very large impact on the management of information security. By making a difference in the value of security tools investment, this provides an alternative choice in information security risk management investments to achieve the effectiveness of the overall costs incurred in managing information security

Context Analysis of Cloud Computing Systems Using a Pattern-Based Approach

Cloud computing services bring new capabilities for hosting and offering complex collaborative business operations. However, these advances might bring undesirable side-effects, e.g., introducing new vulnerabilities and threats caused by collaboration and data exchange over the Internet. Hence, users have become more concerned about security and privacy aspects. For secure provisioning of a cloud computing service, security and privacy issues must be addressed by using a risk assessment method. To perform a risk assessment, it is necessary to obtain all relevant information about the context of the considered cloud computing service. The context analysis of a cloud computing service and its underlying system is a difficult task because of the variety of different types of information that have to be considered. This context information includes (i) legal, regulatory and/or contractual requirements that are relevant for a cloud computing service (indirect stakeholders); (ii) relations to other involved cloud computing services; (iii) high-level cloud system components that support the involved cloud computing services; (iv) data that is processed by the cloud computing services; and (v) stakeholders that interact directly with the cloud computing services and/or the underlying cloud system components. We present a pattern for the contextual analysis of cloud computing services and demonstrate the instantiation of our proposed pattern with real-life application examples. Our pattern contains elements that represent the above-mentioned types of contextual information. The elements of our pattern conform to the General Data Protection Regulation. Besides the context analysis, our pattern supports the identification of high-level assets. Additionally, our proposed pattern supports the documentation of the scope and boundaries of a cloud computing service conforming to the requirements of the ISO 27005 standard (information security risk management). The results of our context analysis contribute to the transparency of the achieved security and privacy level of a cloud computing service. This transparency can increase the trust of users in a cloud computing service. We present results of the RestAssured project related to the context analysis regarding cloud computing services and their underlying cloud computing systems. The context analysis is the prerequisite to threat and control identification that are performed later in the risk management process. The focus of this paper is the use of a pattern at the time of design systematic context analysis and scope definition for risk management methods.

PENERAPAN STANDAR KEAMANAN INFORMASI MENGGUNAKAN FRAMEWORK ISO/IEC 27005:2011 di LAPAN BANDUNG

Information Security standard help to ensure security consistency across the business and usually contain security controls relating to the implementation of specific technology, hardware or software. It is important that a company understands standards so the company can choose the standard that are the most relevant to their organization. ISO 27000 is the international standard for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented Information Security Management System within an organization. ISO/IEC 27005:2011 provides guidelines for information security risk management. It supports the general concepts specified in ISO/IEC 27001 and is designed to assist the satisfactory implementation of information security based on a risk management approach. Risk Management is one of the cornerstones of a mature and functional information security program that provides business value to an organization. The object of this research in LAPAN Bandung is to conduct risk assessment and analysis infrastructure LAPAN RDSA in Bandung. This study uses qualitative and semi-quantitative analysis with the case study method. This risk analysis using the approach of the standard ISO / IEC 27005: 2011

Risk Management Framework and Evaluation: Detail Site Study and Governance of Information Security Risk Management in Medical Information Technology Infrastructure in Hospitals

Objectives: This research has focused on exploring the risk factors involved in hospital medical IT infrastructure risk factor while carry out the software and hardware deployment (i.e. field study) and proposed a risk management framework and assessments for managing the risk. The main objective of the research is to propose an information security risk management framework for a hospital domain as part of use-case in this research. In this paper, we have identified possibilities of risk that might happen anytime, carried out risk analysis in university hospital, and provided risk contingency plans. Methods: Information security is very important for the organization, but very particular for hospital domain, due to patient information is involved and it is very sensitive. While delivering the information, need to be producing the right information at right time with the effective care. The availability of information is very important in medical systems where most of the providers are from cross-border healthcare domain. The methodology followed is a qualitative approach of interview, collecting data, analysis the data, evaluate and provide recommendations. Findings: The expected outcome from this work is a recommendation of risk managing framework for hospital domain on a global context. The risk assessment evaluates the IT plan reports for hospitals and the involved parties to identify the sensitivity, threats, vulnerabilities, and risks that surround the whole medical IT infrastructure. The identified risks are analysed, prioritized and mitigated by providing relevant control plan and recommendationswere provided toavoid or minimize the risk factors in the medical domain. Improvements: Based on field study and risk evaluation reports, IT infrastructure can be improved and risk factors would be forecasted in future and minimized with effective contingency plans. Keywords: Information Security, Medical Hospital, Risk Assessment, Risk Management, Risk Mitigation

АНАЛІЗ МЕТОДІВ І ЗАСОБІВ ДЛЯ РЕАЛІЗАЦІЇ РИЗИК-ОРІЄНТОВАНОГО ПІДХОДУ В КОНТЕКСТІ ЗАБЕЗПЕЧЕННЯ ІНФОРМАЦІЙНОЇ БЕЗПЕКИ ПІДПРИЄМСТВА

The article is devoted to the actual problem of the present – the information security development on the base of risk-oriented approach for solving the problems of information security management for an enterprise. Modern business development trends require the need for risk management. The authors research methods and tools that allow to implement a riskoriented approach in the context of providing enterprise information security and to analyze and evaluate information risks of information security system. The paper considers a series of the tools representatives, most commonlyused in this area, and analyzes several risk assessment methodologies, in particular CRAMM (UK) – the methodology for analysis and risk management, OCTAVE for assessing assets and vulnerability of information security, etc., and a series of regulatory documents, among which NIST SP800-30 (riskmanagement in information technology system); ISO/IEC 27005:2011 (information security risk management methods); ENISA (information security risk assessment) and many others. The analysis of the software advantages and disadvantages for the determination and assessment of information securityrisks (CRAMM, CORAS, Risk Watch, OCTAVE, Oracle Crystal Ball) is presented and a number of recommendations according to the feasibility of using the considered software and management documentation taking into account relevant requirements and criteria of enterprises and organizations isformed.

Methodology and algorithm of information security risk management for local infrastructure

The complexity of information security does not resume to mere technicality, transferring significant liability to proper management. Risk analysis in information security is a powerful tool that comes in handy for managers in making decisions about the implementation of efficient information management systems, in order to achieve the organization's mission.
 As a part of risk management, risk analysis is the systematic implementation of methods, techniques and management practices to assess the context, identify, analyze, evaluate, treat, monitor and communicate the risks for the information security and systems through which they are processed, stored or transmitted.
 The ISO/IEC 27005:2011 – Information security risk management, does not specify any particular method for managing the risks associated with information security, but a general approach. It is up to the organization to devise control objectives that would reflect specific approaches to risk management and the degree of assurance required.
 There are several models, methodologies and tools amongst which those like CRAMM (United Kingdom, Insight Consulting), Risicare/Mehari (France, Clusif), GSTool (Germany, ITGrundschutz). The theoretical model of the mentioned methodologies is hard to put in practice without experience required from the members of the risk analysis team. Using the appropriate risk assessment solution, an organization can devise its own security requirements.

Performance evaluation of the recommendation mechanism of information security risk identification

Abstract In recent decades, information security has become crucial for protecting the benefits of a business operation. Many organizations perform information security risk management in order to analyze their weaknesses, and enforce the security of the business processes. However, identifying the threat–vulnerability pairs for each information asset during the processes of risk assessment is not easy and time-consuming for the risk assessor. Furthermore, if the identified risk diverges from the real situation, the organization may put emphasis on the unnecessary controls to prevent the non-existing risk. In order to resolve the problem mentioned above, we utilize the data mining approach to discover the relationship between assets and threat–vulnerability pairs. In this paper, we propose a risk recommendation mechanism for assisting user in identifying threats and vulnerabilities. In addition, we also implement a risk assessment system to collect the historical selection records and measure the elapsed time. The result shows that with the assistance of risk recommendations, the mean elapsed time is shorter than with the traditional method by more than 21%. The experimental results show that the risk recommendation system can improve both the performance of efficiency and accuracy of risk identification.

Задачі з керування ризиками інформаційної безпеки апарата прийняття рішень

The author has submitted and tried to perform the number of tasks helping in modeling multi-factors information security risk management system. The author has prioritized financing different vulnerabilities by combining two approaches: processing approach in building events tree and mathematical formalizing the connections and affections levels of different events (vulnerabilities and threats) on information resource. Problems in programming 2017; 4: 089-097

Relating Wiener’s cybernetics aspects and a situation awareness model implementation for information security risk management

PurposeSituation awareness theory is a primary mean to take decisions and actions in a dynamically changing environment. Nowadays, to implement situation awareness, theories and models in organizational scenarios have become an important research challenge. The purpose of this paper is to investigate the relationship between the situation awareness theory and cybernetics. Further, the aim is to use this relationship to check the feasibility of situation awareness-based information security risk management (ISRM) implementation in the organizational scenario.Design/methodology/approachTo investigate the relationship between situation awareness theory and cybernetics, Endsley’s situation awareness theory and Norbert Wiener’s cybernetics concepts and philosophy have been used in the present work. For a detailed study, concepts, techniques and philosophy of the cybernetics have been extracted from the thesis of Norbert Wiener titled “The human use of human beings” and “Cybernetics or control and communication in the animal and the machine”.FindingsThe present paper demonstrates that relationship can be successfully established between cybernetics and situation awareness theory. Further, this relationship can be used to solve organizational implementation issues related to situation awareness based systems. To demonstrate relationship and solutions of implementation issues, two case studies related to ISRM are also incorporated in the present case study.Originality/valueThe present work bridges two parallel and prominent theories of situation awareness and cybernetics. It also demonstrates that combination of both the theories can be used to feasibly implement situation awareness based systems in organizations.

Design and Implementation of a Comprehensive Information Security Risk Management Tool based on Multi-agents Systems

Design and Implementation of a Comprehensive Information Security Risk Management Tool based on Multi-agents Systems

Integrating information quality dimensions into information security risk management (ISRM)

Information security is becoming an important entity to most organizations due to current trends in information transfer through a borderless and vulnerable world. This gives more concerns and aware organization to apply information security risk management (ISRM) to develop effective and economically-viable control strategies. Even though there are numerous ISRM methods that are readily available, most of the ISRM methods prescribe a similar process that leads to establish a scope of the assessment, collecting information, producing intermediary information, and finally using the collected information to identify their security risks and provide a measured, analyzed security profile of critical information assets. Based on the “garbage in-garbage out” phenomenon, the success of ISRM planning tremendously depends on the quality of input information. However, with the amount, diversity and variety of information available, practitioners can easily deflects with grown information and becoming unmanageable. Therefore this paper contribute as a stepping stone to determine which IQ dimensions constitute the quality of the information throughout the process of gathering information during ISRM. Seems to accurately define the attributes of IQ dimensions, IQ needs to be assessed within the context of its generation. Thus, papers on IQ web were assessed and comparative analysis was conducted to identify the possible dimensions for ISRM. Then, online survey using likert structured questionnaire were distributed among a group of information security practitioners in Malaysia (N = 150). Partial least square (PLS) analysis revealed that dimension accuracy, amount of data, objective, completeness, reliability and verifiability are significantly influence the quality of information gathering for ISRM. These IQ dimensions can guide practitioners in the process of gathering quality and complete information in order to make a plan that leads to a clear direction, and ultimately help to make decisions that lead to success.

A framework for estimating information security risk assessment method completeness

In general, an information security risk assessment (ISRA) method produces risk estimates, where risk is the product of the probability of occurrence of an event and the associated consequences for the given organization. ISRA practices vary among industries and disciplines, resulting in various approaches and methods for risk assessments. There exist several methods for comparing ISRA methods, but these are scoped to compare the content of the methods to a predefined set of criteria, rather than process tasks to be carried out and the issues the method is designed to address. It is the lack of an all-inclusive and comprehensive comparison that motivates this work. This paper proposes the Core Unified Risk Framework (CURF) as an all-inclusive approach to compare different methods, all-inclusive since we grew CURF organically by adding new issues and tasks from each reviewed method. If a task or issue was present in surveyed ISRA method, but not in CURF, it was appended to the model, thus obtaining a measure of completeness for the studied methods. The scope of this work is primarily functional approaches risk assessment procedures, which are the formal ISRA methods that focus on assessments of assets, threats, vulnerabilities, and protections, often with measures of probability and consequence. The proposed approach allowed for a detailed qualitative comparison of processes and activities in each method and provided a measure of completeness. This study does not address aspects beyond risk identification, estimation, and evaluation; considering the total of all three activities, we found the “ISO/IEC 27005 Information Security Risk Management” to be the most complete approach at present. For risk estimation only, we found the Factor Analysis of Information Risk and ISO/IEC 27005:2011 as the most complete frameworks. In addition, this study discovers and analyzes several gaps in the surveyed methods.

Механизмы страхования в управлении рисками информационной безопасности

Механизмы страхования в управлении рисками информационной безопасности