Enterprise information security policy assessment - an extended framework for metrics development utilising the goal-question-metric approach

Effective enterprise information security policy management requires review and assessment activities to ensure information security policies are aligned with business goals and objectives. As security policy management involves the elements of policy development process and the security policy as output, the context for security policy assessment requires goal-based metrics for these two elements. However, the current security management assessment methods only provide checklist types of assessment that are predefined by industry best practices and do not allow for developing specific goal-based metrics. Utilizing theories drawn from literature, this paper proposes the Enterprise Information Security Policy Assessment approach that expands on the Goal-Question-Metric (GQM) approach. The proposed assessment approach is then applied in a case scenario example to illustrate a practical application. It is shown that the proposed framework addresses the requirement for developing assessment metrics and allows for the concurrent undertaking of process-based and product-based assessment. Recommendations for further research activities include the conduct of empirical research to validate the propositions and the practical application of the proposed assessment approach in case studies to provide opportunities to introduce further enhancements to the approach

Understanding and Specifying Information Security Needs to Support the Delivery of High Quality Security Services

In this paper we present an approach for specifying and prioritizing information security requirements in organizations. It is important to prioritize security requirements since hundred per cent security is\ud not achievable and the limited resources available should be directed to satisfy the most important ones. We propose to explicitly link security requirements with the organization’s business vision, i.e. to provide business\ud rationale for security requirements. The rationale is then used as a basis for comparing the importance of different security requirements.\ud Furthermore we discuss how to integrate the aforementioned solution concepts into a service level management process for security services, which is an important step in IT Governance. We validate our approach by way of a focus group session

Modeling of economically sustainable information security management systems in seaport clusters

The paper researches the usage of ARIS Express process modeling tool in creation of economically sustainable information security management system in seaport clusters. Basic concepts of information security in seaport cluster stakeholder’s organizations are detailed, and relations and interactions between organizations and their environment are researched. Portfolio approach to information security is being endorsed along with quantification of total levels of the risk and the resulting cost of information security. The authors identify two basic process paths of information security in seaport clusters: basic activities and supporting activities. Furthermore, main components of both are being researched in detail, along with their interactions that create a robust system of information security management in seaport clusters. Process flow of all activities is constructed by using business process model implementation of ARIS Express software

Possibilistic Information Flow Control for Workflow Management Systems

In workflows and business processes, there are often security requirements on both the data, i.e. confidentiality and integrity, and the process, e.g. separation of duty. Graphical notations exist for specifying both workflows and associated security requirements. We present an approach for formally verifying that a workflow satisfies such security requirements. For this purpose, we define the semantics of a workflow as a state-event system and formalise security properties in a trace-based way, i.e. on an abstract level without depending on details of enforcement mechanisms such as Role-Based Access Control (RBAC). This formal model then allows us to build upon well-known verification techniques for information flow control. We describe how a compositional verification methodology for possibilistic information flow can be adapted to verify that a specification of a distributed workflow management system satisfies security requirements on both data and processes.Comment: In Proceedings GraMSec 2014, arXiv:1404.163

Modeling of economically sustainable information security management systems in seaport clusters

The paper researches the usage of ARIS Express process modeling tool in creation of economically sustainable information security management system in seaport clusters. Basic concepts of information security in seaport cluster stakeholder’s organizations are detailed, and relations and interactions between organizations and their environment are researched. Portfolio approach to information security is being endorsed along with quantification of total levels of the risk and the resulting cost of information security. The authors identify two basic process paths of information security in seaport clusters: basic activities and supporting activities. Furthermore, main components of both are being researched in detail, along with their interactions that create a robust system of information security management in seaport clusters. Process flow of all activities is constructed by using business process model implementation of ARIS Express software

INTEGRATED INFORMATION SECURITY RISK MANAGEMENT – MERGING BUSINESS AND PROCESS FOCUSED APPROACHES

Previous papers mostly dealt with specific views of information security management (either technical, organizational for instance). Recently, major progress has been achieved in the development of a business driven approach with BORIS (Business Oriented management of Information Security) and a process-oriented approach called ORBIT (Operational Risks in Business and IT). An integrated framework is being described in this paper that bases on the beneficial and complementary merge of both approaches. It supports management of an enterprise’s information security functions with a strong economic focus whereby it specifically links business and information security objectives. The methodology to be presented has proven to be reliable, user friendly, consistent and precise under real conditions over several years in enterprises with world wide presence

An Integrated Approach in Risk Management Process for Identifying Information Security Threats using Medical Research Design

In this paper, we attempt to introduce a new method for performing risk analysis studies by effectively adopting and adapting medical research design namely a prospective cohort study based survival analysis approach into risk management process framework. Under survival analysis approach, a method which is known as Cox Proportional Hazards (PH) Model will be applied in order to identify potential information security threats. The risk management process in this research will be based on Australian/New Zealand Standard for Risk Management (AS/NZS ISO 31000:2009). AS/NZS ISO 31000:2009 provides a sequencing of the core part of the risk management process namely establishing the context, risk identification, risk analysis, risk evaluation and risk treatment. Moreover, it seems that the integration of risk management process with medical approach indeed brings very useful new insights. Thus, the contribution of the paper will be introducing a new method for performing a risk analysis studies in information security domain

The duality of Information Security Management: fighting against predictable and unpredictable threats

Information systems security is a challenging research area in the context of Information Systems. In fact, it has strong practical implications for the management of IS and, at the same time, it gives very interesting insights into understanding the process of social phenomena when communication information technologies are deployed in organizations. Current standards and best practices for the design and management of information systems security, recommend structured and mechanistic approaches, such as risk management methods and techniques, in order to address security issues. However, risk analysis and risk evaluation processes have their limitations, when security incidents occur, they emerge in a context, and their rarity and even their uniqueness give rise to unpredictable threats. The analysis of these phenomena which are characterized by breakdowns, surprises and side-effects, requires a theoretical approach which is able to examine and interpret subjectively the detail of each incident. The aim of this paper is to highlight the duality of information systems security, providing an alternative view on the management of those aspects already defined in the literature as intractable problems and this is pursued through a formative context (Ciborra, Lanzara, 1994) that supports bricolage, hacking and improvisation.Information systems security is a challenging research area in the context of Information Systems. In fact, it has strong practical implications for the management of IS and, at the same time, it gives very interesting insights into understanding the process of social phenomena when communication information technologies are deployed in organizations. Current standards and best practices for the design and management of information systems security, recommend structured and mechanistic approaches, such as risk management methods and techniques, in order to address security issues. However, risk analysis and risk evaluation processes have their limitations, when security incidents occur, they emerge in a context, and their rarity and even their uniqueness give rise to unpredictable threats. The analysis of these phenomena which are characterized by breakdowns, surprises and side-effects, requires a theoretical approach which is able to examine and interpret subjectively the detail of each incident. The aim of this paper is to highlight the duality of information systems security, providing an alternative view on the management of those aspects already defined in the literature as intractable problems and this is pursued through a formative context (Ciborra, Lanzara, 1994) that supports bricolage, hacking and improvisation.Articles published in or submitted to a Journal without IF refereed / of international relevanc