
    An information security risk-driven investment model for analysing human factors

    Modern organisational structure and risk management model are characterised by a wide range of forces including the role of human factors which combine to create an unprecedented level of uncertainty and exposure to information security risk, investment and decision making process. Developing a risk-driven investment model for information security systems with consideration of subjective nature of critical human factors, is a challenging task. The overall success of an information security system depends on analysis of the risks and threats so that appropriate protection mechanism can be in place to protect them. However, lack of appropriate analysis of such dependencies and understanding potentially results in information security systems to fail or to fully achieve their that depend on them. Existing literature does not provide adequate guidelines for a systematic process or an appropriate modelling language to support such analysis. This paper fills this gap by introducing a process that allows information security managers to capture possible risk-investment relationships and to reason about them. The process is supported by a modelling language based on a set of concepts relating to trust and control and secure tropos and requirements engineering. In order to demonstrate the applicability and usefulness of the approach a descriptive example from a UK organisation is used. Keywords: Information Security (IS), Information Security Risk-Driven Investment Model (RIDIM), Risk, Social Engineering Attacks (SEAs), Security Investment (SI), Return On Investment in Information Security (ROISI)

    PROCEDURE FOR INVESTING IN CYBERSECURITY TAKING INTO ACCOUNT MULTI-FACTORING AND IN A FUZZY SETTING

    It is shown that the application of multi-step quality games theory allows financing of various information technologies considering various factors. In particular, there are lots of approaches to building effective information security systems in the enterprise. Using such model will make it possible to develop, based on game models, decision support systems (DSS), for example, software products (PP). Which, in turn, will allow making rational decisions on investing in the development of such technologies. This circumstance makes it necessary and relevant to develop new models and software products that can implement decision support procedures in the process of finding rational investment strategies, including in information security field of enterprises, and obtaining forecast assessment for feasibility of a specific strategy. The model proposed by us is based on analysis of financing process by investors in information technology for protecting information tasks for the case of their multi-factoring in fuzzy setting. The investment process management model is proposed, using the example of investing in the information security of informatization objects taking into account multi-factoring and in fuzzy setting for DSS computational core. The difference between the model and previously developed ones is that it considers the investment process as complex structure, for which it is not enough to model it as a single-factor category. Computational experiments were performed for the developed model. The simulation results are visualized in the Python programming language, which allows you to optimize the procedures for investment process managing.

    GOVERNANCE UNDER UNCERTAINTY: TASK ASSIGNMENT IN PRODUCER CONTROLLED RESEARCH ORGANIZATIONS

    In Canada, Australia, United States, and a number of other countries there are a considerable number of producer controlled research organizations (PCROs) in the agricultural sector, charged with the task of investing hundreds of millions of dollars in research and development (R&D) projects. Given the impact of PCROs on productivity of agricultural sector and food security, the primary objective of this study is to improve the governance of PCROs by providing knowledge of the decision-making process and governance structure of these producer-led entities. The information related to the current governance structures and decision-making processes of PCROs is attained through analyzing a series of interviews with managers and directors of key PCROs in Australia, the U.S. and Canada. A great deal of similarity was observed across PCROs both in terms of the decision-making process and governance structure. In particular, PCROs do not tend to separate management and oversight tasks. The producer-elected directors of these organizations are involved in management decisions. This observed practice is in contrast with most of the theories and empirical studies focusing on the governance structure of non-profit (NP) and for-profit (FP) organizations (Brown & Guo, 2010; Fama & Jensen, 1983; LeRoux & Langer, 2016; Miller-Millesen, 2003). Based on information gained from the interviews, observable characteristics of PCROs explained in the literature, and agency theory this dissertation develops a theoretical model to describe the unusual task assignment in the PCROs. The theoretical model suggests that because of the long investment horizons in the PCROs, the compensation of management teams based on their contributions to return on investments is not feasible. Therefore, the PCROs have to reward their executives on the basis of a measure of efforts exerted. Hence, the directors’ involvement reduces the volatility of managers’ compensation. 
Motivated by the theoretical model, a survey whose participants are the directors of Saskatchewan’s PCROs was conducted to examine the consistency of theoretical model’s implications and the task assignment practices of PCROs in the real world. The examination of the survey results suggests the presence of consistencies between the theoretical model’s implications and observed outcomes

    Applying Real Options Thinking to Information Security in Networked Organizations

    An information security strategy of an organization participating in a networked business sets out the plans for designing a variety of actions that ensure confidentiality, availability, and integrity of company’s key information assets. The actions are concerned with authentication and nonrepudiation of authorized users of these assets. We assume that the primary objective of security efforts in a company is improving and sustaining resiliency, which means security contributes to the ability of an organization to withstand discontinuities and disruptive events, to get back to its normal operating state, and to adapt to ever changing risk environments. When companies collaborating in a value web view security as a business issue, risk assessment and cost-benefit analysis techniques are necessary and explicit part of their process of resource allocation and budgeting, no matter if security spendings are treated as capital investment or operating expenditures. This paper contributes to the application of quantitative approaches to assessing risks, costs, and benefits associated with the various components making up the security strategy of a company participating in value networks. We take a risk-based approach to determining what types of security a strategy should include and how much of each type is enough. We adopt a real-options-based perspective of security and make a proposal to value the extent to which alternative components in a security strategy contribute to organizational resiliency and protect key information assets from being impeded, disrupted, or destroyed

    A hybrid decision support system with golden cut and bipolar q-ROFSs for evaluating the risk-based strategic priorities of fintech lending for clean energy projects

    In the last decade, the risk evaluation and the investment decision are among the most prominent issues of efficient project management. Especially, the innovative financial sources could have some specific risk appetite due to the increasing return of investment. Hence, it is important to uncover the risk factors of fintech investments and investigate the possible impacts with an integrated approach to the strategic priorities of fintech lending. Accordingly, this study aims to analyze a unique risk set and the strategic priorities of fintech lending for clean energy projects. The most important contributions to the literature can be listed as to construct an impact-direction map of risk-based strategic priorities for fintech lending in clean energy projects and to measure the possible influences by using a hybrid decision making system with golden cut and bipolar q-rung orthopair fuzzy sets. The extension of multi stepwise weight assessment ratio analysis (M-SWARA) is applied for weighting the risk factors of fintech lending. The extension of elimination and choice translating reality (ELECTRE) is employed for constructing and ranking the risk-based strategic priorities for clean energy projects. In this process, data is obtained with the evaluation of three different decision makers. The main superiority of the proposed model by comparing with the previous models in the literature is that significant improvements are made to the classical SWARA method so that a new technique is created with the name of M-SWARA. Hence, the causality analysis between the criteria can also be performed in this proposed model. The findings demonstrate that security is the most critical risk factor for fintech lending system. Moreover, volume is found as the most critical risk-based strategy for fintech lending. In this context, fintech companies need to take some precautions to effectively manage the security risk. 
For this purpose, the main risks to information technologies need to be clearly identified. Next, control steps should be put for these risks to be managed properly. Furthermore, it has been determined that the most appropriate strategy to increase the success of the fintech lending system is to increase the number of financiers integrated into the system. Within this framework, the platform should be secure and profitable to persuade financiers. Optimization and upgrading of Industrial structure in Henan Province; Key Scientific Research Project of Colleges and Universities in Henan Provinc

    The Application of AHP Model to Guide Decision Makers: A Case Study of E-banking Security

    Changes in technology have resulted in new ways for bankers to deliver their services to customers. Electronic banking systems in various forms are the evidence of such advancement. However, information security threats are also evolving along this trend. This paper proposes the application of Analytic Hierarchy Process (AHP) methodology to guide decision makers in banking industries to deal with information security policy. The model is structured according to aspects of information security policy in conjunction with information security elements. We found that cultural aspect is valued on the top priority among other security aspects, while confidentiality is considered as the most important factor in terms of information security elements. Comment: 5 page

    An Overview of Economic Approaches to Information Security Management

    The increasing concerns of clients, particularly in online commerce, plus the impact of legislations on information security have compelled companies to put more resources in information security. As a result, senior managers in many organizations are now expressing a much greater interest in information security. However, the largest body of research related to preventing breaches is technical, focusing on such issues as encryption and access control. In contrast, research related to the economic aspects of information security is small but rapidly growing. The goal of this technical note is twofold: i) to provide the reader with a structured overview of the economic approaches to information security and ii) to identify potential research directions

    Investors’ Behavioural Biases and the Security Market: An Empirical Study of the Nigerian Security Market

    Behavioural biases describe a replicable pattern in perceptual distortion, inaccurate judgment, illogical interpretation, or what is broadly called irrationality. This paper adopts a primary data approach to investigate the effects of behavioural biases on security market performance in Nigeria. The objectives are twofold: one, to examine the extent of behavioural biases among security market investors in Nigeria and, to examine the effects of behavioural biases on stock market performance in Nigeria. The paper employed questionnaire as instrument and the technique of correlation with Pearson Product Moment Coefficient to analyze a survey of 300 randomly selected investors in Nigeria security market. We find strong evidence that behavioural biases exist but not so dominant in the Nigeria security market because a weak negative relationship exists between behavioural biases and stock market performance in Nigeria. The paper recommends that individual investors in the market should engage the services of investment advisors which will reduce personal biases in the management of their portfolios