    Empirical evaluation of information security risk assessment framework GBM-OA

    Abstract. The importance of information security is rapidly increasing as new security breaches are continuously reported by companies and organizations. These breaches cause loss of confidentiality, reputation and revenue for the affected companies and organizations, which can also incur legal penalties due to a lack of information security. To improve information security, companies and organizations are required to conduct assessments and audits of their systems to make sure that they do not have open critical vulnerabilities. In addition, information security risks need to be evaluated as part of companies' and organizations' risk management in order to prepare against possible attackers. Multiple information security risk assessment frameworks have been developed to help companies and organizations conduct such assessments. To find out which framework is suitable for their needs, management needs to compare the different frameworks, estimate how much time and how many people are available for the assessment, and learn how the frameworks have worked previously in the same context. In this thesis, the suitability of the genre-based security risk assessment framework GBM-OA is evaluated in the context of a centralized CI/CD environment. A canonical action research study was conducted in a team providing a centralized CI/CD solution for the company's projects. In the study, an information security risk assessment was conducted using GBM-OA, and after the assessment semi-structured interviews were conducted with the participants to find out whether the framework was suitable in this context. The findings show that the framework provided sufficient results for the team without taking much time from the participants. Additionally, participants found value in the definition of the environment, which helps the team understand how responsibilities are split between the different stakeholders. Downsides were the confusing terminology used in the framework and the burden of filling in the templates.
    Regarding suitability, it was found that the framework is not suitable in this context as it is. Participants did not want the assessment to be done separately; rather, it should be integrated into the automation or the development cycle. At present there are no instructions regarding integration or iteration, even though the framework states that both are possible. Participants also suggested an improvement: adding a step to the framework for risk impact definition.

    CIRA Perspective on Risks Within UnRizkNow — A Case Study

    UnRizkNow is a community of practice (CoP) for cyber security practitioners in Norway. For the establishment of UnRizkNow it is imperative to identify the underlying risks that can affect the normal operation of the community. This paper presents a study that carries out a risk assessment of the UnRizkNow CoP using the conflicting incentives risk analysis (CIRA) method. The main contribution of this research work is to identify and analyze the risks that arise from conflicts between the incentives of members and of the organizer in UnRizkNow. The paper also presents a risk treatment plan regarding incentives, as suggested by the CIRA method. The findings of this study are helpful for establishing the UnRizkNow community, and also for researchers who want to analyze human risks in a system.