    The Economic Case for Cyberinsurance

    We present three economic arguments for cyberinsurance. First, cyberinsurance results in higher security investment, increasing the level of safety for information technology (IT) infrastructure. Second, cyberinsurance facilitates standards for best practices as cyberinsurers seek benchmark security levels for risk management decision-making. Third, the creation of an IT security insurance market redresses IT security market failure resulting in higher overall societal welfare. We conclude that this is a significant theoretical foundation, in addition to market-based evidence, to support the assertion that cyberinsurance is the preferred market solution to managing IT security risks.

    Information Security Analysis of Online Education Management System using Information Technology Infrastructure Library Version 3

    The rapid development of information technology affects many aspects of human life, so information security has become an aspect that must be considered. This study aims to measure information security awareness and to improve the daily operational activities of managing IT services effectively and efficiently. Salemba Adventist Academy uses the Wium Online Education Management System (WIOEM), but the security aspects of the system as implemented are not yet known. The Information Technology Infrastructure Library (ITIL) v3 framework, which is globally recognized for managing information technology, is divided into five parts: Service Strategy, Service Design, Service Transition, Service Operation and Continual Service Improvement. This study focuses on Service Operation with four attributes, namely Security, Privacy, Risk and Trust. Data were collected by the researcher through observation in the form of a questionnaire administered to a sample of students, with the sample size determined using the Lemeshow method. After the data were collected, the results of the ITIL indicator questionnaire were calculated on the data security level scale. The results show that the Security indicator is at Level 1, the Privacy indicator at Level 3, the Risk indicator at Level 3 and the Trust indicator at Level 4 on the Data Security Level scale. This shows that the WIOEM system can be used properly according to user expectations and meets several levels of data security according to the ITIL v3 framework.

    Managing Risk and Information Security: Protect to Enable (Second Edition)

    Examine the evolving enterprise security landscape and discover how to manage and survive risk. While based primarily on the author's experience and insights at major companies where he has served as CISO and CSPO, the book also includes many examples from other well-known companies and provides guidance for a management-level audience. Managing Risk and Information Security provides thought leadership in the increasingly important area of enterprise information risk and security. It describes the changing risk environment and why a fresh approach to information security is needed. Because almost every aspect of an enterprise is now dependent on technology, not only for internal operations but increasingly as a part of product or service creation, the focus of IT security must shift from locking down assets to enabling the business while managing and surviving risk. This edition discusses business risk from a broader perspective, including privacy and regulatory considerations. It describes the increasing number of threats and vulnerabilities and offers strategies for developing solutions. These include discussions of how enterprises can take advantage of new and emerging technologies, such as social media and the huge proliferation of Internet-enabled devices, while minimizing risk.

    What You'll Learn
    Review how people perceive risk and the effects it has on information security
    See why different perceptions of risk within an organization matter
    Understand and reconcile these differing risk views
    Gain insights into how to safely enable the use of new technologies

    Who This Book Is For
    The primary audience is CIOs and other IT leaders, CISOs and other information security leaders, IT auditors, and other leaders of corporate governance and risk functions. The secondary audience is CEOs, board members, privacy professionals, and less senior information security and risk professionals.

    CHALLENGES FOR ENSURING THE DATA SECURITY OF COMMERCIAL BANKS

    The introduction of new information and communication technology into banking has radically altered the essence and character of banking activity. Alongside the competitive advantages and the direct economic effect of the advent of high-tech innovation in the banking sector, credit institutions are facing a number of challenges, one of them being to ensure the security of their products and related information. The main objective of this research is to elucidate the nature, instances, and methods of managing data security in commercial banks. An emphasis is put on some sources of operational risk in commercial banks which have a direct impact on the potentially growing risk in terms of data security. The research also focuses on the role of bank management in governing that process, as well as the methods and mechanisms for reducing the occurrence of risk related to information security.

    An analysis of the effectiveness and cost of project security management

    This research analyzes the idea of managing information security risk on projects, as well as the effectiveness and costs associated with this kind of management. Organizations today face a myriad of security risks given their increased use of information technology. New solutions to improve information security within organizations large and small need to be researched and analyzed. A review of the relevant literature has determined that although organizations are managing security from the top down, there is a lack of security management at the project level, and that most project managers and their teams rely on organizational security measures to keep information secure. The concept of managing security risks at the project level is not well defined and there exists no concrete and widely accepted framework for it. This research examines whether managing security at the project level within a multi-tiered defensive strategy can be effective and at what cost. It also seeks to determine whether budgeting for security in projects will lead to more secure project assets and products. This qualitative study uses three sources of data to draw conclusions and recommendations: one, literature sources; two, interviews with security and project management professionals; and three, a computerized model built to simulate a defense-in-depth strategy. The primary finding of this research is that the concept of managing information security in projects is valid, and that doing so will lead to more secure project assets and products. This type of management will increase the security posture of the project itself and of the organization as a whole. Recommendations are made by the researcher as to what steps a project manager and the organization above it must take to leverage the management of information security risks on projects.

    ESTABLISHING BLOCKCHAIN-RELATED SECURITY CONTROLS

    Blockchain technology is a secure and relatively new technology of distributed digital ledgers based on interlinked blocks of transactions. There is rapid growth in the adoption of blockchain technology in different solutions and applications and within different industries throughout the world, including but not limited to finance, supply chain, digital identity, energy, healthcare, real estate and government. Blockchain technology has great benefits such as decentralization, transparency, immutability and automation. Like any other emerging technology, blockchain technology also has several risks and threats associated with its expected benefits, which in turn could have a negative impact on individuals, entities and/or countries. This is mainly due to the absence of a solid governance foundation for managing and mitigating such risks and the shortage of published standards to govern blockchain technology along with its associated applications. In line with the "Dubai blockchain Strategy 2020" and "Emirates blockchain Strategy 2021" initiatives, this thesis aims to achieve the following: first, preservation of the confidentiality, integrity and availability of information and information assets in relation to the implementation of blockchain applications and solutions across entities, and second, mitigation and reduction of related information security risks and threats, through the establishment of new information security controls specifically related to blockchain technology which have not been covered in the International and National Information Security Standards, namely the ISO 27001:2013 Standard and the UAE Information Assurance Standards by the Signals Intelligence Agency (formerly known as the National Electronic Security Authority). Finally, Risk Assessment and Risk Treatment have been performed on five blockchain use cases to determine the risks involved and the appropriate security controls. The assessment/analysis results showed that the proposed security controls can mitigate relevant information security risks in blockchain solutions and applications and consequently protect information and information assets from unauthorized disclosure, modification, and destruction.

    Risk Assessment And Development Of Access Control Information Security Governance Based On ISO/IEC27001:2013 At XYZ University

    The rapid development of information technology has also had an impact on the use of information technology in the university environment. XYZ University, as a university with a large number of students, also applies information technology to support distance learning. The role of information technology is crucial and important. Unfortunately, the issue of information security, which is an important part of information technology, often receives less attention. It is undeniable that the emergence of threats or weaknesses in information technology can disrupt service activities that use information technology. Therefore, it is necessary to manage information technology and risk-based standard procedure documents, as outlined in governance, in order to manage emerging threats or weaknesses. ISO/IEC 27001:2013 is an information security management system framework that can be used as a basis for managing information security. This study identifies assets, threats, weaknesses, risk analysis, BIA, risk assessment, and risk mapping based on the clauses in order to produce recommendations for policy documents, procedures, and work instructions that improve information security control based on the ISO 27001:2013 clauses. Considering the high risk value, this study produced several recommendations for security documents, namely 5 policy documents, 6 procedure guidelines, 8 work instructions, and 12 forms.

    Assessing Business Value of IT and IS Risk: Security Issues

    Enterprise systems have taken full advantage of Information Technology (IT) and Information Systems (IS) to innovate and to create business value. The principal business value of a system is utility. System utility is a complex factor that has many contributing variables and is the resultant of business value. The metrics of utility are measures such as up-time, customer satisfaction, and so on. In this paper the concern of security as the protection of information assets is discussed in relation to managing the risk to utility. Risk modeling has come under greater scrutiny since the collapse of global financial markets in 2008. A common criticism is that risk models disengage business layers and foster surrogates that anesthetize prudent virtues within the enterprise system. The discussion in this essay proceeds by elaborating current risk modeling trends and concludes by promoting an awareness of the changing scope and expectations for effective business security risk analysis.

    Interpreting the management of information systems security

    The management of adverse events within organisations has become a pressing issue as perceptions of risk continue to heighten. However, the basic need for developing secure information systems has remained unfulfilled. This is because the focus has been on the means of delivery of information, i.e. the technology, rather than on the various contextual factors related to information processing. The overall aim of this research is to increase understanding of the issues and concerns in the management of information systems security. The study is conducted by reviewing the analysis, design and management of computer-based information in two large organisations: a British National Health Service Hospital Trust and a Borough Council. The research methodology adopts an interpretive mode of inquiry. The management of information systems security is evaluated in terms of the business environment, organisational culture, expectations and obligations of different roles, meanings of different actions and the related patterns of behaviour. Findings from the two case studies show that inappropriate analysis, design and management of computer-based information systems affects the integrity and wholeness of an organisation. As a result, the probability of occurrence of adverse events increases. In such an environment there is a strong likelihood that security measures may either be ignored or be inappropriate to the real needs of an organisation. Therefore what is needed is coherence between the computer-based information systems and the business environment in which they are embedded. In conclusion, this study shows that to resolve the problem of managing information systems security, we need to understand the deep-seated pragmatic aspects of an organisation. Solutions to the problem of security can be provided by interpreting the behavioural patterns of the people involved.

    Information security risk factors and management framework for ICT outsourcing / Nik Zulkarnaen Khidzir

    Information and Communication Technology (ICT) services have become increasingly important in today's business environment, with most private and government agencies that lack sufficient resources and expertise outsourcing their ICT projects to vendors. However, this strategy could invite potentially damaging information security risks (ISRs). Consequently, a dedicated framework for information security risk management in ICT outsourcing activities needs to be in place to address and manage the related risk factors. The research focuses on managing Information Security Risks (ISRs) in ICT outsourcing projects in a Malaysian environment. A mixed research method, combining quantitative and qualitative approaches, was employed to achieve the research objectives. 110 respondents participated in a survey, while focus groups from eight organizations were interviewed. From the quantitative study, the critical information security risks in ICT outsourcing projects were identified and ranked. Furthermore, through an exploratory factor analysis, two additional critical Information Security Risk (ISR) factors were discovered: information security management defects and the challenges of managing unexpected changes of service provider. Results show that organizations practiced Information Security Risk Identification; Information Security Risk Analysis; Information Security Risk Treatment Planning; Information Security Risk Treatment Plan Implementation; Information Security Risk Monitoring; and Information Security Risk Control. However, there was divergence in the key activities practiced, due to several factors. The findings were then used as a basis for the framework development. The framework proposes step-by-step processes, activities and guidelines to be followed in managing Information Security Risk (ISR). The case study results revealed that organizations had excluded some of the processes and activities due to financial, resource and time constraints. However, confirmation of the framework through expert judgement shows that the framework thoroughly assesses information security risk management from an outsourcing perspective and is applicable to ICT projects implemented in Malaysia. Fundamentally, the development of the framework will enable organizations to identify ISR factors and to address them urgently so that the full benefits of ICT outsourcing may be reaped.