5 research outputs found
An Analysis of and Perspective on the Information Security Maturity Model: a case study of a Public and a Private Sector Company
Information Security (IS) is a concept related to protecting a set of data in order to preserve the value it has for an individual or an organization. A review of the literature shows there are four main aspects of IS: confidentiality, integrity, availability and non-repudiation. Based on these four aspects, a new framework is put forward for analyzing the information security maturity model (ISMM) of an organization, assuming that each organization has a minimum level of information security policies in each aspect and taking into consideration the percentage of the policies cited in our model that the organization has in place. Finally, a case study was conducted to analyze the ISMM of a public sector company and a private sector company.
Economic Valuation for Information Security Investment: A Systematic Literature Review
Research on the technological aspects of information security risk is a well-established area and familiar territory for most information security professionals. The same cannot be said about the economic value of information security investments in organisations. While there is an emerging research base investigating suitable approaches to measuring the value of investments in information security, it remains difficult for practitioners to identify the key approaches in current research. To address this issue, we conducted a systematic literature review of the approaches used to evaluate investments in information security. Following a defined review protocol, we searched several databases for relevant primary studies and extracted key details from the identified studies to answer our research questions. The contributions of this work include: a comparison framework and a catalogue of existing approaches and trends that help researchers and practitioners navigate existing work; a categorisation and mapping of approaches according to their key elements and components; and a summary of the key challenges and benefits of existing work, which should help focus future research efforts.
A Markov Model of Non-Mutually Exclusive Cyber Threats and Its Application to Selecting an Optimal Set of Information Security Tools
In this work, we study a Markov model of cyber threats acting on a computer system. Within the framework of the model, the computer system is treated as a system with failures and recoveries, by analogy with models from reliability theory. To estimate the functional and temporal properties of the system, we introduce a parameter called the lifetime of the system, defined as the number of transitions of the corresponding Markov chain until the first hit of the final state. Since this random variable plays an important role in evaluating the security level of the computer system, we investigate its probability distribution in detail for the case of mutually exclusive cyber threats; in particular, we derive explicit analytical formulae for the numerical characteristics of its distribution: the expected value and the variance. We then substantially generalize the Markov model by dropping the assumption that the cyber threats acting on the system are mutually exclusive. This modification leads to an extended Markov chain that has (at least qualitatively) the same structure as the original chain, which allows the analytical results for the expected value and variance of the lifetime to be generalized to the case of non-mutually exclusive cyber threats. At the end of the work, the Markov model for non-mutually exclusive cyber threats is used to formulate the problem of finding an optimal configuration of security remedies in a given cyber threat space. Importantly, the formulated optimization problems belong to the class of non-linear discrete (Boolean) programming problems. Finally, we consider an example that illustrates the solution of the problem of selecting the optimal set of security remedies for a computer system.
Best Practices to Minimize Data Security Breaches for Increased Business Performance
In the United States, businesses have reported over 2,800 data compromises of an estimated 543 million records, with security breaches costing firms approximately $7.2 million annually. Scholars and industry practitioners have indicated a significant impact of security breaches on consumers and organizations. However, there are limited data on the best practices for minimizing the impact of security breaches on organizational performance. The purpose of this qualitative multicase study was to explore the best practices technology leaders use to minimize data security breaches for increased business performance. Systems theory served as the conceptual framework for this study. Fourteen participants were interviewed, including 2 technology executives and 5 technical staff, each from a banking firm in the Northcentral United States and a local government agency in the Southcentral United States. Data from semistructured interviews, in addition to security and privacy policy statements, were analyzed for methodological triangulation. Four major themes emerged: a need to implement security awareness education and training to mitigate insider threats, the necessity of consistent organizational security policies and procedures, an organizational culture promoting data security awareness, and an organizational commitment to adopting new technologies and innovative processes. The findings may contribute to the body of knowledge regarding best practices technology leaders can use for securing organizational data, and may contribute to social change, since secure organizational data might reduce consumer identity theft.
Towards a Comprehensive Evidence-Based Approach For Information Security Value Assessment
This thesis is motivated by the goals of understanding in depth which information security value aspects are relevant in real-world business environments and of contributing a value-prioritised information security investment decision model suitable for practitioners in the field. Pursuing this goal, we apply a mixed-method research approach that combines analysis of the relevant literature, expert interviews, practitioner survey data, structural equation modelling and multicriteria decision analysis. In the first step, we address the identified terminology gap to clarify the meaning of "cyber security" by analysing authoritative definition sources in the literature and presenting an improved definition distinct from that of "information security". We then investigate the influence of repeated information security breaches on an organisation's stock market value to benchmark the wider economic impact of such events. We find abnormal returns following a breach event, as well as weak statistical significance of abnormal returns for later breach events, confirming that data breaches have a negative impact on organisations. To understand how security practitioners view this topic, we conduct and analyse semi-structured interviews following a grounded theory approach. Our research identifies 15 principles aligned with a conceptual information security investment framework. The key components of this framework, such as the business environment, drivers (threat landscape, legal and regulatory) and challenges (cost of security, uncertainty), are found to be a crucial part of value-prioritised information security investment decisions. We verify these findings through a structural model consisting of five latent variables representing key areas in value-focused information security investment decisions. The model shows that security capabilities have the largest direct effect on the value organisations gain from information security investment.
In addition, the value outcome is strongly influenced by organisation-specific constructs such as the threat landscape and regulatory requirements, which must therefore be considered when creating security capabilities. To address one of the key uncertainty issues, we use a probabilistic topic modelling approach to identify latent security threat prediction topics from a large pool of security predictions publicised in the media. We further verify the prediction outcomes through a survey instrument. The results confirm the feasibility of forecasting notable threat developments in this context, implying that practitioners can use this approach to reduce uncertainty and improve security investment decisions. In the last part of the thesis, we present a multicriteria decision model that combines our results on value-prioritised information security investments in an organisational context. Based on predefined criteria and preferences, and using stochastic multicriteria acceptability analysis as the adopted methodology, our model can deal with substantial uncertainty while offering ease of use for practitioners.