Employees' awareness towards IT security measures implemented in their organization : selected financial institution
This research aims to gather employees' awareness of the IT security measures implemented in their organization, using a financial institution as a case study. From the results gathered, the level of IT security awareness among the employees in the organization can be determined, and security awareness guidelines can be suggested in order to achieve integrity, availability and confidentiality for the organization. Research on employees' awareness of the IT security measures implemented in organizations has been done only to a limited extent in Malaysia. Thus, this research will help to identify the IT security measures currently implemented, the level of IT security awareness among the employees, and how to improve employees' awareness of the implementation of IT security in the organization. To collect information from the employees, a sequential explanatory design is used: a quantitative approach followed by a qualitative approach, so both a questionnaire and interviews were conducted. A literature review is also included in order to review the past and current situation. From the review and the results of the data collection and data analysis, security awareness guidelines for the employees are proposed and evaluated.
Resolving vulnerability identification errors using security requirements on business process models
Purpose - In any information security risk assessment, vulnerabilities are usually identified by information-gathering techniques. However, vulnerability identification errors - wrongly identified or unidentified vulnerabilities - can occur as uncertain data are used. Furthermore, businesses' security needs are not considered sufficiently. Hence, security functions may not protect business assets sufficiently and cost-effectively.

Design/methodology/approach - This paper aims to resolve vulnerability errors by analysing the security requirements of information assets in business process models. Business process models have been selected for use because there is a close relationship between business process objectives and risks. Security functions are evaluated in terms of the information flow of business processes with regard to their security requirements. The claim that vulnerability errors can be resolved was validated by comparing the results of a current risk assessment approach with the proposed approach. The comparison is conducted both at three entities of an insurance company and through a controlled experiment within a survey among security professionals.

Findings - Vulnerability identification errors can be resolved by explicitly evaluating security requirements in the course of business; this is not considered in current assessment methods.

Research limitations/implications - Security requirements should be explicitly evaluated in risk assessments, considering the business context. Results of any evaluation of security requirements could be used to indicate the security of information. The approach was only tested in the insurance domain and therefore results may not be applicable to other business sectors.

Originality/value - It is shown that vulnerability identification errors occur in practice. With the explicit evaluation of security requirements, identification errors can be resolved. Risk assessment methods should consider the explicit evaluation of security requirements.
Vulnerability Identification Errors in Security Risk Assessments
At present, companies rely on information technology systems to achieve their business objectives, making them vulnerable to cybersecurity threats. Information security risk assessments help organisations to identify their risks and vulnerabilities. An accurate identification of risks and vulnerabilities is a challenge, because the input data is uncertain. So-called "vulnerability identification errors" can occur if false positive vulnerabilities are identified, or if vulnerabilities remain unidentified (false negatives). "Accurate identification" in this context means that all vulnerabilities identified do indeed pose a risk of a security breach for the organisation. An experiment performed with German IT security professionals in 2011 confirmed that vulnerability identification errors do occur in practice. In particular, false positive vulnerabilities were identified by participants.
In information security (IS) risk assessments, security experts analyse the organisation's assets in order to identify vulnerabilities. Methods such as brainstorming, checklists, scenario analysis, impact analysis and cause analysis (ISO, 2009b) are used to identify vulnerabilities. These methods use uncertain input data for vulnerability identification, because the probabilities, effects and losses of vulnerabilities cannot be determined exactly (Fenz and Ekelhart, 2011). Furthermore, business security needs are not considered properly; the security checklists and standards used to identify vulnerabilities do not consider company-specific security requirements (Siponen and Willison, 2009). In addition, the intentional behaviour of an attacker when exploiting vulnerabilities for malicious purposes further increases the uncertainty, because predicting human behaviour is not just about existing vulnerabilities and their consequences (Pieters and Consoli, 2009), but also about preparing for future attacks. As a result, current approaches determine risks and vulnerabilities under a high degree of uncertainty, which can lead to errors.
This thesis proposes an approach to resolve vulnerability identification errors using security requirements and business process models. Security requirements represent the business security needs and determine whether any given vulnerability is a security risk for the business. Information assets' security requirements are evaluated in the context of the business process model, in order to determine whether security functions are implemented and operating correctly. Systems, personnel and physical parts of business processes, as well as IT processes, are considered in the security requirement evaluation, and this approach is validated in three steps. Firstly, the systematic procedure is compared to two best-practice approaches. Secondly, the risk result accuracy is compared to a best-practice risk-assessment approach, as applied to several real-world examples within an insurance company. Thirdly, the capability to determine risk more accurately by using business processes and security requirements is tested in a quasi-experiment, using security professionals.
This thesis demonstrates that risk assessment methods can benefit from explicit evaluation of security requirements in the business context during risk identification, in order to resolve vulnerability identification errors and to provide a criterion for security