Using Knowledge Management to Strengthen Information Security Policy Development in Developing Countries: Case - Jamaica

Information security incidents continue to grow exponentially amidst the development of advanced technological solutions aimed at protecting information system resources. Today, the growth in information systems’ breaches remains at an alarming rate. The strategies developed by malicious users are becoming more sophisticated in nature and are introduced unabated across various networks. However, security experts and developers are lagging behind in their response to the information security phenomenon. Today, developing countries continue struggling to effectively address information security issues and are becoming the main avenue for cyber criminals who capitalize on the weaknesses that exist in these regions. An effective response to information security requires a significant amount of resources. In developing countries there are limited human, financial and technological resources and weak legislative frameworks and these are fundamental requirements for combating cyber-crime. One major cyber-crime incident could be catastrophic for businesses and governments in these small, fragile economies and could have far reaching effects on their citizens. Knowledge management can be employed to assist in strengthening the capability of organizations and governments in the development of context-sensitive information security policies in developing regions. In this paper we present a knowledge acquisition model that brings together the two most widely adopted standards COBIT, ISO/IEC 27005 and tacit knowledge that exists in repositories (human) within the information security domain to support the development of context-sensitive information security policies. A quantitative methodology was used in the development of an artifact, preliminary evaluation was done using the informed argument approach and results and recommendations for future research are presented. This study can add to the limited literature on the use of knowledge management in the information security domain and the artifact presented can assist information security practitioners in small/medium-sized organizations

Vulnerability Identification Errors in Security Risk Assessments

At present, companies rely on information technology systems to achieve their business objectives, making them vulnerable to cybersecurity threats. Information security risk assessments help organisations to identify their risks and vulnerabilities. An accurate identification of risks and vulnerabilities is a challenge, because the input data is uncertain. So-called ’vulnerability identification errors‘ can occur if false positive vulnerabilities are identified, or if vulnerabilities remain unidentified (false negatives). ‘Accurate identification’ in this context means that all vulnerabilities identified do indeed pose a risk of a security breach for the organisation. An experiment performed with German IT security professionals in 2011 confirmed that vulnerability identification errors do occur in practice. In particular, false positive vulnerabilities were identified by participants. In information security (IS) risk assessments, security experts analyze the organisation’s assets in order to identify vulnerabilities. Methods such as brainstorming, checklists, scenario-analysis, impact-analysis, and cause-analysis (ISO, 2009b) are used to identify vulnerabilities. These methods use uncertain input data for vulnerability identification, because the probabilities, effects and losses of vulnerabilities cannot be determined exactly (Fenz and Ekelhart, 2011). Furthermore, business security needs are not considered properly; the security checklists and standards used to identify vulnerabilities do not consider company-specific security requirements (Siponen and Willison, 2009). In addition, the intentional behaviour of an attacker when exploiting vulnerabilities for malicious purposes further increases the uncertainty, because predicting human behaviour is not just about existing vulnerabilities and their consequences (Pieters and Consoli, 2009), rather than preparing for future attacks. As a result, current approaches determine risks and vulnerabilities under a high degree of uncertainty, which can lead to errors. This thesis proposes an approach to resolve vulnerability identification errors using security requirements and business process models. Security requirements represent the business security needs and determine whether any given vulnerability is a security risk for the business. Information assets’ security requirements are evaluated in the context of the business process model, in order to determine whether security functions are implemented and operating correctly. Systems, personnel and physical parts of business processes, as well as IT processes, are considered in the security requirement evaluation, and this approach is validated in three steps. Firstly, the systematic procedure is compared to two best-practice approaches. Secondly, the risk result accuracy is compared to a best-practice risk-assessment approach, as applied to several real-world examples within an insurance company. Thirdly, the capability to determine risk more accurately by using business processes and security requirements is tested in a quasi-experiment, using security professionals. This thesis demonstrates that risk assessment methods can benefit from explicit evaluation of security requirements in the business context during risk identification, in order to resolve vulnerability identification errors and to provide a criterion for security

Information security frameworks for assisting GDPR compliance in banking industry

Purpose: Data can nowadays be seen as the main asset of organizations and data leaks have a considerable impact on the organization’s image, revenues and possible consequences to the affected clients. One of the most critical industries is the bank. Information security frameworks (ISF) have been created to assist organizations and other frameworks evolved to update these domain practices. Recently, the European Union decided to create the general data protection regulation (GDPR), applicable to all organizations dealing with personal data of citizens residing in the European Union. Although considered a general regulation, GDPR implementation needs to align with some industries’ laws and policies. Especially in the Bank industry. How these ISF can assist the implementation of GDPR is not clear. Design/methodology/approach: The design science research process was followed and semi-structured interviews performed. Findings: A list of practices to assist the bank industry in GDPR implementation is provided. How each practice map with assessed ISF and GDPR requirements is also presented. Research limitations/implications: As GDPR is a relatively recent subject, it is hard to find experts in the area. It is more difficult if the authors intend to find experienced people in the GDPR and bank industry. That is one of the main reasons this study does not include more interviews. Originality/value: This research provides a novel artefact to the body of knowledge. The proposed artefact lists which ISF practices banks should implement to comply with GDPR. By doing it the artefact provides a centralized view about which ISF frameworks (or part of them) could be implemented to help banks comply with GDPR.info:eu-repo/semantics/acceptedVersio

Privacy, security, legal and technology acceptance requirements for a GDPR compliance platform.

GDPR entered into force in May 2018 for enhancing user data protection. Even though GDPR leads towards a radical change with many advantages for the data subjects it turned out to be a significant challenge. Organizations need to make long and complex changes for the personal data processing activities to become GDPR compliant. Citizens as data subjects are empowered with new rights, which however they need to become aware of and understand. Finally, the role of data protection authorities changes as well as their expectations from organizations. GDPR compliance being a challenging matter for the relevant stakeholders calls for a software platform that can support their needs. The aim of the Data govErnance For supportiNg gDpr (DEFeND) EU Project is to deliver such a platform. To succeed, the platform needs to satisfy legal and privacy requirements, be effective in supporting organizations in GDPR compliance, and provide functionalities that data controllers request for supporting GDPR compliance. Further, it needs to satisfy acceptance requirements, for assuring that its users will embrace and use the platform. In this paper, we describe the process, within the DEFeND EU Project, for eliciting and analyzing requirements for such a complex platform, by involving stakeholders from the banking, energy, health and public administration sectors, and using advanced frameworks for privacy requirements and acceptance requirements. The paper also contributes by providing elicited privacy and acceptance requirements concerning a holistic platform for supporting GDPR compliance

Privacy, security, legal and technology acceptance elicited and consolidated requirements for a GDPR compliance platform

Purpose– General data protection regulation (GDPR) entered into force in May 2018 for enhancing personal data protection. Even though GDPR leads toward many advantages for the data subjects it turned out to be a significant challenge. Organizations need to implement long and complex changes to become GDPR compliant. Data subjects are empowered with new rights, which, however, they need to become aware of. GDPR compliance is a challenging matter for the relevant stakeholders calls for a software platform that can support their needs. The aim of data governance for supporting GDPR (DEFeND) EU project is to deliver such a platform. The purpose of this paper is to describe the process, within the DEFeND EU project, for eliciting and analyzing requirements for such a complex platform. Design/methodology/approach– The platform needs to satisfy legal and privacy requirements and provide functionalities that data controllers request for supporting GDPR compliance. Further, it needs to satisfy acceptance requirements, for assuring that its users will embrace and use the platform. In this paper, the authors describe the methodology for eliciting and analyzing requirements for such a complex platform, by analyzing data attained by stakeholders from different sectors. Findings– The findings provide the process for the DEFeND platform requirements’elicitation and an indicative sample of those. The authors also describe the implementation of a secondary process for consolidating the elicited requirements into a consistent set of platform requirements. Practical implications– The proposed software engineering methodology and data collection tools(i.e. questionnaires) are expected to have a significant impact for software engineers in academia and industry. Social implications– It is reported repeatedly that data controllers face difficulties in complying with theGDPR. The study aims to offer mechanisms and tools that can assist organizations to comply with the GDPR,thus, offering a significant boost toward the European personal data protection objectives. Originality/value– This is the first paper, according to the best of the authors’ knowledge, to provide software requirements for a GDPR compliance platform, including multiple perspectives

Security Risk Management of E-commerce Systems

Turvariski juhtimine mängib iga süsteemi väljatöötamisel olulist rolli ja see kehtib ka elektrooniliste kaubandussüsteemide kohta. Kuna paljud inimesed kasutavad neid teenuseid, võivad nad kokku puutuda ebaadekvaatsete turvameetmetega ja see on kahjulik nii äritegevusele kui klientidele. Antud lõputöö toob uurimistöö tulemusena välja elektrooniliste kaubandussüsteemide toiminguid, mis on suunatud turvariskide vähendamisele, uurides ja analüüsides Webshop poodi.Antud meetod vaatleb turvariski juhtimise strateegiate hindamist, olles selle eriala ekspertide poolt heaks kiidetud ning ei käsitle mitte ainult elektrooniliste kaubandussüsteemide potentsiaalsete ohtude määratlemist, vaid tagab ka turvariski juhtimise struktureeritud kulgemise. Turvariski juhtimise protsess on esitatud sellisel kujul, et ta on asjakohastele elektrooniliste kaubandussüsteemide osanikele arusaadav.Security risk management is a vital part of any system development including e-commerce systems. As many people rely on these e-services, its inadequate security measures can be experienced, causing great losses to both businesses and customers. This thesis research work proposes a procedure that targets e-commerce system security and suggests the application of a threat-driven approach to security risk management by analysing an e-commerce system Webshop as a case study.This approach provides a useful assessment of the security risk management procedure that is validated by experts in the field. It not only identifies evolving threats to e-commerce systems but allows for a structured flow in security risk management. The risk management process is documented and reported in such a way that is easily understandable by concerned stakeholders of the e-commerce system

Method of Information Security Risk Analysis for Virtualized System

The growth of usage of Information Technology (IT) in daily operations of enterprises causes the value and the vulnerability of information to be at the peak of interest. Moreover, distributed computing revolutionized the out-sourcing of computing functions, thus allowing flexible IT solutions. Since the concept of information goes beyond the traditional text documents, reaching manufacturing, machine control, and, to a certain extent – reasoning – it is a great responsibility to maintain appropriate information security. Information Security (IS) risk analysis and maintenance require extensive knowledge about the possessed assets as well as the technologies behind them, to recognize the threats and vulnerabilities the infrastructure is facing. A way of formal description of the infrastructure – the Enterprise Architecture (EA) – offers a multiperspective view of the whole enterprise, linking together business processes as well as the infrastructure. Several IS risk analysis solutions based on the EA exist. However, lack of methods of IS risk analysis for virtualization technologies complicates the procedure, thus leading to reduced availability of such analysis. The dissertation consists of an introduction, three main chapters and general conclusions. The first chapter introduces the problem of information security risk analysis and its’ automation. Moreover, state-of-the-art methodologies and their implementations for automated information security risk analysis are discussed. The second chapter proposes a novel method for risk analysis of virtualization components based on the most recent data, including threat classification and specification, control means and metrics of the impact. The third chapter presents an experimental evaluation of the proposed method, implementing it to the Cyber Security Modeling Language (CySeMoL) and comparing the analysis results to well-calibrated expert knowledge. It was concluded that the automation of virtualization solution risk analysis provides sufficient data for adjustment and implementation of security controls to maintain optimum security level