Evaluating policy layer security controls for value realisation in secure systems
A strategic question for any business is: what value do control frameworks give? The question concerns the costs of implementing and maintaining control frameworks compared with the benefits gained. Each control framework contains many controls that may or may not benefit a given situation, and this research tests different selections and combinations of controls to forecast their probable impact on business outcomes. The scope of the research is limited to a representative set of security controls and to the narrower question: what are the criteria for selecting the most effective and efficient security control configurations for the best business value? We design a decision support system (DSS), run a pilot study and begin to develop output sets as part of the exploratory research. The conclusion is that in controlled environments the security controls may be optimised to deliver the best business value, and that the highest-performing sets of controls can be forecast once the interaction factors are known.
Assessing the Business Value of IT Control Configurations: A Design Science Study
The increasing complexity of IT systems and their interoperability has compounded the challenging task of assessing IT risks and devising cost-effective mitigating measures. Risk factors such as business dynamics and changes arising from new technology and regulatory requirements affect the risk profile, which requires reassessing the defined IT risks and the corresponding controls. Ensuring the effectiveness and efficiency of the implemented controls is crucial to obtaining an accurate sense of assurance, which in itself involves risk. IT risk assessors, auditors and practitioners use a set of criteria to estimate risk and then derive areas for control improvement. However, this process is highly inefficient and subjective, and little data is directly collected to support the decisions made. With improvements in technology, a range of new organisational data can now potentially be used to support the selection of IT controls. Little empirical research has been conducted to date in this area.
A set of related problems is explored in this thesis, and the research focuses on one particular researchable problem, stated as: selecting the best set of IT control configurations in any situation for the highest business value outcomes. A research question has been derived from the research problem to guide the research process: what are the criteria for selecting the most effective and efficient control configurations for the best business value outcomes?
To answer the research question, methodologies were explored, resulting in the selection of Design Science (DS) as the research methodology for this thesis. DS has been adopted in IT research because it has been shown to be adequate for researching complex, multi-domain problems where sufficient knowledge is not always available. The key aspect of the DS methodology is learning through doing. A DS research roadmap and artefact evaluation criteria have been adopted to ensure that the research activities are executed objectively and the anticipated research deliverables are produced.
In this thesis a conceptualised solution was developed: a model-based interactive Decision Support System (DSS) to aid management and practitioners in determining the control configurations that return the best business value. Following the DS methodology process, a model called G-Model was developed that applies game theory, in the form of a 3-player competitive game, to the problem of selecting the best performing control configurations.
The Gambit software application was used to develop a 3-player game with the COBIT 4.1, ITIL v3.0 and ISO 27001/2 security controls as the game players. Each player has two strategies: Implement and Not-Implement. A set of payoff values and guidance on how to calculate a payoff value were prepared, along with a Risk Space Matrix definition. A risk register was employed as part of the DSS to capture and assess IT risks and to apply the controls and processes resulting from the game theory based model. The DSS components were subjected to expert evaluation; 7 experts in total participated in a two-stage evaluation. Oral and written feedback was obtained, analysed and reflected upon. The artefact evaluation was benchmarked against the adopted evaluation criteria. By reflecting on the experts' feedback and the artefact evaluation, the researcher formed answers to the questions raised. Subsequently, selection criteria were defined to aid practitioners in finding the best set of controls that returns the best business value and mitigates the identified risks.
Lastly, the thesis provides recommendations for further research: to investigate the G-Model further and analyse the Nash equilibrium that results from solving a gaming file, with the objective of finding its correlation with the corresponding payoff value in order to estimate the Capability Maturity Model Integration (CMMI) level of the selected controls; and to develop sub-games so that controls can be defined at a granular level.
This research investigates the application of the game theory based model in an interactive DSS that allows practitioners to examine the value of forming possible control configurations. G-Model provides the means for practitioners to enter payoff values, enabling them to assess the possible control combinations holistically and determine the best set of controls in almost real time. Effective IT risk management is a resource-intensive process; its essence is that it be conducted in a timely manner and be easily repeatable. If gaming files are developed for the wider spectrum of IT General Controls (ITGC) and integrated into an interactive DSS software application, practitioners would be able to assess IT risks as often as required and select the set of controls that returns the highest business value outcomes.
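As an added illustration of the 3-player Implement / Not-Implement game described in the abstract above and of the Nash equilibrium that its recommendations refer to, the following Python script (added here; it is not code from the thesis, and it does not reproduce the G-Model's payoff values, Risk Space Matrix or Gambit files) builds a 3-player, 2-strategy normal-form game from a constructed cost / benefit / overlap payoff rule, enumerates all eight strategy profiles, finds the pure-strategy Nash equilibria by checking every unilateral deviation, and compares the equilibrium with the profile that maximises total payoff. The player names, the COST, BENEFIT and OVERLAP figures and the discounting rule are assumptions made for the example only.

```python
import itertools
from typing import Dict, List, Tuple

# Added example: a 3-player "Implement / Not-Implement" control-framework game
# solved for pure-strategy Nash equilibria by brute-force deviation checks.
# The payoff rule and every number below are constructed for illustration;
# they are NOT the thesis's payoff values or the G-Model itself.

PLAYERS = ("COBIT", "ITIL", "ISO27001")
STRATEGIES = ("Implement", "Not-Implement")

Profile = Tuple[str, ...]            # one strategy per player, in PLAYERS order
Payoffs = Dict[Profile, Tuple[float, ...]]

# Hypothetical per-framework implementation cost and stand-alone risk-reduction benefit.
COST = {"COBIT": 4.0, "ITIL": 3.0, "ISO27001": 2.0}
BENEFIT = {"COBIT": 6.0, "ITIL": 5.5, "ISO27001": 5.0}
# Assumed: frameworks cover overlapping controls, so each implementer's benefit
# is scaled by (1 - OVERLAP) for every other framework that is also implemented.
OVERLAP = 0.4


def payoff(profile: Profile) -> Tuple[float, ...]:
    """Payoff vector for one strategy profile under the constructed rule.
    An implementer earns its overlap-discounted benefit minus its cost;
    a non-implementer earns 0 (no cost, no credited benefit)."""
    implemented = sum(1 for s in profile if s == "Implement")
    out: List[float] = []
    for name, strat in zip(PLAYERS, profile):
        if strat == "Implement":
            discounted = BENEFIT[name] * (1 - OVERLAP) ** (implemented - 1)
            out.append(discounted - COST[name])
        else:
            out.append(0.0)
    return tuple(out)


def build_game() -> Payoffs:
    """Enumerate all 2**3 profiles: the normal form of a 3-player, 2-strategy game."""
    return {p: payoff(p) for p in itertools.product(STRATEGIES, repeat=len(PLAYERS))}


def pure_nash_equilibria(game: Payoffs) -> List[Profile]:
    """A profile is a pure Nash equilibrium when no single player can strictly
    improve its own payoff by switching strategy while the others hold fixed."""
    equilibria: List[Profile] = []
    for profile, pay in game.items():
        stable = True
        for i in range(len(PLAYERS)):
            for alt in STRATEGIES:
                if alt == profile[i]:
                    continue
                deviation = profile[:i] + (alt,) + profile[i + 1:]
                if game[deviation][i] > pay[i] + 1e-12:   # strictly profitable deviation
                    stable = False
                    break
            if not stable:
                break
        if stable:
            equilibria.append(profile)
    return equilibria


def best_total_value(game: Payoffs) -> Tuple[Profile, float]:
    """The configuration a decision maker optimising total payoff would pick."""
    return max(((p, sum(v)) for p, v in game.items()), key=lambda t: t[1])


if __name__ == "__main__":
    game = build_game()
    for p, v in game.items():
        print(dict(zip(PLAYERS, p)), [round(x, 2) for x in v])
    print("pure Nash equilibria:", pure_nash_equilibria(game))
    print("highest total payoff:", best_total_value(game))
```

With these constructed figures the unique pure equilibrium is (Not-Implement, Implement, Implement), with a total payoff of 1.3, while the profile with the highest total payoff is (Not-Implement, Not-Implement, Implement) at 3.0. That gap is the practical point: an equilibrium of a control-selection game says which configuration is stable against unilateral changes, not which one yields the most business value, so the equilibrium has to be read together with the payoff values that produced it, which is what the recommendation to correlate the two is about. Gambit can additionally compute mixed-strategy equilibria, which this brute-force enumeration does not attempt.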
Risk based assessment of IT Control Frameworks: a case study
Businesses are constantly advised to implement Information Technology Governance (ITG) frameworks or adapt best practices to gain efficiency, accountability, and/or to meet regulatory compliance. However, organisations require a clear statement of the business value to be gained from implementing resource intensive IT control-based structured environments. Business value has many facets, depending on the industry, size of the organisation, and how business value is perceived. Business risk provides both positive and negative metrics for an assessment of potential business gain and loss. It has often been contested that the implementation of control frameworks is a liability that is not supported by measurable business benefits.
This study proposes to investigate the relationship between IT control frameworks, best practices and standards, and business risk treatment. The expectation is that the value generated by the relationship will become apparent and that by implication the costs and benefits of ITG can be identified. At present there are many tools available to assist business managers with risk management. An assessment of a representative set of control frameworks, best practices and standards is made to identify which risks may be treated, the scope of a framework, and what benefits may be expected from implementing those frameworks and best practices. Part of the literature review investigates the challenges that organisations face when implementing IT control frameworks and best practices. Also, the set of related problems is explored and the research focuses on one researchable problem, how to identify business value from managing IT risks in control-based structured environments. The research question is: How could a business realise the value of managing IT risk in control-based structured environments?
Identifying business value in risk-based, IT control-based structured environments is a complex and subjective domain that suits qualitative research methods. Research reports in the subject area suggest that case study research methods are most commonly used to obtain factual data and to construct theory. Consequently, in this study face-to-face semi-structured interviews, document collection, analysis and observation are the main sources of data gathered for analysis. The researcher interviewed staff with relevant roles in two organisations to understand what liabilities, challenges and benefits are observed in practice. The collected data is analysed qualitatively using qualitative analysis software tools, and the results are reviewed and further analysed by the author. The conclusion of the thesis summarises the challenges, problems and solutions derived from the data collected in the case study companies and shows that the answer to the research question depends on a complex set of conditions. Among the identified business value outcomes are improved business-IT communication and alignment: improved communication leads to better alignment between business and IT objectives, and organisations are then able to direct their efforts to securing their most valuable assets to ensure a resilient business. In addition, these organisations continuously build the IT capabilities that allow them to capture business opportunities when they arise.
Lastly, recommendations for further research are also provided. To establish adequate ITG and risk management processes, organisations have no choice but to adopt a mix of frameworks, best practices and standards. The justification is either to meet compliance requirements or to complement the applied frameworks where one framework does not cover certain aspects of ITG, security, risk and compliance. The author has learned from the research that an investigation into integrating frameworks, best practices and standards would be the next step in better understanding the issue of identifying business value in risk-based, IT control-based structured environments. Practitioners as well as businesses would benefit from the outcomes of this type of research.