2 research outputs found

    Empirical evaluation of information security risk assessment framework GBM-OA

    Abstract. The importance of information security is rapidly increasing as new security breaches are continuously reported by companies and organizations. These breaches cause loss of confidentiality, reputation and revenue for companies and organizations. They can also incur legal penalties due to a lack of information security. To improve information security, companies and organizations are required to conduct assessments and audits of their systems to make sure that they do not have open critical vulnerabilities. In addition, information security risks need to be evaluated as part of companies' and organizations' risk management to prepare against possible attackers. Multiple information security risk assessment frameworks have been developed to help companies and organizations conduct information security risk assessments. To find out which framework is suitable for their needs, management needs to compare the different frameworks, estimate how much time and how many people are available for the assessment, and consider how the frameworks have worked previously in the context. In this thesis, the suitability of the genre-based security risk assessment framework GBM-OA is evaluated in the context of a centralized CI/CD environment. Canonical action research was conducted in a team providing a centralized CI/CD solution for the company's projects. In the study, an information security risk assessment was conducted using GBM-OA, and after the assessment semi-structured interviews were conducted with the participants to find out whether the framework was suitable in the context. The findings show that the framework provided sufficient results for the team without taking much time from the participants. Additionally, participants found value in the definition of the environment, which helps the team understand how responsibilities are split among different stakeholders. The downsides were the confusing terminology used in the framework, and filling in the templates was found compelling.
Regarding suitability, it was found that the framework is not suitable in the context as it is. Participants did not like that the assessment has to be done separately; in their view it should be integrated into the automation or development cycle. Right now, there are no instructions regarding integration or iteration, even though it is stated that it is possible. Participants also provided improvement suggestions to add a step to the framework for risk impact definition.

    NewSQL databases

    Abstract. This bachelor's thesis deals with NewSQL databases. The thesis examines how NewSQL databases are able to guarantee ACID transactions. This is investigated by studying different NewSQL databases. I chose this topic out of personal interest. In addition, the topic is recent and possibly significant in the future. The amount of data being processed is growing rapidly, so companies need reliable solutions for storing and managing large amounts of data. Machine learning in particular requires processing large amounts of data. At present, it is important to ensure the reliability of NewSQL databases. The answer to the research question is approached through various NewSQL database solutions. These include, for example, VoltDB and MemSQL, whose solutions for guaranteeing ACID transactions are presented in outline in this thesis. The development of NewSQL databases has been a continuum since the 1960s, starting from relational databases. Because of the growth in the data being processed, databases have had to be scaled out and distributed, which has created challenges for database reliability. For this reason, the thesis also goes through what effects the distribution of databases has had on their reliability.