11 research outputs found

    Towards Validating Risk Indicators Based on Measurement Theory

    Due to the lack of quantitative information and for cost-efficiency purposes, most risk assessment methods use partially ordered values (e.g. high, medium, low) as risk indicators. In practice it is common to validate risk scales by asking stakeholders whether they make sense. This way of validation is subjective, thus error prone. If the metrics are wrong (not meaningful), then they may lead system owners to distribute security investments inefficiently. Therefore, when validating risk assessment methods it is important to validate the meaningfulness of the risk scales that they use. In this paper we investigate how to validate the meaningfulness of risk indicators based on measurement theory. Furthermore, to analyze the applicability of measurement theory to risk indicators, we analyze the indicators used by a particular risk assessment method specially developed for assessing confidentiality risks in networks of organizations.

    Towards Validating Risk Indicators Based on Measurement Theory (Extended version)

    Due to the lack of quantitative information and for cost-efficiency, most risk assessment methods use partially ordered values (e.g. high, medium, low) as risk indicators. In practice it is common to validate risk indicators by asking stakeholders whether they make sense. This way of validation is subjective, thus error prone. If the metrics are wrong (not meaningful), then they may lead system owners to distribute security investments inefficiently. For instance, in an extended enterprise this may mean over-investing in service level agreements or obtaining a contract that provides a lower security level than the system requires. Therefore, when validating risk assessment methods it is important to validate the meaningfulness of the risk indicators that they use. In this paper we investigate how to validate the meaningfulness of risk indicators based on measurement theory. Furthermore, to analyze the applicability of measurement theory to risk indicators, we analyze the indicators used by a risk assessment method specially developed for assessing confidentiality risks in networks of organizations.

    IT architecture-based confidentiality risk assessment in networks of organizations

    Today almost every organization benefits from business opportunities created by digitalization. Digitalization allows, among others, to develop software products on shared platforms, to remotely access and alter patient records or remotely control power generators. This change in the technical environment has triggered changes in the legal environment, and introduced new compliance requirements. Consequently, protecting the confidentiality of digital information assets has become a major concern for many organizations. This concern is even bigger for organizations that connect their IT system with other organizations to reduce costs.

    Risk assessment methodologies provide stakeholders with sound knowledge on security risks that threaten the business. A risk assessment method should satisfy three conflicting requirements: accuracy, cost-efficiency, and inter-subjectivity. These three requirements form the dilemma of confidentiality risk assessment methods. Accuracy has to do with the level of granularity that a method allows when assessing the risk. Cost-efficiency is the crucial real limitation of all risk assessment methods. In practice, even risk assessments of large and information-intensive company sections rarely last longer than two weeks. The third requirement we look at in this dissertation is inter-subjectivity. Nowadays, despite the large use of standardized methods, the very result of a risk assessment is largely subjective, in the sense that other assessors may assess risks differently. This lack of inter-subjectivity means that risk assessments are difficult to replicate and risk assessment results are not comparable.

    CRAC: Confidentiality Risk Assessment and IT-Architecture Comparison

    CRAC is an IT-architecture-based method for assessing and comparing confidentiality risks of distributed IT systems. The method determines confidentiality risks by taking into account the effects of the leakage of confidential information (e.g. industrial secrets), and the paths that may be followed by different attackers (e.g. insider and outsider). We evaluate its effectiveness by applying it to a real-world outsourcing case.

    Technical Action Research as a Validation Method in Information Systems Design Science

    Current proposals for combining action research and design science start with a concrete problem in an organization, then apply an artifact to improve the problem, and finally reflect on lessons learned. The aim of these combinations is to reduce the tension between relevance and rigor. This paper proposes another way of using action research in design science, which starts with an artifact, and then tests it under conditions of practice by solving concrete problems with it. The aim of this way of using action research in design science is to bridge the gap between the idealizations made when designing the artifact and the concrete conditions of practice that occur in real-world problems. The paper analyzes the role of idealization in design science and compares it with the requirements of rigor and relevance. It then proposes a way of bridging the gap between idealization and practice by means of action research, called technical action research (TAR) in this paper. The core of TAR is that the researcher plays three roles, which must be kept logically separate, namely those of artifact developer, artifact investigator, and client helper. Finally, TAR is compared to other approaches to using action research in design science, and with canonical action research.

    The study of state anxiety and sport-confidence levels in prospective students attending department of sports management aptitude tests

    WOS: 000252819200006

    The objective of this study is to draw comparisons among the state anxiety and state sport-confidence levels of prospective students attending Ege University School of Physical Education and Sports 2006-2007 Academic Year Aptitude Tests. The study base of this research consists of 290 students (79 female, 211 male) taking the aforementioned tests. This study uses the State Sport-Confidence Scale developed by Vealey (1986) and translated to Turkish by Engur and co. (2005) and the State Anxiety Inventory developed by Spielberger and co. (1970) and translated to Turkish by Oner and Le Compte (1983). During the analysis of the collected data, using one-way variance analysis, the T-test and the Pearson correlation technique, the significance level was determined as .05. The analysis of data revealed a significant difference in sport-confidence scores amongst different branches of sports. Furthermore, a relationship between state sport-confidence and state anxiety was revealed. According to the results, it can be said that state sport-confidence levels of prospective sports managers taking the test in different branches of sports can show differences between branches.

    CRAC: Confidentiality Risk Assessment and IT-Infrastructure Comparison

    In this paper we present CRAC, an IT-infrastructure-based method for assessing and comparing confidentiality risks of IT-based collaborations. The method determines confidentiality risks by taking into account the effects of the leakage of confidential information (e.g. industrial secrets and user credentials), and the paths that may be followed by different attackers (e.g. insider, outsider and outsourcer). We also show how the CRAC method can be applied in practice and we evaluate its effectiveness by applying it to a real-world outsourcing case.

    IT Confidentiality Risk Assessment for an Architecture-Based Approach

    Information systems require awareness of risks and a good understanding of vulnerabilities and their exploitations. In this paper, we propose a novel approach for the systematic assessment and analysis of confidentiality risks caused by disclosure of operational and functional information. The approach is based on a model integrating information assets and the IT infrastructure that they rely on for distributed systems. IT infrastructures enable one to analyse risk propagation possibilities and calculate the impact of confidentiality incidents. Furthermore, our approach is a means to bridge the technical and business-oriented views of information systems, since the importance of information assets, which guides the technical decisions, is set by the business.