
    Requirements for IT Security Metrics - an Argumentation Theory Based Approach

    The demand for measuring IT security performance is driven by regulatory, financial, and organizational factors. While several best practice metrics have been suggested, we observe a lack of consistent requirements against which IT security metrics can be evaluated. We address this research gap by adopting a methodological approach that is based on argumentation theory and an accompanying literature review. As a result, we derive five key requirements: IT security metrics should be (a) bounded, (b) metrically scaled, (c) reliable, valid and objective, (d) context-specific and (e) computed automatically. We illustrate and discuss the context-specific instantiation of these requirements by using the practically used vulnerability scanning coverage and mean-time-to-incident-discovery metrics as examples. Finally, we summarize further implications of each requirement.

    Decision Problems in Information Security: Methodologies and Quantitative Models

    In the present dissertation, decision problems in information security are covered, and methodologies and quantitative models are developed to address open issues in academia and to provide insights for practitioners. Framed in an adaptation of the process theory of Soh and Markus (1995), from a thematic point of view the dissertation comprises papers that cover decision problems in each phase of the adapted theory. The structure of the thesis is as follows: Part I comprises a presentation of and introduction to the dissertation with the underlying theoretical framing. In Part II, metadata of the papers of which the dissertation is composed are presented. Part III lists additional papers that have been developed during the course of this dissertation. Part IV includes a discussion of the findings and concludes with an outline of future research.

    A Multi-Theoretical Literature Review on Information Security Investments using the Resource-Based View and the Organizational Learning Theory

    The protection of information technology (IT) has become, and is predicted to remain, a key economic challenge for organizations. While research on IT security investment is growing fast, it lacks a theoretical basis for structuring research, explaining economic-technological phenomena and guiding future research. We address this shortcoming by suggesting a new theoretical model emerging from a multi-theoretical perspective adopting the Resource-Based View and the Organizational Learning Theory. The joint application of these theories allows us to conceptualize, in one theoretical model, the organizational learning effects that occur when the protection of organizational resources through IT security countermeasures develops over time. We use this model of IT security investments to synthesize the findings of a large body of literature and to derive research gaps. We also discuss the managerial implications of (closing) these gaps by providing practical examples.

    Information Security Investments: An Exploratory Multiple Case Study on Decision-Making, Evaluation and Learning

    The need to protect resources against attackers is reflected by the huge information security investments of firms worldwide. In the presence of budget constraints and a diverse set of assets to protect, organizations have to decide in which IT security measures to invest, how to evaluate those investment decisions, and how to learn from past decisions to optimize future security investment actions. While the academic literature has provided valuable insights into these issues, there is a lack of empirical contributions. To address this lack, we conduct a theory-based exploratory multiple case study. Our case study reveals that (1) firms’ investments in information security are largely driven by external environmental and industry-related factors, (2) firms do not implement standardized decision processes, (3) the security process is perceived to impact the business process in a disturbing way, (4) both the implementation of evaluation processes and the application of metrics are hardly existent and (5) learning activities mainly occur on an ad-hoc basis.

    Forecasting IT Security Vulnerabilities - An Empirical Analysis

    Today, organizations must deal with a plethora of IT security threats, and to ensure smooth and uninterrupted business operations, firms are challenged to predict the volume of IT security vulnerabilities and to allocate resources for fixing them. This challenge requires decision makers to assess which system or software packages are prone to vulnerabilities, how many post-release vulnerabilities can be expected to occur during a certain period of time, and what impact exploits might have. Substantial research has been dedicated to techniques that analyze source code and detect security vulnerabilities. However, only limited research has focused on forecasting security vulnerabilities that are detected and reported after the release of software. To address this shortcoming, we apply established methodologies which are capable of forecasting events exhibiting the specific time series characteristics of security vulnerabilities, i.e., rareness of occurrence, volatility, non-stationarity, and seasonality. Based on a dataset taken from the National Vulnerability Database (NVD), we use the Mean Absolute Error (MAE) and Root Mean Square Error (RMSE) to measure the forecasting accuracy of single, double, and triple exponential smoothing methodologies, Croston's methodology, ARIMA, and a neural network-based approach. We analyze the impact of the applied forecasting methodology on the prediction accuracy with regard to its robustness along the dimensions of the examined system and software packages ("operating systems", "browsers" and "office solutions") and the applied metrics. To the best of our knowledge, this study is the first to analyze the effect of forecasting methodologies and to apply metrics that are suitable in this context. Our results show that the optimal forecasting methodology depends on the software or system package, as some methodologies perform poorly in the context of IT security vulnerabilities, that absolute metrics can cover the actual prediction error precisely, and that the prediction accuracy is robust within the two applied forecasting-error metrics. (C) 2019 Elsevier Ltd. All rights reserved.

    Literature Reviews in IS Research: What Can Be Learnt from the Past and Other Fields?

    Literature reviews (LRs) are recognized for their increasing impact in the information systems literature. Methodologists have drawn attention to the question of how we can leverage the value of LRs to preserve and generate knowledge. The panelists who participated in the discussion of “Standalone Literature Reviews in IS Research: What Can Be Learnt from the Past and Other Fields?” at ICIS 2016 in Dublin acknowledged this significant issue and debated 1) what the IS field can learn from other fields and where IS-specific challenges occur, 2) how the IS field should move forward to foster the genre of LRs, and 3) the best practices to train doctoral IS students in publishing LRs. This paper reports the key takeaways of this panel discussion. We provide guidance for IS scholars on how to conduct LRs that contribute to cumulative knowledge development in and across the IS field, to best prepare the next generation of IS scholars.

    Towards an Economic Approach to Identity and Access Management Systems Using Decision Theory

    Nowadays, providing employees with failure-free access to various systems, applications and services is a crucial factor for organizations’ success, as disturbances potentially inhibit smooth workflows and thereby harm productivity. However, it is a challenging task to assign access rights to employees’ accounts within a satisfying time frame. In addition, the management of multiple accounts and identities can be very onerous and time consuming for the responsible administrator and therefore expensive for the organization. In order to meet these challenges, firms decide to invest in introducing an Identity and Access Management System (IAMS) that supports the organization by using policies to assign permissions to accounts, groups, and roles. In practice, since various versions of IAMSs exist, it is a challenging task to decide upon the introduction of an IAMS. The following study proposes a first attempt at a decision support model for practitioners which considers four alternatives: introduction of an IAMS with Role-based Access Control (RBAC) or without, and no introduction of an IAMS, again with or without RBAC. To underpin the practical applicability of the proposed model, we parametrize and operationalize it based on a real-world use case using input from an expert interview.

    IT Security Investments Through the Lens of the Resource-Based View: A new Theoretical Model and Literature Review

    IT security has become a major issue for organizations as they need to protect their assets, including IT resources, intellectual property and business processes, against security attacks. Disruptions of IT-based business activities can easily lead to economic damage, such as loss of productivity, revenue and reputation.

    Organizations need to decide (1) which assets need which level of protection, (2) which technical, managerial and organizational security countermeasures lead to this protection and (3) how much should be spent on which countermeasure in the presence of budget constraints. Answering these questions requires both making IT security investment decisions and evaluating the effectiveness and efficiency of these decisions.

    The literature has contributed to this field adopting approaches from micro-economics, finance and management, among others. However, the literature is rather fragmented and lacks a shared theoretical basis. As a consequence, it remains partly open what we can learn from past research and how we can direct and stimulate still missing research activities.

    In order to address these deficiencies, we draw on the resource-based view (RBV) and provide a theoretical model for IT security investments. We use this RBV model to review the IT security investment literature and to identify research gaps.