Abstract
Security is a complex issue for organisations, and its management is now a fiduciary responsibility as well as a moral one. Without a holistic, robust security structure that considers the human, organisational and technical aspects of managing security, an organisation's assets are at critical risk. Enterprise architecture (EA) is a strong and reliable structure that has been tested and used effectively for at least 30 years in organisations globally; it relies on a holistic classification structure for organisational assets. Grouping security with EA promises to bring the benefits of EA to the security domain. We review existing security frameworks to evaluate the extent to which they employ EA, and find that while the idea of grouping security with EA is not new, a comprehensive solution is still needed. We design, develop and demonstrate a security EA framework for organisations regardless of their industry, budgetary constraints or size, and survey professionals to evaluate the framework and provide feedback. The survey results support the need for a holistic security structure and indicate benefits including fewer security gaps, better-informed security investment decisions, clear functional responsibilities, a complete security nomenclature and compliance with international security standards, among others.
Notes
- 3. https://www.theregister.co.uk/2017/04/07/icloud_wipe_threat/
Acknowledgements
This work has been supported by an Australian Research Council Discovery Early Career Research Award (project number DE200101577).
Copyright information
© 2021 Springer Nature Switzerland AG
About this paper
Cite this paper
Graham, M., Falkner, K., Szabo, C., Yarom, Y. (2021). Security Architecture Framework for Enterprises. In: Filipe, J., Śmiałek, M., Brodsky, A., Hammoudi, S. (eds) Enterprise Information Systems. ICEIS 2020. Lecture Notes in Business Information Processing, vol 417. Springer, Cham. https://doi.org/10.1007/978-3-030-75418-1_40
DOI: https://doi.org/10.1007/978-3-030-75418-1_40
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-75417-4
Online ISBN: 978-3-030-75418-1
eBook Packages: Computer Science, Computer Science (R0)