
Enterprise Engineering in Business Information Security

Conference paper in: Advances in Enterprise Engineering XII (EEWC 2018)

Part of the book series: Lecture Notes in Business Information Processing (LNBIP, volume 334)

Abstract

Implementing and maintaining Business Information Security (BIS) is cumbersome. Frameworks and models are used to implement BIS, but they are perceived as complex and hard to maintain. Most companies still use spreadsheets to design, direct and monitor their information security improvement plans, and regulators too use spreadsheets for supervision. This paper reflects on ten years of Design Science Research (DSR) on BIS and describes the design and engineering of an artefact that can emancipate boards from silo-based spreadsheet management and improve their visibility, control and assurance through an integrated dashboarding and reporting tool. Three cases illustrate how the artefact, whose realisation is called the Securimeter, works. The paper concludes with an in-depth comparison study acknowledging that 91% of the core BIS requirements are present in the artefact.

A case study & expert validation in Security, Risk and Compliance artefact engineering.



Author information

Corresponding author: Hans Mulder.

Appendix

Fig. 5. Meta-model for the BIS processes and data. The grey areas represent the scope of the artefact (dashboard tool).


Copyright information

© 2019 Springer Nature Switzerland AG

About this paper

Cite this paper

Bobbert, Y., Mulder, H. (2019). Enterprise Engineering in Business Information Security. In: Aveiro, D., Guizzardi, G., Guerreiro, S., Guédria, W. (eds) Advances in Enterprise Engineering XII. EEWC 2018. Lecture Notes in Business Information Processing, vol 334. Springer, Cham. https://doi.org/10.1007/978-3-030-06097-8_6

  • DOI: https://doi.org/10.1007/978-3-030-06097-8_6
  • Publisher Name: Springer, Cham
  • Print ISBN: 978-3-030-06096-1
  • Online ISBN: 978-3-030-06097-8