Abstract
Implementing and maintaining Business Information Security (BIS) is cumbersome. Frameworks and models are used to implement BIS, but they are perceived as complex and hard to maintain. Most companies still use spreadsheets to design, direct and monitor their information security improvement plans, and regulators use spreadsheets for supervision as well. This paper reflects on ten years of Design Science Research (DSR) on BIS and describes the design and engineering of an artefact that can emancipate boards from silo-based spreadsheet management and improve their visibility, control and assurance through an integrated dashboarding and reporting tool. Three cases illustrate how the artefact, whose realisation is called the Securimeter, works. The paper concludes with an in-depth comparison study confirming that 91% of the core BIS requirements are present in the artefact.
A case study & expert validation in Security, Risk and Compliance artefact engineering.
Appendix
See Fig. 5.
Copyright information
© 2019 Springer Nature Switzerland AG
Cite this paper
Bobbert, Y., Mulder, H. (2019). Enterprise Engineering in Business Information Security. In: Aveiro, D., Guizzardi, G., Guerreiro, S., Guédria, W. (eds) Advances in Enterprise Engineering XII. EEWC 2018. Lecture Notes in Business Information Processing, vol 334. Springer, Cham. https://doi.org/10.1007/978-3-030-06097-8_6
DOI: https://doi.org/10.1007/978-3-030-06097-8_6
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-06096-1
Online ISBN: 978-3-030-06097-8
eBook Packages: Computer Science (R0)