A Protection Profiles Approach to Risk Analysis for Small and Medium Enterprises

  • Vassilis Dimopoulos
  • Steven Furnell
Conference paper
Part of the IFIP International Federation for Information Processing book series (IFIPAICT, volume 193)

Abstract

Performing a risk analysis has long been considered necessary security practice for organisations; however, surveys indicate that Small and Medium Enterprises (SMEs) do not tend to undertake one. Some of the main reasons behind this have been found to be the lack of funds, expertise and awareness within such organisations. This paper describes a methodology that aims to address these issues and to be appropriate for the needs of such SMEs, by utilising a protection profiles and threat trees approach to perform the assessment instead of lengthy questionnaires, and by incorporating other elements such as financial considerations and the creation of a security policy.

Key words

protection profiles, risk analysis, threat trees, SMEs

Copyright information

© International Federation for Information Processing 2005

Authors and Affiliations

  • Vassilis Dimopoulos (1)
  • Steven Furnell (1, 2)
  1. Network Research Group, University of Plymouth, Plymouth, UK
  2. School of Computer and Information Science, Edith Cowan University, Perth, Australia