
A Protection Profiles Approach to Risk Analysis for Small and Medium Enterprises

  • Conference paper

Part of the IFIP International Federation for Information Processing book series (IFIPAICT,volume 193)

Abstract

Performing a risk analysis has long been considered a necessary security practice for organisations; however, surveys indicate that Small and Medium Enterprises (SMEs) do not tend to undertake one. Some of the main reasons behind this have been found to be the lack of funds, expertise and awareness within such organisations. This paper describes a methodology that aims to address these issues and to be appropriate for the needs of SMEs by utilising a protection profiles and threat trees approach to perform the assessment instead of lengthy questionnaires, and by incorporating other elements such as financial considerations and the creation of a security policy.

Key words

  • protection profiles
  • risk analysis
  • threat trees
  • SMEs



Copyright information

© 2005 International Federation for Information Processing

About this paper

Cite this paper

Dimopoulos, V., Furnell, S. (2005). A Protection Profiles Approach to Risk Analysis for Small and Medium Enterprises. In: Dowland, P., Furnell, S., Thuraisingham, B., Wang, X.S. (eds) Security Management, Integrity, and Internal Control in Information Systems. IICIS 2004. IFIP International Federation for Information Processing, vol 193. Springer, Boston, MA. https://doi.org/10.1007/0-387-31167-X_17


  • DOI: https://doi.org/10.1007/0-387-31167-X_17

  • Publisher Name: Springer, Boston, MA

  • Print ISBN: 978-0-387-29826-9

  • Online ISBN: 978-0-387-31167-8
