A Business Aware Information Security Risk Analysis Method
Securing the organization critical information assets from sophisticated insider threats and outsider attacks is essential to ensure business continuity and efficiency. The information security risk management (ISRM) is the process that identifies the threats and vulnerabilities of an enterprise information system, evaluates the likelihood of their occurrence and estimates their potential business impact. It is a continuous process that allows cost effectiveness of implemented security controls and provides a dynamic set of tools to monitor the security level of the information system. However, the examination of existing practices of the enterprises reveals a poor effectiveness of information security management processes such as stated in the information security breaches surveys. In particular, the enterprises experience difficulties in assessing and managing their security risks, in implementing appropriate security controls, as well as in preventing security threats. The available ISRM models and frameworks mainly focus on the technical modules related to the development of security mitigation and prevention and do not pay much attention to the influence of business variables affecting the reliability of the provided solutions. This paper discusses the major business related factors for risk analysis and shows their interference in the ISRM process. These factors include the enterprise strategic environment, the organizational structure features, the customer relationship and the value chain configuration.
- 1.2009 CSI Computer Crime and Security Survey. Computer Security Institute, available at: http://www.gocsi.com/.
- 2.2008 Information security breaches survey, available at: http://www.security-survey.gov.uk.
- 3.Iso/iec 17799:2000 (part 1), Information technology-code of practice for information security management.Google Scholar
- 4.Spagnoletti P., Resca A. (2008), The duality of Information Security Management: fighting against predictable and unpredictable threats, Journal of Information Systems Security, Vol. 4 – Issue 3, 2008Google Scholar
- 5.Åhlfeldt R.M., Spagnoletti P. and Sindre G. (2007) Improving the Information Security Model by using TFI. In “New Approaches for Security, Privacy and Trust in Complex Environments”, IFIP Springer Series, Springer Boston, Volume 232/2007, 73–84Google Scholar
- 6.Humphreys, E. (2008) Information security management standards: Compliance, governance and risk management, Information security technical report 13: 247–255.Google Scholar
- 7.Bandyopadhyay, K., P. P. Mykytyn and K. Mykytyn (1999) A framework for integrated risk management in information technology, Management Decision 37(5):437–444.Google Scholar
- 8.Eloff, J., L. Labuschagne and K. P. Badenhorst (1993) A comparative framework for risk analysis methods, Computers & Security 12: 597–603.Google Scholar
- 9.Tchankova, L. (2002) Risk identification – basic stage in risk management, Environmental Management and Health 13(3): 290–297.Google Scholar
- 10.Finne, T. (2000) Information Systems Risk Management: Key Concepts and Business Processes, Computers & Security 19: 234–242.Google Scholar
- 11.Broderick, J. S. (2001) Information Security Risk Management –When Should It be Managed?, Information Security Technical Report 6 (3) : 12–18.Google Scholar
- 12.Suh, B. and I. Han (2003) The IS risk analysis based on a business model, Information & Management 41: 149–158.Google Scholar
- 13.Gerber, M. and R. von Solms (2005) Management of risk in the information age, Computers & Security 24, 16–30.Google Scholar
- 14.Hamdi M. and N. Boudriga (2005) Computer and network security risk management: Theory, challenges, and countermeasures, International journal of communication systems 18:763–793.Google Scholar
- 15.Krichene, J. (2008) Managing Security Projects in Telecommunication Networks Ph.D. Thesis Engineering School of Communications, SUP’COM.Google Scholar
- 16.Stonebumer, G., A. Grogen, and A. Fering, Risk Management Guide for Information Technology Systems. National Institute of Standards and Technology. Special publication 800–830.Google Scholar
- 17.Alberts C. and A. Dorofee (2002) Managing Information Security Risks: The OCTAVE Approach Addison Wesley Professional.Google Scholar
- 18.Krichene, J. and N. Boudriga (2007) Network security project management: A security policy-based approach, in Proceedings of the IEEE International Conference on Systems, Man, and Cybernetics, (SMC 2007) Montréal, Canada October 7–10.Google Scholar