Search results
1 – 10 of over 42000Zhengbiao Han, Shuiqing Huang, Huan Li and Ni Ren
This paper uses the GB/T20984-2007 multiplicative method to assess the information security risk of a typical digital library in compliance with the principle and thought of ISO…
Abstract
Purpose
This paper uses the GB/T20984-2007 multiplicative method to assess the information security risk of a typical digital library in compliance with the principle and thought of ISO 27000. The purpose of this paper is to testify the feasibility of this method and provide suggestions for improving information security of the digital library.
Design/methodology/approach
This paper adopts convenience sampling to select respondents. The assessment of assets is through analyzing digital library-related business and function through a questionnaire which collects data to determine asset types and the importance of asset attributes. The five-point Likert scale questionnaire method is used to identify the threat possibility and its influence on the assets. The 12 respondents include directors and senior network technicians from the editorial department, comic library, children’s library, counseling department and the learning promotion centre. Three different Guttman scale questionnaires, tool testing and on-site inspection are combined to identify and assess vulnerabilities. There were different Guttman scale questionnaires for management personnel, technical personnel and general librarian. In all, 15 management librarians, 7 technical librarians and 72 ordinary librarians answered the vulnerability questionnaire. On-site inspection was conducted on the basis of 11 control domains of ISO 27002. Vulnerabilities were scanned using remote security evaluation system NSFOCUS. The scanning covered ten IP sections and a total of 81 hosts.
Findings
Overall, 2,792 risk scores were obtained. Among them, 282 items (accounting for 10.1 per cent of the total) reached the high risk level; 2 (0.1 per cent) reached the very high risk level. High-risk items involved 26 threat types (accounting for 44.1 per cent of all threat types) and 13 vulnerability types (accounting for 22.1 per cent of all vulnerability types). The evaluation revealed that this digital library faces seven major hidden dangers in information security. The assessment results were well accepted by staff members of this digital library, which testified to the applicability of this method to a Chinese digital library.
Research limitations/implications
This paper is only a case study of a typical Chinese digital library using a digital library information security assessment method. More case-based explorations are necessary to prove the feasibility of the assessing strategy proposed in this study.
Originality/value
Based on the findings of recent literature, the authors found that very few researchers have made efforts to develop methods for calculating the indicators for digital library information security risk assessment. On the basis of ISO 27000 and other related information security standards, this case study proposed an operable method of digital library information security risk assessment and used it to assess a the information security of a typical Chinese digital library. This study can offer insights for formulating a digital library information security risk assessment scale.
Details
Keywords
Stefan Taubenberger, Jan Jürjens, Yijun Yu and Bashar Nuseibeh
In any information security risk assessment, vulnerabilities are usually identified by information‐gathering techniques. However, vulnerability identification errors – wrongly…
Abstract
Purpose
In any information security risk assessment, vulnerabilities are usually identified by information‐gathering techniques. However, vulnerability identification errors – wrongly identified or unidentified vulnerabilities – can occur as uncertain data are used. Furthermore, businesses' security needs are not considered sufficiently. Hence, security functions may not protect business assets sufficiently and cost‐effectively. This paper aims to resolve vulnerability errors by analysing the security requirements of information assets in business process models.
Design/methodology/approach
Business process models have been selected for use, because there is a close relationship between business process objectives and risks. Security functions are evaluated in terms of the information flow of business processes regarding their security requirements. The claim that vulnerability errors can be resolved was validated by comparing the results of a current risk assessment approach with the proposed approach. The comparison is conducted both at three entities of an insurance company, as well as through a controlled experiment within a survey among security professionals.
Findings
Vulnerability identification errors can be resolved by explicitly evaluating security requirements in the course of business; this is not considered in current assessment methods.
Originality/value
It is shown that vulnerability identification errors occur in practice. With the explicit evaluation of security requirements, identification errors can be resolved. Risk assessment methods should consider the explicit evaluation of security requirements.
Details
Keywords
Palaniappan Shamala, Rabiah Ahmad, Ali Hussein Zolait and Shahrin bin Sahib
Information security has become an essential entity for organizations across the globe to eliminate the possible risks in their organizations by conducting information security…
Abstract
Purpose
Information security has become an essential entity for organizations across the globe to eliminate the possible risks in their organizations by conducting information security risk assessment (ISRA). However, the existence of numerous different types of risk assessment methods, standards, guidelines and specifications readily available causes the organizations to face the daunting tasks in determining the most suitable method that would augur well in meeting their needs. Therefore, to overcome this tedious process, this paper suggests collective information structure model for ISRA.
Design/methodology/approach
The proposed ISRA model was developed by deploying a questionnaire using close-ended questions administrated to a group of information security practitioners in Malaysia (N = 80). The purpose of the survey was to strengthen and add more relevant additional features to the existing framework, as it was developed based on secondary data.
Findings
Previous comparative and analyzed studies reveals that all the six types of ISRA methodologies have features of the same kind of information with a slight difference in form. Therefore, questionnaires were designed to insert additional features to the research framework. All the additional features chosen were based on high frequency of more than half percentage agreed responses from respondents. The analyses results inspire in generating a collective information structure model which more practical in the real environment of the workplace.
Practical implications
Generally, organizations need to make comparisons between methodologies and decide on the best due to the inexistence of agreed reference benchmark in ISRA methodologies. This tedious process leads to unwarranted time, money and energy consumption.
Originality/value
The collective information structure model for ISRA aims to assist organizations in getting a general view of ISRA flow and gathering information on the requirements to be met before risk assessment can be conducted successfully. This model can be conveniently used by organizations to complete all the required planning as well as to select the suitable methods to complete the ISRA.
Details
Keywords
Stefan Fenz, Johannes Heurix, Thomas Neubauer and Fabian Pechstein
The purpose of this paper is to give an overview of current risk management approaches and outline their commonalities and differences, evaluate current risk management approaches…
Abstract
Purpose
The purpose of this paper is to give an overview of current risk management approaches and outline their commonalities and differences, evaluate current risk management approaches regarding their capability of supporting cost-efficient decisions without unnecessary security trade-offs, outline current fundamental problems in risk management based on industrial feedback and academic literature and provide potential solutions and research directions to address the identified problems. Despite decades of research, the information security risk management domain still faces numerous challenges which hinder risk managers to come up with sound risk management results.
Design/methodology/approach
To identify the challenges in information security risk management, existing approaches are compared against each other, and as a result, an abstracted methodology is derived to align the problem and solution identification to its generic phases. The challenges have been identified based on literature surveys and industry feedback.
Findings
As common problems at implementing information security risk management approaches, we identified the fields of asset and countermeasure inventory, asset value assignment, risk prediction, the overconfidence effect, knowledge sharing and risk vs. cost trade-offs. The reviewed risk management approaches do not explicitly provide mechanisms to support decision makers in making an appropriate risk versus cost trade-offs, but we identified academic approaches which fulfill this need.
Originality/value
The paper provides a reference point for professionals and researchers by summing up the current challenges in the field of information security risk management. Therefore, the findings enable researchers to focus their work on the identified real-world challenges and thereby contribute to advance the information security risk management domain in a structured way. Practitioners can use the research results to identify common weaknesses and potential solutions in information security risk management programs.
Details
Keywords
Piya Shedden, Rens Scheepers, Wally Smith and Atif Ahmad
Many methodologies exist to assess the security risks associated with unauthorized leakage, modification and interruption of information used by organisations. This paper argues…
Abstract
Purpose
Many methodologies exist to assess the security risks associated with unauthorized leakage, modification and interruption of information used by organisations. This paper argues that these methodologies have a traditional orientation towards the identification and assessment of technical information assets. This obscures key risks associated with the cultivation and deployment of organisational knowledge. The purpose of this paper is to explore how security risk assessment methods can more effectively identify and treat the knowledge associated with business processes.
Design/methodology/approach
The argument was developed through an illustrative case study in which a well‐documented traditional methodology is applied to a complex data backup process. Follow‐up interviews were conducted with the organisation's security managers to explore the results of the assessment and the nature of knowledge “assets” within a business process.
Findings
It was discovered that the backup process depended, in subtle and often informal ways, on tacit knowledge to sustain operational complexity, handle exceptions and make frequent interventions. Although typical information security methodologies identify people as critical assets, this study suggests a new approach might draw on more detailed accounts of individual knowledge, collective knowledge and their relationship to organisational processes.
Originality/value
Drawing on the knowledge management literature, the paper suggests mechanisms to incorporate these knowledge‐based considerations into the scope of information security risk methodologies. A knowledge protection model is presented as a result of this research. This model outlines ways in which organisations can effectively identify and treat risks around process knowledge critical to the business.
Details
Keywords
Subhas C. Misra, Vinod Kumar and Uma Kumar
This paper seeks to present a conceptual modeling approach, which is new in the domain of information systems security risk assessment.
Abstract
Purpose
This paper seeks to present a conceptual modeling approach, which is new in the domain of information systems security risk assessment.
Design/methodology/approach
The approach is helpful for performing means‐end analysis, thereby uncovering the structural origin of security risks in information systems, and how the root‐causes of such risks can be controlled from the early stages of the projects.
Findings
Though some attempts have previously been made to model security risk assessment in information systems using conventional modeling techniques such as data flow diagrams and UML, the previous works have analyzed and modeled the same just by addressing “what” a process is like. However, they do not address “why” the process is the way it is.
Originality/value
The approach addresses the limitation of the existing security risk assessment models by exploring the strategic dependencies between the actors of a system and analyzing the motivations, intents and rationales behind the different entities and activities constituting the system.
Details
Keywords
Internet of Things (IoT) interconnects many heterogeneous devices to each other, collecting and processing large volumes of data for decision making without human intervention…
Abstract
Purpose
Internet of Things (IoT) interconnects many heterogeneous devices to each other, collecting and processing large volumes of data for decision making without human intervention. However, the information security concern it brings has attracted quite a lot of attention, and, at this stage, the smart step would be to analyze the security issues of IoT platform and get to the state of readiness before embarking upon this attractive technology. The purpose of this paper is to address these issues.
Design/methodology/approach
IoT risk assessment through the application of the analytical hierarchy process (AHP), a favorite multi-criteria decision making technique, is proposed. The IoT risks are prioritized and ranked at different layers, before which a well-defined IoT risk taxonomy is defined comprising of 25 risks across six layers of the IoT model for developing control and mitigation plans for information security of IoT.
Findings
People and processes layer, network layer and applications layer are the top three critical layers with risks like the lack of awareness, malware injection, malicious code injection, denial of service and inefficient policies for IoT practice get the highest priority and rank. Pareto analysis of the overall risk factors revealed that the top ten factors contribute to 80 percent of the risks perceived by information security experts.
Research limitations/implications
The study focuses only on certain predefined constructs or layers of the IoT model traced from legacy studies. It is essential to re-look these constructs on a timely basis to prolong the results’ validity. The study’s empirical scope is confined only to the risk perception of select IoT experts and does not encompass a broader segment of the IoT ecosystem. Therefore, the risks assessment may not be sweeping to a bigger audience.
Practical implications
The study implications are two-fold: one it consolidates the earlier siloed works to intensify the need for risk assessment in the IoT domain, and second the study brings yet another contextual avenue of extending the application AHP and Pareto principle combination. The paper also draws specific critical organizational interventions about IoT risks. A comprehensive approach to prioritizing and ranking IoT risks are present in this research paper.
Originality/value
The contribution of this study to the benchmarking of IoT risk assessment is two-fold. One, a comprehensive risk assessment taxonomy is proposed, and two, the risks are prioritized and ranked to give a convincing reference for the organizations while making information security plans for IoT technology.
Details
Keywords
Ana Faizi, Ali Padyab and Andreas Naess
This study aims to address the issue of practicing information security risk assessment (ISRA) on cloud solutions by studying municipalities and large organizations in Sweden.
Abstract
Purpose
This study aims to address the issue of practicing information security risk assessment (ISRA) on cloud solutions by studying municipalities and large organizations in Sweden.
Design/methodology/approach
Four large organizations and five municipalities that use cloud services and conduct ISRA to adhere to their information security risk management practices were studied. Data were gathered qualitatively to answer the study’s research question: How is ISRA practiced on the cloud? The Coat Hanger model was used as a theoretical lens to study and theorize the practices.
Findings
The results showed that the organizations aimed to follow the guidelines, in the form of frameworks or their own experience, to conduct ISRA; furthermore, the frameworks were altered to fit the organizations’ needs. The results further indicated that one of the main concerns with the cloud ISRA was the absence of a culture that integrates risk management. Finally, the findings also stressed the importance of a good understanding and a well-written legal contract between the cloud providers and the organizations using the cloud services.
Originality/value
As opposed to the previous research, which was more inclined to try out and evaluate various cloud ISRA, the study provides insights into the practice of cloud ISRA experienced by the organizations. This study represents the first attempt to investigate cloud ISRA that organizations practice in managing their information security.
Details
Keywords
Andrea Kő, Gábor Tarján and Ariel Mitev
This paper aims to provide a maturity model for information security awareness (MMISA), based on the literature, expert interviews and feedback. In addition to developing the…
Abstract
Purpose
This paper aims to provide a maturity model for information security awareness (MMISA), based on the literature, expert interviews and feedback. In addition to developing the MMISA, the authors investigate the role of the three decisive factors that affect ISA maturity level: risk management mechanism, organizational structure and ISA.
Design/methodology/approach
The research methodology is a combined one; qualitative and quantitative methods were applied, including surveying the literature, interviews and developing a survey to collect quantitative data about decisive factors that affect ISA maturity level. The authors perform a variance-based partial least squares-structural equation modeling (PLS-SEM) investigation of the relationships between these factors.
Findings
The investigation of decisive factors of ISA maturity levels revealed that if the authors identify a strong risk assessment mechanism (through a documented methodology and reliable results), the authors can expect a high level of ISA. If there is a well-defined organizational structure with clear responsibilities, this supports the linking of a risk management mechanism with the level of ISA. The connection between organizational structure and ISA maturity level is supported by ISA activities: an increased level of awareness actions strengthens an organizational structure via the best practices learned by the staff.
Originality/value
The main contribution of the proposed MMISA model is that the model offers controls and audit evidence for maturity levels. Beyond that, the authors distinguish in the MMISA model controls supporting knowledge and controls supporting attitude, emphasizing that this is not enough to know what to do, but the proper attitude is required too. The authors didn't find any other ISA maturity model which has a similar feature. The contribution of the authors' work is that the authors provide a method for solving this complex measurement problem via the MMISA, which also offers direct guidance for the daily practices of organizations.
Details
Keywords
Jialiang Xie, Shanli Zhang, Honghui Wang and Mingzhi Chen
With the rapid development of Internet technology, cybersecurity threats such as security loopholes, data leaks, network fraud, and ransomware have become increasingly prominent…
Abstract
Purpose
With the rapid development of Internet technology, cybersecurity threats such as security loopholes, data leaks, network fraud, and ransomware have become increasingly prominent, and organized and purposeful cyberattacks have increased, posing more challenges to cybersecurity protection. Therefore, reliable network risk assessment methods and effective network security protection schemes are urgently needed.
Design/methodology/approach
Based on the dynamic behavior patterns of attackers and defenders, a Bayesian network attack graph is constructed, and a multitarget risk dynamic assessment model is proposed based on network availability, network utilization impact and vulnerability attack possibility. Then, the self-organizing multiobjective evolutionary algorithm based on grey wolf optimization is proposed. And the authors use this algorithm to solve the multiobjective risk assessment model, and a variety of different attack strategies are obtained.
Findings
The experimental results demonstrate that the method yields 29 distinct attack strategies, and then attacker's preferences can be obtained according to these attack strategies. Furthermore, the method efficiently addresses the security assessment problem involving multiple decision variables, thereby providing constructive guidance for the construction of security network, security reinforcement and active defense.
Originality/value
A method for network risk assessment methods is given. And this study proposed a multiobjective risk dynamic assessment model based on network availability, network utilization impact and the possibility of vulnerability attacks. The example demonstrates the effectiveness of the method in addressing network security risks.
Details