Developing contextual understanding of information security risks

Mapping the consensual knowledge of security risk management experts

Australian Information Warfare and Security …, 2006

The security industry comprises diverse and multidisciplined practitioners, originating from many disciplines. It has been suggested that the industry has an undefined knowledge structure, although security experts hold a rich knowledge structure. There has also been limited research mapping security expert knowledge structure, reducing the ability of tertiary educators to provide industry-focused teaching and learning. The study utilized multidimensional scaling (MDS) and expert interviews to map the consensual knowledge structure of security experts in their understanding of security risk. Security risk concepts were extracted and critiqued from West Australian university courses. Linguistic analysis categorised the more utilized security risk concepts. MDS tested these concepts and presented a spatial knowledge structure [STRESS1=0.35, α=0.64], further tested and validated by security experts [N=3]. The study presented a number of significant findings. A table of security categories, with supporting subordinate concepts, was presented. The security risk consensual knowledge map suggested that the concept of threat occupied a central theme for security experts. Spatial location of security risk concepts provided an indication of conceptual relationships. Finally, the sequential structure and concept clusters provided an indication of security expert conceptual decision making.

Key concepts in security risk management: A psychometric concept map approach to understanding

Risk management is becoming a well-established discipline, with its own body of knowledge and domain practitioners. States worldwide now have their own risk management standards and in many, it is the company director's responsibility to ensure risk management compliance. A subset of risk management is security risk management; however, security risk management is distinct from other forms of risk management, and many of the more generic risk models lack key concepts necessary for effective design, application and mitigation of security risks. This book defines the key concepts of security risk management and forms these into a conceptual map, based on an interpretative four-phase scientific study. The security risk management map demonstrates the inclusive and spatial locality of the more significant security risk concepts, domain complexity and the central aspect of such concepts as threat, criticality, etc. In addition, the book presents 14 core organisational security knowledge categories, arranged within a framework. Such an approach allows in-depth understanding, improved teaching and learning, system design and application of these areas of security and security risk management.

Concern level assessment: Building domain knowledge into a visual system to support network-security situation awareness

Information Visualization, 2013

Information officers and network administrators require tools to help them achieve situation awareness about potential network threats. We describe a response to mini-challenge 1 of the 2012 IEEE VAST challenge in which we developed a visual analytic solution to a network security situation awareness problem. To support conceptual design, we conducted a series of knowledge elicitation sessions with domain experts. These provided an understanding of the information they needed to make situation awareness judgements as well as a characterisation of those judgements in the form of production rules which define a parameter we called the 'Concern Level Assessment' (CLA). The CLA was used to provide heuristic guidance within a visual analytic system called M-SIEVE. An analysis of VAST challenge assessment sessions using M-SIEVE provides some evidence that intelligent heuristics like this can provide useful guidance without unduly dominating interaction and understanding.

Examining the Contribution of Critical Visualisation to Information Security

This paper examines the use of visualisations in the field of information security and in particular focuses on the practice of information security risk assessment. We examine the current roles of information security visualisations and place these roles in the wider information visualisation discourse. We present an analytic lens which divides visualisations into three categories: journalistic, scientific and critical visualisations. We then present a case study that uses these three categories of visualisations to further support information security practice. Two significant results emerge from this case study: (1) visualisations that promote critical thinking and reflection (a form of critical visualisation) support the multi-stakeholder nature of risk assessment and (2) a preparatory stage in risk assessment is sometimes needed by service designers in order to establish the service design before conducting a formal risk assessment. The reader is invited to explore the images in the digital version of this paper where they can zoom in to particular aspects of the images and view the images in colour.

Triangulating the Views of Human and Non-Human Stakeholders In Information Security Risk Assessment

Freeman, 2007

The risk assessment methodologies that are portrayed in traditional information security management literature often do not scale into the multi-level stakeholder environment of corporate governance. This is because they focus on one type of stakeholder, the IT infrastructure. A risk assessment methodology that is to operate successfully in such an environment must have effective mechanisms for including and incorporating the risk perceptions of the different stakeholders. This does not mean that the traditional forms of information security risk assessment should be replaced; on the contrary, they are extremely necessary. Rigorous IT infrastructure risk assessment is fundamental to good security management. However, in environments where the operational processes for using the information are complex and dynamic, another aspect of risk, namely business or operational process security risk assessment, needs to take place. Whilst this view of security risk assessment in itself is not a new concept and can be found as a dominant aspect of security risk assessment methodologies such as Sherwood Applied Business Security Architecture (SABSA) and Facilitated Risk Analysis and Assessment Process (FRAAP), there has been little discussion as to how to include the operational process view without detracting from the technical IT asset view. This work considers how interaction between the stakeholders might take place, and this short paper explores the different techniques to promote inclusiveness of the different stakeholder communities in the risk assessment process. The case studies that are used in this paper are the results of five years of field observations.

Contextual Dependencies in Information Systems Security (Winter 12-14-2013)

2017

This paper addresses the contextual dependencies related to the use of information systems security and criticizes the predominance of the technical and formalized paradigm in the development and implementation of IS security policies and procedures. The underlying epistemology of our research lies in the interpretative paradigm. It explores the patterns of how the contextual use of information systems security is involved according to a business/organizational practice perspective. It elicits the detailed processes and practices that constitute the pragmatic perspective in developing information security activities.

A Framework for Decision Support in Information Systems Security

Americas Conference on Information Systems, 2004

As the structure of modern organizations shifts, so correspondingly must the methodologies which underlie the evaluation and development of the security posture of their information systems. We have witnessed an ever-growing gap between organizational policy and technology. We have also witnessed an ever-increasing complexity of decisions regarding the planning and design of IS security. Within this paper, we propose a decision support framework consistent with security and decision theory and develop a model of the decision analysis space suitable for multiple criteria decision making (MCDM). The adoption of MCDM techniques within the context of this model can show inherent trade-offs between alternatives in a security decision, encapsulate qualitative as well as quantitative elements within the analysis space, and facilitate group decision making, thereby dealing with the conflicting perspectives of multiple stakeholders. The paper concludes with a demonstration of the proposed model through a case study conducted with a major financial services provider.

Incorporating a knowledge perspective into security risk assessments

VINE, 2011

Purpose: Many methodologies exist to assess the security risks associated with unauthorized leakage, modification and interruption of information used by organisations. This paper argues that these methodologies have a traditional orientation towards the identification and assessment of technical information assets. This obscures key risks associated with the cultivation and deployment of organisational knowledge. The purpose of this paper is to explore how security risk assessment methods can more effectively identify and treat the knowledge associated with business processes.

Design/methodology/approach: The argument was developed through an illustrative case study in which a well-documented traditional methodology is applied to a complex data backup process. Follow-up interviews were conducted with the organisation's security managers to explore the results of the assessment and the nature of knowledge "assets" within a business process.

Findings: It was discovered that the backup pr...

When Stakeholders Perceive Threats and Risks Differently: the Use of Group Support Systems to Develop a Common Understanding and a Shared Response

Journal of Homeland Security and Emergency Management, 2000

We present a multi-phased action research project conducted at the department of Information Management - Customer Support and Operations in a large multi-national company. This department is in charge of IT service continuity and was asked to develop an IT response and recovery plan that had to be integrated within the organization's overall business continuity plan. The department's key challenge was to develop a response plan which incorporates the perspectives of the business managers, whose perception of the threats and associated risks differed significantly from that of the IT managers. To develop such a shared response plan, we used group support systems and cognitive mapping techniques to identify both stakeholder groups' perceptions of IT threats and risks. This allowed us to raise awareness in both groups of the other group's different perspectives. We aggregated the responses into a shared response and recovery plan, representing the views of both groups. Our research has made clear to the stakeholder groups involved the necessity of sharing information and developing awareness to formulate a shared disaster recovery plan for ensuring business continuity and recovery.