Triangulating the Views of Human and non-Human Stakeholders in Information System Security Risk Assessment

Freeman, 2007

The risk assessment methodologies portrayed in traditional information security management literature often do not scale into the multi-level stakeholder environment of corporate governance. This is because they focus on one type of stakeholder, the IT infrastructure. A risk assessment methodology that is to operate successfully in such an environment must have effective mechanisms for including and incorporating the risk perceptions of the different stakeholders. This does not mean that the traditional forms of information security risk assessment should be replaced; on the contrary, they are extremely necessary. Rigorous IT infrastructure risk assessment is fundamental to good security management. However, in environments where the operational processes for using the information are complex and dynamic, another aspect of risk, namely business or operational process security risk assessment, needs to take place. Whilst this view of security risk assessment is not in itself a new concept and can be found as a dominant aspect of security risk assessment methodologies such as Sherwood Applied Business Security Architecture (SABSA) and the Facilitated Risk Analysis and Assessment Process (FRAAP), there has been little discussion of how to include the operational process view without detracting from the technical IT asset view. This work considers how interaction between the stakeholders might take place, and this short paper explores the different techniques for promoting inclusiveness of the different stakeholder communities in the risk assessment process. The case studies used in this paper are the results of five years of field observations.

On the Role of the Facilitator In Information Security Risk Assessment

Journal in Computer Virology, 2007

In organisations where information security has historically been a part of management, and for which the risk assessment methodologies have been designed, there are established methods for communicating risk. This is the case, for example, in the banking and military sectors. However, in organisations where information security is not embedded into management thinking, and where the relationship between information security and the business is less clear-cut, communicating the risks to the business is less straightforward. In such circumstances it has been observed during field research that information security risk assessments frequently output findings to which the business cannot relate, and the process is consequently often viewed as a "tick box" exercise, as opposed to one that provides real value to the business. In such a situation the information security risk assessment is divorced from the business process and not embedded into the organisation's processes or thinking. The research for this paper was undertaken in order to identify what needs to be done to ensure that businesses of this type find the risk assessment process valuable in practice.

Information Security Risks Assessment: A Case Study

ArXiv, 2018

Owing to recorded incidents of information-technology-oriented organisations failing to respond effectively to threat incidents, this project outlines the benefits of conducting a comprehensive risk assessment, which would aid proficiency in responding to potential threats. The ultimate goal is primarily to identify, quantify and control the key threats that are detrimental to achieving business objectives. This project carries out a detailed risk assessment for a case study organisation. It includes a comprehensive literature review analysing several professional views on pressing issues in information security. In the risk register, five prominent assets were identified with respect to their owners. The work is followed by a qualitative analysis methodology to determine the magnitude of the potential threats and vulnerabilities. Collating these parameters enabled the valuation of individual risk per asset, per threat and per vulnerability. Evaluating a risk appetite aided in prioritising...

Information Security Risk Assessment: Towards a Business Practice Perspective

2010

Information security risk assessments (ISRAs) are of great importance for organisations. Current ISRA methods identify an organisation's security risks and provide a measured, analysed security risk profile of critical information assets in order to build plans to treat risk. However, despite prevalent use in organisations today, current methods adopt a limited view of information assets during risk identification. In the context of day-to-day activities, people copy, print and discuss information, leading to the 'leakage' of information assets. Employees will create and use unofficial assets as part of their day-to-day routines. Furthermore, employees will also possess important knowledge on how to perform their functions within a business process or information system. These are all elements of business 'practice', a perspective that would yield a richer and holistic understanding of an organisation's information assets and vulnerabilities. This perspective is not captured by traditional ISRA methods, leading to an incomplete view of an organisation's information systems and processes that could prove detrimental and damaging. This paper hence suggests that a business practice perspective be incorporated into ISRA methods in order to identify information leakage, unofficial, critical information assets and critical process knowledge of organisations.

Comparative Study of Information Security Risk Assessment Frameworks

With the increasing need to secure an organization's computing environment, a security risk management framework that accurately defines the security risk management process is essential. In this regard, numerous risk management frameworks have been developed, and many more are emerging every day. They all have very different perspectives and address problems differently, though with the same basic goal of mitigating information security risks. Information is a critical asset for every organization, and hence the development and implementation of strategic plans for information security risk mitigation should be an essential part of every organization's operation. This paper compares and analyzes the different activities, inputs and outputs required by each information security risk assessment model. The primary goal of the paper is to identify which information security risk assessment model assesses information security risk effectively. The comparative study helps in evaluating the models' applicability to an organization and its specific needs.

Developing a Risk Analysis Strategy Framework for Impact Assessment in Information Security Management Systems: A Case Study in IT Consulting Industry

Sustainability, 2022

Organizations must be committed to ensuring the confidentiality, availability, and integrity of the information in their possession to manage legal and regulatory obligations and to maintain trusted business relationships. Information security management systems (ISMSs) support companies to better deal with information security risks and cyber-attacks. Although there are many different approaches to successfully implementing an ISMS in a company, the most important and time-consuming part of establishing an ISMS is a risk assessment. The purpose of this paper was to develop a risk assessment framework that a company followed in the information technology sector to conduct the risk assessment process to comply with International Organization for Standardization (ISO) 27001. The findings analyze the conditions that force organizations to invest in protecting information and the benefits they can derive from this process. In particular, the paper delves into a multinational IT consulti...

Risk Assessment Model for Organizational Information Security

2015

Information security risk assessment (RA) plays an important role in an organization's future strategic planning. Generally there are two types of RA approaches: quantitative RA and qualitative RA. Quantitative RA is an objective study of the risk that uses numerical data. On the other hand, qualitative RA is a subjective evaluation based on judgment and experience which does not operate on numerical data. It is difficult to conduct a purely quantitative RA method, because of the difficulty of comprehending numerical data alone without a subjective explanation. However, qualitative RA does not necessarily demand objectivity about the risks, although it is possible to conduct RA that is purely qualitative in nature. If implemented in silos, the limitations of both quantitative and qualitative methods may increase the likelihood of direct and indirect losses for an organization. This paper suggests a combined RA model from both quantitative and qualitative RA methods to be u...

Perception of risk and the strategic impact of existing IT on information security strategy at board level

Online Information Review, 2007

Purpose: Information security is becoming increasingly important as organisations are endangered by a variety of threats from both their internal and external environments. Many theorists now advocate that effective security policies should be created at senior management level. This is because executives are able to evaluate the organisation using a holistic approach, as well as having the power to ensure that new systems and procedures are implemented in a timely manner. There is, however, a continuing lack of understanding regarding the strategic importance of managing information security. In addition, there is a gap in the literature on the relationship between directors and information security strategy. This paper attempts to close this gap by exploring how directors perceive their organisation's security and what factors influence their decisions on the development and implementation of information security strategy.

Design/methodology/approach: The research is based on constructivist grounded theory. Forty-three interviews were conducted at executive level in 29 organisations. These interviews were then coded and analysed in order to develop new theory on directors' perception of risk and its effect on the development and implementation of information security strategy.

Findings: The analysis shows that senior managers' engagement with information security is dependent on two key variables: the strategic importance of information systems to their organisation and their perception of risk. Additionally, this research found that these two variables are affected by both organisational contextual factors and the strategic and operational actions undertaken within the business. Furthermore, the results demonstrated that the two board variables also have an impact on the organisation's environment as well as its strategic and operational actions. This paper uses the data gathered from the interviews to develop a model of these factors. In addition, a perception grid is constructed which illustrates the potential concerns that can drive board engagement.

Practical implications: The paper illustrates the advantages of using the perception grid to understand and develop current and future information security issues.

Originality/value: The paper investigates how organisational directors perceive information security and how this perception influences the development of their information security strategy.

Incorporating a knowledge perspective into security risk assessments

VINE, 2011

Purpose: Many methodologies exist to assess the security risks associated with unauthorized leakage, modification and interruption of information used by organisations. This paper argues that these methodologies have a traditional orientation towards the identification and assessment of technical information assets. This obscures key risks associated with the cultivation and deployment of organisational knowledge. The purpose of this paper is to explore how security risk assessment methods can more effectively identify and treat the knowledge associated with business processes.

Design/methodology/approach: The argument was developed through an illustrative case study in which a well-documented traditional methodology is applied to a complex data backup process. Follow-up interviews were conducted with the organisation's security managers to explore the results of the assessment and the nature of knowledge "assets" within a business process.

Findings: It was discovered that the backup pr...

Information Security Risk Assessment: The Qualitative Versus Quantitative Dilemma

This paper presents the main security risk assessment methodologies used in information technology. The author starts from and research, bringing real-world examples to underline the limitations of the two risk assessment models. After a critical review of standards that reveals a lack of rigour, a practical comparison of the quantitative information security risk assessment models with the qualitative models shows that we can introduce two new factors which have an impact on risk assessment: the time constraint and the moral hazard of the analyst. Information technology managers know that in information systems long-term security is an ideal situation, and that the financial impact of poor information security policies, procedures and standards is in most cases very difficult to calculate. These calculations will rarely be accurate, universal and ready for use by any security analyst.