Michael Matthias Naumann,Stelian Mircea Olaru,Georg Sven Lampe,Fabian Pitz

DOI: https://doi.org/10.2478/picbe-2024-0043

2024-06-01

Proceedings of the International Conference on Business Excellence

Abstract:Abstract In the current global context, companies need a defined minimum level of information security to recognize and deal with related threats and risks. Due to market, customer or legal requirements, specifications and requirements for information security are implemented uniformly according to standards such as the information security management standard ISO/IEC 27001 or industry-specific standards such as Trusted Information Security Assessment Exchange - TISAX, ISO IEC 27019 Energy Utility Information Security Standard. The conformity to these standard requirements within the established management system is checked during periodically required audits. However, there are various reasons for which, even after many years of audits in companies, there are still insufficient process implementations for information security requirements. The aim of the paper is to analyze the status of conformity and thus also the process maturity in selected samples of companies that have already had information security management systems (ISMS) implemented for several years. In detail, the reasons for deviations from the minimum requirements with associated risks for the security of information in companies were analyzed, which allow conclusions to be drawn about possible process improvements. The paper also analyzes why, despite established measures and existing expertise, only a limited level of process maturity is achieved on average. Other possible approaches to the implementation procedure for dealing with non-conformities in information security are also considered. The results of this research show that there is a need for an adjusted continuous improvement process, which makes risks resulting from insufficient process maturity more visible. Proposals for such improvements are listed.

Sabine Goldes,Ralf Schneider,Christian M. Schweda,Jawed Zamani

DOI: https://doi.org/10.1109/cybconf.2017.7985763

2017-06-01

Abstract:Information Security is a topic of increasing importance for organizations today. The triad of professionalization and industrialization of cyber-crime, globalization and digitalization of business models, and increasing regulatory focus on data protection exerts pressure on organizations and enterprises to implement sophisticated Information Security Management Systems (ISMS). Best-practices for implementing such systems are given by multiple de-facto standards, whereas blueprints for ISMS are relatively scarce. In this paper we discuss design requirements for a modern Information Security Management System, derive a blueprint for such a system based on the viable system approach, and exemplify constituents of the blueprint from the environment of an insurance enterprise.

Rainer Diesch,Matthias Pfaff,Helmut Krcmar

DOI: https://doi.org/10.1016/j.cose.2020.101747

2020-05-01

Abstract:<p>Decision-making in the context of organizational information security is highly dependent on various information. For information security managers, not only relevant information has to be clarified but also their interdependencies have to be taken into account. Thus, the purpose of this research is to develop a comprehensive model of relevant management success factors (MSF) for organizational information security. First, a literature survey with an open-axial-selective analysis of 136 articles was performed to identify factors influencing information security. These factors were categorized into 12 areas: physical security, vulnerability, infrastructure, awareness, access control, risk, resources, organizational factors, CIA, continuity, security management, compliance &amp; policy. Second, an interview series with 19 experts from the industry was used to evaluate the relevance of these factors in practice and explore interdependencies between them. Third, a comprehensive model was developed. The model shows that there are key-security-indicators, which directly impact the security-status of an organization while other indicators are only indirectly connected. Based on these results, information security managers should be aware of direct and indirect MSFs to make appropriate decisions.</p>

computer science, information systems

Harrison Stewart,Jan Jürjens

DOI: https://doi.org/10.1108/ics-07-2016-0054

2017-11-13

Information and Computer Security

Abstract:Purpose The aim of this study is to encourage management boards to recognize that employees play a major role in the management of information security. Thus, these issues need to be addressed efficiently, especially in organizations in which data are a valuable asset. Design/methodology/approach Before developing the instrument for the survey, first, effective measurement built upon existing literature review was identified and developed and the survey questionnaires were set according to past studies and the findings based on qualitative analyses. Data were collected by using cross-sectional questionnaire and a Likert scale, whereby each question was related to an item as in the work of Witherspoon et al. (2013). Data analysis was done using the SPSS.3B. Findings Based on the results from three surveys and findings, a principle of information security compliance practices was proposed based on the authors’ proposed nine-five-circle (NFC) principle that enhances information security management by identifying human conduct and IT security-related issues regarding the aspect of information security management. Furthermore, the authors’ principle has enabled closing the gap between technology and humans in this study by proving that the factors in the present study’s finding are interrelated and work together, rather than on their own. Research limitations/implications The main objective of this study was to address the lack of research evidence on what mobilizes and influences information security management development and implementation. This objective has been fulfilled by surveying, collecting and analyzing data and by giving an account of the attributes that hinder information security management. Accordingly, a major practical contribution of the present research is the empirical data it provides that enable obtaining a bigger picture and precise information about the real issues that cause information security management shortcomings. Practical implications In this sense, despite the fact that this study has limitations concerning the development of a diagnostic tool, it is obviously the main procedure for the measurements of a framework to assess information security compliance policies in the organizations surveyed. Social implications The present study’s discoveries recommend in actuality that using flexible tools that can be scoped to meet individual organizational needs have positive effects on the implementation of information security management policies within an organization. Accordingly, the research proposes that organizations should forsake the oversimplified generalized guidelines that neglect the verification of the difference in information security requirements in various organizations. Instead, they should focus on the issue of how to sustain and enhance their organization’s compliance through a dynamic compliance process that involves awareness of the compliance regulation, controlling integration and closing gaps. Originality/value The rapid growth of information technology (IT) has created numerous business opportunities. At the same time, this growth has increased information security risk. IT security risk is an important issue in industrial sectors, and in organizations that are innovating owing to globalization or changes in organizational culture. Previously, technology-associated risk assessments focused on various technology factors, but as of the early twenty-first century, the most important issue identified in technology risk studies is the human factor.

Goran Piskachev,Stefan Dziwok,Thorsten Koch,Sven Merschjohan,Eric Bodden

DOI: https://doi.org/10.48550/arXiv.2208.06136

2022-08-12

Abstract:As security becomes more relevant for many companies, the popularity of static program analysis (SPA) tools is increasing. In this paper, we target the use of SPA tools among companies in Germany with a focus on security. We give insights on the current issues and the developers' willingness to configure the tools to overcome these issues. Compared to previous studies, our study considers the companies' culture and processes for using SPA tools. We conducted an online survey with 256 responses and semi-structured interviews with 17 product owners and executives from multiple companies. Our results show a diversity in the usage of tools. Only half of our survey participants use SPA tools. The free tools tend to be more popular among software developers. In most companies, software developers are encouraged to use free tools, whereas commercial tools can be requested. However, the product owners and executives in our interviews reported that their developers do not request new tools. We also find out that automatic security checks with tools are rarely performed on each release.

Cryptography and Security,Software Engineering

Lam‐for Kwok,Dennis Longley

DOI: https://doi.org/10.1108/09685229910255179

1999-03-01

Abstract:Information security management has been placed on a firmer footing with the publication of standards by national bodies. These standards provide an opportunity for security managers to gain senior management recognition of the importance of procedures and mechanisms to enhance information security. They may also place demands on security managers to provide convincing demonstration of conformance to the standards. The risk data repository (RDR) computer model described in this paper was developed to manage organisational information security data and facilitate risk analysis studies. The RDR provides a form of computer documentation that can assist the security officer to maintain a continuous record of the organisational information security scenario and facilitate system security development, business continuity planning and standards conformance audits.

Barbara Gaudenzi,Ilenia Confente,Martin Christopher

DOI: https://doi.org/10.1057/crr.2015.16

2015-10-01

Corporate Reputation Review

Abstract:It could be argued that the management of reputational risk should be a key business priority. Yet despite recognition in previous studies that the risk related to reputation is critical, concrete reputational risk management approaches remain poorly developed. This paper presents a theoretical framework with the key steps for companies to become more aware of reputational risk and to protect themselves from it. In addition, the authors describe companies’ perceptions of risks and reputation issues. A questionnaire-based survey focused on risks and reputation issues was conducted among a sample of experts in risk management working for international manufacturing and service firms. Results show that while reputational risk is considered to be critical, in practice there is no particular attention assigned to specific risk sources that might affect reputation.

English Else

Golnaz Elahi,Eric Yu,Tong Li,Lin Liu

DOI: https://doi.org/10.1109/compsac.2011.48

2011-01-01

Abstract:Various governmental or academic institutes survey current security trends, and report vulnerabilities, security breaches, and their costs. However, it is unclear whether (and how) practitioners analyze these vulnerabilities and attacks to arrive at security requirements and decide on security solutions. What modeling methods are used for eliciting, analyzing, and documenting security requirements in real-world practice? This paper intends to answer such questions through a survey of security requirements engineering practices. 374 software professionals from 237 International and Chinese firms participated in the survey. The results show businesses often try to consider security from early stages of the development life cycle, however, ultimately, security is left to be built into the system at the implementation phase. We observed that practitioners favour qualitative risk assessment rather than quantitative approaches, and this helps them consider more varieties of factors when comparing alternative security design solutions.

Michael Felderer,Juergen Grossmann,Ina Schieferdecker

DOI: https://doi.org/10.48550/arXiv.1801.06812

2018-01-21

Abstract:In order to optimize the usage of testing efforts and to assess risks of software-based systems, risk-based testing uses risk (re-)assessments to steer all phases in a test process. Several risk-based testing approaches have been proposed in academia and/or applied in industry, so that the determination of principal concepts and methods in risk-based testing is needed to enable a comparison of the weaknesses and strengths of different risk-based testing approaches. In this chapter we provide an (updated) taxonomy of risk-based testing aligned with risk considerations in all phases of a test process. It consists of three top-level classes, i.e., contextual setup, risk assessment, and risk-based test strategy. This taxonomy provides a framework to understand, categorize, assess and compare risk-based testing approaches to support their selection and tailoring for specific purposes. Furthermore, we position four recent risk-based testing approaches into the taxonomy in order to demonstrate its application and alignment with available risk-based testing approaches.

Software Engineering

Michel Dacorogna,Marie Kratz

2023-02-05

Abstract:Not a day goes by without news about a cyber attack. Fear spreads out and lots of wrong ideas circulate. This survey aims at showing how all these uncertainties about cyber can be transformed into manageable risk. After reviewing the main characteristics of cyber risk, we consider the three layers of cyber space: hardware, software and psycho-cognitive layer. We ask ourselves how is this risk different from others, how modelling has been tackled and needs to evolve, and what are the multi-facetted aspects of cyber risk management. This wide exploration pictures a science in the making and points out the questions to be solved for building a resilient society.

Cryptography and Security

Abdullah Al Hayajneh,Hasnain Nizam Thakur,Kutub Thakur

DOI: https://doi.org/10.5539/cis.v16n4p1

2023-11-20

Computer and Information Science

Abstract:In the contemporary era marked by the extensive utilization of data, information systems have been extensively embraced by global organizations and also hold a pivotal position in national defense and various other domains. The growing interconnectedness between individuals and diverse information systems has resulted in an intensified emphasis on the evaluation of potential risks. The mitigation of these dangers extends beyond simple technological solutions and includes established standards, legal structures, and policies, adopting a complete approach based on safety engineering concepts. This study aims to develop a robust framework for the harmonization of Information Technology Security Standards. It will explore prevalent techniques for conducting risk assessments and differentiate between quantitative and qualitative approaches to evaluation. Moreover, this study illustrates the combination of quantitative and qualitative evaluation methodologies, providing a comprehensive framework for the analysis and design of risk assessment. In addition, this study advances our understanding of INFOSEC risk assessment and contributes to the advancement of more efficient information security strategies by sharing global perspectives, addressing challenges in classification, clarifying the incorporation of Information Security Management Systems (ISMS), and highlighting the significance of Artificial Intelligence in the domain of Information Security (INFOSEC).

Markus Voggenreiter,Florian Angermeir,Fabiola Moyón,Ulrich Schöpp,Pierre Bonvin

DOI: https://doi.org/10.1145/3639477.3639744

2024-01-12

Abstract:In recent years, DevOps, the unification of development and operation workflows, has become a trend for the industrial software development lifecycle. Security activities turned into an essential field of application for DevOps principles as they are a fundamental part of secure software development in the industry. A common practice arising from this trend is the automation of security tests that analyze a software product from several perspectives. To effectively improve the security of the analyzed product, the identified security findings must be managed and looped back to the project team for stakeholders to take action. This management must cope with several challenges ranging from low data quality to a consistent prioritization of findings while following DevOps aims. To manage security findings with the same efficiency as other activities in DevOps projects, a methodology for the management of industrial security findings minding DevOps principles is essential.

Software Engineering

Daniel Méndez Fernández,Michaela Tießler,Marcos Kalinowski,Michael Felderer,Marco Kuhrmann

DOI: https://doi.org/10.48550/arXiv.1707.00144

2017-07-31

Abstract:Background: The sensitivity of Requirements Engineering (RE) to the context makes it difficult to efficiently control problems therein, thus, hampering an effective risk management devoted to allow for early corrective or even preventive measures. Problem: There is still little empirical knowledge about context-specific RE phenomena which would be necessary for an effective context- sensitive risk management in RE. Goal: We propose and validate an evidence-based approach to assess risks in RE using cross-company data about problems, causes and effects. Research Method: We use survey data from 228 companies and build a probabilistic network that supports the forecast of context-specific RE phenomena. We implement this approach using spreadsheets to support a light-weight risk assessment. Results: Our results from an initial validation in 6 companies strengthen our confidence that the approach increases the awareness for individual risk factors in RE, and the feedback further allows for disseminating our approach into practice.

Software Engineering

Valeria Baranova,Krystyna Dvornyk

DOI: https://doi.org/10.26565/2786-4995-2024-2-12

2024-06-28

Abstract:The digital transformation of business contributes to the growth of productivity in all sectors of the economy, creating additional value for consumers, optimizing the internal business processes of enterprises and reducing costs. In socially significant sectors, digital transformation contributes to solving social problems, improving access to public and social services. The rapid advancement of technology and the growing complexity of the business environment make effective risk management a critical factor for the strategic success of enterprises in all sectors of the economy. Especially important in this context is the transformation of traditional methods of risk management with the help of digital tools and data analytics. The implementation of digital technologies in the process of risk management can become decisive for achieving competitive advantages and ensuring sustainable development in Ukraine. The article describes the main principles of digital risk management; methods of risk management are explored through the selection of options with sustainability in mind; modern practice is considered and information management tools are analyzed. In the framework of the conducted research, foreign experience was considered; and also, with the help of the analysis of the "EBIOS RM" method, recommendations were formulated regarding the subject area of the study. Detailed attention is paid to the current state of the information technology industry in Ukraine and the identification of key problems of information management. Effective information management mechanisms were analyzed and digital risk management tools were systematized.

Fotis Kitsios,Elpiniki Chatzidimitriou,Maria Kamariotou

DOI: https://doi.org/10.3390/su14031269

IF: 3.9

2022-01-24

Sustainability

Abstract:Organizations must be committed to ensuring the confidentiality, availability, and integrity of the information in their possession to manage legal and regulatory obligations and to maintain trusted business relationships. Information security management systems (ISMSs) support companies to better deal with information security risks and cyber-attacks. Although there are many different approaches to successfully implementing an ISMS in a company, the most important and time-consuming part of establishing an ISMS is a risk assessment. The purpose of this paper was to develop a risk assessment framework that a company followed in the information technology sector to conduct the risk assessment process to comply with International Organization for Standardization (ISO) 27001. The findings analyze the conditions that force organizations to invest in protecting information and the benefits they can derive from this process. In particular, the paper delves into a multinational IT consulting services company that undertakes and implements large business support installation and customization projects. It explains the risk assessment process and the management of the necessary configurations so that its functions are acceptable and in line with information security standards. Finally, it presents the difficulties and challenges encountered.

environmental sciences,environmental studies,green & sustainable science & technology

Nathalie Brender,Iliya Markov

DOI: https://doi.org/10.1016/j.ijinfomgt.2013.05.004

IF: 18.958

2013-10-01

International Journal of Information Management

Abstract:In today&#x27;s economic turmoil, the pay-per-use pricing model of cloud computing, its flexibility and scalability and the potential for better security and availability levels are alluring to both SMEs and large enterprises. However, cloud computing is fraught with security risks which need to be carefully evaluated before any engagement in this area. This article elaborates on the most important risks inherent to the cloud such as information security, regulatory compliance, data location, investigative support, provider lock-in and disaster recovery. We focus on risk and control analysis in relation to a sample of Swiss companies with regard to their prospective adoption of public cloud services. We observe a sufficient degree of risk awareness with a focus on those risks that are relevant to the IT function to be migrated to the cloud. Moreover, the recommendations as to the adoption of cloud services depend on the company&#x27;s size with larger and more technologically advanced companies being better prepared for the cloud. As an exploratory first step, the results of this study would allow us to design and implement broader research into cloud computing risk management in Switzerland.

information science & library science

Xuan Zhang,Nattapong Wuwong,Hao Li,Xuejie Zhang

DOI: https://doi.org/10.1109/cit.2010.501

2010-06-01

Abstract:The security risks associated with each cloud delivery model vary and are dependent on a wide range of factors including the sensitivity of information assets, cloud architectures and security controls involved in a particular cloud environment [7]. Over time, organizations tend to relax their security posture. To combat a relaxation of security, the cloud provider should perform regular security assessments [3]. Risk management framework is one of security assessment tool to reduction of threats and vulnerabilities and mitigates security risks. The goal of this paper is to present information risk management framework for better understanding critical areas of focus in cloud computing environment, to identifying a threat and identifying vulnerability. This framework is covering all of cloud service models and cloud deployment models. Cloud provider can be applied this framework to organizations to do risk mitigation.

Sayed Amir Reza Mortazavi,Faramarz Safi-Esfahani

DOI: https://doi.org/10.1007/s41870-019-00302-0

2019-04-22

International Journal of Information Technology

Abstract:Today, information is rapidly increasing. For most of this information, data security and protection from unauthorized access are of great importance. Maybe information is created by an individual or a few people, but creating security for the information should be done by all assets of hardware, software and people. This entails organizing all elements of the system, and training and monitoring the performance of the people. One of the standards provided for the creation of security is ISMS. This standard is intended to provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a system in terms of security. ISMS receives several parameters from users, assesses the risks and offers some controls (guidelines) to improve them. Collecting primary parameters is also very important in ISMS. Usually these parameters are collected personally, which result in getting inaccurate outcomes. The most important parameters include confidentiality, integrity, availability, threat and vulnerability. This paper tries to provide a method based on checklists so that by assessing the users’ responses to these checklists, one can more accurately insert the vulnerability parameter value as a standard input of ISMS, in order to gain better outcomes, and more accurately perform choice of controls. In the assessment, the standard deviation method is calculated, and comparison between the common mode of ISMS and the proposed method shows that the latter works 30% better than the conventional method. People may refuse to respond sincerely due to different reasons, and the percentage of the results may differ, since the results are obtained as cross-sectional at a certain time.

Michael Schmid,Sebastian Pape

DOI: https://doi.org/10.1007/978-3-030-22312-0_16

2019-01-01

Abstract:Generally, measuring the information security maturity is the first step to build a knowledge information security management system in an organization. Unfortunately, it is not possible to measure information security directly. Thus, in order to get an estimate, one has to find reliable measurements. One way to assess information security is by applying a maturity model and assess the level of controls. This does not need to be equivalent to the level of security. Nevertheless, evaluating the level of information security maturity in companies has been a major challenge for years. Although many studies have been conducted to address these challenges, there is still a lack of research to properly analyze these assessments. The primary objective of this study is to show how to use the analytic hierarchy process (AHP) to compare the information security controls’ level of maturity within an industry in order to rank different companies. To validate the approach of this study, we used real information security data from a large international media and technology company.

Betsy Uchendu,Jason R.C. Nurse,Maria Bada,Steven Furnell

DOI: https://doi.org/10.1016/j.cose.2021.102387

2021-10-01

Abstract:<p>While the creation of a strong security culture has been researched and discussed for decades, it continues to elude many businesses. Part of the challenge faced is distilling pertinent, recent academic findings and research into useful guidance. In this article, we aim to tackle this issue by conducting a state-of-the-art study into organisational cyber security culture research. This work investigates four questions, including how cyber security culture is defined, what factors are essential to building and maintaining such a culture, the frameworks proposed to cultivate a security culture and the metrics suggested to assess it. Through the application of the PRISMA systematic literature review technique, we identify and analyse 58 research articles from the last 10 years (2010-2020). Our findings demonstrate that while there have been notable changes in the use of terms (e.g., information security culture and cyber security culture), many of the most influential factors across papers are similar. Top management support, policy and procedures, and awareness for instance, are critical in engendering cyber security culture. Many of the frameworks reviewed revealed common foundations, with organisational culture playing a substantial role in crafting appropriate cyber security culture models. Questionnaires and surveys are the most used tool to measure cyber security culture, but there are also concerns as to whether more dynamic measures are needed. For practitioners, this article highlights factors and models essential to the creation and management of a robust security culture. For research, we produce an up-to-date characterisation of the field and also define open issues deserving of further attention such as the role of change management processes and national culture in an enterprise's cyber security culture.</p>

computer science, information systems