Kaj Hänninen,Hans Hansson,Henrik Thane,Mehrdad Saadatmand

DOI: https://doi.org/10.48550/arXiv.1808.10308

2018-08-30

Software Engineering

Abstract:In the early 90s, researchers began to focus on security as an important property to address in combination with safety. Over the years, researchers have proposed approaches to harmonize activities within the safety and security disciplines. Despite the academic efforts to identify interdependencies and to propose combined approaches for safety and security, there is still a lack of integration between safety and security practices in the industrial context, as they have separate standards and independent processes often addressed and assessed by different organizational teams and authorities. Specifically, security concerns are generally not covered in any detail in safety standards potentially resulting in successfully safety-certified systems that still are open for security threats from e.g., malicious intents from internal and external personnel and hackers that may jeopardize safety. In recent years security has again received an increasing attention of being an important issue also in safety assurance, as the open interconnected nature of emerging systems makes them susceptible to security threats at a much higher degree than existing more confined products.This article presents initial ideas on how to extend safety work to include aspects of security during the context establishment and initial risk assessment procedures. The ambition of our proposal is to improve safety and increase efficiency and effectiveness of the safety work within the frames of the current safety standards, i.e., raised security awareness in compliance with the current safety standards. We believe that our proposal is useful to raise the security awareness in industrial contexts, although it is not a complete harmonization of safety and security disciplines, as it merely provides applicable guidance to increase security awareness in a safety context.

Abdullah Al Hayajneh,Hasnain Nizam Thakur,Kutub Thakur

DOI: https://doi.org/10.5539/cis.v16n4p1

2023-11-20

Computer and Information Science

Abstract:In the contemporary era marked by the extensive utilization of data, information systems have been extensively embraced by global organizations and also hold a pivotal position in national defense and various other domains. The growing interconnectedness between individuals and diverse information systems has resulted in an intensified emphasis on the evaluation of potential risks. The mitigation of these dangers extends beyond simple technological solutions and includes established standards, legal structures, and policies, adopting a complete approach based on safety engineering concepts. This study aims to develop a robust framework for the harmonization of Information Technology Security Standards. It will explore prevalent techniques for conducting risk assessments and differentiate between quantitative and qualitative approaches to evaluation. Moreover, this study illustrates the combination of quantitative and qualitative evaluation methodologies, providing a comprehensive framework for the analysis and design of risk assessment. In addition, this study advances our understanding of INFOSEC risk assessment and contributes to the advancement of more efficient information security strategies by sharing global perspectives, addressing challenges in classification, clarifying the incorporation of Information Security Management Systems (ISMS), and highlighting the significance of Artificial Intelligence in the domain of Information Security (INFOSEC).

Ahmed I. Al-Darwish,Pilsung Choe

DOI: https://doi.org/10.1007/978-3-030-22351-9_15

2019-01-01

Abstract: Information systems support organizations to achieve strategic competitiveness over other organizations and assist senior management in the decision-making process. In addition, they help organizations in timely implementation of projects and effective risk management. A reliable and coherent Information System requires a solid security framework that ensures Confidentiality, Integrity, Availability, Authenticity and Auditability of the critical information assets; therefore, managing security is essential for organizations doing business in a globally networked and competitive environment whilst seeking to achieve their objectives and goals and ensuring the continuity of business. This paper provides an integrated framework that classifies and holistic view of challenges in Information Security Systems, and their interrelationships. The framework is expected to provide a basis that can be used to evaluate individual organizational members’ behavior and the adequateness of existing security measures.

Ahmed I. Al-Darwish,Pilsung Choe

DOI: https://doi.org/10.1007/978-3-030-25629-6_114

2019-01-01

Abstract:Information systems support organizations to achieve strategic competitiveness and to improve the decision-making process. In addition, they help timely implementation of projects and effective risk management. A reliable and coherent information system requires a solid security framework that ensures Confidentiality, Integrity, Availability, Authenticity and Auditability of the critical information assets; therefore, managing security is essential for organizations doing a business in a globally networked and competitive environment whilst seeking to achieve their objectives and goals and ensuring the continuity of business. To date, studies have shown that non-technical risks are as important as technical risks in safeguarding. However, little attention has been paid to the role of human factors or organizational factors. This study validates the importance of non-technical factors based on a case study of an incident analysis using the information security framework with a focus of non-technical factors.

Michael R. Grimaila,Adedeji Badiru

DOI: https://doi.org/10.1007/s12351-010-0102-2

IF: 2.7

2011-01-23

Operational Research

Abstract:The increased reliance on information technology systems and communications networks in support of the core organizational processes creates an environment where significant, and potentially catastrophic, losses can result from a loss or corruption of a critical information resource. Risk assessment is the widely accepted process used to understand, quantify, and document the effects of undesirable events on organizational objectives so that risk management, continuity of operations planning, and contingency planning can be performed. In this paper, we present the application of a simulation-based hybrid analytic dynamic forecasting methodology that combines the techniques of analytic hierarchy process, factor analysis, and spanning tree to the problem of selecting among a set contingency measures following events which place the organizational mission at risk. The methodology makes use of qualitative subjective assessments by subject matter experts at multiple levels of the organization and uses historical event occurrences (when available) to provide the decision maker with a ongoing recommendation of the best contingency measures to employ to assure the organizational mission objectives. The method is novel because it augments the decision maker’s experiential knowledge with a probabilistic forecast of the best contingency measure to take in response to events based upon subject matter expert knowledge, historical evidence, and the real-time status critical resources. The methodology provides a structured approach to mitigate operational risk in complex environments and decreases the time required to make decisions under conditions of uncertainty.

operations research & management science

Kwo‐Shing Hong,Yen‐Ping Chi,Louis R. Chao,Jih‐Hsing Tang

DOI: https://doi.org/10.1108/09685220310500153

2003-12-01

Abstract:With the popularity of electronic commerce, many organizations are facing unprecedented security challenges. Security techniques and management tools have caught a lot of attention from both academia and practitioners. However, there is lacking a theoretical framework for information security management. This paper attempts to integrate security policy theory, risk management theory, control and auditing theory, management system theory and contingency theory in order to build a comprehensive theory of information security management (ISM). This paper suggests that an integrated system theory is useful for understanding information security management, explaining information security management strategies, and predicting management outcomes. This theory may lay a solid theoretical foundation for further empirical research and application.

Craig A. Horne,Atif Ahmad,Sean B. Maynard

DOI: https://doi.org/10.48550/arXiv.1606.03528

2016-06-11

Abstract:Dependence on information, including for some of the world's largest organisations such as governments and multi-national corporations, has grown rapidly in recent years. However, reports of information security breaches and their associated consequences continue to indicate that attacks are still escalating on organisations when conducting these information-based activities. Clearly, more research is needed to better understand how organisations should formulate strategy to secure their information. Through a thematic review of academic security literature, we (1) analyse the antecedent conditions that motivate the potential adoption of a comprehensive information security strategy, (2) the current perspectives of strategy and (3) the yields and benefits that could be enjoyed post-adoption. Our contributions include a definition of information security strategy. We argue for a paradigm shift to extend from internally-focussed protection of organisation-wide information towards a strategic view that considers the inter-organisational level. Our findings are then used to suggest future research directions.

Computers and Society,Cryptography and Security

Harrison Stewart,Jan Jürjens

DOI: https://doi.org/10.1108/ics-07-2016-0054

2017-11-13

Information and Computer Security

Abstract:Purpose The aim of this study is to encourage management boards to recognize that employees play a major role in the management of information security. Thus, these issues need to be addressed efficiently, especially in organizations in which data are a valuable asset. Design/methodology/approach Before developing the instrument for the survey, first, effective measurement built upon existing literature review was identified and developed and the survey questionnaires were set according to past studies and the findings based on qualitative analyses. Data were collected by using cross-sectional questionnaire and a Likert scale, whereby each question was related to an item as in the work of Witherspoon et al. (2013). Data analysis was done using the SPSS.3B. Findings Based on the results from three surveys and findings, a principle of information security compliance practices was proposed based on the authors’ proposed nine-five-circle (NFC) principle that enhances information security management by identifying human conduct and IT security-related issues regarding the aspect of information security management. Furthermore, the authors’ principle has enabled closing the gap between technology and humans in this study by proving that the factors in the present study’s finding are interrelated and work together, rather than on their own. Research limitations/implications The main objective of this study was to address the lack of research evidence on what mobilizes and influences information security management development and implementation. This objective has been fulfilled by surveying, collecting and analyzing data and by giving an account of the attributes that hinder information security management. Accordingly, a major practical contribution of the present research is the empirical data it provides that enable obtaining a bigger picture and precise information about the real issues that cause information security management shortcomings. Practical implications In this sense, despite the fact that this study has limitations concerning the development of a diagnostic tool, it is obviously the main procedure for the measurements of a framework to assess information security compliance policies in the organizations surveyed. Social implications The present study’s discoveries recommend in actuality that using flexible tools that can be scoped to meet individual organizational needs have positive effects on the implementation of information security management policies within an organization. Accordingly, the research proposes that organizations should forsake the oversimplified generalized guidelines that neglect the verification of the difference in information security requirements in various organizations. Instead, they should focus on the issue of how to sustain and enhance their organization’s compliance through a dynamic compliance process that involves awareness of the compliance regulation, controlling integration and closing gaps. Originality/value The rapid growth of information technology (IT) has created numerous business opportunities. At the same time, this growth has increased information security risk. IT security risk is an important issue in industrial sectors, and in organizations that are innovating owing to globalization or changes in organizational culture. Previously, technology-associated risk assessments focused on various technology factors, but as of the early twenty-first century, the most important issue identified in technology risk studies is the human factor.

Martijn Dekker,Lampis Alevizos

DOI: https://doi.org/10.1002/spy2.333

2023-06-26

Abstract:The challenge of decision-making under uncertainty in information security has become increasingly important, given the unpredictable probabilities and effects of events in the ever-changing cyber threat landscape. Cyber threat intelligence provides decision-makers with the necessary information and context to understand and anticipate potential threats, reducing uncertainty and improving the accuracy of risk analysis. The latter is a principal element of evidence-based decision-making, and it is essential to recognize that addressing uncertainty requires a new, threat-intelligence driven methodology and risk analysis approach. We propose a solution to this challenge by introducing a threat-intelligence based security assessment methodology and a decision-making strategy that considers both known unknowns and unknown unknowns. The proposed methodology aims to enhance the quality of decision-making by utilizing causal graphs, which offer an alternative to conventional methodologies that rely on attack trees, resulting in a reduction of uncertainty. Furthermore, we consider tactics, techniques, and procedures that are possible, probable, and plausible, improving the predictability of adversary behavior. Our proposed solution provides practical guidance for information security leaders to make informed decisions in uncertain situations. This paper offers a new perspective on addressing the challenge of decision-making under uncertainty in information security by introducing a methodology that can help decision-makers navigate the intricacies of the dynamic and continuously evolving landscape of cyber threats.

Cryptography and Security

Irfan Syamsuddin

DOI: https://doi.org/10.5120/12120-8242

2013-10-12

Abstract:Information security plays a significant role in recent information society. Increasing number and impact of cyber attacks on information assets have resulted the increasing awareness among managers that attack on information is actually attack on organization itself. Unfortunately, particular model for information security evaluation for management levels is still not well defined. In this study, decision analysis based on Ternary Analytic Hierarchy Process (T-AHP) is proposed as a novel model to aid managers who responsible in making strategic evaluation related to information security issues. In addition, sensitivity analysis is applied to extend our analysis by using several "what-if" scenarios in order to measure the consistency of the final evaluation. Finally, we conclude that the final evaluation made by managers has a significant consistency shown by sensitivity analysis results.

Computers and Society,Cryptography and Security

Simon Miller,Susan Appleby,Jonathan M. Garibaldi,Uwe Aickelin

DOI: https://doi.org/10.2139/ssrn.2823280

2013-01-01

International Journal of Secure Software Engineering

Abstract:The task of designing secure software systems is fraught with uncertainty, as data on uncommon attacks is limited, costs are difficult to estimate, and technology and tools are continually changing. Consequently, experts may interpret the security risks posed to a system in different ways, leading to variation in assessment. This paper presents research into measuring the variability in decision making between security professionals, with the ultimate goal of improving the quality of security advice given to software system designers. A set of thirty nine cyber-security experts took part in an exercise in which they independently assessed a realistic system scenario. This study quantifies agreement in the opinions of experts, examines methods of aggregating opinions, and produces an assessment of attacks from ratings of their components. We show that when aggregated, a coherent consensus view of security emerges which can be used to inform decisions made during systems design.

Ahmed S. Alfakeeh,Abdulmohsen Almalawi,Fawaz Jaber Alsolami,Yoosef B. Abushark,Asif Irshad Khan,Adel Aboud S. Bahaddad,Alka Agrawal,Rajeev Kumar,Raees Ahmad Khan

DOI: https://doi.org/10.32604/cmc.2022.020146

2022-01-01

Abstract:Security is an important component in the process of developing healthcare web applications. We need to ensure security maintenance; therefore the analysis of healthcare web application's security risk is of utmost importance. Properties must be considered to minimise the security risk. Additionally, security risk management activities are revised, prepared, implemented, tracked, and regularly set up efficiently to design the security of healthcare web applications. Managing the security risk of a healthcare web application must be considered as the key component. Security is, in specific, seen as an add-on during the development process of healthcare web applications, but not as the key problem. Researchers must ensure that security is taken into account right from the earlier developmental stages of the healthcare web application. In this row, the authors of this study have used the hesitant fuzzy-based AHP-TOPSIS technique to estimate the risks of various healthcare web applications for improving security-durability. This approach would help to design and incorporate security features in healthcare web applications that would be able to battle threats on their own, and not depend solely on the external security of healthcare web applications. Furthermore, in terms of healthcare web application's security-durability, the security risk variable is measured, and vice versa. Hence, the findings of our study will also be useful in improving the durability of several web applications in healthcare.

Xiaotong Li,Hua Li,Bingzhen Sun,Fang Wang

DOI: https://doi.org/10.3233/jifs-172097

2018-01-01

Journal of Intelligent & Fuzzy Systems

Abstract:Through advancing in information and communications technology, Smart Cities provide many potential advantages like improved energy efficiency, new economic opportunities and management methods, however the information security in the top-level design of building a quite efficient smart city is easy to be ignored and caused a huge economic losses for citizens. We focus on mining information risks of smart city from the perspective of system, identifying the key risks and determining the importance of each factor, in order to measure the risk accurately. This paper presents a failure mode and effects analysis (FMEA) method to analyze five dimensions of the information security of smart city, and assess the risks on the basis of the fuzzy set theory and the grey relational theory. Due to the problem is the risk assessment of multi-dimension for an organization information security, we present a decision model that provides an efficient framework for calculating the value of risk assessment. The results indicate that aspects of the highest importance of the information security risk of smart city are the threats in natural, contrived and physical aspects, followed by the lack of public security education and training. Through the analysis we can find out the relationship between the failure modes and the overall situation of the system, then it can distinguish the main factors which play a driving role, and the secondary factors which have less impact on the system. According to the assessment results, some suggestions are put forward to guarantee the information security of smart city. The practical application of fuzzy and grey FMEA proposed in this paper helps enhance the reliability of the prediction, and the ranking of risk factors can be used for better decision-making concerning taking measures, which in turn will make smart city safer.

Mikko T. Siponen,Harri Oinas-Kukkonen

DOI: https://doi.org/10.1145/1216218.1216224

2007-02-28

Abstract:This paper identifies four security issues (access to Information Systems, secure communication, security management, development of secure Information Systems), and examines the extent to which these security issues have been addressed by existing research efforts. Research contributions in relation to these four security issues are analyzed from three viewpoints: a meta-model for information systems, the research approaches used, and the reference disciplines used. Our survey reveals that most information security research has focused on the technical context, and on issues of access to IS and secure communication. The corresponding security issues have been resolved by using mathematical approaches as a research approach. The reference disciplines most commonly reflected have been mathematics, including philosophical logic. Based on this analysis, we suggest new directions for studying information security from an information systems viewpoint, with respect to research methodology and research questions. Empirical studies in relation to the issues of security management and the development of secure IS, based on suitable reference theories (e.g., psychology, sociology, semiotics, and philosophy), are particularly necessary.

Andrew Fielder,Emmanouil Panaousis,Pasquale Malacaria,Chris Hankin,Fabrizio Smeraldi

DOI: https://doi.org/10.48550/arXiv.1502.05532

2015-02-19

Abstract:When investing in cyber security resources, information security managers have to follow effective decision-making strategies. We refer to this as the cyber security investment challenge. In this paper, we consider three possible decision-support methodologies for security managers to tackle this challenge. We consider methods based on game theory, combinatorial optimisation and a hybrid of the two. Our modelling starts by building a framework where we can investigate the effectiveness of a cyber security control regarding the protection of different assets seen as targets in presence of commodity threats. In terms of game theory we consider a 2-person control game between the security manager who has to choose among different implementation levels of a cyber security control, and a commodity attacker who chooses among different targets to attack. The pure game theoretical methodology consists of a large game including all controls and all threats. In the hybrid methodology the game solutions of individual control-games along with their direct costs (e.g. financial) are combined with a knapsack algorithm to derive an optimal investment strategy. The combinatorial optimisation technique consists of a multi-objective multiple choice knapsack based strategy. We compare these approaches on a case study that was built on SANS top critical controls. The main achievements of this work is to highlight the weaknesses and strengths of different investment methodologies for cyber security, the benefit of their interaction, and the impact that indirect costs have on cyber security investment.

Computer Science and Game Theory,Cryptography and Security

Joseph H. Schuessler

DOI: https://doi.org/10.1080/15536548.2013.10845676

2013-04-01

Journal of Information Privacy and Security

Abstract:Information Systems Security (ISS) is of major concern to not only network administrators, but also for managers of organizations for a variety of reasons including: the need for organizations to comply with various regulatory agencies, the reliance on information systems to provide the organizational backbone to the organization, and rising operational dependence on ecommerce to conduct daily business activities. These aspects create challenges for network managers who are tasked with balancing the needs of stakeholders with protection of sensitive information and valuable hardware. Despite ISS being largely a managerial issue, managerial concern for ISS is inadequate, evidenced by its consistently low ranking as a key issue in information systems management surveys. This research seeks to examine the current state of threats faced by organizations and the countermeasures they employ by examining prior research on the subject and comparing the results of that research to interview responses from “experts” in positions that required both a technical and managerial understanding of the threats and countermeasures faced and used respectively. Results suggest that, based on interview responses from experts, both threats and countermeasure responses have changed over time. Interpretation of the results will help systems administrators and network managers better understand modern threats and point towards potential remedies to mitigate the risk generated by such threats.

Lotfi Hajjem,Salah Benabdallah,Fouad Ben Abdelaziz

DOI: https://doi.org/10.48550/arXiv.1704.06713

2017-04-22

Abstract:Today, with the continued growth in using information and communication technologies (ICT) for business purposes, business organizations become increasingly dependent on their information systems. Thus, they need to protect them from the different attacks exploiting their vulnerabilities. To do so, the organization has to use security technologies, which may be proactive or reactive ones. Each security technology has a relative cost and addresses specific vulnerabilities. Therefore, the organization has to put in place the appropriate security technologies set that minimizes the information system s vulnerabilities with a minimal cost. This bi objective problem will be considered as a resources allocation problem (RAP) where security technologies represent the resources to be allocated. However, the set of vulnerabilities may change, periodically, with the continual appearance of new ones. Therefore, the security technologies set should be flexible to face these changes, in real time, and the problem becomes a dynamic one. In this paper, we propose a harmony search based algorithm to solve the bi objective dynamic resource allocation decision model. This approach was compared to a genetic algorithm and provided good results.

Cryptography and Security,Neural and Evolutionary Computing

Debi Ashenden

DOI: https://doi.org/10.1016/j.istr.2008.10.006

2008-11-01

Information Security Technical Report

Abstract:This paper considers to what extent the management of Information Security is a human challenge. It suggests that the human challenge lies in accepting that individuals in the organisation have not only an identity conferred by their role but also a personal and social identity that they bring with them to work. The challenge that faces organisations is to manage this while trying to achieve the optimum configuration of resources in order to meet business objectives. The paper considers the challenges for Information Security from an organisational perspective and develops an argument that builds on research from the fields of management and organisational behaviour. It concludes that the human challenge of Information Security management has largely been neglected and suggests that to address the issue we need to look at the skills needed to change organisational culture, the identity of the Information Security Manager and effective communication between Information Security Managers, end users and Senior Managers.

Alexander A. Ganin,Phuoc Quach,Mahesh Panwar,Zachary A. Collier,Jeffrey M. Keisler,Dayton Marchese,Igor Linkov

DOI: https://doi.org/10.1111/risa.12891

2017-09-05

Risk Analysis

Abstract:Risk assessors and managers face many difficult challenges related to novel cyber systems. Among these challenges are the constantly changing nature of cyber systems caused by technical advances, their distribution across the physical, information, and sociocognitive domains, and the complex network structures often including thousands of nodes. Here, we review probabilistic and risk-based decision-making techniques applied to cyber systems and conclude that existing approaches typically do not address all components of the risk assessment triplet (threat, vulnerability, consequence) and lack the ability to integrate across multiple domains of cyber systems to provide guidance for enhancing cybersecurity. We present a decision-analysis-based approach that quantifies threat, vulnerability, and consequences through a set of criteria designed to assess the overall utility of cybersecurity management alternatives. The proposed framework bridges the gap between risk assessment and risk management, allowing an analyst to ensure a structured and transparent process of selecting risk management alternatives. The use of this technique is illustrated for a hypothetical, but realistic, case study exemplifying the process of evaluating and ranking five cybersecurity enhancement strategies. The approach presented does not necessarily eliminate biases and subjectivity necessary for selecting countermeasures, but provides justifiable methods for selecting risk management actions consistent with stakeholder and decisionmaker values and technical data.

public, environmental & occupational health,mathematics, interdisciplinary applications,social sciences, mathematical methods

Kaja Prislan,Anže Mihelič,Igor Bernik

DOI: https://doi.org/10.1371/journal.pone.0238739

IF: 3.7

2020-09-08

PLoS ONE

Abstract:Measuring the performance of information security is an essential part of the information security management system within organisations. Studies in the past mainly focused on establishing qualitative measurement approaches. Since these can lead to ambiguous conclusions, quantitative metrics are being increasingly proposed as a useful alternative. Nevertheless, the literature on quantitative approaches remains scarce. Thus, studies on the evaluation of information security performance are challenging, especially since many approaches are not tested in organisational settings. The paper aims to validate the model used for evaluating the performance of information security management system through a multidimensional socio-technical approach, in a real-world settings among medium-sized enterprises in Slovenia. The results indicate that information security is strategically defined and compliant, however, measures are primarily implemented at technical and operational levels, while its strategic management remains underdeveloped. We found that the biggest issues are related to information resources and risk management, where information security measurement-related activities proved to be particularly problematic. Even though enterprises do possess certain information security capabilities and are aware of the importance of information security, their current practices make it difficult for them to keep up with the fast-paced technological and security trends.