B. Lampson

Abstract:Risk management is a fundamental principle of cybersecurity. It is the basis of the NIST Framework for Improving Critical Infrastructure Cybersecurity. Agencies of the U.S. Government certify the operational security of their information systems against the requirements of the FISMA Risk Management Framework (RMF). The alternative to risk management would presumably be a quest for total security – both unaffordable and unachievable.

Law,Political Science,Computer Science

Knut Haufe,Ricardo Colomo-Palacios,Srdan Dzombeta,Knud Brandis,Vladimir Stantchev

DOI: https://doi.org/10.12821/ijispm040402

2022-02-02

International Journal of Information Systems and Project Management

Abstract:Securing sensitive organizational data has become increasingly vital to organizations. An Information Security Management System (ISMS) is a systematic approach for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an organization's information security. Key elements of the operation of an ISMS are ISMS processes. However, and in spite of its importance, an ISMS process framework with a description of ISMS processes and their interaction as well as the interaction with other management processes is not available in the literature. Cost benefit analysis of information security investments regarding single measures protecting information and ISMS processes are not in the focus of current research, mostly focused on economics. This article aims to fill this research gap by proposing such an ISMS process framework as the main contribution. It is based on a set of agreed upon ISMS processes in existing standards like ISO 27000 series, COBIT and ITIL. Within the framework, identified processes are described and their interaction and interfaces are specified. This framework helps to focus on the operation of the ISMS, instead of focusing on measures and controls. By this, as a main finding, the systemic character of the ISMS consisting of processes and the perception of relevant roles of the ISMS is strengthened.

Michael Stoltz

DOI: https://doi.org/10.48550/arxiv.2405.07094

2024-05-11

Cryptography and Security

Abstract:This informative report provides a comprehensive analysis of how executive federal report agencies implement the National Institute of Standards and Technology's (NIST) Risk Management Framework (RMF) to achieve cybersecurity compliance. By exploring the concept and evolution of the RMF, the report delves into the framework's importance for enhancing cybersecurity measures within federal agencies, addressing the challenges these agencies face in the digital landscape. Through a methodical literature review, the report examines theoretical foundations, implementation strategies, and the critical role of continuous monitoring and automation in RMF processes, drawing from key sources like Ross (2014), Lubell (2020), Barrett et al. (2021), and Pillitteri et al. (2021, 2022), among others. Employing a detailed methodology for data collection and analysis, the report presents findings on the successes and challenges of RMF implementation, highlighting the impact of automation and continuous monitoring in bolstering cybersecurity postures. Case studies offer in-depth insights into the experiences of specific agencies, providing lessons learned and best practices. The report concludes with strategic recommendations for overcoming implementation challenges and suggests future directions for enhancing RMF research and practice. This investigation underscores the RMF's critical role in establishing robust cybersecurity compliance across executive federal agencies, offering valuable recommendations for policymakers, cybersecurity professionals, and governmental bodies.

Laurie Williams,Sammy Migues,Jamie Boote,Ben Hutchison

2024-04-19

Abstract:The Proactive Software Supply Chain Risk Management Framework (P SSCRM) described in this document is designed to help you understand and plan a secure software supply chain risk management initiative. P SSCRM was created through a process of understanding and analyzing real world data from nine industry leading software supply chain risk management initiatives as well as through the analysis and unification of ten government and industry documents, frameworks, and standards. Although individual methodologies and standards differ, many initiatives and standards share common ground. P SSCRM describes this common ground and presents a model for understanding, quantifying, and developing a secure software supply chain risk management program and determining where your organization's existing efforts stand when contrasted with other real world software supply chain risk management initiatives.

Cryptography and Security

Jeb Webb,Atif Ahmad,Sean B. Maynard,Graeme Shanks

DOI: https://doi.org/10.1016/j.cose.2014.04.005

2014-07-01

Abstract:Information security risk management (ISRM) is the primary means by which organizations preserve the confidentiality, integrity and availability of information resources. A review of ISRM literature identified deficiencies in the practice of information security risk assessment that inevitably lead to poor decision-making and inadequate or inappropriate security strategies. In this conceptual paper, we propose a situation aware ISRM (SA-ISRM) process model to complement the information security risk management process. Our argument is that the model addresses the aforementioned deficiencies through an enterprise-wide collection, analysis and reporting of risk-related information. The SA-ISRM model is adapted from Endsley's situation awareness model and has been refined using our findings from a case study of the US national security intelligence enterprise.

computer science, information systems

Jakub Breier,Adrian Baldwin,Helen Balinsky,Yang Liu

DOI: https://doi.org/10.48550/arXiv.2012.04884

2020-12-09

Cryptography and Security

Abstract:Adversarial attacks for machine learning models have become a highly studied topic both in academia and industry. These attacks, along with traditional security threats, can compromise confidentiality, integrity, and availability of organization's assets that are dependent on the usage of machine learning models. While it is not easy to predict the types of new attacks that might be developed over time, it is possible to evaluate the risks connected to using machine learning models and design measures that help in minimizing these risks. In this paper, we outline a novel framework to guide the risk management process for organizations reliant on machine learning models. First, we define sets of evaluation factors (EFs) in the data domain, model domain, and security controls domain. We develop a method that takes the asset and task importance, sets the weights of EFs' contribution to confidentiality, integrity, and availability, and based on implementation scores of EFs, it determines the overall security state in the organization. Based on this information, it is possible to identify weak links in the implemented security measures and find out which measures might be missing completely. We believe our framework can help in addressing the security issues related to usage of machine learning models in organizations and guide them in focusing on the adequate security measures to protect their assets.

Ahmed E. Youssef

DOI: https://doi.org/10.48550/arXiv.2001.08993

2020-01-13

Cryptography and Security

Abstract:Security is considered one of the top ranked risks of Cloud Computing (CC) due to the outsourcing of sensitive data onto a third party. In addition, the complexity of the cloud model results in a large number of heterogeneous security controls that must be consistently managed. Hence, no matter how strongly the cloud model is secured, organizations continue suffering from lack of trust on CC and remain uncertain about its security risk consequences. Traditional risk management frameworks do not consider the impact of CC security risks on the business objectives of the organizations. In this paper, we propose a novel Cloud Security Risk Management Framework (CSRMF) that helps organizations adopting CC identify, analyze, evaluate, and mitigate security risks in their Cloud platforms. Unlike traditional risk management frameworks, CSRMF is driven by the business objectives of the organizations. It allows any organization adopting CC to be aware of cloud security risks and align their low-level management decisions according to high-level business objectives. In essence, it is designed to address impacts of cloud-specific security risks into business objectives in a given organization. Consequently, organizations are able to conduct a cost-value analysis regarding the adoption of CC technology and gain an adequate level of confidence in Cloud technology. On the other hand, Cloud Service Providers (CSP) are able to improve productivity and profitability by managing cloud-related risks. The proposed framework has been validated and evaluated through a use-case scenario.

Lam‐for Kwok,Dennis Longley

DOI: https://doi.org/10.1108/09685229910255179

1999-03-01

Abstract:Information security management has been placed on a firmer footing with the publication of standards by national bodies. These standards provide an opportunity for security managers to gain senior management recognition of the importance of procedures and mechanisms to enhance information security. They may also place demands on security managers to provide convincing demonstration of conformance to the standards. The risk data repository (RDR) computer model described in this paper was developed to manage organisational information security data and facilitate risk analysis studies. The RDR provides a form of computer documentation that can assist the security officer to maintain a continuous record of the organisational information security scenario and facilitate system security development, business continuity planning and standards conformance audits.

Enrico Bracci,Tallaki Mouhcine,Tarek Rana,Danture Wickramasinghe

DOI: https://doi.org/10.1080/09540962.2021.1963071

2021-08-23

Abstract:While it is becoming pervasive and unavoidable in every organization, risk management (RM) interacts with control systems in public sector organizations (PSOs). This article presents a literature review showing that PSOs design and implement risk-based control systems arbitrarily. This leads to the issue of appropriate integration of RM in management accounting and control systems (MACS). Despite the importance of integrated RM, the existing literature shows that issues of RM are not well integrated at the MACS level, and that a radical cultural shift is still required in PSOs. Future RM studies must provide empirical data about integration in practice.

public administration

Jan Schröder,Jakub Breier

2024-06-15

Abstract:Machine learning (ML) models are used in many safety- and security-critical applications nowadays. It is therefore important to measure the security of a system that uses ML as a component. This paper focuses on the field of ML, particularly the security of autonomous vehicles. For this purpose, a technical framework will be described, implemented, and evaluated in a case study. Based on ISO/IEC 27004:2016, risk indicators are utilized to measure and evaluate the extent of damage and the effort required by an attacker. It is not possible, however, to determine a single risk value that represents the attacker's effort. Therefore, four different values must be interpreted individually.

Cryptography and Security,Artificial Intelligence,Machine Learning

Alexander A. Ganin,Phuoc Quach,Mahesh Panwar,Zachary A. Collier,Jeffrey M. Keisler,Dayton Marchese,Igor Linkov

DOI: https://doi.org/10.1111/risa.12891

2017-09-05

Risk Analysis

Abstract:Risk assessors and managers face many difficult challenges related to novel cyber systems. Among these challenges are the constantly changing nature of cyber systems caused by technical advances, their distribution across the physical, information, and sociocognitive domains, and the complex network structures often including thousands of nodes. Here, we review probabilistic and risk-based decision-making techniques applied to cyber systems and conclude that existing approaches typically do not address all components of the risk assessment triplet (threat, vulnerability, consequence) and lack the ability to integrate across multiple domains of cyber systems to provide guidance for enhancing cybersecurity. We present a decision-analysis-based approach that quantifies threat, vulnerability, and consequences through a set of criteria designed to assess the overall utility of cybersecurity management alternatives. The proposed framework bridges the gap between risk assessment and risk management, allowing an analyst to ensure a structured and transparent process of selecting risk management alternatives. The use of this technique is illustrated for a hypothetical, but realistic, case study exemplifying the process of evaluating and ranking five cybersecurity enhancement strategies. The approach presented does not necessarily eliminate biases and subjectivity necessary for selecting countermeasures, but provides justifiable methods for selecting risk management actions consistent with stakeholder and decisionmaker values and technical data.

public, environmental & occupational health,mathematics, interdisciplinary applications,social sciences, mathematical methods

Jhon Arista Alarcon

DOI: https://doi.org/10.47909/dtr.05

2023-05-16

Abstract:A risk management model makes it possible to explore the organizational factors and risk management practices that affect or delay the achievement of the objectives that are considered strategic. The purpose of managing risks is to develop a detailed analysis of the organization, its operations, assets, processes and their existing interrelationships in order to establish a complete list of risks, which implies identifying, analyzing and providing alternative treatment to risks. actual and potential. Therefore, a risk management model obtains too much importance when focusing on the needs of the organization in a specific way, since it is not only about copying norms or policies of one organization to mitigate the risks of another, but each of these has different scenarios or contexts.

Sabine Goldes,Ralf Schneider,Christian M. Schweda,Jawed Zamani

DOI: https://doi.org/10.1109/cybconf.2017.7985763

2017-06-01

Abstract:Information Security is a topic of increasing importance for organizations today. The triad of professionalization and industrialization of cyber-crime, globalization and digitalization of business models, and increasing regulatory focus on data protection exerts pressure on organizations and enterprises to implement sophisticated Information Security Management Systems (ISMS). Best-practices for implementing such systems are given by multiple de-facto standards, whereas blueprints for ISMS are relatively scarce. In this paper we discuss design requirements for a modern Information Security Management System, derive a blueprint for such a system based on the viable system approach, and exemplify constituents of the blueprint from the environment of an insurance enterprise.

Xuan Zhang,Nattapong Wuwong,Hao Li,Xuejie Zhang

DOI: https://doi.org/10.1109/cit.2010.501

2010-06-01

Abstract:The security risks associated with each cloud delivery model vary and are dependent on a wide range of factors including the sensitivity of information assets, cloud architectures and security controls involved in a particular cloud environment [7]. Over time, organizations tend to relax their security posture. To combat a relaxation of security, the cloud provider should perform regular security assessments [3]. Risk management framework is one of security assessment tool to reduction of threats and vulnerabilities and mitigates security risks. The goal of this paper is to present information risk management framework for better understanding critical areas of focus in cloud computing environment, to identifying a threat and identifying vulnerability. This framework is covering all of cloud service models and cloud deployment models. Cloud provider can be applied this framework to organizations to do risk mitigation.

Gregor Svindland,Alexander Voß

2024-10-25

Abstract:We introduce a decision-making framework tailored for the management of systemic risk in networks. This framework is constructed upon three fundamental components: (1) a set of acceptable network configurations, (2) a set of interventions aimed at risk mitigation, and (3) a cost function quantifying the expenses associated with these interventions. While our discussion primarily revolves around the management of systemic cyber risks in digital networks, we concurrently draw parallels to risk management of other complex systems where analogous approaches may be adequate.

Risk Management,Cryptography and Security,Discrete Mathematics,Networking and Internet Architecture,Systems and Control

Sucheta Lahiri,Jeff Saltz

DOI: https://doi.org/10.12821/ijispm120403

2024-10-07

International Journal of Information Systems and Project Management

Abstract:Many data science endeavors encounter failure, surfacing at any project phase. Even after successful deployments, data science projects grapple with ethical dilemmas, such as bias and discrimination. Current project management methodologies prioritize efficiency and cost savings over risk management. The methodologies largely overlook the diverse risks of sociotechnical systems and risk articulation inherent in data science lifecycles. Conversely, while the established risk management framework (RMF) by NIST and McKinsey aims to manage AI risks, there is a heavy reliance on normative definitions of risk, neglecting the multifaceted subjectivities of data science project failures. This paper reports on a systematic literature review that identifies three main themes: Big Data Execution Issues, Demand for a Risk Management Framework tailored for Large-Scale Data Science Projects, and the need for a General Risk Management Framework for all Data Science Endeavors. Another overarching focus is on how risk is articulated by the institution and the practitioners. The paper discusses a novel and adaptive data science risk management framework – “DS EthiCo RMF” – which merges project management, ethics, and risk management for diverse data science projects into one holistic framework. This agile risk management framework DS EthiCo RMF can bridge the current divide between normative risk standards and the multitude of data science requirements, offering a human-centric method to navigate the intertwined sociotechnical risks of failure in data science projects.

Šarūnas Grigaliūnas,Rasa Brūzgienė,Michael Schmidt,Panayiota Smyrli,Stephanos Andreou,Audrius Lopata

DOI: https://doi.org/10.3390/electronics13193955

IF: 2.9

2024-10-09

Electronics

Abstract:The growing complexity of cybersecurity threats demands a robust framework that integrates various security domains, addressing the issue of disjointed security practices that fail to comply with evolving regulations. This paper introduces a novel information security management and compliance framework that integrates operational, technical, human, and physical security domains. The aim of this framework is to enable organizations to identify the requisite information security controls and legislative compliance needs effectively. Unlike traditional approaches, this framework systematically aligns with both current and emerging security legislation, including GDPR, NIS2 Directive, and the Artificial Intelligence Act, offering a unified approach to comprehensive security management. The experimental methodology involves evaluating the framework against five distinct risk scenarios to test its effectiveness and adaptability. Each scenario assesses the framework's capability to manage and ensure compliance with specific security controls and regulations. The results demonstrate that the proposed framework not only meets compliance requirements across multiple security domains but also provides a scalable solution for adapting to new threats and regulations efficiently. These findings represent a significant step forward in holisticsecurity management, indicating that organizations can enhance their security posture and legislative compliance simultaneously through this integrated framework.

engineering, electrical & electronic,computer science, information systems,physics, applied

Zahrina Aulia Adriani,Teguh Raharjo,Ni Wayan Trisnawaty

DOI: https://doi.org/10.33022/ijcs.v13i3.4016

2024-06-15

Indonesian Journal of Computer Science

Abstract:Risk management in the software development lifecycle (SDLC) is a continuous process that addresses risks throughout a system's lifecycle, including acquisition, development, maintenance, or operation. Despite its importance, ineffective risk management practices can lead to project failures, impacting organizations financially and reputationally. Therefore, there is a need for a systematic understanding of risk management practices in SDLC. This study conducts a Systematic Literature Review (SLR) related to risk management activities performed by previous research during the SDLC. The SLR method combines Kitchenham with the toll-gate method to select literature for use. This SLR aims to investigate activities in traditional waterfall and agile development processes, which will be mapped into risk management activities in SDLC according to ISO 16085:202. Additionally, the review highlights the challenges encountered in implementing risk management in the SDLC process, including project complexity, adherence to policies and standards, lack of communication, lack of resources, and organizational culture.

M.M Eloff,S.H von Solms

DOI: https://doi.org/10.1016/s0167-4048(00)88613-7

2000-03-01

Abstract:The present article is aimed at clarifying the oft-times confusing terminology and at elucidating the various approaches obtaining to the realm of Information Security (IS) management. The IS management approaches selected for discussion in this article will specifically address those rudiments and concepts that play a key role in the assessment of the IS status of an organization. Following, a hierarchical framework will be developed in terms of which to elucidate ill-defined terms and concepts. By so doing, issues such as certification, benchmarking, guidelines and codes of practice will come under consideration. IS management approaches widely accepted in the international arena will also be mapped onto the said hierarchical framework.

computer science, information systems

D. Sandhya rani,T. Varalakshmi,G. Hemanth kumar

DOI: https://doi.org/10.47392/irjaem.2024.0255

2024-05-31

Abstract:Despite significant efforts to ensure the success of software projects, the risk of failure remains high. Although these risks cannot be entirely eliminated, they can be effectively managed through proper risk management techniques throughout the software development lifecycle. This study aims to classify and identify the most effective risk management techniques using factor analysis. We surveyed software project managers, presenting them with thirty different risk management techniques, which they frequently used and deemed effective. We categorized these techniques into three main components: Planning and Requirement Techniques, Communication Techniques, and Models and Tools. The study's findings will be applied to a real-world software project to verify their effectiveness in mitigating risks. A novel multi-dimensional weighting approach is proposed to highlight the relationships between risks and actions, selecting best-fit profiles for both business and risk via an `if-the-shoe-fits' process, and determining precise mitigating actions through score tolerance bands. The successful identification and implementation of these techniques are expected to significantly improve the likelihood of mitigating risks in software projects.