Addressing dynamic issues in information security management

Cited by: 17
Authors
Abbas H. [1 ]
Magnusson C. [1 ]
Yngstrom L. [1 ]
Hemani A. [1 ]
Affiliations
[1] ECS, ICT, Royal Institute of Technology, Department of Computer and System Sciences, Stockholm University, Stockholm
Source
Information Management and Computer Security | 2011 / Vol. 19 / No. 1
Keywords
Data security; Generation and dissemination of information; Information systems
DOI
10.1108/09685221111115836
Abstract
Purpose – The purpose of this paper is to address three main problems resulting from uncertainty in information security management: dynamically changing security requirements of an organization; externalities caused by a security system; and obsolete evaluation of security concerns.

Design/methodology/approach – In order to address these critical concerns, a framework based on options reasoning borrowed from corporate finance is proposed and adapted to the evaluation of security architecture and to decision making for handling these issues at the organizational level. The adaptation as a methodology is demonstrated by a large case study validating its efficacy.

Findings – The paper shows through three examples that it is possible to have a coherent methodology, building on options theory, to deal with uncertainty issues in information security at an organizational level.

Practical implications – To validate the efficacy of the methodology proposed in this paper, it was applied to the Spridnings- och Hämtningssystem (SHS: dissemination and retrieval system). The paper introduces the methodology, presents its application to the SHS system in detail and compares it to current practice.

Originality/value – This research is relevant to information security management in organizations, particularly issues of changing requirements and evaluation in the uncertain circumstances created by progress in technology.

© 2011, Emerald Group Publishing Limited
Pages: 5 / 24
Number of pages: 19