From rationale to lessons learned in the cloud information security risk assessment: a study of organizations in Sweden

Purpose This study aims to address the issue of practicing information security risk assessment (ISRA) on cloud solutions by studying municipalities and large organizations in Sweden. Design/methodology/approach Four large organizations and five municipalities that use cloud services and conduct ISRA to adhere to their information security risk management practices were studied. Data were gathered qualitatively to answer the study’s research question: How is ISRA practiced on the cloud? The Coat Hanger model was used as a theoretical lens to study and theorize the practices. Findings The results showed that the organizations aimed to follow the guidelines, in the form of frameworks or their own experience, to conduct ISRA; furthermore, the frameworks were altered to fit the organizations’ needs. The results further indicated that one of the main concerns with the cloud ISRA was the absence of a culture that integrates risk management. Finally, the findings also stressed the importance of a good understanding and a well-written legal contract between the cloud providers and the organizations using the cloud services. Originality/value As opposed to the previous research, which was more inclined to try out and evaluate various cloud ISRA, the study provides insights into the practice of cloud ISRA experienced by the organizations. This study represents the first attempt to investigate cloud ISRA that organizations practice in managing their information security.

Download Full-text

Collective information structure model for Information Security Risk Assessment (ISRA)

Journal of Systems and Information Technology ◽

10.1108/jsit-02-2015-0013 ◽

2015 ◽

Vol 17 (2) ◽

pp. 193-219 ◽

Cited By ~ 4

Author(s):

Palaniappan Shamala ◽

Rabiah Ahmad ◽

Ali Hussein Zolait ◽

Shahrin bin Sahib

Keyword(s):

Risk Assessment ◽

Information Security ◽

Information Structure ◽

Structure Model ◽

Security Risk ◽

Content Type ◽

Information Security Risk ◽

Security Risk Assessment ◽

Collective Information ◽

Tedious Process

Purpose – Information security has become an essential entity for organizations across the globe to eliminate the possible risks in their organizations by conducting information security risk assessment (ISRA). However, the existence of numerous different types of risk assessment methods, standards, guidelines and specifications readily available causes the organizations to face the daunting tasks in determining the most suitable method that would augur well in meeting their needs. Therefore, to overcome this tedious process, this paper suggests collective information structure model for ISRA. Design/methodology/approach – The proposed ISRA model was developed by deploying a questionnaire using close-ended questions administrated to a group of information security practitioners in Malaysia (N = 80). The purpose of the survey was to strengthen and add more relevant additional features to the existing framework, as it was developed based on secondary data. Findings – Previous comparative and analyzed studies reveals that all the six types of ISRA methodologies have features of the same kind of information with a slight difference in form. Therefore, questionnaires were designed to insert additional features to the research framework. All the additional features chosen were based on high frequency of more than half percentage agreed responses from respondents. The analyses results inspire in generating a collective information structure model which more practical in the real environment of the workplace. Practical implications – Generally, organizations need to make comparisons between methodologies and decide on the best due to the inexistence of agreed reference benchmark in ISRA methodologies. This tedious process leads to unwarranted time, money and energy consumption. Originality/value – The collective information structure model for ISRA aims to assist organizations in getting a general view of ISRA flow and gathering information on the requirements to be met before risk assessment can be conducted successfully. This model can be conveniently used by organizations to complete all the required planning as well as to select the suitable methods to complete the ISRA.

Download Full-text

Information Security Risk Assessment Model for Risk Management

Trust and Privacy in Digital Business - Lecture Notes in Computer Science ◽

10.1007/11824633_3 ◽

2006 ◽

pp. 21-30 ◽

Cited By ~ 8

Author(s):

Dariusz Wawrzyniak

Keyword(s):

Risk Assessment ◽

Risk Management ◽

Information Security ◽

Assessment Model ◽

Risk Assessment Model ◽

Security Risk ◽

Information Security Risk ◽

Security Risk Assessment

Download Full-text

Risk assessment of digital library information security: a case study

The Electronic Library ◽

10.1108/el-09-2014-0158 ◽

2016 ◽

Vol 34 (3) ◽

pp. 471-487 ◽

Cited By ~ 5

Author(s):

Zhengbiao Han ◽

Shuiqing Huang ◽

Huan Li ◽

Ni Ren

Keyword(s):

Risk Assessment ◽

High Risk ◽

Information Security ◽

Digital Library ◽

Risk Level ◽

Security Risk ◽

Content Type ◽

Information Security Risk ◽

Security Risk Assessment

Purpose This paper uses the GB/T20984-2007 multiplicative method to assess the information security risk of a typical digital library in compliance with the principle and thought of ISO 27000. The purpose of this paper is to testify the feasibility of this method and provide suggestions for improving information security of the digital library. Design/methodology/approach This paper adopts convenience sampling to select respondents. The assessment of assets is through analyzing digital library-related business and function through a questionnaire which collects data to determine asset types and the importance of asset attributes. The five-point Likert scale questionnaire method is used to identify the threat possibility and its influence on the assets. The 12 respondents include directors and senior network technicians from the editorial department, comic library, children’s library, counseling department and the learning promotion centre. Three different Guttman scale questionnaires, tool testing and on-site inspection are combined to identify and assess vulnerabilities. There were different Guttman scale questionnaires for management personnel, technical personnel and general librarian. In all, 15 management librarians, 7 technical librarians and 72 ordinary librarians answered the vulnerability questionnaire. On-site inspection was conducted on the basis of 11 control domains of ISO 27002. Vulnerabilities were scanned using remote security evaluation system NSFOCUS. The scanning covered ten IP sections and a total of 81 hosts. Findings Overall, 2,792 risk scores were obtained. Among them, 282 items (accounting for 10.1 per cent of the total) reached the high risk level; 2 (0.1 per cent) reached the very high risk level. High-risk items involved 26 threat types (accounting for 44.1 per cent of all threat types) and 13 vulnerability types (accounting for 22.1 per cent of all vulnerability types). The evaluation revealed that this digital library faces seven major hidden dangers in information security. The assessment results were well accepted by staff members of this digital library, which testified to the applicability of this method to a Chinese digital library. Research limitations/implications This paper is only a case study of a typical Chinese digital library using a digital library information security assessment method. More case-based explorations are necessary to prove the feasibility of the assessing strategy proposed in this study. Originality/value Based on the findings of recent literature, the authors found that very few researchers have made efforts to develop methods for calculating the indicators for digital library information security risk assessment. On the basis of ISO 27000 and other related information security standards, this case study proposed an operable method of digital library information security risk assessment and used it to assess a the information security of a typical Chinese digital library. This study can offer insights for formulating a digital library information security risk assessment scale.

Download Full-text

Information Security Risk Assessment

Encyclopedia ◽

10.3390/encyclopedia1030050 ◽

2021 ◽

Vol 1 (3) ◽

pp. 602-617

Author(s):

Ievgeniia Kuzminykh ◽

Bogdan Ghita ◽

Volodymyr Sokolov ◽

Taimur Bakhshi

Keyword(s):

Risk Assessment ◽

Information System ◽

Information Security ◽

Management Practices ◽

Security Risk ◽

Security Risks ◽

Information Security Risk ◽

Security Risk Assessment ◽

The Cost ◽

Cost Of Protection

Information security risk assessment is an important part of enterprises’ management practices that helps to identify, quantify, and prioritize risks against criteria for risk acceptance and objectives relevant to the organization. Risk management refers to a process that consists of identification, management, and elimination or reduction of the likelihood of events that can negatively affect the resources of the information system to reduce security risks that potentially have the ability to affect the information system, subject to an acceptable cost of protection means that contain a risk analysis, analysis of the “cost-effectiveness” parameter, and selection, construction, and testing of the security subsystem, as well as the study of all aspects of security.

Download Full-text