Methodology for Assessing the Risks of Information Enterprise Security Using Case Technologies

2021 ◽  
Vol 25 (5) ◽  
pp. 41-49
Author(s):  
А. V. Gavrilov ◽  
V. A. Sizov ◽  
E. V. Yaroshenko

Purpose of the study. Creating an effective information security system of an enterprise is impossible without an adequate assessment of the risks to which its assets are exposed. The results of such an assessment should become the basis for making decisions in the field of information security of the enterprise. Identification of information assets and assessment of their value, together with determination of the level of threats to the security of assets, allow planning measures to create an enterprise information security system. This paper discusses a methodology for assessing the risks of information security of an enterprise, a distinctive feature and novelty of which is the use of modern tools and methods for constructing and analyzing business processes in order to identify the information assets of an enterprise to be protected.

Materials and methods. It is proposed to identify information assets based on the model of business processes of the enterprise, performed using the IDEF0 methodology. Modeling of business processes was carried out in the Business Studio environment of the “Modern Management Technologies” company. The activity of a typical IT-industry company was considered as an example for the risk analysis.

Results. The methodology for assessing the risks of information security of an enterprise described in the article has been successfully tested in the educational process. Its use in conducting laboratory classes in the discipline “Designing the information security system of enterprises and organizations” for masters studying in the direction of “Information security” made it possible, according to the authors of the article, to increase the effectiveness of the formation of students’ professional competencies.

Conclusion. The paper proposes a methodology for assessing information security risks for objects of an enterprise’s information infrastructure, which makes it possible to identify priority areas of information security at an enterprise. As a result of the application of the technique, a loss matrix is formed, showing the problem areas in the organization of information protection, which should be given priority attention when planning information security measures. Based on the data obtained, it is possible to form an economically justified strategy and tactics for the development of an enterprise information security system.

2019 ◽  
Vol 23 (3) ◽  
pp. 25-32
Author(s):  
A. V. Gavrilov ◽  
V. A. Sizov

Purpose of the study. In modern conditions, building an effective information security system for an enterprise requires specialists with appropriate professional competencies and systems approach skills in analyzing the combination of factors that influence the state of information security of an enterprise. For the preparation of such specialists, qualitative changes in the content of educational disciplines are required, based on the use of methods and means of system analysis in the process of building an information security system. The current approaches to assessing the risk of an enterprise are based on the formation of a register of its information resources necessary for the further processing of risks. Adequate assessment of the value of a resource is impossible without a correct understanding of the semantics of this resource and its role in the implemented business processes. Modern approaches to the formation of the register of enterprise information resources, according to the authors, do not offer an effective method of identifying resources and estimating their value. This paper considers an approach based on the use of structural and functional analysis methods and CASE-technologies in the formation of a register of information resources of the enterprise in the training of masters in the direction of “Information Security”.

Materials and methods. For the formation of the register of enterprise information resources, it is proposed to build a structural-functional enterprise model using the IDEF0 notation. Business process modeling was performed in the Business Studio environment of «Modern Control Technologies». As an example for risk analysis, the activities of a typical IT-industry company engaged in the development and implementation of enterprise management information systems were considered.

Results. The technique was successfully tested in the educational process. According to the authors of the article, the use of this technique in conducting laboratory classes for masters enrolled in the “Information Security” direction has made it possible to increase the efficiency of the formation of professional competencies in students and, consequently, the quality of education in general. The results obtained can be used not only as a training method for specialists in the field of information security. The application of the methodology of forming the register of information resources of an enterprise considered in the article in practical activities to ensure the information security of an enterprise will increase the validity of decisions to protect the information of the enterprise.

Conclusion. The paper proposes a method to justify the choice of the main directions for the protection of enterprise information based on the analysis of its business processes. A distinctive feature of the technique is the use of modern CASE-technologies for decision-making in the field of enterprise information security. The implementation of the methodology makes it possible to create a register of information resources of the enterprise, including an assessment of the likely damage for each resource. The registry shows the bottlenecks in the organization of protection, which should be given priority when planning measures to protect information. On the basis of the data obtained, it is possible to form a strategy and tactics for developing an enterprise information protection system that is reasonable from an economic point of view.


Author(s):  
Oleh Kozlenko

This article explores the application of systems structural analysis methods to the study of security in information systems, based on variants of general attack scenarios, features of cybersecurity culture, and q-analysis, which is part of MCQA. General security system analysis is usually based on different factors, which include technical means, human-related mistakes of various kinds, and the response to security incidents. Q-analysis presents the basic principles of constructing a model of the connectivity of information security system elements on the example of two sets: a set of threats and a set of security measures for information security, with calculated numerical values. Elements of the two sets are interconnected and form the basis of a system for ensuring their security. These calculations can be used to further determine an overall formal assessment of the security of the organization.


Author(s):  
Hryhoriy Hnatienko ◽  
Natalia Tmenova

High-quality functioning of the information security system and solving problems that arise in information protection is currently a topical trend in various areas of human life. Successful cyber protection consists in creating and implementing a multi-level system of measures that cover various aspects which interact in complex ways and complement each other. These measures have a different nature, and their priorities may differ significantly in terms of different services of the organization, so it is logical to formalize the sequence of cybersecurity implementation as a class of group choice tasks. The paper proposes a flexible mathematical apparatus for modeling information security problems and the adequate application of the opinion analysis of an experts’ team in practice. The approach to finding the resultant ranking of measure priority is described as a solution to the problem of multicriteria optimization, where the sequence of measure implementation may involve the interaction of performers and require regulation of the action sequence of all elements and subsystems of the organizational system. This approach makes it possible to combine different information security measures proposed by the experts of various departments; to find a compromise solution for a diverse group of experts; and not to violate any expert's preferences when calculating the compromise ranking of cyber security measures. The proposed approach can be useful in developing appropriate cybersecurity measures and favorable in developing and implementing rapid response procedures to threats; it can also be indispensable in the overall building or improvement of an organization's security system, and it can contain elements of training, coordination, and complexity of expert team members, who are the heads of units of a single organizational system.


Author(s):  
Theodosios Tsiakis ◽  
Panagiotis Tsiakis

Enterprises are expeditiously outsourcing non-core business processes and functions. This is happening in order for new efficiencies to be found and costs to be reduced along with the increase of shareholder value. Enterprises in a supply chain use networks to share information assets. Information Systems and Information Technology are essential for their business operations. Organizations resort to outsourcing in order to balance the infinite requirements with organisational assets. Supply chains that rely upon sourced Information Systems (and/or IT) are vulnerable to supply-chain-specific types of Information Security (IS) risks. These systems and their components are at increasing supply chain risk. The process of securing all elements of IT systems (whether hardware, software, or services) throughout their life cycle is critical. The scope of the chapter is to identify the basic process of outsourcing Information Security functions/processes in the Supply Chain and, moreover, to adduce the practice of it.


2020 ◽  
pp. 6-10
Author(s):  
Grigory Zharkov ◽  
Vadim Shevtsov

Information security of an enterprise (IS of an enterprise) is the state of security of data, objects of informatization of an enterprise and its interests. IS of an enterprise is achieved only when the basic properties of IS, namely confidentiality, integrity and availability of information, and the technical component of an enterprise involved in technological processes, are met. Ensuring IS of an enterprise is effective only with a systematic and comprehensive approach to protection. The information security system should take into account all current information threats and vulnerabilities. Information security threats are analyzed to determine the full set of requirements for the developed security system. A threat is considered relevant if it can be implemented in the information system of the enterprise and poses a threat to information with limited access. It is shown that the list of threats to information security of an industrial enterprise is very wide and is not limited to those considered in this article. It is very important to maintain a high level of enterprise information security, especially at critical information infrastructure facilities.


Author(s):  
Jörg Uffen ◽  
Michael H. Breitner

Organizations are investing substantial resources in technical security measures that aim at preventively protecting their information assets. The way management – or information security executives – deals with potential security measures varies individually and depends on personality traits and cognitive factors. Based on the Theory of Planned Behavior, the authors examine the relationship between the personality traits of conscientiousness, neuroticism and openness with attitudes and intentions towards managing technical security measures. The highly relevant moderating role of compliance factors is also investigated. The hypothesized relationships are analyzed and validated using empirical data from a survey of 174 information security executives. Findings suggest that conscientiousness is important in determining the attitude towards the management of technical security measures. In addition, the findings indicate that when executives are confronted with information security standards or guidelines, the personality traits of conscientiousness and openness will have a stronger effect on attitude towards managing security measures than without moderators.


Author(s):  
Andreas Mitrakas

The growing use of information technology in sensitive daily transactions highlights the significance of information security to protect information assets. Vulnerabilities associated with public and private transactions pose challenges that government, private organizations, and individuals are compelled to respond to by adopting appropriate protection measures. Information security responds to the need of transacting parties for confidentiality, integrity, and availability of resources (Pfleeger, 2000). Information security is required in transactions carried out among businesses, public administrations, and citizens. An organizational response to information security threats includes setting up and implementing appropriate policy frameworks that are typically endorsed by agreement. Beyond organizational objectives lies an emerging legal framework instigated by the role of information security as a means to safeguard information assets that are socially significant. Organizations are often required to implement information security measures mandated by industry regulations or legislation, such as in electronic banking transactions. The scope of these legal and regulatory requirements is to mitigate potential risk that entails liabilities for shareholders, employees, customers, trading partners, or other third parties involved in a transaction. Information security and its subsequent regulation are equally important for public services. In e-government services made available to citizens and businesses, information security ensures e-government transactions. The remainder of this article presents an overview of the prevailing legal and policy issues that are currently associated with information security.


2015 ◽  
Vol 30 (1) ◽  
pp. 71-92 ◽  
Author(s):  
Paul John Steinbart ◽  
Robyn L. Raschke ◽  
Graham Gal ◽  
William N. Dilla

The ever-increasing number of security incidents underscores the need to understand the key determinants of an effective information security program. Research that addresses this topic requires objective measures, such as number of incidents, vulnerabilities, and non-compliance issues, as indicators of the effectiveness of an organization's information security activities. However, these measures are not readily available to researchers. While some research has used subjective assessments as a surrogate for objective security measures, such an approach raises questions about scope and reliability. To remedy these deficiencies, this study uses the COBIT Version 4.1 Maturity Model Rubrics to develop an instrument (SECURQUAL) that obtains an objective measure of the effectiveness of enterprise information security programs. We show that SECURQUAL scores reliably predict objective measures of information security program effectiveness. Future research might use the instrument as a surrogate effectiveness measure that avoids asking respondents to disclose sensitive information about information security incidents and vulnerabilities.


2020 ◽  
Vol 24 (6) ◽  
pp. 51-59
Author(s):  
M. V. Ushakova ◽  
A. V. Gabalin

Purpose of the study. The aim of the study is to analyze the effectiveness of the joint use of the competence-activity approach and interdisciplinary connections in the formation of modeling skills in the field of enterprise engineering and reengineering of business processes in the educational process of the university. The relevance of the problems outlined in this article is determined by the need to develop human resources in the IT industry and to continuously improve the quality of training specialists in this area. The object of the research is the preparation of full-time students of educational institutions of higher education in terms of the formation of skills in systemic and business analysis of a digital enterprise as an object of economics and management.

Materials and research methods. The article analyzes the possibility of effective use of the competence-activity approach and interdisciplinary connections in the educational process when developing modeling skills as part of the research work of bachelors in the direction of “Business Informatics”.

Results. Taking into account the analysis of the experience of using the competence-activity approach and interdisciplinary relations, the prospects of their joint use in the educational process in the formation of modeling skills in the field of enterprise engineering and reengineering of business processes are shown. The structure of the research work of students and the sequence of stages of modeling are proposed, which have proven themselves well at the Business Informatics Chair and Production Management Systems.

Conclusion. In the transition to the digital economy, the key difficulty in our country is the lack of qualified and competent personnel. It is necessary to correctly form the approaches to the training of IT industry specialists. The joint use of the competence-activity approach at the National University of Science and Technology “MISIS”, which implies the formation of knowledge among students in the process of developing a process information system project, and interdisciplinary relations has confirmed its effectiveness. The experience of using business process modeling in the preparation of bachelors studying in the specialty “Business Informatics” is generalized, and a sequence of modeling steps is proposed which makes it possible to consider and comprehensively describe a digital enterprise as an object of economics and management in the form of architectural models, as well as an approach to the formation of students' skills in modeling and business management processes of the enterprise. This approach made it possible to involve students in the process of active learning, improve the process of forming key competencies, significantly improve the quality of theses and their practical significance, and increase the level of compliance of teaching with world trends in the era of digital transformation.

