SECURQUAL: An Instrument for Evaluating the Effectiveness of Enterprise Information Security Programs

ABSTRACT The ever-increasing number of security incidents underscores the need to understand the key determinants of an effective information security program. Research that addresses this topic requires objective measures, such as number of incidents, vulnerabilities, and non-compliance issues, as indicators of the effectiveness of an organization's information security activities. However, these measures are not readily available to researchers. While some research has used subjective assessments as a surrogate for objective security measures, such an approach raises questions about scope and reliability. To remedy these deficiencies, this study uses the COBIT Version 4.1 Maturity Model Rubrics to develop an instrument (SECURQUAL) that obtains an objective measure of the effectiveness of enterprise information security programs. We show that SECURQUAL scores reliably predict objective measures of information security program effectiveness. Future research might use the instrument as a surrogate effectiveness measure that avoids asking respondents to disclose sensitive information about information security incidents and vulnerabilities.

Download Full-text

Basic q-analysis of MCQA for Information Security System

European Journal of Electrical Engineering and Computer Science ◽

10.24018/ejece.2019.3.5.131 ◽

2019 ◽

Vol 3 (5) ◽

Author(s):

Oleh Kozlenko

Keyword(s):

Information Systems ◽

Structural Analysis ◽

Information Security ◽

System Analysis ◽

Security System ◽

Security Measures ◽

Security Systems ◽

Basic Principles ◽

Application Methods ◽

Security Incidents

Article explores application methods for systems structural analysis to use in study of security in information systems, which is based on variants of general attack scenarios, features of cybersecurity culture, q-analysis, which is part of MCQA . General security system analysis usually is based on different factors, which include technical means, human-related mistakes in different ways and respond to security incidents. Q-analysis presents the basic principles of constructing model of information security systems elements connectivity on the example of two sets: set of threats and sets of security measures for information security and calculated numerical values. Elements of the two sets of are interconnected and form the basis of a system for ensuring their security. These calculations can be used to further determine overall formal assessment of security of the organization.

Download Full-text

Methodology for Assessing the Risks of Information Enterprise Security Using Case Technologies

Open Education ◽

10.21686/1818-4243-2021-5-41-49 ◽

2021 ◽

Vol 25 (5) ◽

pp. 41-49

Author(s):

А. V. Gavrilov ◽

V. A. Sizov ◽

E. V. Yaroshenko

Keyword(s):

Information Security ◽

Business Processes ◽

Educational Process ◽

Security System ◽

Security Measures ◽

It Industry ◽

Enterprise Information ◽

Information Assets ◽

Value Determination ◽

Enterprise Security

Purpose of the study. Creating an effective information security system of an enterprise is impossible without an adequate assessment of the risks to which its assets are exposed. The results of such an assessment should become the basis for making decisions in the field of information security of the enterprise. Identification of information assets and assessment of their value, determination of the level of threats to the security of assets allow planning measures to create an enterprise information security system.This paper discusses a methodology for assessing the risks of information security of an enterprise, a distinctive feature and novelty of which is the use of modern tools and methods for constructing and analyzing business processes in order to identify the information assets of an enterprise to be protected.Materials and methods. It is proposed to identify information assets based on the model of business processes of the enterprise, performed using the IDEF0 methodology. Modeling of business processes was carried out in the Business Studio environment of the “Modern Management Technologies” company.The activity of a typical IT-industry company was considered as an example for the risk analysis.Results. The methodology for assessing the risks of information security of an enterprise described in the article has been successfully tested in the educational process. Its use in conducting laboratory classes in the discipline “Designing the information security system of enterprises and organizations” for masters studying in the direction of “Information security” allowed, according to the authors of the article, to increase the effectiveness of the formation of students’ professional competencies.Conclusion. The paper proposes a methodology for assessing information security risks for objects of an enterprise’s information infrastructure, which makes it possible to identify priority areas of information security at an enterprise. As a result of the application of the technique, a loss matrix is formed, showing the problem areas in the organization of information protection, which should be given priority attention when planning information security measures. Based on the data obtained, it is possible to form an economically justified strategy and tactics for the development of an enterprise information security system.

Download Full-text

Modelling adaptive information security for SMEs in a cluster

Journal of Intellectual Capital ◽

10.1108/jic-05-2019-0128 ◽

2019 ◽

Vol 21 (2) ◽

pp. 235-256 ◽

Cited By ~ 2

Author(s):

Bilge Yigit Ozkan ◽

Marco Spruit ◽

Roland Wondolleck ◽

Verónica Burriel Coll

Keyword(s):

Information Security ◽

Design Science ◽

Shared Knowledge ◽

Future Research ◽

Maturity Model ◽

Content Type ◽

Scarce Resources ◽

The Creation ◽

The Cost ◽

Further Development

Purpose This paper presents a method for adapting an Information Security Focus Area Maturity (ISFAM) model to the organizational characteristics (OCs) of a small- and medium-sized enterprise (SME) cluster. The purpose of this paper is to provide SMEs with a tailored maturity model enabling them to capture and improve their information security capabilities. Design/methodology/approach Design Science Research was followed to design and evaluate the method as a design artifact. Findings The method has successfully been used to adapt the ISFAM model to a group of SMEs within a regional cluster resulting in a model that is aligned with the OCs of the cluster. Areas for further investigation and improvements were identified. Research limitations/implications The study is based on applying the proposed method for the SMEs active in the transport, logistics and packaging sector in the Port of Rotterdam. Future research can focus on different sectors and regions. The method can be used for adapting other focus area maturity models. Practical implications The resulting adapted maturity model can facilitate the creation and further development of a base of common or shared knowledge in the cluster. The adapted maturity model can cut the cost of over implementation of information security capabilities for the SMEs with scarce resources. Originality/value The resulting adapted maturity model can facilitate the creation and further development of a base of common or shared knowledge in the cluster. The adapted maturity model can cut the cost of over implementation of information security capabilities for the SMEs with scarce resources.

Download Full-text

Technical analysis of enterprise information security

Computational Intelligence and Industrial Engineering ◽

10.2495/ciie140441 ◽

2014 ◽

Author(s):

Ying Wu

Keyword(s):

Information Security ◽

Technical Analysis ◽

Enterprise Information

Download Full-text

A Survey on Security and Privacy Issues in Modern Healthcare Systems

ACM Transactions on Computing for Healthcare ◽

10.1145/3453176 ◽

2021 ◽

Vol 2 (3) ◽

pp. 1-44

Author(s):

Akm Iqtidar Newaz ◽

Amit Kumar Sikder ◽

Mohammad Ashiqur Rahman ◽

A. Selcuk Uluagac

Keyword(s):

Healthcare Systems ◽

Security And Privacy ◽

Health Conditions ◽

Future Research ◽

Security Measures ◽

Implantable Medical Devices ◽

Manual Intervention ◽

Security Challenges ◽

Future Research Directions ◽

Privacy Violation

Recent advancements in computing systems and wireless communications have made healthcare systems more efficient than before. Modern healthcare devices can monitor and manage different health conditions of patients automatically without any manual intervention from medical professionals. Additionally, the use of implantable medical devices, body area networks, and Internet of Things technologies in healthcare systems improve the overall patient monitoring and treatment process. However, these systems are complex in software and hardware, and optimizing between security, privacy, and treatment is crucial for healthcare systems because any security or privacy violation can lead to severe effects on patients’ treatments and overall health conditions. Indeed, the healthcare domain is increasingly facing security challenges and threats due to numerous design flaws and the lack of proper security measures in healthcare devices and applications. In this article, we explore various security and privacy threats to healthcare systems and discuss the consequences of these threats. We present a detailed survey of different potential attacks and discuss their impacts. Furthermore, we review the existing security measures proposed for healthcare systems and discuss their limitations. Finally, we conclude the article with future research directions toward securing healthcare systems against common vulnerabilities.

Download Full-text

A Decision Support System for Optimal Selection of Enterprise Information Security Preventative Actions

IEEE Transactions on Network and Service Management ◽

10.1109/tnsm.2020.3044865 ◽

2020 ◽

pp. 1-1

Author(s):

Ferda Ozdemir Sonmez ◽

Banu Gunel Kilic

Keyword(s):

Decision Support ◽

Information Security ◽

Decision Support System ◽

Support System ◽

Optimal Selection ◽

Enterprise Information ◽

Selection Of

Download Full-text

Improving Forensic Triage Efficiency through Cyber Threat Intelligence

Future Internet ◽

10.3390/fi11070162 ◽

2019 ◽

Vol 11 (7) ◽

pp. 162 ◽

Cited By ~ 2

Author(s):

Nikolaos Serketzis ◽

Vasilios Katos ◽

Christos Ilioudis ◽

Dimitrios Baltatzis ◽

Georgios Pangalos

Keyword(s):

Information Security ◽

Digital Forensics ◽

Incident Response ◽

Security Controls ◽

Digital Forensic ◽

Threat Intelligence ◽

Cyber Threat ◽

Series Of Experiments ◽

Cyber Threat Intelligence ◽

Security Incidents

The complication of information technology and the proliferation of heterogeneous security devices that produce increased volumes of data coupled with the ever-changing threat landscape challenges have an adverse impact on the efficiency of information security controls and digital forensics, as well as incident response approaches. Cyber Threat Intelligence (CTI)and forensic preparedness are the two parts of the so-called managed security services that defendants can employ to repel, mitigate or investigate security incidents. Despite their success, there is no known effort that has combined these two approaches to enhance Digital Forensic Readiness (DFR) and thus decrease the time and cost of incident response and investigation. This paper builds upon and extends a DFR model that utilises actionable CTI to improve the maturity levels of DFR. The effectiveness and applicability of this model are evaluated through a series of experiments that employ malware-related network data simulating real-world attack scenarios. To this extent, the model manages to identify the root causes of information security incidents with high accuracy (90.73%), precision (96.17%) and recall (93.61%), while managing to decrease significantly the volume of data digital forensic investigators need to examine. The contribution of this paper is twofold. First, it indicates that CTI can be employed by digital forensics processes. Second, it demonstrates and evaluates an efficient mechanism that enhances operational DFR.

Download Full-text

Blockchain as supply chain technology: considering transparency and security

International Journal of Physical Distribution & Logistics Management ◽

10.1108/ijpdlm-08-2019-0234 ◽

2021 ◽

Vol ahead-of-print (ahead-of-print) ◽

Author(s):

Pei Xu ◽

Joonghee Lee ◽

James R. Barth ◽

Robert Glenn Richey

Keyword(s):

Supply Chain ◽

Text Mining ◽

Information Security ◽

Design Methodology ◽

Use Cases ◽

Future Research ◽

Content Type ◽

Blockchain Technology ◽

Twitter Data ◽

The Way

PurposeThis paper discusses how the features of blockchain technology impact supply chain transparency through the lens of the information security triad (confidentiality, integrity and availability). Ultimately, propositions are developed to encourage future research in supply chain applications of blockchain technology.Design/methodology/approachPropositions are developed based on a synthesis of the information security and supply chain transparency literature. Findings from text mining of Twitter data and a discussion of three major blockchain use cases support the development of the propositions.FindingsThe authors note that confidentiality limits supply chain transparency, which causes tension between transparency and security. Integrity and availability promote supply chain transparency. Blockchain features can preserve security and increase transparency at the same time, despite the tension between confidentiality and transparency.Research limitations/implicationsThe research was conducted at a time when most blockchain applications were still in pilot stages. The propositions developed should therefore be revisited as blockchain applications become more widely adopted and mature.Originality/valueThis study is among the first to examine the way blockchain technology eases the tension between supply chain transparency and security. Unlike other studies that have suggested only positive impacts of blockchain technology on transparency, this study demonstrates that blockchain features can influence transparency both positively and negatively.

Download Full-text

OVERVIEW OF BASIC RECOMMENDATIONS FOR PREVENTING INFORMATION SECURITY INCIDENTS UNDER REMOTE WORK AND SELF-ISOLATION MODE

Information Technology and Mathematical Modeling in the Management of Complex Systems ◽

10.26731/2658-3704.2020.2(7).39-45 ◽

2020 ◽

pp. 39-45

Author(s):

Aleksander Alekseevich Butin ◽

Anastasiia Nikolaevna Vasilevskaia

Keyword(s):

Information Security ◽

Remote Work ◽

Security Incidents

Download Full-text

A Composite Framework for Behavioral Compliance with Information Security Policies

Journal of Organizational and End User Computing ◽

10.4018/joeuc.2013070103 ◽

2013 ◽

Vol 25 (3) ◽

pp. 32-51 ◽

Cited By ~ 9

Author(s):

Salvatore Aurigemma

Keyword(s):

Information Security ◽

Theory Of Planned Behavior ◽

Theoretical Framework ◽

Composite Model ◽

Security Policies ◽

Future Research ◽

Security Threats ◽

Behavioral Compliance ◽

Weakest Link ◽

Organizational Information

To combat potential security threats, organizations rely upon information security policies to guide employee actions. Unfortunately, employee violations of such policies are common and costly enough that users are often considered the weakest link in information security. This paper presents a composite theoretical framework for understanding employee behavioral compliance with organizational information security policies. Building off of the theory of planned behavior, a composite model is presented that incorporates the strengths of previous studies while minimizing theoretical gaps present in other behavioral compliance models. In building the framework, related operational constructs are examined and normalized to allow better comparison of past studies and help focus future research efforts.

Download Full-text