An Analytical Study of Methodologies and Tools for Enterprise Information Security Risk Management

Ict Infrastructure ◽

An enterprise is characterized by its business processes and supporting ICT infrastructure. Securing these entities is of utmost importance for the survival of an enterprise and continuity of its business operations. In order to secure them, it is important to first detect the risks that can be realized to cause harm to those entities. Over the years, several kinds of security risk analysis methodologies have been proposed. They cater to different categories of enterprise entities and consider varying levels of detail during risk analysis. An enterprise often finds it difficult to select a particular method that will best suit its purpose. This paper attempts to address this problem by presenting a detailed study of existing risk analysis methodologies. The study classifies them into specific categories and performs comparative analyses considering different parameters addressed by the methodologies, including asset type, vulnerabilities, threats, and security controls.

Cloud-Based Business Process Security Risk Management: A Systematic Review, Taxonomy, and Future Directions

Computers ◽

10.3390/computers10120160 ◽

2021 ◽

Vol 10 (12) ◽

pp. 160

Author(s):

Temitope Elizabeth Abioye ◽

Oluwasefunmi Tale Arogundade ◽

Sanjay Misra ◽

Kayode Adesemowo ◽

Robertas Damaševičius

Keyword(s):

Risk Management ◽

Risk Analysis ◽

Business Process ◽

Business Processes ◽

Cloud Services ◽

Assessment Model ◽

Security Risk ◽

Security Issues ◽

Management Techniques ◽

Despite the attractive benefits of cloud-based business processes, security issues, cloud attacks, and privacy are some of the challenges that prevent many organizations from using this technology. This review seeks to know the level of integration of security risk management process at each phase of the Business Process Life Cycle (BPLC) for securing cloud-based business processes; usage of an existing risk analysis technique as the basis of risk assessment model, usage of security risk standard, and the classification of cloud security risks in a cloud-based business process. In light of these objectives, this study presented an exhaustive review of the current state-of-the-art methodology for managing cloud-based business process security risk. Eleven electronic databases (ACM, IEEE, Science Direct, Google Scholar, Springer, Wiley, Taylor and Francis, IEEE cloud computing Conference, ICSE conference, COMPSAC conference, ICCSA conference, Computer Standards and Interfaces Journal) were used for the selected publications. A total of 1243 articles were found. After using the selection criteria, 93 articles were selected, while 17 articles were found eligible for in-depth evaluation. For the results of the business process lifecycle evaluation, 17% of the approaches integrated security risk management into one of the phases of the business process, while others did not. For the influence of the results of the domain assessment of risk management, three key indicators (domain applicability, use of existing risk management techniques, and integration of risk standards) were used to substantiate our findings. The evaluation result of domain applicability showed that 53% of the approaches had been testing run in real-time, thereby making these works reusable. The result of the usage of existing risk analysis showed that 52.9% of the authors implemented their work using existing risk analysis techniques while 29.4% of the authors partially integrated security risk standards into their work. Based on these findings and results, security risk management, the usage of existing security risk management techniques, and security risk standards should be integrated with business process phases to protect against security issues in cloud services.

Proceedings of the CUBE International Information Technology Conference on - CUBE '12 ◽

A two-phase quantitative methodology for enterprise information security risk analysis

10.1145/2381716.2381869 ◽

2012 ◽

Cited By ~ 4

Author(s):

Jaya Bhattacharjee ◽

Anirban Sengupta ◽

Chandan Mazumdar ◽

Mridul Sankar Barik

Keyword(s):

Information Security ◽

Risk Analysis ◽

Quantitative Methodology ◽

Security Risk ◽

Enterprise Information ◽

Two Phase ◽

Information Security Risk

A new comprehensive framework for enterprise information security risk management

Applied Computing and Informatics ◽

10.1016/j.aci.2011.05.002 ◽

2011 ◽

Vol 9 (2) ◽

pp. 107-118 ◽

Cited By ~ 26

Author(s):

Mohamed S. Saleh ◽

Abdulkader Alfantookh

Keyword(s):

Risk Management ◽

Information Security ◽

Security Risk ◽

Enterprise Information ◽

Comprehensive Framework ◽

Research on Method of Information System Information Security Risk Management

Advanced Materials Research ◽

10.4028/www.scientific.net/amr.926-930.4105 ◽

2014 ◽

Vol 926-930 ◽

pp. 4105-4109

Author(s):

Xiao Li Cao

Keyword(s):

Information System ◽

Risk Management ◽

Information Systems ◽

Information Security ◽

Risk Analysis ◽

Management Approach ◽

Security Risk ◽

System Risk ◽

With the popularity of the Internet and global information continues to advance organizational information systems have become an important strategic resource for the survival of the importance of information security to protect its widespread concern. Once the information security organization information system is destroyed, the Organization for Security attribute information would cause tremendous impact the organization's business operation, the losses include not only economic, but also likely to organize image, reputation is a strategic competitive advantage even fatal injuries. However, the existing information systems of information security risk management approach to information system risk analysis and assessment with specific organizational environment and business background with fragmentation, lack of risk analysis and description of the formation process, carried only consider "technical" factors security decisions, lack of full expression to achieve the desired goal of a number of decisions on organizational decision-making. Therefore, the information system to carry information security risk management is essential.

Strategic Dimensions of Information Security Risk Management

Journal of Business Management and Information Systems ◽

10.48001/jbmis.2019.0602001 ◽

2019 ◽

Vol 6 (2) ◽

pp. 1-9 ◽

Cited By ~ 1

Author(s):

Ayush Gupta

Keyword(s):

Risk Management ◽

Information Security ◽

Business Models ◽

Business Processes ◽

Management Model ◽

Security Risk ◽

Best Value ◽

Security Risk Management ◽

Flow Of Information

Information security is thus a big threat to the survival of enterprises. In all context and forms, it is an imperative to provide adequate safeguards and measures to management the risk arising from flow of information and data. The business models of organizations are highly dependent on flow of information during the business processes. The management of information security has several perspectives. In this paper, the legal, quality and human resource perspectives have been discussed. The Information Security Risk Management Model must balance these perspectives to optimize for best value derived out of it.

Methodology and algorithm of information security risk management for local infrastructure

Central and Eastern European eDem and eGov Days ◽

10.24989/ocg.v325.33 ◽

2018 ◽

Vol 325 ◽

pp. 399-410

Author(s):

Bulai Rodica ◽

Ciorbă Dumitru ◽

Poştaru Andrei ◽

Rostislav Călin

Keyword(s):

Risk Management ◽

Information Security ◽

Risk Analysis ◽

Management Practices ◽

Security Requirements ◽

Security Risk ◽

Information Management Systems ◽

Efficient Information ◽

The complexity of information security does not resume to mere technicality, transferring significant liability to proper management. Risk analysis in information security is a powerful tool that comes in handy for managers in making decisions about the implementation of efficient information management systems, in order to achieve the organization's mission. As a part of risk management, risk analysis is the systematic implementation of methods, techniques and management practices to assess the context, identify, analyze, evaluate, treat, monitor and communicate the risks for the information security and systems through which they are processed, stored or transmitted. The ISO/IEC 27005:2011 – Information security risk management, does not specify any particular method for managing the risks associated with information security, but a general approach. It is up to the organization to devise control objectives that would reflect specific approaches to risk management and the degree of assurance required. There are several models, methodologies and tools amongst which those like CRAMM (United Kingdom, Insight Consulting), Risicare/Mehari (France, Clusif), GSTool (Germany, ITGrundschutz). The theoretical model of the mentioned methodologies is hard to put in practice without experience required from the members of the risk analysis team. Using the appropriate risk assessment solution, an organization can devise its own security requirements.