Information Security Investments: How to Prioritize?

Published: 23 May 2024

Abstract

Context: In an increasingly digitalized world with more complex supply chains, there is concern about the security of sharing information. To highlight the associated risk, companies carry out Information Security Risk Assessments (ISRAs) to measure the risk of sharing information with a third party. Dozens of risk frameworks are used as a basis for creating ISRA forms. In most cases these forms are adapted to the reality of each company, generating a large number of possible questions and priority topics. This wide range of possibilities creates inefficiencies in the information security supplier management process and makes it difficult to prioritize efforts on the topics that most increase a company's information security maturity or its fit with what the market demands. Problem: Companies do not have unlimited resources to invest in information security. Given the increase in cybercrime and the resulting market demands, human and financial resources should be directed to the themes and adjustments the market most requires. Current research on this topic focuses on comparing risk frameworks or improving their efficiency; there is very little research on what the market is actually demanding. Method: In this work, a qualitative analysis was carried out on 5 information security risk assessment forms sent by multinational companies to a Brazilian healthcare operator. The Atlas.ti tool was used to identify the most recurrent themes. Results: The most relevant topics across the 5 companies evaluated are the existence of information security policies, incident prevention and response plans, adaptation to legislation and compliance, and ensuring the protection and privacy of data. The ISRA from the company in the financial sector had the highest number of questions, which indicates greater maturity of that sector in supplier management for information security topics.

Published In

SBSI '24: Proceedings of the 20th Brazilian Symposium on Information Systems
May 2024
708 pages

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. ISRA
  2. SMEs
  3. healthcare
  4. information security
  5. risk assessment
  6. vendor management

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Conference

SBSI '24
SBSI '24: XX Brazilian Symposium on Information Systems
May 20 - 23, 2024
Juiz de Fora, Brazil

Acceptance Rates

Overall Acceptance Rate 181 of 557 submissions, 32%
