research-article

The Validity of Information Security Risk Assessment Methods for Organizations

Published: 01 October 2020

Abstract

Statistical data show a contradiction between growing financial investment in the information security (IS) of organizations and a steady rise in the number of IS incidents caused by internal users. From this it is concluded that modern IS risk assessment methods are cognitively vulnerable and of low validity. Stereotypes that produce cognitive errors in IS risk assessment are identified: giving priority to technical protection of information against external IS threats over organizational and technical protection against internal threats; distrust of the internal client, who is perceived solely as an object of strict managerial control, ignoring his or her subjective role in IS management; and confining work with personnel within the IS management system to one-time measures and static criteria for assessing human risks, while neglecting systemic measures and dynamic, situational criteria. The need to update IS risk management standards, and to develop new methods and tools for assessing IS risks that reject these outdated stereotypes, is substantiated.

Cited By

View all
  • (2024) Information Security Investments: How to Prioritize? Proceedings of the 20th Brazilian Symposium on Information Systems, pp. 1-8, doi:10.1145/3658321.3658363. Online publication date: 20 May 2024.

Published In

Scientific and Technical Information Processing, Volume 47, Issue 4
Oct 2020
54 pages

Publisher

Springer-Verlag

Berlin, Heidelberg

Publication History

Published: 01 October 2020
Received: 18 April 2020

Author Tags

  1. risk
  2. information security
  3. methodology
  4. validity
  5. cognitive biases
  6. cognitive errors
  7. internal violator
  8. human risks
  9. involvement
  10. situational awareness
