Please use this identifier to cite or link to this item: https://hdl.handle.net/1822/20869

Title: A conceptual framework to support information security risk management
Author(s): Bernardino, Teresa Pereira
Advisor(s): Santos, Henrique Dinis dos
Issue date: 26-Jul-2012
Abstract(s): Nowadays organizations rely strongly on technology, in particular on the performance of their information systems, and therefore become more exposed to security risks. Additionally, the rapid advances of information and communication technologies have increased the speed and accessibility of operations, resulting in significant changes in the way organizations conduct their business. As a consequence of this technological evolution, sophisticated and underestimated attacks will emerge. In this scenario, organizations are forced to adopt adequate security procedures to manage information security and promote security awareness. The objectives are to educate first, through information security awareness initiatives, and then to identify, address and mitigate risks before they become serious threats. Despite the intense efforts made by ENISA and the OECD to enhance knowledge, to positively influence public behaviour towards information security and to provide private and public organizations with good practices and key issues in the information security domain, security is still a critical activity that concerns a great number of organizations and governments worldwide. On the other hand, the research community is making efforts to alert managers to the need to put information security risk into the hands of professional risk managers instead of IT specialists, given the specific knowledge that this area demands and the security risks to which organizations are subject daily. It is observed that a significant number of organizations use the ISO and NIST security standards. However, according to security managers these standards do not cover all their conceptual security needs, since they suggest abstract implementations for risk mitigation, and thus concrete countermeasures or combinations thereof are mostly missing. This requires new and easier methodologies to support security management, especially the security risk analysis process.
In turn, this has motivated the challenge of achieving a simple, flexible and consistent conceptual model to assist the security risk management process. To this end, this thesis proposes a conceptual model grounded on hierarchical concepts, structured in an ontology based on the security standard ISO/IEC_JTC1, to support the security risk management process. The definitions of the security concepts and the established relationships, which are represented in the hierarchical structure of the ontology, are provided. A framework was developed and evaluated through interviews with security experts. The framework first incorporates the concepts hierarchically defined in the ontology, and secondly is a means of supporting organizations in managing their information security risk. The interviews aim to assess, in the first instance, the relevance of the defined concepts and their hierarchy, and then the practical usability of the methodology for carrying out a risk analysis. The results demonstrate the importance and applicability of the defined conceptual model, revealing that the proposed solution ensures a commitment to simplicity, flexibility and consistency of the conceptual model devised, addressing the security risk analysis needs of organizations.
Type: Doctoral thesis
Description: Doctoral thesis in Technologies and Information Systems
URI: https://hdl.handle.net/1822/20869
Access: Restricted access (UMinho)
Appears in Collections: BUM - Teses de Doutoramento; DSI - Engenharia da Programação e dos Sistemas Informáticos

Files in This Item:
File: Teresa Susana Mendes Pereira Bernardino.pdf (restricted access), 4,98 MB, Adobe PDF
