Use this identifier to reference this record:
https://hdl.handle.net/1822/20869
Title: | A conceptual framework to support information security risk management |
Author(s): | Pereira, Teresa |
Supervisor(s): | Santos, Henrique Dinis dos |
Date: | 26-Jul-2012 |
Abstract(s): | Nowadays organizations strongly rely on technology, in particular on the performance of their information systems, and therefore become more exposed to security risks. Additionally, the rapid advances of information and communication technologies have promoted the speed and accessibility of operations, resulting in significant changes in the way organizations conduct their business. As a consequence of this technological evolution, sophisticated and underestimated attacks will transcend. In this scenario, organizations are forced to adopt adequate security procedures to manage information security and promote security awareness. The objectives are to educate first, through information security awareness initiatives, and then to identify, address and mitigate risks before they become serious threats. Despite the intense efforts made by ENISA and the OECD to enhance knowledge, to positively influence public behaviour towards information security, and to provide private and public organizations with good practices and key issues in the information security domain, security is still a critical activity, which concerns a great number of organizations and governments worldwide. On the other hand, the research community is making efforts to alert managers to the need to put information security risk into the hands of professional risk managers instead of IT specialists, given the specific knowledge that this area demands and the security risks that organizations are subject to daily. It is observed that a significant number of organizations use the ISO and NIST security standards. However, according to security managers, these standards do not cover all their conceptual security needs, since they suggest abstract implementations for risk mitigation, and thus concrete countermeasures, or combinations thereof, are mostly missing. This requires new and easier methodologies to support security management, especially the security risk analysis process. In turn, this has motivated the challenge of achieving a simple, flexible and consistent conceptual model to assist the security risk management process. Accordingly, this thesis proposes a conceptual model grounded on hierarchical concepts, structured in an ontology based on the security standard ISO/IEC_JTC1, to support the security risk management process. The definitions of the security concepts and of the relationships established between them, which are represented in the hierarchical structure of the ontology, are provided. A framework was developed and evaluated through interviews with security experts. The framework first incorporates the concepts hierarchically defined in the ontology, and secondly is a means to support organizations in managing their information security risk. The interviews aimed to assess, in the first instance, the relevance of the defined concepts and their hierarchy, and then the practical usability of the methodology for the implementation of a risk analysis. The results demonstrate the importance and applicability of the defined conceptual model, revealing that the proposed solution ensures a commitment to the simplicity, flexibility and consistency of the conceptual model devised, addressing the security risk analysis needs of organizations. |
Type: | Doctoral thesis |
Description: | Doctoral thesis in Technologies and Information Systems |
URI: | https://hdl.handle.net/1822/20869 |
Access: | Restricted access UMinho |
Appears in collections: | DSI - Engenharia da Programação e dos Sistemas Informáticos |
Files in this record:
File | Description | Size | Format | |
---|---|---|---|---|
Teresa Susana Mendes Pereira Bernardino.pdf | Restricted access! | 4,98 MB | Adobe PDF | View/Open |