
“Check, Check, Check, We Got Those” – Catalogue Use in Information Security Risk Management

  • Conference paper
  • Human Aspects of Information Security and Assurance (HAISA 2023)

Abstract

Information Security Risk Management (ISRM) is fundamental in most organisations today. The literature describes ISRM as a complex activity, and one way of addressing this complexity is to enable knowledge reuse in the shape of catalogues. Catalogues in the ISRM domain can contain lists of, e.g., assets, threats and security controls. In this paper, we focus on three aspects of catalogue use: why we need catalogues, how catalogue granularity is perceived, and how catalogues help novices in practice. As catalogue use is not yet a widespread practice in ISRM, we have selected a domain where catalogues are already a part of the ISRM work: the Air Traffic Management (ATM) domain uses a methodology that includes catalogues and is built on ISO/IEC 27005. The results are based on data collected from 19 interviews with ATM professionals who are either experts or novices in ISRM. With this paper, we nuance the view on what catalogues can contribute, for example consistency, coherency, a starting point and new viewpoints. At the same time, we identify the need to inform users about the aim of the catalogues and the limitations that come with catalogue use in order to leverage that use, especially from a novice perspective.



Acknowledgement

We gratefully acknowledge the grant from the Swedish Civil Contingencies Agency (MSB), project VISKA (MSB 2021–14650) and the funding from the SESAR JU under the EU H2020 research and innovation programme (grant agreement 731765).

Author information

Correspondence to Erik Bergström.


Copyright information

© 2023 IFIP International Federation for Information Processing


Cite this paper

Bergström, E., Lundgren, M., Bernsmed, K., Bour, G. (2023). “Check, Check, Check, We Got Those” – Catalogue Use in Information Security Risk Management. In: Furnell, S., Clarke, N. (eds) Human Aspects of Information Security and Assurance. HAISA 2023. IFIP Advances in Information and Communication Technology, vol 674. Springer, Cham. https://doi.org/10.1007/978-3-031-38530-8_15


  • DOI: https://doi.org/10.1007/978-3-031-38530-8_15
  • Publisher Name: Springer, Cham
  • Print ISBN: 978-3-031-38529-2
  • Online ISBN: 978-3-031-38530-8
