Abstract
Information Security Risk Management (ISRM) is fundamental in most organisations today. The literature describes ISRM as a complex activity, and one way of addressing this complexity is to enable knowledge reuse in the shape of catalogues. Catalogues in the ISRM domain can contain lists of, e.g., assets, threats and security controls. In this paper, we focus on three aspects of catalogue use: why we need catalogues, how catalogue granularity is perceived, and how catalogues help novices in practice. As catalogue use is not yet a widespread practice in ISRM, we have selected a domain where catalogues are part of the ISRM work: the Air Traffic Management (ATM) domain uses a methodology that includes catalogues and is built on ISO/IEC 27005. The results are based on data collected from 19 interviews with ATM professionals who are either experts or novices in ISRM. With this paper, we nuance the view of what catalogues can contribute, for example consistency, coherency, a starting point and new viewpoints. At the same time, we identify the need to inform users about the aim of the catalogues and the limitations that come with catalogue use in order to make the most of them, especially from a novice perspective.
Acknowledgement
We gratefully acknowledge the grant from the Swedish Civil Contingencies Agency (MSB), project VISKA (MSB 2021–14650) and the funding from the SESAR JU under the EU H2020 research and innovation programme (grant agreement 731765).
Copyright information
© 2023 IFIP International Federation for Information Processing
Cite this paper
Bergström, E., Lundgren, M., Bernsmed, K., Bour, G. (2023). “Check, Check, Check, We Got Those” – Catalogue Use in Information Security Risk Management. In: Furnell, S., Clarke, N. (eds) Human Aspects of Information Security and Assurance. HAISA 2023. IFIP Advances in Information and Communication Technology, vol 674. Springer, Cham. https://doi.org/10.1007/978-3-031-38530-8_15
DOI: https://doi.org/10.1007/978-3-031-38530-8_15
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-38529-2
Online ISBN: 978-3-031-38530-8
eBook Packages: Computer Science (R0)