Abstract
Industry managers have long recognized the vital importance of information security for their businesses, but at the same time they perceived security as a technology-driven rather than a business-driven field. Today, this notion is changing and security management is shifting from technology- to business-oriented approaches. While there is evidence of this shift in the literature, this paper argues that security standards and academic work have not yet taken it fully into account. We examine whether this disconnect has led to a misalignment between the IT security requirements of businesses on the one hand and industry standards and academic research on the other. To investigate this question, we conducted 13 interviews with practitioners from 9 different firms. The results show a significant gap between the security requirements stated in industry standards and the security vulnerabilities actually reported. We further find mismatches between the prioritization of security factors in businesses, in standards, and in real-world threats. We conclude that security in companies serves the business need of protecting information availability, so that the business keeps running at all times.
Copyright information
© 2009 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Frühwirth, C. (2009). On Business-Driven IT Security Management and Mismatches between Security Requirements in Firms, Industry Standards and Research Work. In: Bomarius, F., Oivo, M., Jaring, P., Abrahamsson, P. (eds) Product-Focused Software Process Improvement. PROFES 2009. Lecture Notes in Business Information Processing, vol 32. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-02152-7_28
DOI: https://doi.org/10.1007/978-3-642-02152-7_28
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-02151-0
Online ISBN: 978-3-642-02152-7