
On Business-Driven IT Security Management and Mismatches between Security Requirements in Firms, Industry Standards and Research Work

  • Conference paper
Product-Focused Software Process Improvement (PROFES 2009)

Part of the book series: Lecture Notes in Business Information Processing (LNBIP, volume 32)

Abstract

Industry managers have long recognized the vital importance of information security for their businesses, but at the same time they have perceived security as a technology-driven rather than a business-driven field. Today this notion is changing, and security management is shifting from technology-oriented to business-oriented approaches. Whereas there is evidence of this shift in the literature, this paper argues that security standards and academic work have not yet taken it fully into account. We examine whether this disconnect has led to a misalignment between the IT security requirements of businesses and those found in industry standards and academic research. To investigate this question we conducted 13 interviews with practitioners from 9 different firms. The results present evidence of a significant gap between the security requirements in industry standards and the security vulnerabilities that are actually reported. We further find mismatches between the prioritization of security factors in businesses, in standards, and in real-world threats. We conclude that security in companies serves the business need of protecting information availability, keeping the business running at all times.




Copyright information

© 2009 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Frühwirth, C. (2009). On Business-Driven IT Security Management and Mismatches between Security Requirements in Firms, Industry Standards and Research Work. In: Bomarius, F., Oivo, M., Jaring, P., Abrahamsson, P. (eds) Product-Focused Software Process Improvement. PROFES 2009. Lecture Notes in Business Information Processing, vol 32. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-02152-7_28


  • DOI: https://doi.org/10.1007/978-3-642-02152-7_28

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-02151-0

  • Online ISBN: 978-3-642-02152-7

  • eBook Packages: Computer Science (R0)
