ABSTRACT
Information Security Management Systems (ISMS) aim at ensuring proper protection of information values and information processing systems (i.e., assets). Information Security Risk Management (ISRM) techniques are incorporated in ISMSs to deal with threats and vulnerabilities that pose risks to the information security properties of these assets. The ongoing evolution of information systems, as well as the ever-changing threat landscape, requires enterprises to adopt new approaches to ensure consistent compliance with their information security goals. The great challenge enterprises face is to deal efficiently with all changes to their assets and their risk exposure, and with the impact of these changes on their ISMS and ISRM activities. We present a model-based approach to continuous information security management based on semi-automated workflows triggered by changes to the underlying asset catalogue, the operational environment and the threat landscape. The prototypical implementation was evaluated in a real-world industrial setting, demonstrating high usability when integrating stakeholders from different domains in a continuous risk management process.
- Enabling change-driven workflows in continuous information security management