A multifaceted evaluation of the reference model of information assurance & security

The evaluation of a conceptual model, which is an outcome of qualitative research, is an arduous task due to the lack of a rigorous basis for evaluation. To overcome this challenge, the paper at hand presents a detailed example of a multifaceted evaluation of a Reference Model of Information Assurance & Security (RMIAS), which summarises the knowledge acquired by the Information Assurance & Security (IAS) community to date in one all-encompassing model. A combination of analytical and empirical evaluation methods is used to evaluate the RMIAS in a sustained way, overcoming the limitations of any single method. The RMIAS is analytically evaluated against the quality criteria for conceptual models and compared with existing models. Twenty-six semi-structured interviews with IAS experts are conducted to test the merit of the RMIAS. Three workshops and a case study are carried out to verify the practical value of the model. The paper discusses the evaluation methodology and the evaluation results.
