The 14 Layered Framework for Including Social and Organisational Aspects in Security Management

The ultimate aim of the COINS (COntrolled INformation Security) project is to investigate, assess, and provide tools to improve the information security status of organizations, with a focus on public agencies. A central question for the project is how information security issues are communicated within organizations, specifically underlining that communication is control in a cybernetic sense. The project is carried out in a number of steps: (1) design modelling techniques and metrics for information security issues in organizations, (2) collect data from Swedish governmental agencies, (3) use the modelling techniques to model the communication of information security in organizations from different perspectives, (4) apply the metrics to the data in order to assess information security levels in the agencies, (5) identify gaps, and (6) identify needs for improvement. The 14 layered framework, which is based on well established knowledge within information security (frameworks, models, standards, and terminology), is presented. The scientific base is cybernetics, including variety engineering and recursion to provide adaptation and learning. The motivation for the research is that communication of information security issues within organizations tends to be insufficient and the mental connections between IT security and information security work are weak, which prevents the organization from learning and adapting in its security work. This is a report on research in progress.
