Assessment of Enterprise Information Security — The Importance of Information Search Cost

There are today several methods and standards available for assessing the level of information security in an enterprise. A problem with these assessment methods is that they provide neither an indication of the amount of effort required to obtain the assessment nor an approximation of the credibility of the resulting measure. This paper describes part of a new method for assessing the level of enterprise information security that expresses the credibility of the results in terms of confidence levels and makes use of an estimate of the cost of searching for security evidence. Methods for predicting the information search cost of assessments are detailed in the paper. The search cost predictions are used to provide guidance on how to minimize the effort spent on performing enterprise information security assessments. The conclusions are based on a security assessment performed at a large European energy company and a statistical survey among Swedish security experts.
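The abstract describes a trade-off between the cost of searching for security evidence and the confidence level the collected evidence supports, but gives no formulas. The following is an added illustration written for this page, not the paper's own method: it assumes a simple model in which each evidence source has a search cost in hours and an independent probability of yielding correct evidence, combines sources by multiplying their error probabilities, and compares a cheap greedy search plan with the cheapest plan found by exhaustive search. The source names, costs and reliabilities are constructed sample values.

```python
from itertools import combinations
from math import log, prod

# Constructed sample evidence sources (hypothetical values, not from the paper).
# "reliability" is the assumed probability that the source yields correct evidence
# about the control under assessment; "cost_hours" is the assumed search effort.
EVIDENCE_SOURCES = [
    {"name": "policy document review", "cost_hours": 2, "reliability": 0.5},
    {"name": "interview with system owner", "cost_hours": 4, "reliability": 0.7},
    {"name": "configuration audit of servers", "cost_hours": 16, "reliability": 0.9},
    {"name": "penetration test report", "cost_hours": 40, "reliability": 0.95},
]


def combined_confidence(sources):
    """Confidence that at least one collected source is correct, treating the
    sources as independent: 1 minus the product of their error probabilities."""
    return 1.0 - prod(1.0 - s["reliability"] for s in sources)


def total_cost(sources):
    return sum(s["cost_hours"] for s in sources)


def doubt_removed_per_hour(source):
    """-log(error probability) is the amount of doubt a source removes;
    dividing by its cost gives a cost-effectiveness score."""
    error = 1.0 - source["reliability"]
    if error <= 0.0:
        return float("inf")  # a perfectly reliable source wins outright
    return -log(error) / source["cost_hours"]


def plan_search_greedy(sources, target_confidence):
    """Collect evidence in order of doubt removed per hour until the target
    confidence is met. Returns (chosen sources, confidence, cost)."""
    remaining = list(sources)
    chosen = []
    while remaining and combined_confidence(chosen) < target_confidence:
        best = max(remaining, key=doubt_removed_per_hour)
        remaining.remove(best)
        chosen.append(best)
    return chosen, combined_confidence(chosen), total_cost(chosen)


def plan_search_optimal(sources, target_confidence):
    """Exhaustive search over subsets (fine for a handful of sources): the
    cheapest subset that reaches the target. Returns (chosen sources,
    confidence, cost), or (None, 0.0, 0) if no subset reaches the target."""
    best = None
    for k in range(1, len(sources) + 1):
        for subset in combinations(sources, k):
            if combined_confidence(subset) >= target_confidence:
                if best is None or total_cost(subset) < total_cost(best):
                    best = list(subset)
    if best is None:
        return None, 0.0, 0
    return best, combined_confidence(best), total_cost(best)


if __name__ == "__main__":
    for label, planner in (("greedy", plan_search_greedy), ("optimal", plan_search_optimal)):
        chosen, conf, cost = planner(EVIDENCE_SOURCES, 0.92)
        names = [s["name"] for s in chosen]
        print(f"{label}: {names} confidence={conf:.3f} cost={cost}h")
```

With the sample values and a target confidence of 0.92, the greedy plan reaches 0.985 at a cost of 22 hours, while the exhaustive search finds that the policy review plus the configuration audit reaches 0.95 for 18 hours: the cheapest individual sources are not always part of the cheapest plan, which is why a search cost prediction has to consider evidence sources in combination rather than one at a time.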
