Risk model development for information security in organization environment based on business perspectives

Digital information plays an essential role in supporting organizational business. However, incidents of sensitive information leakage often happen in organization environment. Therefore, risk analysis needs to be performed to recognize the impact of information security threat in organization. In order to carry out those risk analyses, risk model is needed to map risk of information security threat. The selection of proper risk model provides proper result related to risk analysis. The proper risk model must have objectivity and appropriate context. However, most of the existing risk models focus on the technical approach and use expert judgment as a weighting method. Meanwhile, organizations use business perspectives to determine decisions. Therefore, this study has the objective to fill the needs of organizations by developing a new risk model. The proposed risk model focuses on business aspects involvement and reducing subjective methods. The proposed risk model also uses three processes to result output, i.e., adaptable classification data, data measurement and cross-label analysis. Test mining and categorical clustering are involved to handle those three processes. Testing of the proposed model is carried out to define ability and limitation of model by involving 30 targets. The result states that the proposed model has advantages in objectivity, context approach and detailed output, while the limited scope of work becomes weakness of these models.

[1]  Fang Liu,et al.  Enterprise data breach: causes, challenges, prevention, and future directions , 2017, WIREs Data Mining Knowl. Discov..

[2]  Neeraj Suri,et al.  Quantitative assessment of software vulnerabilities based on economic-driven security metrics , 2013, 2013 International Conference on Risks and Security of Internet and Systems (CRiSIS).

[3]  John A. Clark,et al.  Risk profiles and distributed risk assessment , 2009, Comput. Secur..

[4]  Jian Sheng Dai,et al.  A study on the service and trend of Fintech security based on text-mining: focused on the data of Korean online news , 2017, Journal of Computer Virology and Hacking Techniques.

[5]  Hong Liu,et al.  Identifying Sensitive Data Items within Hadoop , 2015, 2015 IEEE 17th International Conference on High Performance Computing and Communications, 2015 IEEE 7th International Symposium on Cyberspace Safety and Security, and 2015 IEEE 12th International Conference on Embedded Software and Systems.

[6]  Latifa Ben Arfa Rabai,et al.  Classification of Security Threats in Information Systems , 2014, ANT/SEIT.

[7]  Wael A. Awad,et al.  Empirical assessment for security risk and availability in public Cloud frameworks , 2016, 2016 11th International Conference on Computer Engineering & Systems (ICCES).

[8]  Zhao Gang,et al.  A New Security and Privacy Risk Assessment Model for Information System Considering Influence Relation of Risk Elements , 2014, 2014 Ninth International Conference on Broadband and Wireless Computing, Communication and Applications.

[9]  Babu M. Mehtre,et al.  An overview of vulnerability assessment and penetration testing techniques , 2015, Journal of Computer Virology and Hacking Techniques.

[10]  Joaquin Garcia-Alfaro,et al.  Using an Event Data Taxonomy to Represent the Impact of Cyber Events as Geometrical Instances , 2018, IEEE Access.

[11]  Alireza Tamjidyamcholo,et al.  Application of fuzzy set theory to evaluate the rate of aggregative risk in information security , 2013, 2013 International Conference on Research and Innovation in Information Systems (ICRIIS).

[12]  Faramarz Safi-Esfahani,et al.  A checklist based evaluation framework to measure risk of information security management systems , 2019, International Journal of Information Technology.

[13]  Maria Luisa Damiani,et al.  Segmentation techniques for the summarization of individual mobility data , 2017, Wiley Interdiscip. Rev. Data Min. Knowl. Discov..

[14]  Wee Keong Ng,et al.  A User-Centric Approach to Pricing Information , 2016, 2016 IEEE Second International Conference on Big Data Computing Service and Applications (BigDataService).

[15]  Durai Raj Vincent,et al.  Effective Mining Approach to Produce Quality Search Results Using Proposed Approach , 2017 .

[16]  Veera Ravinuthala,et al.  A Keyword Extraction Approach for Single Document Extractive Summarization Based on Topic Centrality , 2017 .

[17]  Marco Vieira,et al.  Analysis of Field Data on Web Security Vulnerabilities , 2014, IEEE Transactions on Dependable and Secure Computing.

[18]  Rana Khudhair Abbas Ahmed,et al.  Overview of Security Metrics , 2016 .

[19]  Paulus Insap Santosa,et al.  Metrics analysis of risk profile: A perspective on business aspects , 2018, 2018 International Conference on Information and Communications Technology (ICOIACT).

[20]  Gunnar Ellingsena,et al.  CENTERIS 2014-Conference on ENTERprise Information Systems / ProjMAN 2014-International Conference on Project MANagement / HCIST 2014-International Conference on Health and Social Care Information Systems and Technologies Internet of Things and Smart Objects for MHealth Monitoring and Control , 2014 .

[21]  D. Razak,et al.  Small Medium Enterprises (SMES) in turkey and Malaysia a comparative discussion on issues and challenges , 2018 .

[22]  Ulrich Frank,et al.  Components of a multi-perspective modeling method for designing and managing IT security systems , 2016, Inf. Syst. E Bus. Manag..

[23]  Kornelije Rabuzin,et al.  HOW TO CALCULATE INFORMATION VALUE FOR EFFECTIVE SECURITY RISK ASSESSMENT , 2006 .

[24]  Paulus Insap Santosa,et al.  An Approach for Risk Estimation in Information Security Using Text Mining and Jaccard Method , 2018 .

[25]  E. Garnevska,et al.  Effective Life Cycle Management in SMEs: Use of a Sector-Based Approach to Overcome Barriers , 2018 .

[26]  Martin Suhartana Modeling of Risk Factors in Determining Network Security Level , 2014 .

[27]  Jen-Yi Pan,et al.  Design and Implementation of Website Information Disclosure Assessment System , 2015, PloS one.

[28]  E. Nickolov CRITICAL INFORMATION INFRASTRUCTURE PROTECTION: ANALYSIS, EVALUATION AND EXPECTATIONS , 2005 .

[29]  Neeraj Suri,et al.  Assessing the security of internet-connected critical infrastructures , 2014, Secur. Commun. Networks.

[30]  Barbara Hauer,et al.  Data and Information Leakage Prevention Within the Scope of Information Security , 2015, IEEE Access.

[31]  Marjan Keramati,et al.  Novel security metrics for ranking vulnerabilities in computer networks , 2014, 7'th International Symposium on Telecommunications (IST'2014).

[32]  Shuchih Ernest Chang,et al.  Organizational factors to the effectiveness of implementing information security management , 2006, Ind. Manag. Data Syst..

[33]  Rob Johnson,et al.  Text Classification for Data Loss Prevention , 2011, PETS.

[34]  Tansu Alpcan,et al.  Modeling dependencies in security risk management , 2009, 2009 Fourth International Conference on Risks and Security of Internet and Systems (CRiSIS 2009).

[35]  Wenjie Zhang,et al.  Research on Supply Chain Information Classification Based on Information Value and Information Sensitivity , 2007, 2007 International Conference on Service Systems and Service Management.

[36]  Yuejin Tan,et al.  Sustainable Queuing-Network Design for Airport Security Based on the Monte Carlo Method , 2018 .

[37]  Fabio Martinelli,et al.  Cyber-insurance survey , 2017, Comput. Sci. Rev..

[38]  P. Zimmet,et al.  CXCR4 Antagonism Attenuates the Development of Diabetic Cardiac Fibrosis , 2015, PloS one.