Introducing OSSF: A framework for online service cybersecurity risk management

This paper proposes a new framework for online service security risk management that can be used by both service providers and service consumers. The framework was validated through a case study performed in a large enterprise environment. Its key components are a threat model and a risk model, both designed to fit the specific features of online services and the surrounding cyberspace environment. A risk management process is an integral part of the framework and is suited to frequent, recurrent risk assessments. Executing the process identifies and carries out the tasks needed to treat the identified security risks and deficiencies. If the process is executed on a regular basis, an online service's risk score can be documented and reported continuously.
