A Conceptual Model for Information Security Risk Considering Business Process Perspective

Information security risk assessment (ISRA) and risk modeling have become prominent topics in the last decade. Many researchers have developed ISRA methods, and the field continues to attract review. The business process perspective is a new direction in the ISRA domain: risk is assessed on the basis of business processes rather than an organization's assets. This research conducts a systematic review of ISRA models developed in recent years. Research papers from 2010 to 2017 were selected and examined in the context of information security risk assessment, risk modeling, and their relationship with business process management. In addition to the existing taxonomy, new aspects were added to analyze these papers, namely risk context, adaptive ability, and model purpose. Based on the analysis results, two research gaps in information security risk modeling were found. First, a risk model should provide a comprehensive assessment method that accounts for vulnerability propagation and for resource valuation at different resource levels. Second, a risk model should also be able to adapt to changes in business processes. This paper outlines the research challenges raised by these issues and proposes a new conceptual model for ISRA.
