A checklist-based evaluation framework to measure risk of information security management systems

The volume of information is growing rapidly, and for most of it data security and protection from unauthorized access are of great importance. Information may be created by an individual or a few people, but securing it must involve all of the organization's assets: hardware, software and people. This entails organizing every element of the system, and training and monitoring the performance of the people. One of the standards provided for establishing security is ISMS. This standard is intended to provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a system in terms of security. ISMS receives several parameters from users, assesses the risks and offers controls (guidelines) to improve them. Collecting the primary parameters is therefore very important in ISMS. Usually these parameters are collected on a personal, subjective basis, which leads to inaccurate outcomes. The most important parameters are confidentiality, integrity, availability, threat and vulnerability. This paper proposes a checklist-based method: by assessing users' responses to the checklists, the value of the vulnerability parameter can be entered more accurately as a standard input of ISMS, in order to obtain better outcomes and a more accurate choice of controls. In the assessment, the standard deviation is calculated, and a comparison between the conventional mode of ISMS and the proposed method shows that the latter works 30% better than the conventional method. People may refuse to respond sincerely for various reasons, and the percentages in the results may differ, since the results are obtained cross-sectionally at a certain point in time.
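As an added illustration (not code from the paper), the checklist-to-vulnerability step described above, in Python: several respondents answer the same control checklist, their answers are aggregated into a vulnerability value, and the standard deviation across respondents is used to flag inconsistent (possibly insincere) answers before the value is fed into a risk calculation. The answer scoring, the "one minus mean control coverage" rule, the 0.15 inconsistency threshold and the impact x threat x vulnerability risk formula are all assumptions; the abstract does not give the paper's formulas.

```python
import statistics
from typing import Dict, List

# Assumption: each checklist answer maps to a control-coverage score in [0, 1].
ANSWER_SCORE = {"yes": 1.0, "partial": 0.5, "no": 0.0}

# Assumption: respondents whose aggregate answers spread more than this are
# treated as inconsistent and the checklist should be re-run or reviewed.
STDEV_THRESHOLD = 0.15


def vulnerability_from_checklist(responses: List[Dict[str, str]]) -> Dict[str, float]:
    """Aggregate several respondents' checklist answers into one vulnerability value.

    Per respondent, vulnerability = 1 - mean control coverage (assumption).
    The population standard deviation across respondents measures how much
    they disagree; a large spread indicates unreliable (e.g. insincere) input.
    """
    per_respondent = []
    for answers in responses:
        scores = [ANSWER_SCORE[a.strip().lower()] for a in answers.values()]
        per_respondent.append(1.0 - sum(scores) / len(scores))
    mean_v = statistics.fmean(per_respondent)
    sd = statistics.pstdev(per_respondent) if len(per_respondent) > 1 else 0.0
    return {
        "vulnerability": round(mean_v, 3),
        "stdev": round(sd, 3),
        "consistent": sd <= STDEV_THRESHOLD,
    }


def risk_score(confidentiality: float, integrity: float, availability: float,
               threat: float, vulnerability: float) -> float:
    """Risk = impact x threat x vulnerability, all ratings in [0, 1] (assumption).

    Impact is taken as the highest of the CIA ratings so that a system whose
    availability matters most is not diluted by low confidentiality needs.
    """
    impact = max(confidentiality, integrity, availability)
    return round(impact * threat * vulnerability, 3)


# Constructed sample: three staff answer the same four-control checklist.
SAMPLE_RESPONSES = [
    {"backups tested": "yes", "mfa on admin accounts": "partial", "patch sla": "no", "access reviews": "yes"},
    {"backups tested": "yes", "mfa on admin accounts": "yes", "patch sla": "partial", "access reviews": "yes"},
    {"backups tested": "yes", "mfa on admin accounts": "no", "patch sla": "no", "access reviews": "partial"},
]

if __name__ == "__main__":
    v = vulnerability_from_checklist(SAMPLE_RESPONSES)
    print(v)  # stdev above threshold, so the input is flagged as inconsistent
    print(risk_score(0.8, 0.6, 0.7, 0.5, v["vulnerability"]))
```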
