Using Stakeholder Knowledge for Data Quality Assessment in IS Security Risk Management Processes

The availability of high-quality documentation of the information system (IS), together with knowledgeable stakeholders, is an important prerequisite for successful IS security risk management processes. However, little is known about the relationship between stakeholders, their knowledge of the IS and the security documentation, or about how quality aspects of these influence the security and risk properties of the IS under investigation. We developed a structured data quality assessment process to identify quality issues in the security documentation of an information system. For this, organizational stakeholders were interviewed about the IS under investigation, and models were created from their descriptions in the context of an ongoing security risk management process. The research model was then evaluated in a case study. We found that contradictions between the models created from stakeholder interviews and those created from the documentation were a good indicator of potential security risks. The findings indicate that the proposed data quality assessment process provides valuable input to the ongoing security and risk management process. While current research considers users the most important resource in security and risk management processes, little is known about the hidden value of the various documentation artifacts available at the organizational level. This study highlights the importance of utilizing existing IS security documentation in the security and risk management process and provides risk managers with a toolset for prioritizing improvement activities driven by the security documentation.
