Towards a General Information Security Management Assessment Framework to Compare Cyber-Security of Critical Infrastruct
Abstract. This paper describes the development of an information security framework that aims to comparatively assess the quality of management processes in the context of cyber-security of organizations operating within critical infrastructure sectors. A design science approach was applied to establish a framework artifact that consists of the four dimensions “Security Ambition”, “Security Process”, “Resilience” and “Business Value”. These dimensions were related to the balanced scorecard concept and to the information security literature. The framework includes metrics, measurement approaches and aggregation methods. In its adapted form, our framework enables a systematic compilation of information security measurements, displays the security situation of a focal firm against desired future states and industry benchmarks, and allows for an investigation of interdependencies. The design science research process included workshops, cyclic refinements of the instrument, pretests and the evaluation of the framework within 30 critical infrastructure organizations. The framework was found to be particularly useful as a learning and benchmarking tool capable of highlighting weaknesses, strengths, and gaps in relation to standards.

Keywords: BSC · Cyber-security · Information security management · Critical infrastructure · Design science
E.W.N. Bernroider et al.
© IFIP International Federation for Information Processing 2016. Published by Springer International Publishing AG 2016. All Rights Reserved. A.M. Tjoa et al. (Eds.): CONFENIS 2016, LNBIP 268, pp. 127–141, 2016. DOI: 10.1007/978-3-319-49944-4_10

1 Introduction

Today’s organizations in the private and public sectors have become increasingly dependent on Information and Communication Technologies (ICTs) to develop and offer their services and products. While these ICTs offer considerable advantages, their wide-spread accessibility exposes individuals, organizations and nations to risks, which in particular include Internet-related security breaches [1]. A lack of understanding of the risk cultures and exposures related to developing and operating ICT can lead to significant negative impacts. Consequently, a wide range of stakeholders, including citizens and governments [2], have a natural interest in ensuring that any organization in an economy, in particular those operating critical infrastructures, manages its ICT risks appropriately. An infrastructure is considered critical when its maintenance is essential for vital societal functions. Damage to a critical infrastructure, such as energy supply or transportation [3], may have a significant negative impact on the security of the country and the well-being of its citizens. An important and growing area of research and standards development deals with organization-related cyber-security issues. Cyber-security has been defined by the International Telecommunication Union (ITU) to mean “a collection of tools, policies, security concepts, security safeguards, guidelines, risk management approaches, actions, training, best pract