DOI: 10.1145/3297280.3297468

Enabling change-driven workflows in continuous information security management

Published: 08 April 2019

Abstract

Information Security Management Systems (ISMS) aim at ensuring proper protection of information values and information processing systems (i.e., assets). Information Security Risk Management (ISRM) techniques are incorporated in ISMSs to deal with threats and vulnerabilities that pose risks to the information security properties of these assets. The ongoing evolution of information systems, as well as the ever-changing threat landscape, requires enterprises to adopt new approaches to ensure consistent compliance with their information security goals. The great challenge enterprises face is to deal efficiently with all changes to their assets and their risk exposure, and with the impact of these changes on their ISMS and ISRM activities. We present a model-based approach for continuous information security management based on semi-automated workflows triggered by changes to the underlying asset catalogue, the operational environment and the threat landscape. The prototypical implementation was evaluated in a real-world industrial setting, demonstrating high usability when integrating stakeholders from different domains in a continuous risk management process.


Published In

SAC '19: Proceedings of the 34th ACM/SIGAPP Symposium on Applied Computing
April 2019
2682 pages
ISBN: 9781450359337
DOI: 10.1145/3297280

Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. automation
  2. case study
  3. information security management system
  4. information security risk management
  5. process improvement

Qualifiers

  • Research-article

Conference

SAC '19

Acceptance Rates

Overall Acceptance Rate 1,650 of 6,669 submissions, 25%
