Technological advances continue to evolve at an increasing rate. Despite these advances, the use of theoretical frameworks in risk management or information security may be deficient because the theories themselves are inadequately substantiated. Furthermore, academic research to corroborate existing theories relevant to risk management or information security is underway, but current research may not support those theories. According to Chuy et al. (2010), the roles of theories may not be fully understood, and they are arguably underused by others in the research process. This article discusses several theories regarding information security and risk management. The selected theories are then compared with respect to their implied use in information security and risk management. In addition, each theory is briefly analyzed as to whether abundant research exists on it that can be used by the academic community and others. Finally, the challenges that may arise for each theory lacking sufficient supporting research are discussed.
Theoretical Discussion
Information security and risk have become a priority for organizations vying to protect their networks and organizational data from unscrupulous entities (Zhao, Xue, & Whinston, 2013). In the operation of systems and processes, theoretical frameworks may be used to assist organizations in developing security control measures that support the denial of threats such as phishing attacks and rootkit installations (Sun, Srivastava, & Mock, 2006). In addition, Sun et al. (2006) summarized that theoretical frameworks assist in methodologies associated with the identi...
... middle of paper ...
...g in the Dempster–Shafer theory. International Journal of Approximate Reasoning, 52(8), 1124-1135. doi:10.1016/j.ijar.2011.06.003
Srivastava, R. P., Mock, T. J., & Gao, L. (2011). The Dempster-Shafer theory: An introduction and fraud risk assessment illustration. Australian Accounting Review, 21(3), 282-291. doi:10.1111/j.1835-2561.2011.00135.x
Sun, L., Srivastava, R. P., & Mock, T. J. (2006). An information systems security risk assessment model under the Dempster-Shafer theory of belief functions. Journal of Management Information Systems, 22(4), 109-142. Retrieved from http://www.jmis-web.org/
Zhao, X., Xue, L., & Whinston, A. B. (2013). Managing interdependent information security risks: Cyberinsurance, managed security services, and risk pooling arrangements. Journal of Management Information Systems, 30(1), 123-152. doi:10.2753/MIS0742-1222300104
National Institute of Standards and Technology. (2002). Risk management guide for information technology systems (Special Publication 800-30). Gaithersburg, MD: NIST.
During the process of analyzing an organization's effectiveness in managing cybersecurity risks, there is a range of security policies that need to be implemented. A prime example of this concept is the set of cybersecurity policies developed for the consulting firm Booz Allen Hamilton. The division formed to address the firm's requirements within cyberspace is the Cyber Solution Network (CSN). The CSN division within Booz Allen Hamilton maintains a range of policies used to ensure the firm is protected against risk.
Security helps the organization meet its business objectives or mission by protecting its physical and financial resources, reputation, legal position, employees, and other tangible and intangible assets through the selection and application of appropriate safeguards. Businesses should establish the roles and responsibilities of all personnel and staff members. In particular, a Chief Information Officer should be appointed to direct an organization's day-to-day management of information assets. Supporting roles are performed by the service providers and include systems operations, whose personnel design and operate the computer systems. Each team member must be held accountable for ensuring that all rules and policies are followed, as well as for understanding their roles, responsibilities, and functions. Organizations' information processing systems are vulnerable to many threats that can inflict various types of damage, resulting in significant losses (Harris, 2014). Losses can come from the actions of trusted employees who defraud the system, from outside hackers, or from careless data entry. The major threat to information protection is the errors and omissions that data entry personnel, users, system operators, and programmers make. To better protect business information resources, organizations should conduct a risk analysis to see what
Today, process and technology alone cannot assure a secure organizational atmosphere. To achieve a satisfactorily secure organization, cybersecurity policies and procedures are established and expertise within an
After looking into each of the seven layers of the OSI model, it is apparent that there are many ways to exploit a security flaw within a system. A good security analyst has to look at the overall picture to keep the entire system secure, not just one or two layers. Information technology security measures are not a one-time fix; security is a continuous process that must keep pace with ever-changing protocols, applications, and the ingenuity of attackers.
The phrase 'cyber risk' means jeopardizing an organization's financial status and revenue due to advances in technology (IRM, 2014). The concern is that the increasing growth of technology brings a high risk to security and privacy. Cyber risk affects not only large and small organizations but also extends to data breaches involving high-profile individuals and the release of government documents. While businesses and society continue to engage in the use of technology, the potential cyber threat is seriously underestimated. Cyber risk management will help prevent the release of confidential and personal information to attackers. Some examples of recent cyber attacks are the massive data breach at Target and the leak of confidential information in Panama.
Risk management is the process of identifying, analyzing, and responding to risk factors throughout the life of a project and in the best interests of its objectives (Stanleigh, 2015). This paper focuses on the trends and methods of managing risks in a project. It also analyzes different ways of mitigating risks in a project and why risk management is important in an information technology (IT) environment.
A brief review of the above-mentioned research studies regarding behavioral information security reveals the recurring theme of applying existing behavioral theory models to the information security context, with the theory of planned behavior being mentioned in the literature review sections of all of the research articles. All of the research studies seek to identify the factors that shape the attitudes and behavioral intentions of employee end users, and all have significant implications for IT policymakers within organizations.
Institutions of higher learning are increasingly using information and communication systems in administration, teaching, learning, and research. This infrastructure needs to be available, secure, and well protected. It therefore becomes crucial for information security practitioners in public universities to implement effective information security programs. Information security focuses on technological issues as well as important elements of an organization such as people, processes, and business strategies, which also mandate the need for information security. A comprehensive security framework incorporates three basic components: people, technology, and process. When correctly assembled, the people, technology, and process elements of an information security framework work together to secure the environment and remain consistent with an institution's business objectives (Mark, C.A. Wiley & A. John Wiley, 2011).
Few of these can be surmounted without disproportionate difficulty, whereas others may be so imposing that they preclude launching a campaign. Here we consider a few requirements for an organization to survive in this competitive environment. Patents provide some protection for new products or processes. High start-up costs are, in most cases, the most daunting barrier for small businesses. Knowledge matters: a lack of technical, marketing, manufacturing, or engineering expertise can be a significant obstacle to successful market entry. Market saturation is a reality; it is more difficult to carve out a niche in a crowded market than to establish a presence in a market with relatively light competition. These days, risk management is a necessity for companies and organizations, meaning that private companies without a sound risk management process in place could wind up at a competitive disadvantage. When we consider an organization, the general manager determines which risks arising from information security threats will create competitive disadvantages, and empowers the information technology and security communities of interest to control those risks. To control the risks, we need to consider four strategies: avoidance/prevention, transference, mitigation and
The safety of information is the most valuable asset in any organization, particularly those that provide financial services to others. Threats can come from a variety of sources such as human threats, natural disasters, and technical threats. By identifying the potential threats to the network, security measures can be taken to combat these threats, eliminate them, or reduce their likelihood and impact should they occur.
There are a number of different models proposed as frameworks for information security, but one of the best is the McCumber model, designed by John McCumber. In this model the elements to be studied are organized in a cube structure, in which each axis represents a different viewpoint on an information security issue and each axis has three elements. With its 27 small cubes arranged together, the model resembles a Rubik's cube. The three axes of the cube are: desired goals, information states, and measures to be taken. At the intersection of the three axes, an information security problem can be examined from every angle.