Business process-based valuation of IT-security

Neubauer, Thomas; Klemen, Markus; Biffl, Stefan

doi:10.1145/1082983.1083099

Cited by 13 publications

(6 citation statements)

References 7 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…These approaches propose theoretical reference models to fill the void between business and risk domains. In other respects, Neubauer et al [57] propose a framework for the analysis of the security of business processes from the point of view of cost-benefit. Their framework proposal is defined for integration into any business process management approach.…”

Section: Related Workmentioning

confidence: 99%

Automatic Verification and Diagnosis of Security Risk Assessments in Business Process Models

et al. 2019

View full text Add to dashboard Cite

show abstract

Section: Related Workmentioning

confidence: 99%

Automatic Verification and Diagnosis of Security Risk Assessments in Business Process Models

et al. 2019

View full text Add to dashboard Cite

show abstract

“…In early risk assessment approaches, the idea of using business processes was introduced to avoid focusing solely on technical security issues (CCTA, 1987; Halliday et al , 1996; Rainer et al , 1991). Later, annual loss expectancy (Suh and Han, 2003), loss of disruption (Neubauer et al , 2005) and business goals (Khanmohammadi and Houmb, 2010) began to be used to determine the criticality and importance of vulnerabilities in terms of losses or interruption. In these approaches the impact of a given vulnerability is determined but not the security required.…”

Section: Related Workmentioning

confidence: 99%

Resolving vulnerability identification errors using security requirements on business process models

Taubenberger

Jürjens

et al. 2013

Information Management &Amp; Computer Security

View full text Add to dashboard Cite

Purpose -In any information security risk assessment, vulnerabilities are usually identified by information-gathering techniques. However, vulnerability identification errors -wrongly identified or unidentified vulnerabilities -can occur as uncertain data are used. Furthermore, businesses' security needs are not considered sufficiently. Hence, security functions may not protect business assets sufficiently and cost-effectively.Design/methodology/approach -This paper aims to resolve vulnerability errors by analysing the security requirements of information assets in business process models. Business process models have been selected for use, because there is a close relationship between business process objectives and risks.Security functions are evaluated in terms of the information flow of business processes regarding their security requirements. The claim that vulnerability errors can be resolved was validated by comparing the results of a current risk assessment approach with the proposed approach. The comparison is conducted both at three entities of an insurance company, as well as through a controlled experiment within a survey among security professionals.Findings -Vulnerability identification errors can be resolved by explicitly evaluating security requirements in the course of business; this is not considered in current assessment methods.Research limitations/implications -Security requirements should be explicitly evaluated in risk assessments considering the business context. Results of any evaluation of security requirements could be used to indicate the security of information. The approach was only tested in the insurance domain and therefore results may not be applicable to other business sectors.Originality/value -It is shown that vulnerability identification errors occur in practice. With the explicit evaluation of security requirements, identification errors can be resolved. Risk assessment methods should consider the explicit evaluation of security requirements.

show abstract

“…Information security investment not only relates to the direct income of the defender, but also impacts the indirect income of the defender [7], so we choose I to reflect the intangible asset produced by information security investment of the E-commerce organization. K represents the attack cost of the attacker.…”

Section: Information Security Game Model Of the Defender And The Attamentioning

confidence: 99%

Information Security Game Analysis with Penalty Parameter

Sun

Kong

et al. 2008

2008 International Symposium on Electronic Commerce and Security

View full text Add to dashboard Cite

This paper analyzes information security in the Ecommerce based on game theory, and this game analysis method is applied to information security for the first time. We set up the information security game model of the defender and the attacker, make the equilibrium analysis of this game model, and get the ideal strategy combination. Then we introduce the penalty parameter of the defender and the penalty parameter of the attacker to solve the problem that the restriction condition is not satisfied. The introduction of the penalty parameter of the defender promotes the defender to invest in information security, and the introduction of the penalty parameter of the attacker promotes the attacker to take no attack strategy. This paper provides good reference for information security in the E-commerce.

show abstract

Business process-based valuation of IT-security

Abstract: Abstract

Cited by 13 publications

References 7 publications

Automatic Verification and Diagnosis of Security Risk Assessments in Business Process Models

Automatic Verification and Diagnosis of Security Risk Assessments in Business Process Models

Resolving vulnerability identification errors using security requirements on business process models

Information Security Game Analysis with Penalty Parameter

Contact Info

Product

Resources

About