Proceedings of the First ACM Workshop on Information Security Governance 2009
DOI: 10.1145/1655168.1655179

Security risk management using internal controls

Abstract: Rather than treating security as an independent technical concern, it should be considered as just another risk that needs to be managed alongside all other business risks. An Internal Controls approach to security risk management is proposed whereby automated catalogues are built in order to provide information about security controls used to mitigate risk in business processes. Real-time evaluation and measurement of control efficacy in this model become essential to the management of risk using these catalo…

Citations: cited by 10 publications (6 citation statements)
References: 10 publications

“…In practice, security is a process [35] and the objective of a Security Risk Management paradigm is to treat security as just another risk that needs to be managed alongside other risks to business objectives. This Internal Controls style approach of achieving reasonable assurance regarding the achievement of objectives [1,14,38] follows an OODA-style loop [8]: firstly, identifying security risks (threats), secondly, selecting and deploying security controls that mitigate the risks, and finally, measuring the efficacy of the controls at mitigating risk. Blakely et.…”
Section: Security Risk Management As a Bureaucratic State (citation type: mentioning)
confidence: 99%
“…In [6,11,19] a compensating uni-norm operator ⊙ e is described for aggregating in a non-linear manner, for neutral element e : [0..1]. Intuitively, this uni-norm operator may be thought of as a combination of probabilistic product when operand severity values are less than e, and probabilistic sum when operand severity values are greater than e. Using this operator, for example with e = 0.6, to aggregate trust along a chain causes the calculation to be less sensitive to aggregation of higher trust values along the chains.…”
Section: Compensating Aggregation Operators (citation type: mentioning)
confidence: 99%
“…We argue that Triangular Norms provide a natural approach to aggregating trust. Triangular norms and conorms are classes of well-understood aggregation operators that are used to combine values in the metric space [0..1] [8,26] and have been used to aggregate knowledge for a variety of applications such as fuzzy-logic [8], risk management [11], multimedia databases [10] and medical decision support systems [6].…”
Section: Introduction (citation type: mentioning)
confidence: 99%
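The two citation statements above describe, first, a uni-norm with neutral element e that behaves like a probabilistic product below e and a probabilistic sum above e, and second, the triangular norms and conorms such operators are built from. The following is an added example, written for this page and not code from the cited papers or from the paper under discussion. It implements the product t-norm, the probabilistic-sum t-conorm, and a Yager-Rybalov style uni-norm composed from them, then folds it along a chain of trust values with e = 0.6 so the chain behaviour the passage mentions can be seen next to a plain product baseline. Two points are assumptions of this example rather than details the page states: the value used when one operand lies below e and the other above it (min, the conjunctive variant), and the sample chains, which are constructed.

```python
"""Added example: a uni-norm built from the product t-norm and the
probabilistic-sum t-conorm, used to aggregate trust values along a chain.

Assumptions (not stated on the page): the mixed region (one operand below e,
one above) uses min, i.e. the conjunctive uni-norm; chain values are
constructed sample data.
"""
from functools import reduce
from math import prod


def t_norm_product(a: float, b: float) -> float:
    """Product t-norm on [0,1]: conjunctive, result never exceeds either operand."""
    return a * b


def t_conorm_prob_sum(a: float, b: float) -> float:
    """Probabilistic-sum t-conorm on [0,1]: disjunctive, result never below either operand."""
    return a + b - a * b


def uninorm(x: float, y: float, e: float) -> float:
    """Uni-norm with neutral element e in (0,1).

    Both operands below e: rescaled product t-norm (values are pulled down).
    Both operands above e: rescaled probabilistic sum (values are pushed up).
    Mixed region: min(x, y), the conjunctive choice; this is an assumption of
    this example, the page does not specify it.
    """
    for v in (x, y):
        if not 0.0 <= v <= 1.0:
            raise ValueError(f"operand {v} outside [0,1]")
    if not 0.0 < e < 1.0:
        raise ValueError("neutral element must lie strictly inside (0,1)")
    if x <= e and y <= e:
        return e * t_norm_product(x / e, y / e)
    if x >= e and y >= e:
        return e + (1.0 - e) * t_conorm_prob_sum((x - e) / (1.0 - e),
                                                 (y - e) / (1.0 - e))
    return min(x, y)


def aggregate_chain(values, e: float) -> float:
    """Fold the uni-norm over a chain of trust values.

    The fold starts from e itself, so a one-link chain is returned unchanged
    (e is the neutral element) and an empty chain yields e.
    """
    return reduce(lambda acc, v: uninorm(acc, v, e), values, e)


def aggregate_product(values) -> float:
    """Baseline: plain product t-norm, which can only decay along a chain."""
    return prod(values)


if __name__ == "__main__":
    e = 0.6
    high_chain = [0.8, 0.8, 0.8]   # constructed sample: every link above e
    low_chain = [0.3, 0.3]         # constructed sample: every link below e
    mixed_chain = [0.9, 0.2]       # constructed sample: one link each side of e
    print("high chain, product  :", aggregate_product(high_chain))    # ~0.512
    print("high chain, uni-norm :", aggregate_chain(high_chain, e))   # ~0.95
    print("low chain,  uni-norm :", aggregate_chain(low_chain, e))    # ~0.15
    print("mixed chain, uni-norm:", aggregate_chain(mixed_chain, e))  # ~0.2
```

With e = 0.6 a chain of three 0.8 links reinforces to about 0.95 under the uni-norm, where the product baseline decays to about 0.512; a chain of links below e decays faster than the links themselves (0.3, 0.3 gives 0.15). Checking that `uninorm(e, v, e)` returns `v` for several `v` is the quickest way to confirm a hand-written uni-norm has the neutral element it claims.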
“…Internal control processes within organizations help to ensure business processes behave according to the business objectives, external regulations or security rules [1] [2]. Recent legal requirements such as the Sarbanes-Oxley Act [3] and EuroSOX [4] increased the adoption of the practice of creating internal business controls to ensure business process compliance.…”
Section: Introduction (citation type: mentioning)
confidence: 99%