Selecting the Business Information Security Officer with ECU@Risk and the Critical Role Model

Crespo-Martínez, Paul E.

doi:10.1007/978-3-030-20154-8_34

Cited by 2 publications

(2 citation statements)

References 0 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…However, the required data input for quantitative assessments-for example, measures such as single loss expectancy, annualised rate of occurrence, and annualised loss expectancy-may not be readily available [23], and other limitations include complexity, limited scope, subjectivity, lack of standardisation, and cost [24]. Many organisations therefore often pursue a qualitative risk evaluation by assigning values to IT assets, including corporate information, which is one of the most important assets of an organisation [25]. This has been highlighted by the data breaches and attacks suffered by many organisations in recent years [26], and information security management is being increasingly viewed as an important tool in ensuring organisational continuity [27,28].…”

Section: Concepts and Methodsmentioning

confidence: 99%

IT Risk Management: Towards a System for Enhancing Objectivity in Asset Valuation That Engenders a Security Culture

Metin,

Duran,

Telli

et al. 2024

Information

View full text Add to dashboard Cite

In today’s technology-centric business environment, where organizations encounter numerous cyber threats, effective IT risk management is crucial. An objective risk assessment—based on information relating to business requirements, human elements, and the security culture within an organisation—can provide a sound basis for informed decision making, effective risk prioritisation, and the implementation of suitable security measures. This paper focuses on asset valuation, supply chain risk, and enhanced objectivity—via a “segregation of duties” approach—to extend and apply the capabilities of an established security culture framework. The resultant system design aims at mitigating subjectivity in IT risk assessments, thereby diminishing personal biases and presumptions to provide a more transparent and accurate understanding of the real risks involved. Survey responses from 16 practitioners working in the private and public sectors confirmed the validity of the approach but suggest it may be more workable in larger organisations where resources allow dedicated risk professionals to operate. This research contributes to the literature on IT and cyber risk management and provides new perspectives on the need to improve objectivity in asset valuation and risk assessment.

show abstract

Section: Concepts and Methodsmentioning

confidence: 99%

IT Risk Management: Towards a System for Enhancing Objectivity in Asset Valuation That Engenders a Security Culture

Metin,

Duran,

Telli

et al. 2024

Information

View full text Add to dashboard Cite

show abstract

“…For example, measures such as single loss expectancy, annualized rate of occurrence, and annualized loss expectancy may not be readily available [9]. Many organizations therefore often pursue a qualitative risk evaluation, by assigning values to IT assets, including corporate information, which is one of the most important assets of an organization [10]. This has been highlighted by the data breaches and attacks suffered by many organizations in recent years [11], and information security management is increasingly viewed as an important tool in ensuring organisational sustainability [12,13].…”

Section: Relevant Literature and Standardsmentioning

confidence: 99%

Digitalisation and IT Risk Management: Towards a System for Improved Business Sustainability

Metin,

Duran,

Telli

et al. 2023

Preprint

View full text Add to dashboard Cite

To proactively manage information security, enterprises often employ information security risk assessment techniques. Asset value - which is used to calculate the financial impact of possible threats - is one of the key parameters of information security risk. However, assets in a system are rarely independent, and their values are typically interdependent. Asset owners and IT teams may hold different views as regards these values, and there is thus the need to reduce subjectivity in a qualitative risk assessment. The research entails the development of a conceptual framework derived from the literature to minimize subjectivity, and the design of a system based on those concepts. The study uses the Unified Modeling Language as a design tool and puts forward an object-oriented model for defining asset values, in which the relationships between assets, vulnerabilities and related threats are identified. A “segregation of duties” approach is integrated into the risk management system to mitigate against subjectivity and better determine asset values. Survey responses from 16 practitioners working in the private and public sectors confirm the validity of the approach, but suggest it may be more workable in larger organisations where resources allow dedicated risk professionals to operate.

show abstract

Selecting the Business Information Security Officer with ECU@Risk and the Critical Role Model

Cited by 2 publications

References 0 publications

IT Risk Management: Towards a System for Enhancing Objectivity in Asset Valuation That Engenders a Security Culture

IT Risk Management: Towards a System for Enhancing Objectivity in Asset Valuation That Engenders a Security Culture

Digitalisation and IT Risk Management: Towards a System for Improved Business Sustainability

Contact Info

Product

Resources

About