

Estimation of deficiency risk and prioritization of information security controls: A data-centric approach
Institution: 1. Cyber Security Institute, Department of Computer Science, USA; 2. School of Accounting & Management Information Systems, USA; 3. The University of Tulsa, 800 S. Tucker Drive, Tulsa, OK 74104, USA
Abstract: The risk of unauthorized disclosure or modification of corporate data can affect a firm in several ways, including its operations, its public image and its legal/compliance exposure. While management views risk along these dimensions, the information technology function (ITF) typically views risk from the standpoint of IT infrastructure compromise, and this viewpoint drives the establishment of IT security controls. It is often difficult for the internal audit function (IAF) to assess control deficiency risk (CDR) in the area of information security, or to estimate the importance of each in-place security control. Using a design science approach, we propose the Operational, Public image, Legal (OPL) model and method to classify the security criticality of the organization's data along these three dimensions. Through an empirical study, we demonstrate how the OPL method allows a quantitative estimation of the importance of in-place security controls as well as the CDR of missing controls. This information provides guidance on strategies for testing in-place controls during an audit, and on determining which controls may need to be incrementally added.
This document is indexed in ScienceDirect and other databases.