Abstract
The volume of information held by organizations is growing rapidly, and for most of it, security and protection against unauthorized access are of great importance. Information may be created by one person or a few, but securing it involves every asset: hardware, software and people. That means organizing all elements of the system, and training the people and monitoring their performance. One standard for building such security is an information security management system (ISMS). It provides a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a system from a security point of view. An ISMS takes several parameters from its users, assesses the resulting risks and proposes controls (guidelines) to reduce them. Collecting the primary parameters is therefore critical. These parameters are usually collected personally, by individual judgment, which yields inaccurate results. The most important of them are confidentiality, integrity, availability, threat and vulnerability. This paper proposes a checklist-based method: by assessing users' responses to the checklists, the vulnerability parameter can be entered more accurately as a standard ISMS input, giving better outcomes and a more accurate selection of controls. The assessment uses the standard deviation of the responses, and a comparison between the conventional ISMS approach and the proposed method shows the latter performing 30% better. Respondents may decline to answer sincerely for various reasons, and the reported percentage may vary, because the results are cross-sectional, obtained at one point in time.
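As an added illustration, not the paper's own method or code, the following Python sketch shows one way checklist responses can be turned into the vulnerability parameter of a risk calculation, and how the standard deviation across respondents can flag items whose answers disagree (for instance because some respondents did not answer sincerely). The 0..4 answer scale, the rescaling to 1..5, the threat x vulnerability x impact formula, the dispersion threshold, the item identifiers and the sample asset and responses are all assumptions constructed for this example.

```python
from dataclasses import dataclass, field
from statistics import mean, pstdev


@dataclass
class ChecklistItem:
    """One checklist question and the answers collected from several respondents.

    Answer scale (hypothetical): 0 = control fully in place ... 4 = control absent.
    """
    item_id: str
    question: str
    answers: list[int]

    def score(self) -> float:
        """Mean answer, 0..4; higher means the asset is more exposed on this item."""
        return mean(self.answers)

    def dispersion(self) -> float:
        """Population standard deviation across respondents; a high value means
        the respondents disagree and the item needs re-verification."""
        return pstdev(self.answers)


@dataclass
class Asset:
    """Asset under assessment with its CIA ratings and threat likelihood (1..5, assumed scale)."""
    name: str
    confidentiality: int
    integrity: int
    availability: int
    threat: int
    checklist: list[ChecklistItem] = field(default_factory=list)


def vulnerability_value(items: list[ChecklistItem],
                        max_dispersion: float = 1.0) -> tuple[float, list[str]]:
    """Aggregate checklist answers into a 1..5 vulnerability value (assumed scale).

    Items whose standard deviation exceeds max_dispersion are left out of the
    mean and returned as flagged, so inconsistent (possibly insincere) answers
    do not silently skew the risk input. Returns (vulnerability, flagged_ids).
    """
    trusted = [i for i in items if i.dispersion() <= max_dispersion]
    flagged = [i.item_id for i in items if i.dispersion() > max_dispersion]
    if not trusted:
        raise ValueError("no checklist item has consistent answers; re-run the survey")
    raw = mean([i.score() for i in trusted])   # 0..4
    return 1.0 + raw, flagged                  # rescaled to 1..5


def risk(asset: Asset, max_dispersion: float = 1.0) -> tuple[float, float, list[str]]:
    """Risk = threat x vulnerability x impact, with impact = max(C, I, A) (assumed formula).

    Returns (risk, vulnerability, flagged_item_ids).
    """
    vuln, flagged = vulnerability_value(asset.checklist, max_dispersion)
    impact = max(asset.confidentiality, asset.integrity, asset.availability)
    return asset.threat * vuln * impact, vuln, flagged


def sample_assessment() -> tuple[float, float, list[str]]:
    """Constructed sample: four respondents answer three checklist items
    about a hypothetical HR database (all values invented for this example)."""
    hr_db = Asset(
        name="HR database",
        confidentiality=5, integrity=4, availability=3, threat=4,
        checklist=[
            ChecklistItem("pw-policy", "Is a password policy enforced?", [3, 3, 4, 3]),
            ChecklistItem("patching", "Are security patches applied within SLA?", [1, 1, 2, 0]),
            # respondents split 0/4/1/3 here: stdev ~1.58, so the item is flagged
            ChecklistItem("inventory", "Is the asset in the inventory?", [0, 4, 1, 3]),
        ],
    )
    return risk(hr_db)


if __name__ == "__main__":
    r, v, flagged = sample_assessment()
    print(f"vulnerability={v:.3f} risk={r:.1f} flagged={flagged}")
```

In the constructed sample the "inventory" item is excluded from the vulnerability mean and returned for follow-up (for example an evidence check against the actual asset register), rather than being averaged in with the consistent answers. The dispersion threshold is a tuning choice; it should be set from the answer scale and the number of respondents, not left at the illustrative default.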
Appendix 1: Questionnaires list
Cite this article
Mortazavi, S.A.R., Safi-Esfahani, F. A checklist based evaluation framework to measure risk of information security management systems. Int. j. inf. tecnol. 11, 517–534 (2019). https://doi.org/10.1007/s41870-019-00302-0
DOI: https://doi.org/10.1007/s41870-019-00302-0