Proposing framework for comparative evaluation of information security risk assessment methods (Case of study: Iranian Research Institute for Information Science and Technology (IranDoc))

Document Type : Original Article

Authors

1 Assistant Professor,،Iranian Research Institute for Information Science and Technology (IranDoc)،Tehran, Iran

2 Ph.D.,Iranian Research Institute for Information Science and Technology (IranDoc)Tehran, Iran

Abstract

One of the key actions in information security management is information security risk management, the main stage of which is known as "information security risk assessment". So far, various methods, standards and frameworks have been formed for this purpose. The main question that has been considered in this study is that despite this range of information security risk assessment methods, how should an organization choose and implement the appropriate method for its goals and situation. In order to answer this question, in this research, first, an evaluation framework consisting of 13 evaluation criteria was designed in two categories: the nature of the method and the adaptation of the method to the organizational situation. Then, based on this framework, 18 well-known information security risk assessment methods were evaluated in the organizational case of Iranian Research Institute for Information Science and Technology (IranDoc). The results of this evaluation showed that the proposed framework has the required validity. Based on these results, the ISO 27005 standard was recognized as the most appropriate method of information security risk assessment in the investigated case. At the end, based on these results and in line with further development and validation of the presented framework, suggestions were presented.

Keywords

Main Subjects


[1].      S. Nodeh Farahani, H. Jabari, and H. Panahian, "Proposing a conceptual model of components and indicators of human capital affecting the information security of organizations," protectiv & security researches, vol. 9, pp. 147-170, 2020. (in Persian). DOR: 20.1001.1.26455129.1399.9.35.6.7
[2].      N. Feng, H. J. Wang, and M. Li, "A security risk analysis model for information systems: Causal relationships of risk factors and vulnerability propagation analysis," INFORM SCIENCES, vol. 256, pp. 57-73, 2014. doi: 10.1016/j.ins.2013.02.036
[3].      Committee on National Security Systems (CNSS), "Committee on National Security Systems (CNSS) Glossary," https://www.niap-ccevs.org/Ref/CNSSI_4009.pdf, 2022.
[4].      M. Malekalkalami, "Evaluating the performance of information security management at the central libraries of public universities in Tehran, according to the international standard-ISO/IEC", Journal of Information Processing and Management, vol. 28, No.4, pp. 895-916, 2013. (in Persian) doi: 10.35050/JIPM010.2013.016
[5].      S. Kwon, S. Jang, J. Lee, and S. Kim, "Common defects in information security management system of Korean companies," J SYST SOFTWARE, vol. 80, no. 10, pp. 1631-1638, 2007. doi: 10.1016/j.jss.2007.01.015
[6].      B. Von Solms, "Information security–the fourth wave," Computers & security, vol. 25, no. 3, pp. 165-168, 2006.
[7].      J. F. Van Niekerk, and R. Von Solms, "Information security culture: A management perspective," COMPUT SECUR, vol. 29, no. 4, pp. 476-486, 2010. doi: 0.1016/j.cose.2006.03.004
[8].      B. Von Solms, "Information security—the third wave?," COMPUT SECUR, vol. 19, no. 7, pp. 615-620, 2000. doi: 10.1016/S0167-4048(00)07021-8
[9].      M. Ostrowska, and S. Mazur, "Risk in a crisis situation," PROC ECON FINANC, vol. 23, no. 10, pp. 615-621, 2015. doi: 10.1016/S2212-5671(15)00373-1
[10].   K.S. Chin, D.W. Tang, J.B. Yang, S. Y. Wong, and H. Wang, "Assessing new product development project risk by Bayesian network with a systematic probability generation methodology," EXPERT SYST APPL, vol. 36, pp. 9879-9890, 2009. doi: 10.1016/j.eswa.2009.02.019
[11].   J. S. Broderick, "ISMS, security standards and security regulations," information security technical report, vol. 11, pp. 26-31, 2006.
[12].   H. Bateni and P. Saeidi, "The effect of information quality integrity on information security risk management," Information Technology Innovation and Applied Communications, vol. 0, pp. 23-35, 2019. (in Persian).
[13].   ISO (International Organization for Standardization), "ISO/IEC 27001 Information security management systems: Requirements," https://www.iso.org/standard/27001., 2022.
[14].   S. A. Malik and B. Holt, "Factors that affect the adoption of Enterprise Risk Management (ERM)," OR Insight, vol. 26, pp. 253-269, 2013. doi: 10.1057/ori.2013.7
[15].   S.A Charsoughi, M.A. Doustari, A. Yazdian Varjani, S.A. Mahdavi Ardestani, "Artificial Neural Network Application in Risk Information Security Assessment", Journal of Electronics & Cyber Defense, vol. 1, no.4, pp 23-33, 2014. (in Persian). DOR: 20.1001.1.23224347.1392.1.4.4.1
[16].   S.A Charsoughi, M.A. Doustari, A. Yazdian Varjani, S.A. Mahdavi Ardestani, " Information Security Risk Assessment Using Artificial Neural Network Application in Risk Information Security Assessment", Journal of Electronics & Cyber Defense, vol. 1, no.1, pp 1-13, 2013. (in Persian). DOR: 20.1001.1.23224347.1392.1.1.1.2
[17].   M.C. Lee, "Information security risk analysis methods and research trends: AHP and fuzzy comprehensive method," International Journal of Computer Science & Information Technology, vol. 6, p. 29, 2014.
[18].   D. Ionita, "Current established risk assessment methodologies and tools," University of Twente, 2013.
[19].   G. Wangen, C. Hallstensen, and E. Snekkenes, "A framework for estimating information security risk assessment method completeness: Core Unified Risk Framework, CURF," INT J INF SECUR, vol. 17, pp. 681-699, 2018. doi: 10.1007/s10207-017-0382-0
[20].   W. Labuschagne, "A comparative framework for evaluating information security risk management methods," Rand Afrikaans University, Standard Bank Academy for Information Technology, 2004.
[21].   L. Pan and A. Tomlinson, "A systematic review of information security risk assessment," International Journal of Safety and Security Engineering, vol. 6, pp. 270-281, 2016. doi: 10.2495/SAFE-V6-N2-270-281
[22].   A. Shameli-Sendi, R. Aghababaei-Barzegar, and M. Cheriet, "Taxonomy of information security risk assessment (ISRA)," COMPUT SECUR, vol. 57, pp. 14-30, 2016.
[23].   F. Macedo and M. M. Da Silva, "Comparative study of information security risk assessment models," Universidad Técnica de Lisboa, Lisboa, 2012. Doi: 10.1016/j.cose.2015.11.001
[24].   A. Behnia, R. Abd Rashid, and J. A. Chaudhry, "A survey of information security risk analysis methods," SmartCR, vol. 2, pp. 79-94, 2012.
[25].   V. Agrawal, "A Comparative Study on Information Security Risk Analysis Methods," J. Comput., vol. 12, pp. 57-67, 2017. doi: 10.17706/jcp.12.1.57-67
[26].   P. Vartiainen, "On the principles of comparative evaluation," EVALUATION-US, vol. 8, pp. 359-371, 2002. doi: 10.1177/135638902401462484
[27].   J. C. Pomerol and S. Barba-Romero, Multicriterion decision in management: principles and practice vol. 25: Springer Science & Business Media, 2012.
[28].   H. S. Shih, H. J. Shyur, and E. S. Lee, "An extension of TOPSIS for group decision making," MATH COMPUT MODEL, vol. 45, pp. 801-813, 2007. doi: 10.1016/j.mcm.2006.03.023
[29].   T. A. Chandrinos, "Analysis of frameworks/methods for information security risk management," University of Piraeus, Thailand, 2023.
[30].   G. Wangen and E. Snekkenes, "A taxonomy of challenges in information security risk management," in Proceeding of Norwegian Information Security Conference/Norsk informasjonssikkerhetskonferanse-NISK 2013-Stavanger, 18th-20th November 2013, 2013.
[31].   M. Shokry, A. I. Awad, M. K. Abd-Ellah, and A. A. Khalaf, "When Security Risk Assessment Meets Advanced Metering Infrastructure: Identifying the Appropriate Method," SUSTAINABILITY-BASEL, vol. 15, p. 9812, 2023. doi: 10.3390/su15129812
[32].   K. Kiran, S. Mukkamala, A. Katragadda, and D. Reddy, "Performance and analysis of risk assessment methodologies in information security," International Journal of Computer Trends and Technology (IJCTT), vol. 4, pp. 3685-3692, 2013.
[33].   S. M. Sulaman, K. Weyns, and M. Höst, "A review of research on risk analysis methods for IT systems," in Proceedings of the 17th International Conference on Evaluation and Assessment in Software Engineering, 2013, pp. 86-96.
[34].   Z. Rodion, "Analysis of information risk management methods," University of Jyvaskyla, 2014.
[35].   P. Shamala, R. Ahmad, and M. Yusoff, "A conceptual framework of info structure for information security risk assessment (ISRA)," Journal of Information Security and Applications, vol. 18, pp. 45-52, 2013. Doi: 10.1016/j.jisa.2013.07.002
[36].   J. V. Barraza de la Paz, L. A. Rodríguez-Picón, V. Morales-Rocha, and S. V. Torres-Argüelles, "A Systematic Review of Risk Management Methodologies for Complex Organizations in Industry 4.0 and 5.0," Systems, vol. 11, p. 218, 2023. doi: 10.3390/systems11050218
[37].   M. Berrady, "ISRAM Method Comparison Comparative: framework study for risk assessment methods," University of Oslo, 2021.
[38].   M. S. Saleh and A. Alfantookh, "A new comprehensive framework for enterprise information security risk management," Applied computing and informatics, vol. 9, pp. 107-118, 2011. doi: 10.1016/j.aci.2011.05.002
[39].   SESAR, "Selection of Risk Assessment Methods Object of Study," University of Trento, SESAR JOINT UNDERTAKING, 2011.
[40].   J. L. Spears, "A holistic risk analysis method for identifying information security risks," in Security Management, Integrity, and Internal Control in Information Systems: IFIP TC-11 WG 11.1 & WG 11.5 Joint Working Conference 7, 2005, pp. 185-202.
[41].   E. Koza, "Semantic Analysis of ISO/IEC 27000 Standard Series and NIST Cybersecurity Framework to Outline Differences and Consistencies in the Context of Operational and Strategic Information Security," Medicon Engineering Themes, vol. 2, pp. 26-39, 2022.
[42].   Central Bank, "Central Bank of The Islamic Republic of Iran," https://www.cbi.ir/, 2023.
[43].   R. K. Devi, D. I. Sensuse, and R. R. Suryono, "Information Security Risk Assessment (ISRA): A Systematic Literature Review," Journal of Information Systems Engineering & Business Intelligence, vol. 8, pp. 207-217, 2022. doi: 10.20473/jisebi.8.2.207-217
[44].   A. S. C. Junior and C. H. Arima, "Cyber Risk Management and iso 27005 Applied in Organizations: A Systematic Literature Review," REVISTA FOCO, vol. 16, pp. e1188-e1188, 2023.
[45].   S. Fenz, J. Heurix, T. Neubauer, and F. Pechstein, "Current challenges in information security risk management," Information Management & Computer Security, vol. 22, pp. 410-430, 2014. doi: 10.1108/IMCS-07-2013-0053
[46].   H. Bateni and P. Saeidi, "The effect of information quality integrity on information security risk management," Information and Communication Technology Innovations, vol 1, pp. 23-35, 2019 https://ait.ihu.ac.ir/article_204800.html 
 
Volume 12, Issue 2 - Serial Number 46
number 46, summer 2024
September 2024
  • Receive Date: 04 March 2024
  • Revise Date: 20 July 2024
  • Accept Date: 08 August 2024
  • Publish Date: 31 August 2024