Conceptual Design of a Method to Support IS Security Investment Decisions within the Context of Critical Business Processes

Heinz Lothar Grob, Gereon Strauch, Jan Hermans

Abstract

In order to safeguard the compliance of information systems, private enterprises and governmental organizations can implement a large variety of distinct measures, ranging from technical measures to organizational measures. Especially in the context of critical information system infrastructure, e.g. data centers, the decision for specific safeguards is complex. An appropriate method for the profitability assessment of alternative IS security measures in the context of critical business processes has not so far been developed. With this article we propose a conceptual design for a method which enables the determination of the success of alternative security investments on the basis of a process-oriented perspective. Within the scope of a design science approach we combine established artifacts of the field of IS security management with those of the fields of process management and controlling. On that basis we develop a concept that allows decision-makers to prioritize investments in dedicated IS safeguards in the context of critical business processes.

Paper Citation

in Harvard Style

Lothar Grob H., Strauch G. and Hermans J. (2008). Conceptual Design of a Method to Support IS Security Investment Decisions within the Context of Critical Business Processes. In Proceedings of the 6th International Workshop on Security in Information Systems - Volume 1: WOSIS, (ICEIS 2008) ISBN 978-989-8111-44-9, pages 113-121. DOI: 10.5220/0001741601130121

in Bibtex Style

@conference{wosis08,
author={Heinz Lothar Grob and Gereon Strauch and Jan Hermans},
title={Conceptual Design of a Method to Support IS Security Investment Decisions within the Context of Critical Business Processes},
booktitle={Proceedings of the 6th International Workshop on Security in Information Systems - Volume 1: WOSIS, (ICEIS 2008)},
year={2008},
pages={113-121},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0001741601130121},
isbn={978-989-8111-44-9},
}
in EndNote Style

TY - CONF
JO - Proceedings of the 6th International Workshop on Security in Information Systems - Volume 1: WOSIS, (ICEIS 2008)
TI - Conceptual Design of a Method to Support IS Security Investment Decisions within the Context of Critical Business Processes
SN - 978-989-8111-44-9
AU - Lothar Grob H.
AU - Strauch G.
AU - Hermans J.
PY - 2008
SP - 113
EP - 121
DO - 10.5220/0001741601130121