Information Security Governance Analysis Using Probabilistic Relational Models

Waldo Rocha Flores, Mathias Ekstedt

Abstract

This paper proposes the use of Probabilistic Relational Models (PRM) for analyzing dependencies between Information Security Governance (ISG) components and their impact on the capability of a process to mitigate information security vulnerabilities. Using a PRM enables inference between different ISG components, expressed as probabilities, as well as inference on the process capability itself. A concrete PRM that exemplifies how to assess the capability of the access control process is also presented, showing how the PRM can be adapted to the analysis of a specific process in an organizational environment.
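The kind of inference the abstract describes, as an added worked example that is not from the paper: a PRM instantiated for one organization unfolds into an ordinary Bayesian network, so the example below builds a toy network with three binary nodes (a governance component, an access-rights review activity, and the access control process capability) and answers both kinds of query, predictive (how capable is the process given what we know about governance) and diagnostic (what a weak process implies about the governance components). The node names, structure and conditional probabilities are illustrative assumptions, not the paper's PRM or its numbers.

```python
from itertools import product

# Constructed toy network (assumption, not the paper's model).
# node -> (parents, CPT mapping a tuple of parent values to P(node = True))
NODES = {
    "policy_defined": ((), {(): 0.6}),
    "rights_reviewed": (("policy_defined",), {(True,): 0.8, (False,): 0.3}),
    "ac_capable": (
        ("policy_defined", "rights_reviewed"),
        {(True, True): 0.9, (True, False): 0.5,
         (False, True): 0.4, (False, False): 0.1},
    ),
}


def joint_prob(assignment):
    """P(full assignment) = product over nodes of P(node | parents)."""
    p = 1.0
    for node, (parents, cpt) in NODES.items():
        p_true = cpt[tuple(assignment[q] for q in parents)]
        p *= p_true if assignment[node] else 1.0 - p_true
    return p


def query(target, evidence=None):
    """P(target = True | evidence) by enumerating the joint distribution.

    Enumeration is exponential in the number of nodes, which is fine for a
    hand-built governance model of a few dozen binary nodes but not beyond.
    """
    evidence = evidence or {}
    unknown = set(evidence) - set(NODES)
    if unknown:
        raise ValueError(f"evidence on undefined nodes: {sorted(unknown)}")
    names = list(NODES)
    numerator = denominator = 0.0
    for values in product([False, True], repeat=len(names)):
        assignment = dict(zip(names, values))
        if any(assignment[k] != v for k, v in evidence.items()):
            continue  # inconsistent with the evidence
        p = joint_prob(assignment)
        denominator += p
        if assignment[target]:
            numerator += p
    return numerator / denominator


if __name__ == "__main__":
    # Predictive: capability with and without knowing reviews happen.
    print("P(ac_capable)                      =", round(query("ac_capable"), 3))
    print("P(ac_capable | rights_reviewed)    =",
          round(query("ac_capable", {"rights_reviewed": True}), 3))
    # Diagnostic: what an observed weak process says about governance.
    print("P(policy_defined | not ac_capable) =",
          round(query("policy_defined", {"ac_capable": False}), 3))
```

The two directions of query are the point: the same model gives the expected process capability from the state of the governance components, and, once an assessment has observed the process, revises belief about which components are in place.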



Paper Citation


in Harvard Style

Rocha Flores W. and Ekstedt M. (2011). Information Security Governance Analysis Using Probabilistic Relational Models. In Proceedings of the 8th International Workshop on Security in Information Systems - Volume 1: WOSIS, (ICEIS 2011) ISBN 978-989-8425-61-4, pages 142-150. DOI: 10.5220/0003588001420150


in Bibtex Style

@conference{wosis11,
author={Waldo Rocha Flores and Mathias Ekstedt},
title={Information Security Governance Analysis Using Probabilistic Relational Models},
booktitle={Proceedings of the 8th International Workshop on Security in Information Systems - Volume 1: WOSIS, (ICEIS 2011)},
year={2011},
pages={142-150},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0003588001420150},
isbn={978-989-8425-61-4},
}


in EndNote Style

TY - CONF
JO - Proceedings of the 8th International Workshop on Security in Information Systems - Volume 1: WOSIS, (ICEIS 2011)
TI - Information Security Governance Analysis Using Probabilistic Relational Models
SN - 978-989-8425-61-4
AU - Rocha Flores W.
AU - Ekstedt M.
PY - 2011
SP - 142
EP - 150
DO - 10.5220/0003588001420150