but the semantics remain largely the same. However, the cause of the risk is presented as a composition of elements that differ depending on the source. Differences and equivalences are shown in Table 1.
The concept of asset is often mentioned in the definition of risk found in security-related standards. It is sometimes associated with threat [25], sometimes with vulnerability [23] and sometimes with attack [8]. In any case, the concept of asset plays a role in the definition of risk and should be linked to it. However, due to page limits, we cannot go into such detail here. More details can be found in [38].
5 ISSRM Domain Model
The first step of the method resulted in an alignment of the ISSRM concepts found in the literature. The second step of the method is the construction of the ISSRM domain model, presented in Fig. 2. For each concept of the alignment table, a name is chosen. Then, concepts are linked based on the relationships identified in [39]. A glossary is provided together with the domain model, giving a definition for each of its concepts. In this section we introduce the main concepts and their definitions. They are illustrated by examples related to an architecture engineering company [38]. The ISSRM domain model features three principal groups of concepts: (i) asset-related concepts, (ii) risk-related concepts, and (iii) risk treatment-related concepts.
Asset-related concepts describe which assets are important to protect and which criteria guarantee their security. The concepts are:
Asset - anything that has value to the organisation and is necessary for achieving
its objectives. Examples: technical plan; structure calculation process; architectural
competence; operating system; Ethernet network; people encoding data; system
administrator; air conditioning of server room.
Note: This concept is the generalisation of the business asset and IS asset
concepts.
Business asset - information, process, skill inherent to the business of the
organisation that has value to the organisation in terms of its business model
and is necessary for achieving its objectives. Examples: technical plan; structure
calculation process; architectural competence.
Note: Business assets are immaterial.
IS asset - a component or part of the IS that has value to the organisation and
is necessary for achieving its objectives and supporting business assets. An IS asset
can be a component of the IT system, like hardware, software or network, but also
people or facilities playing a role in the IS and therefore in its security. Examples:
operating system; Ethernet network; people encoding data; system administrator;
air conditioning of server room.
Note 1: IS assets are (with the exception of software) material.
Note 2: Sometimes, for conducting a macroscopic analysis, it is necessary to
define a system composed of various IS assets as an IS asset.
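The three asset concepts above (asset as the generalisation, business asset, IS asset, with IS assets supporting business assets and a composite IS asset per Note 2) can be made executable so that an analyst can query which IS assets a given business asset ultimately depends on. The following is an added example written for this page; it is not the authors' model or tooling, and it does not reproduce Fig. 2. It assumes a direct "supports" link from IS assets to business assets (the text only says IS assets support business assets; the exact relationships are in [39]), assumes a kind/category enumeration for the two subclasses, and uses a constructed inventory built from the examples in the definitions plus an assumed composite "plan file server".

```python
"""Added example: executable rendering of the asset-related ISSRM concepts.
Illustrative code for this page, not the authors' model. Class names, the
'supports' link, the category enumerations and the inventory are assumptions."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, Iterable, Set, Tuple


@dataclass(frozen=True)
class Asset:
    """Asset: anything that has value to the organisation and is necessary for
    achieving its objectives. Generalisation of the two subclasses below."""
    name: str


@dataclass(frozen=True)
class BusinessAsset(Asset):
    """Business asset: information, process or skill inherent to the business.
    Per the note in the text, business assets are immaterial."""
    kind: str = "information"  # assumed enumeration: information / process / skill


@dataclass(frozen=True)
class ISAsset(Asset):
    """IS asset: a component of the IS (hardware, software, network, people,
    facility) that supports business assets."""
    category: str = "software"  # assumed: hardware/software/network/people/facility

    @property
    def material(self) -> bool:
        # Note 1 in the text: IS assets are material, except software.
        return self.category != "software"


@dataclass(frozen=True)
class CompositeISAsset(ISAsset):
    """Note 2: a system composed of several IS assets, itself treated as one
    IS asset for a macroscopic analysis."""
    parts: Tuple[ISAsset, ...] = ()


def flatten(is_asset: ISAsset) -> Set[ISAsset]:
    """Expand a (possibly nested) composite IS asset into its leaf IS assets."""
    if isinstance(is_asset, CompositeISAsset):
        return set().union(*(flatten(p) for p in is_asset.parts))
    return {is_asset}


def supporting_is_assets(ba: BusinessAsset,
                         supports: Dict[BusinessAsset, Tuple[ISAsset, ...]]) -> Set[str]:
    """Names of all leaf IS assets on which a business asset depends, i.e. the
    things whose loss or compromise would hit that business asset."""
    return {leaf.name for a in supports.get(ba, ()) for leaf in flatten(a)}


def unsupported_business_assets(business_assets: Iterable[BusinessAsset],
                                supports: Dict[BusinessAsset, Tuple[ISAsset, ...]]) -> Set[str]:
    """Business assets with no recorded supporting IS asset: a gap the analyst
    must either justify (e.g. a pure skill) or fill before risk analysis."""
    return {ba.name for ba in business_assets if not supporting_is_assets(ba, supports)}


def example_inventory():
    """Constructed inventory using the examples given in the definitions.
    The composite server and the support links are assumptions, not from the text."""
    technical_plan = BusinessAsset("technical plan", "information")
    calc_process = BusinessAsset("structure calculation process", "process")
    competence = BusinessAsset("architectural competence", "skill")

    os_ = ISAsset("operating system", "software")
    lan = ISAsset("Ethernet network", "network")
    encoders = ISAsset("people encoding data", "people")
    sysadmin = ISAsset("system administrator", "people")
    cooling = ISAsset("air conditioning of server room", "facility")
    # Assumed Note-2 composite: the file server holding the plans, seen as one IS asset
    server = CompositeISAsset("plan file server", "hardware", parts=(os_, cooling, sysadmin))

    supports = {
        technical_plan: (server, lan, encoders),
        calc_process: (os_, lan),
        # architectural competence: a skill with no IS asset recorded as supporting it
    }
    return [technical_plan, calc_process, competence], supports


if __name__ == "__main__":
    business_assets, supports = example_inventory()
    for ba in business_assets:
        print(f"{ba.name!r} depends on: {sorted(supporting_is_assets(ba, supports))}")
    print("unsupported:", unsupported_business_assets(business_assets, supports))
```

The query flattens composites so that a risk later attached to, say, the air conditioning propagates to the technical plan even though the plan was only linked to the composite server; the unsupported-assets check surfaces business assets the inventory has not yet tied to any IS asset.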