
Risk model development for information security in organization environment based on business perspectives

Regular contribution, published in the International Journal of Information Security.

Abstract

Digital information plays an essential role in supporting organizational business. However, incidents of sensitive information leakage often occur in organizational environments. Risk analysis therefore needs to be performed to recognize the impact of information security threats on an organization. To carry out such risk analysis, a risk model is needed to map the risk of information security threats. Selecting a proper risk model yields proper risk analysis results, and a proper risk model must have objectivity and an appropriate context. However, most existing risk models focus on a technical approach and use expert judgment as a weighting method, whereas organizations use business perspectives to make decisions. This study therefore aims to meet the needs of organizations by developing a new risk model. The proposed risk model focuses on involving business aspects and reducing subjective methods. It uses three processes to produce its output: adaptable data classification, data measurement and cross-label analysis. Text mining and categorical clustering are used to handle these three processes. The proposed model is tested on 30 targets to define its abilities and limitations. The results state that the proposed model has advantages in objectivity, context approach and detailed output, while its limited scope of work is its weakness.




Correspondence to Prajna Deshanta Ibnugraha.

Ethics declarations

Conflict of interest

The authors declare that they have no conflict of interest.

Ethical approval

This article does not contain any studies with human participants or animals performed by any of the authors.


Cite this article

Ibnugraha, P.D., Nugroho, L.E. & Santosa, P.I. Risk model development for information security in organization environment based on business perspectives. Int. J. Inf. Secur. 20, 113–126 (2021). https://doi.org/10.1007/s10207-020-00495-7
