Abstract
Statistical data reveal a contradiction: organizations' financial investment in information security (IS) keeps growing, yet the number of IS incidents caused by internal users also rises steadily. From this the paper concludes that modern IS risk assessment methods are cognitively vulnerable and have a low degree of validity. Stereotypes that produce cognitive errors in IS risk assessment are identified: the priority given to technical protection of information against external IS threats over organizational and technical protection against internal threats; distrust of the internal client, who is perceived exclusively as an object of tough managerial influence while the client's subjective role in IS management is ignored; and confining work with personnel within the IS management system to one-time measures and static criteria for assessing human risks, while neglecting systemic measures and dynamic, situational criteria. The paper substantiates the need to update IS risk management standards and to develop new methods and tools for IS risk assessment that reject these outdated stereotypes.
Funding
This article was prepared with the support of the Government of the Russian Federation (Resolution No. 211 of March 16, 2013, Agreement No. 02. А03.21.0011).
Ethics declarations
The authors declare that they have no conflicts of interest.
Cite this article
Astakhova, L.V. The Validity of Information Security Risk Assessment Methods for Organizations. Sci. Tech. Inf. Proc. 47, 241–247 (2020). https://doi.org/10.3103/S014768822004005X