
The Validity of Information Security Risk Assessment Methods for Organizations

Published in: Scientific and Technical Information Processing

Abstract

Statistical data reveal a contradiction between growing financial investment in the information security (IS) of organizations and a steady increase in the number of IS incidents caused by internal users. From this it is concluded that modern IS risk assessment methods are cognitively vulnerable and have a low degree of validity. The stereotypes that produce cognitive errors in IS risk assessment are identified: the priority given to technical protection of information from external IS threats over organizational and technical protection from internal threats; distrust of the internal client, who is perceived exclusively as an object of tough managerial influence, while its subjective role in IS management is ignored; and the restriction of personnel-related work within the IS management system to one-time measures and static criteria for assessing human risks, with inattention to systemic measures and dynamic, situational criteria. The need to update IS risk management standards, and to develop new methods and tools for assessing IS risks that reject these outdated stereotypes, is substantiated.




Funding

This article was prepared with the support of the Government of the Russian Federation (Resolution No. 211 of March 16, 2013, Agreement No. 02. А03.21.0011).

Corresponding author

Correspondence to L. V. Astakhova.

Ethics declarations

The authors declare that they have no conflicts of interest.

About this article


Cite this article

Astakhova, L.V. The Validity of Information Security Risk Assessment Methods for Organizations. Sci. Tech. Inf. Proc. 47, 241–247 (2020). https://doi.org/10.3103/S014768822004005X
