Figure 2 - uploaded by Sebastian Pape
Content may be subject to copyright.
Benchmarking Section
Source publication
A web-based platform was developed to support the inter-organisational collaboration between small and medium-sized energy providers. Since critical infrastructures are subject to new security regulations in Germany, the platform particularly serves for the exchange of experience and for mutual support in information security. The focus of this wor...
Context in source publication
Citations
... The idea to assess the maturity levels of ISO/IEC 27002 controls is also supported by standard GRC (governance, risk, compliance) tools like risk2value which is also used by major companies [8]. There also exist several academic approaches relying on similar maturity-based approaches [9,10,11]. ...
Maturity models are a widely used concept for measuring information security. The idea is to systematically evaluate the maturity of security-relevant processes in an organisation. This enables decision makers to get an overview of the implementation status of relevant processes to identify neuralgic points. Maturity models thus play a central role in the conception of information security management systems (ISMS). Some industries, for instance, the German automotive industry, have even established security maturity levels as the de facto standard for measuring information security. However, the quality of security maturity level assessments has not been sufficiently investigated yet. We have analysed to what extent security managers can accurately assess the maturity levels of security controls. To verify the quality of maturity level assessments a case study was conducted where security experts assessed a subset of the ISO/IEC 27002 security controls for a hypothetical scenario using the COBIT maturity levels. Additionally, ex-post interviews have been conducted with several study participants to verify some of the hypotheses developed during the previous analyses. Our results show that many security experts struggled with the task and did not perform well. However, we discovered professional characteristics that have a strong significant effect on the assessment capabilities. We also identified various types of additional support that can help practitioners to make more reliable assessments in practice. Moreover, the experts self-perception was overly optimistic when asked to assess their performance. We even found a weak inverted correlation for more experienced experts, also known as Dunning-Kruger effect. Our results have a strong impact on practise since they indicate that practitioners need support to carry out high-quality assessments and they also show what kind of support addresses the identified challenges.
Information security risk assessment frameworks support decision-makers in assessing and understanding the risks their organisation is exposed to. However, there is a lack of lightweight approaches. Most existing frameworks require security-related information that are not available and that are very challenging to gather. So they are not suitable in practice, especially for small and medium-sized enterprises (SMEs) who often lack in data and in security knowledge. On the other hand, other explicit SME approaches have far less informative value than the proposed framework. Moreover, many approaches only provide extensive process descriptions that are challenging for SMEs. In order to overcome this challenge, we propose LiSRA, a lightweight, domain-specific framework to support information security decision-making. It is designed with a two-sided input where domain experts initially provide domain-specific information (e.g. attack scenarios for a specific domain), whereupon users can focus on specifying their security practices and organisational characteristics by entering information that many organisations have already collected. This information is then linked to attack paths and to the corresponding adverse impacts in order to finally assess the total risk. Moreover, LiSRA can be used to get transparent recommendations for future security activities and presents detailed insights on the mitigating effects of each recommendation. The security activities are being evaluated taking into account the security activities already in place, and also considering the dependencies between multiple overlapping activities that can be of complementary, substitutive or dependent nature. Both aspects are ignored by most existing evaluation approaches which can lead to an over-investment in security. A prototype has been implemented, and the applicability of the framework has been evaluated with performance and robustness analyses and with initial qualitative evaluations.
