Chapter

Vergleichbare Informationssicherheits-Kennzahlen innerhalb einer Branche: Äpfel oder Birnen, das ist hier die Frage (Comparable information security metrics within an industry: apples or pears, that is the question here)

Abstract

"I ask you about apples and you answer me about pears." This is how management occasionally puts it to the person responsible for information security when the question is the information security status of a company. If the same question is asked in a group context with several companies, management's verdict is even sharper. Why? The information security status of a company can only be measured indirectly, e.g. by means of key figures or metrics. This approximation is necessary because no gold standard exists for it so far. To obtain an estimate, one therefore has to find reliable measurements. One way to assess information security is to apply a maturity model and rate the level of the controls. This does not necessarily correspond to the actual security level. Nevertheless, assessing the maturity of information security in companies has been a major challenge for years. Although many studies have been conducted to address these challenges, research on how to analyse such assessments properly is still lacking. The main goal of this approach is to show how to use the Analytic Hierarchy Process (AHP) to compare the information security maturity of different companies within one industry. To validate the approach, data from a large, internationally operating media and technology company are used.
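What the AHP-based comparison described above looks like in practice, as an added example that is not code from the chapter or its authors: pairwise judgements about which control areas matter most are turned into criterion weights (principal eigenvector of the reciprocal comparison matrix), the judgements are rejected if Saaty's consistency ratio exceeds 0.1, and the same weights are then applied to every company's maturity levels so that the companies are scored against one hierarchy. The three criteria, the judgement values, the maturity levels and the company names are constructed for illustration; the random-index table and the CR < 0.1 rule are the standard AHP conventions. The closing comparison with equal weights shows the "apples and pears" problem: an unweighted average of maturity levels can rank the companies the other way round.

```python
"""Added example: AHP weights, consistency check and cross-company maturity scoring.
Criteria, judgements, maturity levels and company names are constructed."""

# Saaty's random consistency index by matrix order n (standard table).
RANDOM_INDEX = {1: 0.0, 2: 0.0, 3: 0.58, 4: 0.90, 5: 1.12, 6: 1.24,
                7: 1.32, 8: 1.41, 9: 1.45, 10: 1.49}

CRITERIA = ["access_control", "incident_management", "supplier_security"]

# Upper-triangle judgements on Saaty's 1..9 scale: (i, j) -> how much more
# important criterion i is than criterion j; the reciprocal is filled in below.
CONSISTENT_JUDGEMENTS = {(0, 1): 3, (0, 2): 5, (1, 2): 3}
# Circular preference (0 over 1, 1 over 2, but 2 over 0): must be rejected.
INCONSISTENT_JUDGEMENTS = {(0, 1): 3, (0, 2): 1 / 5, (1, 2): 3}

# Constructed maturity assessments per criterion (0 = not performed .. 5 = optimised).
MATURITY = {"Company A": [4, 3, 2], "Company B": [2, 4, 4]}


def build_matrix(n, judgements):
    """Positive reciprocal pairwise-comparison matrix from upper-triangle judgements."""
    a = [[1.0] * n for _ in range(n)]
    for (i, j), v in judgements.items():
        if not (0 <= i < j < n) or not (1 / 9 <= v <= 9):
            raise ValueError(f"bad judgement {(i, j)}={v}")
        a[i][j] = float(v)
        a[j][i] = 1.0 / v
    return a


def priority_vector(a, max_iter=500, tol=1e-12):
    """Principal eigenvector by power iteration, normalised to sum 1.
    Perron-Frobenius guarantees a dominant positive eigenvalue for this matrix class."""
    n = len(a)
    w = [1.0 / n] * n
    for _ in range(max_iter):
        aw = [sum(a[i][j] * w[j] for j in range(n)) for i in range(n)]
        total = sum(aw)
        new_w = [x / total for x in aw]
        converged = max(abs(x - y) for x, y in zip(new_w, w)) < tol
        w = new_w
        if converged:
            break
    return w


def consistency_ratio(a, w):
    """Return (lambda_max, CI, CR). CR < 0.1 is the usual acceptance threshold."""
    n = len(a)
    if n not in RANDOM_INDEX:
        raise ValueError(f"no random index for n={n}")
    aw = [sum(a[i][j] * w[j] for j in range(n)) for i in range(n)]
    lambda_max = sum(aw[i] / w[i] for i in range(n)) / n
    ci = (lambda_max - n) / (n - 1) if n > 1 else 0.0
    ri = RANDOM_INDEX[n]
    return lambda_max, ci, (ci / ri if ri > 0 else 0.0)


def ahp_weights(judgements, n, cr_limit=0.1):
    """Derive criterion weights; refuse judgement sets whose CR exceeds cr_limit."""
    a = build_matrix(n, judgements)
    w = priority_vector(a)
    _, _, cr = consistency_ratio(a, w)
    if cr > cr_limit:
        raise ValueError(f"inconsistent judgements: CR={cr:.2f} > {cr_limit}")
    return w, cr


def rank_companies(weights, maturity, scale=5):
    """Weighted maturity score (0..scale) per company, best first."""
    scored = []
    for name, levels in maturity.items():
        if len(levels) != len(weights) or not all(0 <= lv <= scale for lv in levels):
            raise ValueError(f"bad maturity vector for {name}")
        scored.append((sum(w * lv for w, lv in zip(weights, levels)), name))
    return sorted(scored, reverse=True)


if __name__ == "__main__":
    w, cr = ahp_weights(CONSISTENT_JUDGEMENTS, len(CRITERIA))
    print("weights:", dict(zip(CRITERIA, (round(x, 3) for x in w))), "CR=%.3f" % cr)
    print("AHP ranking:  ", rank_companies(w, MATURITY))
    print("equal weights:", rank_companies([1 / len(CRITERIA)] * len(CRITERIA), MATURITY))
    try:
        ahp_weights(INCONSISTENT_JUDGEMENTS, len(CRITERIA))
    except ValueError as err:
        print("rejected:", err)
```

The point for a group-wide comparison is that the judgement matrix is elicited once, checked for consistency once, and then applied unchanged to every company; only then are the resulting scores comparable. With the constructed data Company A leads under the AHP weights while Company B leads under a plain average, which is exactly the disagreement the chapter's opening quotation describes.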

References
Article
Generally, measuring Information Security Maturity (ISM) is the first step towards building a new, knowledge-based information security management system in an organization. Knowing the ISM level helps organizations decide which protection strategies and policies will be adopted, and with which priorities, to strengthen their competitive ability. One possible way to solve the problem is to use a multiple-criteria decision-making (MCDM) methodology. The Analytic Hierarchy Process (AHP) is one of the most commonly used MCDM methods; it combines subjective and personal preferences in the information security assessment process. However, AHP involves human subjectivity, which introduces vagueness-type uncertainty and requires decision-making under that uncertainty. In this paper, IS maturity is based on a hierarchical multilevel information security gap analysis model for the ISO 27001:2013 security standard. The concept of fuzzy sets is applied to AHP to propose a model for measuring an organization's IS maturity in an uncertain environment. The fuzzy AHP approach helps determine the importance weights of factors and indicators more efficiently, especially when dealing with imprecise and uncertain expert comparison judgements. A case study illustrates the new method for IS evaluation.
Article
Cyberspace is affecting all areas of our life. Cloud computing is the cutting-edge technology of this cyberspace and has established itself as one of the most important resource-sharing technologies for future on-demand services and infrastructures that support the Internet of Things (IoT), big data platforms and software-defined systems and services. More than ever, security is vital for the cloud environment. Several cloud security models and standards deal with emerging cloud security threats. However, these models are mostly reactive rather than proactive, and they do not provide adequate measures to assess the overall security status of a cloud system. Among existing models, capability maturity models, which many organizations have used, offer a realistic approach to these problems through management by security domains and security assessment by maturity level. The aim of the paper is twofold: first, it reviews capability maturity models and security metrics; second, it proposes a Cloud Security Capability Maturity Model (CSCMM) that extends existing cyber security models with a security metric framework.
Article
Measuring information security is difficult; it is difficult to have one metric that covers all types of devices. Security metrics are a standard used for measuring any organization's security. Good metrics are needed for analysts to answer many security-related questions. Effective measurement and reporting are required to improve the effectiveness and efficiency of controls and to ensure strategic alignment in an objective, reliable and efficient manner. This paper provides an overview of security metrics: their definition, standards, advantages, types, problems, taxonomies and risk assessment methods; it also classifies security metrics and explains their risks.
Article
Information security can be achieved by implementing a set of appropriate controls. However, identifying and selecting the most effective information security controls in organizations has been a major challenge for years. Although many studies have been done to address these challenges, there is still a lack of research to rank these controls. In this study, a fuzzy Analytic Hierarchy Process was used to prioritize and select effective managerial domains and control objectives among the information security controls. The process of implementing ISO 27001 information security at the National Iranian Oil Products Distribution Company was selected as the case. According to the results, access control and information systems acquisition, development and maintenance have the highest priorities among the managerial domains of information security controls. On the other hand, business continuity management and asset management have the lowest priorities among the studied controls. Furthermore, it was found that among the 39 control objectives, user access management and third-party service delivery management have the highest and lowest priorities, respectively.
Article
One of the major challenges of information warfare is how to effectively combat existing and future cyber threats and vulnerabilities. In this paper, a quantifiable and rigorous approach is proposed for entities (governments, organizations, etc.) to better assess their 'cyber maturity' level. The authors also propose to examine the reliability and security of networks in terms of science-based risk metrics. The risk metrics are built upon (1) a 'modified' CVSS Base Score using the Analytic Hierarchy Process (AHP), and (2) a foundation of repeatable quantitative characteristics (for example, vulnerabilities). A case study is examined which highlights the resulting benefits and challenges.
Article
There is a good reason why the search for meaningful security metrics continues despite the abundance of purportedly effective ones: many traditional approaches just do not measure up. They gauge the functionality and efficiency of preventive security measures. In doing so, they are wrong-headed and frequently lead to inappropriate security decisions. Instead, the effectiveness of security programs, taking into account value and uncertainty, should be measured. This is a much more difficult challenge because it depends on measuring the value of something not happening (i.e., a bad outcome that has been deterred, avoided or prevented). But how can one be certain that bad things are not happening because of the security tools and services in place? Is the lack of bad events a matter of chance? Or were there unrealistic expectations about the existence of threats and the degree of vulnerability? The reality is that total certainty is not attainable. However, that does not preclude the need to deploy security. It is better to make good security decisions based upon less-precise estimates of value and risk than to make poor security decisions supported by precise, though inaccurate, metrics. Consequently, it is postulated that it is better to try to improve how value loss and uncertainty are estimated rather than to seek out an increasing number of less meaningful, readily measured metrics. It is important to recognize, however, that the techniques described here are not a panacea and that there are challenges in measuring less-tangible characteristics such as value loss and uncertainty. Nevertheless, there has been substantial progress recently in the measurement of the value of intangibles, which should serve to enhance the practicality of this approach. Some of the numerous definitions of the terms "metrics" or "security metrics" must be considered.
In the US National Institute of Standards and Technology (NIST) publication Security Metrics Guide for Information Technology Systems, the word "metrics" is defined as follows: Metrics are tools designed to facilitate decision making and improve performance and accountability through collection, analysis and reporting of relevant performance-related data. The purpose of measuring performance is to monitor the status of measured activities and facilitate improvement in those activities by applying corrective actions, based on observed measurements.
Article
This paper examines the application of AHP in evaluating information security policy decision making with respect to Indonesian e-government systems. We suggest a new model based on four aspects of information security (management, technology, economy and culture) and three information security components (confidentiality, integrity and availability). AHP methodology was applied to analyze the decision making process. It is found that management and technology were the dominant aspects of information security, while availability was the main concern of information security elements for e-government information systems.
Conference Paper
This chapter documents what we believe to be the first systematic study of the costs of cybercrime. The initial workshop paper was prepared in response to a request from the UK Ministry of Defence following scepticism that previous studies had hyped the problem. For each of the main categories of cybercrime we set out what is and is not known of the direct costs, indirect costs and defence costs – both to the UK and to the world as a whole. We distinguish carefully between traditional crimes that are now “cyber” because they are conducted online (such as tax and welfare fraud); transitional crimes whose modus operandi has changed substantially as a result of the move online (such as credit card fraud); new crimes that owe their existence to the Internet; and what we might call platform crimes such as the provision of botnets which facilitate other crimes rather than being used to extract money from victims directly. As far as direct costs are concerned, we find that traditional offences such as tax and welfare fraud cost the typical citizen in the low hundreds of pounds/euros/dollars a year; transitional frauds cost a few pounds/euros/dollars; while the new computer crimes cost in the tens of pence/cents. However, the indirect costs and defence costs are much higher for transitional and new crimes. For the former they may be roughly comparable to what the criminals earn, while for the latter they may be an order of magnitude more. As a striking example, the botnet behind a third of the spam sent in 2010 earned its owners around $2.7 million, while worldwide expenditures on spam prevention probably exceeded a billion dollars. We are extremely inefficient at fighting cybercrime; or to put it another way, cyber-crooks are like terrorists or metal thieves in that their activities impose disproportionate costs on society. 
Some of the reasons for this are well-known: cybercrimes are global and have strong externalities, while traditional crimes such as burglary and car theft are local, and the associated equilibria have emerged after many years of optimisation. As for the more direct question of what should be done, our figures suggest that we should spend less in anticipation of cybercrime (on antivirus, firewalls, etc.) and more in response – that is, on the prosaic business of hunting down cyber-criminals and throwing them in jail.
Article
Information security risk analysis is becoming an increasingly essential component of an organization's operations. Traditional information security risk analysis uses quantitative and qualitative analysis methods, each of which has some advantages for information risk analysis. The analytic hierarchy process has also been widely used in security assessment. A future research direction may be the development and application of soft computing such as rough sets, grey sets, fuzzy systems, genetic algorithms, support vector machines, Bayesian networks and hybrid models. Hybrid models are developed by integrating two or more existing models. Practical advice for evaluating information security risk is discussed. The approach combines AHP with the fuzzy comprehensive evaluation method.
Conference Paper
The term "assurance" has been used for decades in trusted system development as an expression of the confidence one has in the strength of mechanisms or countermeasures. One of the unsolved problems of security engineering is the adoption of measures or metrics that can reliably depict the assurance associated with a specific hardware and software system. This paper reports on a recent attempt to focus requirements in this area by examining those currently in use. It then suggests a categorization of Information Assurance (IA) metrics that may be tailored to an organization's needs. We believe that the provision of security mechanisms in systems is a subset of the systems engineering discipline with a large software-engineering correlation. There is general agreement that no single system metric or any "one-perfect" set of IA metrics applies across all systems or audiences. The set most useful for an organization largely depends on its IA goals, its technical, organizational and operational needs, and the financial, personnel and technical resources that are available.
Article
This article presents an economic model that determines the optimal amount to invest to protect a given set of information. The model takes into account the vulnerability of the information to a security breach and the potential loss should such a breach occur. It is shown that for a given potential loss, a firm should not necessarily focus its investments on information sets with the highest vulnerability. Since extremely vulnerable information sets may be inordinately expensive to protect, a firm may be better off concentrating its efforts on information sets with midrange vulnerabilities. The analysis further suggests that to maximize the expected benefit from investment to protect information, a firm should spend only a small fraction of the expected loss due to a security breach.
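The investment rule summarised in the abstract above (the Gordon-Loeb model) has a closed form that is easy to check numerically. The following is an added example, not code from that paper or from the chapter: it implements the two breach-probability function families the 2002 paper analyses (S(z,v) = v/(αz+1)^β and S(z,v) = v^(αz+1); the page itself does not name them), derives the optimal investment z* from the first-order condition of the expected net benefit (v − S(z,v))·L − z, confirms it by brute force, and checks the paper's bound that z* never exceeds 1/e (about 37%) of the expected loss v·L. The potential loss, vulnerability values and the α and β parameters are constructed for illustration. The second family also reproduces the "midrange vulnerability" effect from the abstract: for a very high v the optimum drops to zero.

```python
"""Added example: Gordon-Loeb optimal security investment, closed form and brute force.
Parameter values are constructed; the two S(z, v) families are from the 2002 paper."""
import math


def breach_probability(z, v, alpha, family, beta=None):
    """Probability of a breach after investing z, starting from vulnerability v."""
    if family == "I":
        return v / (alpha * z + 1) ** beta           # S(z,v) = v / (alpha*z + 1)^beta
    if family == "II":
        return v ** (alpha * z + 1)                  # S(z,v) = v^(alpha*z + 1)
    raise ValueError(f"unknown family {family!r}")


def enbis(z, loss, v, alpha, family, beta=None):
    """Expected net benefit of investing z: avoided expected loss minus the spend."""
    return (v - breach_probability(z, v, alpha, family, beta)) * loss - z


def optimal_investment(loss, v, alpha, family, beta=None):
    """Maximiser of enbis from the first-order condition, clamped at 0.
    Family I:  (alpha*z + 1)^(beta+1) = v*alpha*beta*L
    Family II: (alpha*z + 1) = ln(alpha*L*ln(1/v)) / ln(1/v)
    enbis is concave in z, so a negative stationary point means z* = 0."""
    if not 0 < v < 1 or loss <= 0 or alpha <= 0:
        raise ValueError("need 0 < v < 1, loss > 0, alpha > 0")
    if family == "I":
        if beta is None or beta <= 0:
            raise ValueError("family I needs beta > 0")
        k = v * alpha * beta * loss
        z = (k ** (1 / (beta + 1)) - 1) / alpha
    elif family == "II":
        u = math.log(1 / v)
        z = (math.log(alpha * loss * u) / u - 1) / alpha
    else:
        raise ValueError(f"unknown family {family!r}")
    return max(0.0, z)


def grid_optimum(loss, v, alpha, family, beta=None, step=1000.0):
    """Brute-force check: best z on a grid from 0 up to the expected loss v*L."""
    best_z, best_val = 0.0, enbis(0.0, loss, v, alpha, family, beta)
    z = step
    while z <= v * loss:
        val = enbis(z, loss, v, alpha, family, beta)
        if val > best_val:
            best_z, best_val = z, val
        z += step
    return best_z


def investment_ratio(loss, v, alpha, family, beta=None):
    """z* as a fraction of the expected loss v*L; Gordon-Loeb bound it by 1/e."""
    return optimal_investment(loss, v, alpha, family, beta) / (v * loss)


# Constructed parameters: 1 million potential loss, alpha = 1e-5, beta = 1.
LOSS, ALPHA, BETA = 1_000_000.0, 1e-5, 1.0

if __name__ == "__main__":
    for v in (0.1, 0.3, 0.5, 0.7, 0.8, 0.9, 0.99):
        z1 = optimal_investment(LOSS, v, ALPHA, "I", BETA)
        z2 = optimal_investment(LOSS, v, ALPHA, "II")
        print(f"v={v:.2f}  z*_I={z1:10.0f} ({z1 / (v * LOSS):.3f} of vL)"
              f"  z*_II={z2:10.0f} ({z2 / (v * LOSS):.3f} of vL)")
    print("1/e =", round(1 / math.e, 4))
```

Reading the output for family II, the optimum rises with v, peaks around v = 0.8 and is already zero at v = 0.9: the most vulnerable information set is the one the model says not to protect, because every unit of investment buys too little there. That is the "midrange vulnerabilities" conclusion of the abstract, and the reason the ratio z*/(v·L) stays below 1/e for every v in both families.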
Article
In today's information-based economy, organizations must avoid costly information security breaches. Unfortunately, organizations cannot make all of their information 100% secure all of the time. There are economic, as well as technical, impediments that prevent perfect information security. Accordingly, organizations usually prepare an annual fixed (limited) budget for the maintenance and improvement of their information security systems. Two key issues confront the chief information security officer (CISO) of an organization: how to spend this limited information security budget most effectively, and how to make the case to the organization's chief financial officer (CFO) for an increase in funds to further enhance the organization's information security. The primary objective of this article is to show how to use the analytic hierarchy process (AHP) to address these two information security issues.
Book
This book offers a simple introduction to the fundamentals and applications of the Analytic Hierarchy Process (AHP) without requiring a sophisticated mathematical background. It provides a quick and intuitive understanding of the methodology using spreadsheet examples and explains step by step how to use Super Decisions, freely available software developed by the Creative Decisions Foundation. The book is intended as a resource for decision makers with little or no exposure to the field of Operations Research (OR); however, it can also be used as a very gentle introduction to the AHP methodology and/or as an AHP hands-on supplement to standard OR textbooks. AHP is an intuitive and mathematically simple methodology in the field of multi-criteria decision making. Because of this, most AHP books assume the reader has a basic OR mathematical background. However, the simplicity of AHP suggests that decision makers from all disciplines can take advantage of the methodology without struggling with the mathematics behind it. To fulfil this need, this book delivers a quick and practical understanding of the method that can be useful for corporate executives.
Article
Ethical dilemmas require evaluation of alternatives in light of conflicting principles. Because of the difficulty of making and defending such complex decisions, we may compromise the quality of our ethical decisions and debates. We need a methodology that combines the weighted effects of multiple ethical guidelines on the issue at hand. This paper describes how the Analytic Hierarchy Process can help us improve ethical decision making.
Article
An information system is a large-scale complex system that includes many uncertain factors such as software, hardware and people. As a result, information system security risk is related to many ambiguous factors that are difficult to measure. This paper introduces the mechanism by which information system security risk arises and, based on a risk assessment of these factors, builds an information system security risk assessment model based on the fuzzy analytic hierarchy process, which can be used to evaluate the security situation of an information system.
Conference Paper
Planning information security investment is somewhere between art and science. This paper reviews and compares existing scientific approaches and discusses the relation between security investment models and security metrics. To structure the exposition, the high-level security production function is decomposed into two steps: the cost of security is mapped to a security level, which is then mapped to benefits. This allows one to structure data sources and metrics, to rethink the notion of security productivity, and to distinguish sources of indeterminacy as measurement error and attacker behavior. It is further argued that recently proposed investment models, which try to capture more features specific to information security, should be used for all strategic security investment decisions beneath defining the overall security budget.
Article
In this paper the authors review the developments of the analytic hierarchy process (AHP) since its inception. The focus of this paper is a neutral review on the methodological developments rather than reporting its applications that have appeared since its introduction. In particular, we discuss problem modelling, pair-wise comparisons, judgement scales, derivation methods, consistency indices, incomplete matrix, synthesis of the weights, sensitivity analysis and group decisions. All have been important areas of research in AHP.
Book
1. How to Make a Decision. 2. The Seven Pillars of the AHP. 3. Architectural Design. 4. Designing a Mousetrap. 5. Designing the Best Catamaran. 6. The Selection of a Bridge. 7. Measuring Dependence Between Activities: Input Output Application to the Sudan. 8. Technological Choice in Less Developed Countries. 9. Market Attractiveness of Developing Countries. 10. An AHP Based Approach to the Design and Evaluation of a Marketing Driven Business and Corporate Strategy. 11. New Product Pricing Strategy. 12. Incorporating Expert Judgment in Economic Forecasts - the Case of the U.S. Economy in 1992. 13. A New Macroeconomic Forecasting and Policy Evaluation Method. 14. Forecasting the Future of the Soviet Union. 15. Abortion and the States: How Will the Supreme Court Rule on the Upcoming Pennsylvania Abortion Issue. 16. The Benefits and Costs of Authorizing Riverboat Gambling. 17. The Case of the Spotted Owl vs. the Logging Industry. 18. Selection of Recycling Goal Most Likely to Succeed. 19. To Drill or Not to Drill: A Synthesis of Expert Judgments. 20. Modeling the Graduate Business School Admissions Process. 21. Infertility Decision Making. 22. The Decision by the US Congress on China's Trade Status: A Multicriteria Analysis. 23. Deciding Between Angioplasty and Coronary Artery Bypass Surgery. Index.
Selection of information security controls based on AHP and GRA
  • K K Choo
  • S Mubarak
  • D Mani
Hierarchical multilevel information security gap analysis models based on ISO/IEC 27001: 2013
  • AAN Al-shameri
Accounting for Value and Uncertainty in Security Metrics
  • C W Axelrod
Maturity based approach for ISMS
  • K Haufe