Assessment of Enterprise Information Security: How to make it Credible and Efficient
Johansson, Erik
KTH, School of Electrical Engineering (EES), Industrial Information and Control Systems.
2005 (English). Doctoral thesis, comprehensive summary (Other scientific)
Abstract [en]

Information is an important business asset in today's enterprises. Hence enterprise information security is an important system quality that must be carefully managed. Although enterprise information security is acknowledged as one of the most central areas of enterprise IT management, the topic still lacks adequate support for decision-making at top-management level.

This composite thesis consists of four articles which present the Enterprise Information Security Assessment Method (EISAM), a comprehensive method for assessing the current state of enterprise information security. The method is useful in guiding top management's decision-making for four reasons: 1) it is easy to understand, 2) it is prescriptive, 3) it is credible, and 4) it is efficient.

The assessment result is easy to understand because it is a quantitative estimate. The result can be presented as a single aggregated value that abstracts away the details of the assessment. It is easy to grasp and enables comparisons both within the organization and with industry in general.

The method is prescriptive because it delivers concrete and traceable measurements. This helps guide top-level management in their decisions regarding enterprise-wide information security by highlighting the areas where improvement efforts are essential.

It is credible for two reasons. Firstly, the method presents an explicit and transparent definition of enterprise information security. Secondly, the method in itself includes an indication of assessment uncertainty, expressed in terms of confidence levels.

The method is efficient because it focuses on important enterprise information security aspects and because it takes into account how difficult it is to find security-related evidence. Because it requires few resources, assessments can take place regularly, which gives valuable knowledge for long-term decision-making.

The usefulness of the presented method, along with its development, has been verified through empirical studies at a leading electric power company in Europe and through statistical surveys carried out among information security experts in Sweden.

The success of this research should encourage further research that uses these analysis techniques to guide decisions on other enterprise architecture attributes.

Place, publisher, year, edition, pages
Stockholm: KTH, 2005. 28 p.
Series
Trita-ICS, ISSN 1104-3504 ; 0502
Keyword [en]
Enterprise Information Security, Enterprise Architecture, Security Assessment, Information Technology Management
National Category
Computer and Information Science
Identifiers
URN: urn:nbn:se:kth:diva-545
OAI: oai:DiVA.org:kth-545
DiVA: diva2:14379
Public defence
2005-12-16, Sal F2, Lindstedtsvägen 28, Stockholm, 10:00
Note
QC 20101028. Available from: 2005-12-08. Created: 2005-12-08. Last updated: 2010-10-28. Bibliographically approved.
List of papers
1. Assessment of Enterprise Information Security: An Architecture Theory Diagram Definition
2005 (English). In: Proceedings CSER 2005, 2005, pp. 136-146. Conference paper, Published paper (Refereed)
Abstract [en]

In order to manage and improve something, it is normally necessary to be able to assess the current state of affairs. A problem with assessment, however, is that in order to assess, it is normally necessary to be able to define the assessment topic. These general statements are also true within the area of Enterprise Information Security. Although much has been written on the topic, there is little consensus on what Enterprise Information Security really is. The lack of consensus lessens the credibility of existing assessment approaches.

This paper presents a well-defined, transparent, and quantified method for the assessment of Enterprise Information Security. The method is based on the consolidation of the most prominent sources on the topic and results in a single quantitative estimate of the level of Enterprise Information Security in a company.

The usefulness of the presented method has been verified by a case study at a large European electric utility.

The present paper is a part of an ongoing research project on a credible and cost-effective method for Enterprise Information Security assessment.

National Category
Computer and Information Science
Identifiers
urn:nbn:se:kth:diva-8895 (URN)
0-615-12843-2 (ISBN)
Conference
3rd Annual Conference on Systems Engineering Research
Note
QC 20101028. Available from: 2005-12-08. Created: 2005-12-08. Last updated: 2010-10-28. Bibliographically approved.
2. Assessment of Enterprise Information Security: The Importance of Prioritization
2005 (English). In: Ninth IEEE International EDOC Enterprise Computing Conference, Proceedings, 2005, pp. 207-218. Conference paper, Published paper (Refereed)
Abstract [en]

Assessing the level of information security in an enterprise is a serious challenge for many organizations. This paper considers the prioritization of the field of enterprise information security, that is, how we may know which parts of information security are important for a company to address and which are not. Two methods for prioritization are used. The results demonstrate to what extent different standards committees, guideline authors and expert groups differ in their opinions on what the important issues in enterprise information security are. The ISO/IEC 17799, NIST SP 800-26 and ISF standards committees, the CMU/SEI OCTAVE framework authors and an expert panel at the Swedish Information Processing Society (DFS) are considered. The differences in prioritization have important consequences for enterprise information security assessments. The effects on the information security assessment results in a European energy company are presented in the paper.

Keyword
Computational methods, Data privacy, Data processing, Information retrieval systems, Societies and institutions, Standards, Enterprise information security, Information Processing Society (IPS), Prioritization, Standards committees
National Category
Computer and Information Science
Identifiers
urn:nbn:se:kth:diva-8896 (URN)
10.1109/EDOC.2005.9 (DOI)
000234341900018 ()
2-s2.0-33749392679 (Scopus ID)
0-7695-2441-9 (ISBN)
Conference
9th IEEE International Enterprise Distributed Object Computing Conference, Enschede, the Netherlands, 19-23 September 2005
Note
QC 20101028. Available from: 2005-12-08. Created: 2005-12-08. Last updated: 2010-10-28. Bibliographically approved.
3. Assessment of Enterprise Information Security: Estimating the Credibility of the Results
2005 (English). In: Proceedings of the Symposium on Requirements Engineering for Information Security (SREIS 05) at the 13th IEEE Requirements Engineering Conference (RE 05), 2005. Conference paper, Published paper (Other academic)
National Category
Computer and Information Science
Identifiers
urn:nbn:se:kth:diva-8897 (URN)
Note
QC 20101028. Available from: 2005-12-08. Created: 2005-12-08. Last updated: 2010-10-28. Bibliographically approved.
4. Assessment of Enterprise Information Security: The Importance of Information Search Cost
2006 (English). In: Proceedings of the Annual Hawaii International Conference on System Sciences, ISSN 1530-1605, Vol. 9, p. 219a. Article in journal (Refereed). Published
Abstract [en]

There are today several methods and standards available for assessing the level of information security in an enterprise. A problem with these assessment methods is that they provide neither an indication of the amount of effort required to obtain the assessment nor an approximation of the measure's credibility. This paper describes part of a new method for assessing the level of enterprise information security that expresses the credibility of the results in terms of confidence levels and makes use of an estimate of the cost of searching for security evidence. Methods for predicting the information search cost of assessments are detailed in the paper. Search cost predictions are used to provide guidance on how to minimize the effort spent on performing enterprise information security assessments. The conclusions are based on a security assessment performed at a large European energy company and a statistical survey among Swedish security experts.
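The thesis abstract above and the abstracts of papers 2 and 4 describe three properties of the assessment: a single aggregated score with a confidence level, a headline score that moves when a different prioritization (weight vector) is applied to the same evidence, and evidence-search cost used to steer where assessment effort goes. The following is an added illustration of those three properties in code; it is not the EISAM formulas from the thesis, and the areas, scores, uncertainties, search costs and weight vectors are all constructed numbers. The model assumes per-area scores in [0, 1] with independent uncertainties (so variances add under a weighted mean) and that collecting decisive evidence for an area removes its uncertainty entirely.

```python
"""
Toy model of an aggregated enterprise information security estimate with a
confidence interval, the sensitivity of that estimate to prioritisation, and
search-cost guided evidence collection.

Added illustration only: NOT the EISAM formulas from the thesis. All numbers
below are constructed.
"""
from __future__ import annotations

import math
from dataclasses import dataclass


@dataclass(frozen=True)
class AreaEvidence:
    """Assessment of one security area (hypothetical structure)."""
    area: str
    score: float        # assessed level, 0.0 (absent) .. 1.0 (fully in place)
    stdev: float        # uncertainty of that score, i.e. how weak the evidence is
    search_cost: float  # assumed effort (person-hours) to collect decisive evidence


# Constructed sample evidence for four areas. The names loosely follow
# ISO/IEC 17799 clause headings; every number is invented.
EVIDENCE = [
    AreaEvidence("access control", 0.70, 0.10, 8),
    AreaEvidence("incident management", 0.40, 0.25, 16),
    AreaEvidence("business continuity", 0.55, 0.20, 24),
    AreaEvidence("security policy", 0.85, 0.05, 4),
]

# Two constructed prioritisation weight vectors, standing in for the differing
# opinions of a standards committee and an expert panel.
WEIGHTS = {
    "committee_A": {"access control": 4, "incident management": 1,
                    "business continuity": 2, "security policy": 3},
    "expert_panel": {"access control": 1, "incident management": 4,
                     "business continuity": 3, "security policy": 2},
}


def normalise(weights: dict[str, float]) -> dict[str, float]:
    """Scale a weight vector so that it sums to 1."""
    total = sum(weights.values())
    return {area: w / total for area, w in weights.items()}


def aggregate(evidence: list[AreaEvidence],
              weights: dict[str, float]) -> tuple[float, float]:
    """Single aggregated estimate (weighted mean) and its standard deviation.

    Area uncertainties are assumed independent, so variances add:
    Var(sum w_i x_i) = sum (w_i s_i)^2.
    """
    w = normalise(weights)
    mean = sum(w[e.area] * e.score for e in evidence)
    variance = sum((w[e.area] * e.stdev) ** 2 for e in evidence)
    return mean, math.sqrt(variance)


def confidence_interval(mean: float, stdev: float,
                        z: float = 1.96) -> tuple[float, float]:
    """Approximate 95% interval (z = 1.96), clipped to the [0, 1] score range."""
    return max(0.0, mean - z * stdev), min(1.0, mean + z * stdev)


def prioritisation_sensitivity(evidence: list[AreaEvidence],
                               weight_sets: dict[str, dict[str, float]]) -> dict[str, float]:
    """Headline score under each prioritisation, for the SAME evidence."""
    return {name: aggregate(evidence, w)[0] for name, w in weight_sets.items()}


def plan_evidence_search(evidence: list[AreaEvidence], weights: dict[str, float],
                         budget_hours: float) -> tuple[list[str], float, float]:
    """Greedy knapsack heuristic: spend the evidence-search budget where it
    removes the most variance from the aggregate per hour.

    Assumption: decisive evidence for an area drives its stdev to 0, so the
    gain from investigating it is its variance contribution (w_i s_i)^2.
    Returns (areas to investigate, hours spent, remaining stdev of aggregate).
    """
    w = normalise(weights)
    ranked = sorted(evidence,
                    key=lambda e: (w[e.area] * e.stdev) ** 2 / e.search_cost,
                    reverse=True)
    chosen: list[str] = []
    spent = 0.0
    remaining_variance = sum((w[e.area] * e.stdev) ** 2 for e in evidence)
    for e in ranked:
        if spent + e.search_cost > budget_hours:
            continue  # unaffordable; cheaper areas further down may still fit
        chosen.append(e.area)
        spent += e.search_cost
        remaining_variance -= (w[e.area] * e.stdev) ** 2
    return chosen, spent, math.sqrt(max(0.0, remaining_variance))


if __name__ == "__main__":
    for name, weights in WEIGHTS.items():
        mean, sd = aggregate(EVIDENCE, weights)
        lo, hi = confidence_interval(mean, sd)
        print(f"{name:13s} score={mean:.3f}  95% CI=[{lo:.3f}, {hi:.3f}]")
        chosen, spent, rest = plan_evidence_search(EVIDENCE, weights, budget_hours=30)
        print(f"{'':13s} investigate {chosen} ({spent:.0f} h), residual stdev {rest:.3f}")
```

With the constructed data the committee weighting yields a headline score of 0.685 and the expert-panel weighting 0.565 from identical evidence, which is the prioritization effect paper 2 reports; the expert-panel weighting also widens the interval, because it puts more weight on the area with the weakest evidence. The search plan then differs between the two weightings as well, so which evidence is worth the hours depends on whose prioritization the assessment adopts.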

Keyword
Confidence levels, Information security assessments, Security evidences, Approximation theory, Expert systems, Industrial management, Information dissemination, Systems analysis
National Category
Computer and Information Science
Identifiers
urn:nbn:se:kth:diva-8898 (URN)
10.1109/HICSS.2006.67 (DOI)
2-s2.0-33749635085 (Scopus ID)
Note
QC 20101028. Available from: 2005-12-08. Created: 2005-12-08. Last updated: 2010-10-28. Bibliographically approved.

Open Access in DiVA

fulltext (400 kB), 2097 downloads
File information
File name: FULLTEXT01.pdf
File size: 400 kB
Checksum MD5: e9f3ab9dfd9c1abc226be247b95d75ffe591f9c590d0e73750f41bd15f5dcddbb509d6a5 (72 hex characters as displayed on the record; an MD5 digest is 32 hex characters, so this string evidently contains more than one digest run together and should not be compared against a file's MD5 as a whole)
Type: fulltext
Mimetype: application/pdf

Author/editor: Johansson, Erik
Organisation: Industrial Information and Control Systems
Subject: Computer and Information Science
Total: 2097 downloads
The number of downloads is the sum of all downloads of full texts. It may include e.g. previous versions that are no longer available.