The mitigation of ICT risks using EMITL tool: An empirical study
KTH, School of Information and Communication Technology (ICT), Computer and Systems Sciences, DSV.
2005 (English). In: Security Management, Integrity, and Internal Control in Information Systems / [ed] Dowland, P; Furnell, S; Thuraisingham, B; Wang, XS, 2005, Vol. 193, p. 157-173. Conference paper, Published paper (Refereed)
Abstract [en]

As the dependence on ICT in running organisations' core services is increasing, so is the exposure to the associated risks due to ICT use. In order to meet organisational objectives in ICT-dependent organisations, risks due to ICT insecurity need to be addressed effectively and adequately. To achieve this, organisations must have effective means for the management of ICT risks. This involves assessment of the actual exposure to ICT risks relevant to their environment and implementation of relevant countermeasures based on the assessment results. In practice, however, in most organisations ICT security (or ICT risk management) is perceived by top management as a technical problem. As a result, the measures for ICT risk mitigation that are ultimately put in place in such organisations tend to be inadequate. Furthermore, the traditional way of managing risks by transferring them to insurance companies is not yet working, as it is difficult to estimate the financial consequences of ICT-related risks. There is, therefore, a need for methods which can assist in interpreting ICT risks in a financial context (senior management language), thereby creating a common understanding of ICT risks between technical people and management within ICT-dependent organisations. With a common understanding, it would be possible to realise a coordinated approach towards ICT risk mitigation. This paper is an attempt to investigate whether ICT risk mitigation can be enhanced using a customised software tool. A software tool for converting financial terminology (financial risk exposure) into corresponding ICT security terminology (countermeasures) is presented. The Estimated Maximum Information Technology Loss (EMitL) tool is investigated for its suitability as an operational tool for the above-mentioned purpose.
EMitL is a tool utilised in a framework (Business Requirements on Information Technology Security, BRITS) to bridge the understanding gap between senior management and technical personnel when it comes to ICT risk management. This work is based on an empirical study which involved interviews and observations conducted in five non-commercial organisations in Tanzania. The study was designed to establish the state of ICT security management practice in the studied organisations. The results of the study are used here to investigate the applicability of the EMitL tool to address the observed state. The results from this study show that it is possible to customise EMitL into a useful operational tool for interpreting risk exposure due to ICT into corresponding countermeasures. These results underline the need to further improve EMitL for wider use.

Place, publisher, year, edition, pages
2005. Vol. 193, p. 157-173
Series
IFIP International Federation for Information Processing, ISSN 1571-5736 ; 193
Keywords [en]
ICT risk management, EMitL tool, countermeasures
National Category
Computer and Information Sciences
Identifiers
URN: urn:nbn:se:kth:diva-43255
DOI: 10.1007/0-387-31167-X_10
ISI: 000235172900010
Scopus ID: 2-s2.0-34250156409
ISBN: 978-0-387-29826-9 (print)
ISBN: 978-0-387-31167-8 (print)
OAI: oai:DiVA.org:kth-43255
DiVA, id: diva2:448762
Conference
Joint Working Conference on Security Management, Integrity, and Internal Control in Information Systems. Location: George Mason Univ, Fairfax, VA. Date: DEC 01-02, 2005
Note

QC 20111018

Available from: 2011-10-18. Created: 2011-10-14. Last updated: 2018-01-12. Bibliographically approved

Open Access in DiVA

No full text in DiVA

Other links

Publisher's full text; Scopus

Authors

Magnusson, Christer; Yngström, Louise
By organisation
Computer and Systems Sciences, DSV
Computer and Information Sciences
