Assessment of Enterprise Information Security in Electric Utilities: The Importance of Prioritization
KTH, School of Electrical Engineering (EES), Industrial Information and Control Systems.
KTH, School of Electrical Engineering (EES), Industrial Information and Control Systems. ORCID iD: 0000-0002-3293-1681
KTH, School of Electrical Engineering (EES), Industrial Information and Control Systems.
2006 (English). In: Proceedings CIGRE Session 2006, 2006. Conference paper (Refereed)
Abstract [en]

In today’s large electric utilities, enterprise systems are highly complex. Technically, they comprise several hundred extensively interconnected and heterogeneous IT systems performing tasks that range from Enterprise Resource Planning (ERP) to real-time control and monitoring of the processes, such as Distributed Control Systems (DCS) and Supervisory Control and Data Acquisition (SCADA) systems. Organizationally, the enterprise system embraces the business processes and business units that use, maintain and acquire the IT systems. Information and systems are to a large extent becoming integrated in industry operations, since communication and sharing of information are becoming more efficient and faster than before. However, the networking and interconnection of systems can increase the enterprise's exposure to information security risks. The significance of information security has been continuously increasing in the management of organizations, in ensuring their operating ability, and in maintaining disturbance-free and efficient operations. Thus, enterprise information security has become an increasingly important system quality. Assessing a sufficient level of information security is a necessary prerequisite for the continuance and credibility of operations. But assessing the level of information security in an enterprise is a serious challenge for many organizations, since the area still lacks sufficient support for decision-making at top-management level. One problem with such assessments is that there are various views on what, exactly, should be measured. There are different opinions on what the constituent parts of enterprise information security are and what these parts' relative importance is. Addressing that problem, this paper presents an operational definition and prioritization of the field of enterprise information security. First, the paper proposes a framework for capturing the semantic essence of enterprise information security.
Then, the relative weights of the framework's subdomains are quantified. Two methods for prioritization are used to obtain the weights. The results demonstrate to what extent different standards committees, guideline authors and expert groups differ in their opinions on what the important issues are in enterprise information security. As prioritization sources, the ISO/IEC 17799, the NIST SP 800-26 and the ISF standards committees, the CMU/SEI OCTAVE framework authors and an expert panel at the Swedish Information Processing Society (DFS) are considered. To demonstrate the practical consequences, the effects of varying prioritizations on the enterprise information security assessment results in a European energy company are presented.

Place, publisher, year, edition, pages: IR-EE-ICS, 2006:006
Keywords [en]: Enterprise, Information, Security, Assessment, Prioritization
National Category: Electrical Engineering, Electronic Engineering, Information Engineering
URN: urn:nbn:se:kth:diva-80068; ScopusID: 2-s2.0-84876750611; OAI: diva2:495941
CIGRE Session 2006, Paris, France, 27th August – 1st September 2006

QC 20141103

Available from: 2012-02-09. Created: 2012-02-09. Last updated: 2014-11-03. Bibliographically approved.

Open Access in DiVA: No full text

By author/editor: Johansson, Erik; Johnson, Pontus; Cegrell, Torsten
By organisation: Industrial Information and Control Systems
