Assessing The Relative Importance of Information Security Governance Processes on Reducing Negative Impacts From Information Security Incidents
Independent thesis Advanced level (degree of Master (Two Years)), 20 credits / 30 HE creditsStudent thesis
Today the extent and value of electronic data is constantly growing. Dealing across the internet depends on how secure consumers believe their personal data are. And therefore, information security becomes essential to any business with any form of web strategy, from simple business-to-consumer, or business-to-business to the use of extranets, e-mail and instants messaging. It matters too any organization that depends on computers for its daily existence.
This master thesis has its focus on Information Security Governance. The goal of this thesis was to study different Information Security processes within the five objectives for Information Security Governance in order to identify which processes that organizations should prioritize in order to reduce negative consequences on the data, information and software of a business from security incidents. By surveying IT experts, it was possible to gather their relative opinion regarding the relationship between Information Security Governance processes and security incidents.
By studying the five desired objectives for Information Security Governance,
Alignment, Risk Management, Resource Management, Performance Measurement
the result indicated that some processes within Performance Measurements have a difference in relation to other processes. For those processes a conclusion can be made that they are not as important as the processes which they were compared to. A reason for this can be that the processes within performance measurement are different in such a way that they measure an incident after it has actually happened.
While other processes within the objectives for ISG are processes which needs to be fulfilled in order to prevent that an incident happens. This could obviously explain why the expert‟s choose to value the processes within performance measurement less important compared to other processes.
However, this conclusion cannot be generalized, since the total amount of completed responses where less than expected. More respondents would have made the result more reliable. The majority of the respondents were academicals and their opinion and experience may be different from the IT experts within the industry, which have a better understanding of how it actually works in reality within an organization.
Place, publisher, year, edition, pages
2010. , 58 p.
Information Technology, Information Security, Information Security Governance
Electrical Engineering, Electronic Engineering, Information Engineering
IdentifiersURN: urn:nbn:se:kth:diva-81417OAI: oai:DiVA.org:kth-81417DiVA: diva2:497435
Master of Science in Engineering - Computer Science and Technology
Johnson, Pontus, Professor