2018, Enterprise Engineering Working Conference
Implementing and maintaining Business Information Security (BIS) is cumbersome. Frameworks and models are used to implement BIS, but these are perceived as complex and hard to maintain. Most companies still use spreadsheets to design, direct and monitor their information security improvement plans. Regulators too use spreadsheets for supervision. This paper reflects on ten years of Design Science Research (DSR) on BIS and describes the design and engineering of an artefact which can emancipate boards from silo-based spreadsheet management and improve their visibility, control and assurance via an integrated dash-boarding and reporting tool. Three cases are presented to illustrate the way the artefact, whose realisation is called the Securimeter, works. The paper concludes with an in-depth comparison study acknowledging that 91% of the core BIS requirements are present in the artefact.
Implementing and maintaining Information Security (IS) is cumbersome. Frameworks and models are used to implement IS, but these are perceived as complex and hard to maintain. Most companies still use spreadsheets to design, direct and monitor their information security improvement plans. Regulators too use spreadsheets for supervision. This paper reflects on nine years of Design Science Research (DSR) on IS and describes the design and engineering of an artefact architecture which can emancipate boards from silo-based spreadsheet management and improve their visibility, control and assurance via integrated dash-boarding and a reporting tool. Three examples are presented to illustrate the way the artefact works.
Springer, 2019
This paper examines research methods for designing and engineering a Business Information Security (BIS) artefact. Preventing and responding to cybercrime is becoming an integral part of management practices which are supervised by the Board of Directors (BoD), and it can no longer be perceived as just traditional IT. In order to improve the maturity of business information security a transformation is needed and this requires adequate reporting and dashboarding. Dashboard functions such as the current versus the desired state of the Maturity of Business Information Security (MBIS) reflect certain parameters that boards can influence. Determining the key dashboard functions that reflect these parameters of control was the main motivation for this research paper and the ultimate goal was to engineer a BIS artefact. We propose a research and design method that could be used to establish an experimental dashboard with initial parameters of control based on a Group Support System (GSS) approach. Finally, GSS is evaluated as a method for a) examining which parameters are effective for BIS, from multiple perspectives and b) helping to implement the artefact (make it fit the purpose) as well as the associated decision-making.
2017
This paper proposes research methods for designing and engineering a Business Information Security (BIS) artefact. Defining research methods to establish artefact functions (e.g. dash-boarding, risk register) that reflect the parameters of control for the Board of Directors is the main motivation for this research paper. The ultimate goal is to engineer this BIS artefact and thereby solve the problem of a low level of BIS maturity. We propose a research method that can be used to establish an experimental dashboard with initial parameters of control, based on a Design Science Research (DSR) approach. Group Support System (GSS) research can assist organisations in applying the artefact, together with the accompanying collaboration and decision-making (fit to purpose) processes.
This paper examines research methods for designing and engineering a Business Information Security (BIS) artefact. Preventing and responding to cybercrime is becoming an integral part of management practices which are supervised by the Board of Directors (BoD), and it can no longer be perceived as just traditional IT. In order to improve the maturity of business information security a transformation is needed, and this requires adequate reporting and dashboarding. Dashboard functions such as the current versus the desired state of the Maturity of Business Information Security (MBIS) reflect certain parameters that boards can influence. Determining the key dashboard functions that reflect these parameters of control was the main motivation for this research paper, and the ultimate goal was to engineer a BIS artefact. We propose a research and design method that could be used to establish an experimental dashboard with initial parameters of control based on a Group Support System (GSS) approach. Finally, GSS is evaluated as a method for a) examining which parameters are effective for BIS, from multiple perspectives, and b) helping to implement the artefact (make it fit the purpose) as well as the associated business alignment and decision-making.
iadis.net
In the context of the design and management of Information Systems, IS Security plays an important role among the non-functional aspects, together with quality of service, trust, performance, etc. The literature shows an increasing interest in this topic, and several communities of researchers and practitioners are contributing to the development of a discipline in which different backgrounds and approaches are involved. Principles, standards and best practices have been issued in order to manage the risks related to what is called an information asset. However, the focus remains on protecting the IT infrastructure and treating the safeguarding of the business goals as a consequence of this achievement. Such an approach has shown its limits in several practical cases, notwithstanding its advantages in terms of its capability to be formalized and generalized. Some recent works call for a deeper understanding of the context in which incidents happen, focusing on the behaviour, perception and intention of the people interacting with the IT infrastructure. This paper aims to contribute to this field, taking into account the wide scope of the domain and stressing the value of an incident-based case study in the process of understanding context-related aspects when the information asset identification and security control selection phases of a risk assessment process are performed.
Proceedings of the 4th International Conference on Design Science Research in Information Systems and Technology - DESRIST '09, 2009
Against the background of the current financial crisis and an aftermath of increasing regulation, companies enhance and integrate information systems in the areas of risk management, governance and compliance. Based on experience with isolated and often immature partial solutions in these fields, major challenges are the evolution of a suitable risk management solution component as well as the conceptual design of an integrated "Governance, Risk and Compliance" (GRC) approach. Another challenge is the rollout of such an integrated GRC solution. In this paper, we develop and evaluate a situational method that supports the implementation of an integrated GRC solution. The proposed situational method comprises 21 method fragments that support conceptual, strategic, organizational, technical, and cultural rollout aspects. Furthermore, method configurations are specified that identify only those method fragments that are relevant for certain roles, e.g. project manager or GRC expert.
IT security has become one of the key issues in information systems, and the more global an information system is, the bigger the threats it becomes exposed to. The technology to make information systems safe exists; however, organisational and design aspects of such systems still need to be addressed. Security is usually not dealt with at the level of business processes, and so security policies are typically not linked to system design and implementation. Even at the system level, security features are generally regarded as an add-on rather than as a key design issue. For this reason we introduce an approach for increasing the security levels of global information systems through business engineering technology. Keywords: IT security, business process security, security of global information systems.
Information Systems are increasingly becoming essential to the success of business organizations. They play a central role in the success of almost all components of the organization, such as business decision-making, business strategy formulation, business goal modeling, managing organizational resources and structure, managing organizational data, etc. However, protecting information systems and organizational resources from security threats is a critical task in the management of the business, which in turn negatively affects the alignment process between business and information systems. Managing information security within business organizations calls for a clear understanding of the viewpoint of the business and the architecture of the system that is being used in the organization. This paper presents a requirements engineering based approach to modeling and mapping the issue of information security at an early stage of the system's development life cycle, in the context of alignment between business and information systems.
2005
In our research, we have been concerned with the question of how to make relevant features of security situations visible to users in order to allow them to make informed decisions regarding potential privacy and security problems, as well as regarding the potential implications of their actions. To this end, we have designed technical infrastructures that make visible the configurations, activities, and implications of available security mechanisms. This allows users to make informed choices and take coordinated and appropriate actions when necessary. This work differs from the more traditional security usability work in that our focus is not only on the usability of security mechanisms (e.g., the ease of use of an access control interface), but on how security can manifest itself as part of people's interactions with and through information systems (i.e., how people experience and interpret privacy and security situations, and are enabled or constrained by existing technological mechanisms to act appropriately). In this paper, we report our experiences designing, developing, and testing two technical infrastructures for supporting this approach to usable security.