A Conceptual Framework for Threat Assessment Based on Organization’s Information Security Policy

Read full paper at:
www.scirp.org/journal/PaperInformation.aspx?PaperID=50218#.VDINCVfHRK0

Author(s)  

Joseph Elias Mbowe¹, Irina Zlotnikova¹, Simon S. Msanjila², George S. Oreku³

Affiliation(s)

¹School of Computational Science and Communication Engineering, The Nelson Mandela African Institution of Science and Technology, Arusha, Tanzania.
²Faculty of Science and Technology, Mzumbe University, Morogoro, Tanzania.
³Faculty of Economics, North West University, Vanderbijlpark, South Africa.

ABSTRACT

The security breaches of sensitive information have remained difficult to solve due to increased malware programs and unauthorized access to data stored in critical assets. As risk appetite differ from one organization to another, it prompts the threat analysis tools be integrated with organization’s information security policy so as to ensure security controls at local settings. However, it has been noted that the current tools for threat assessment processes have not encompassed information security policy for effective security management (i.e. confidentiality, integrity and availability) based on organization’s risk appetite and culture. The information security policy serves as a tool to provide guidance on how to manage and secure all business operations including critical assets, infrastructure and people in the organization. This guidance (e.g. usage and controls) facilitates the provisions for threat assessment and compliance based on local context. The lack of effective threat assessment frameworks at local context have promoted the exposure of critical assets such as database servers, mails servers, web servers and user smart-devices at the hand of attackers and thus increase risks and probability to compromise the assets. In this paper we have proposed a conceptual framework for security threat assessment based on organization’s information security policy. Furthermore, the study proposed the policy automation canvas for provision of a methodology to alert the security managers what possible threats found in their organizations for quick security mitigation without depending on security expertise.

KEYWORDS

Critical Asset, Information Security, Information Security Policy, Threat Analysis, Threat Assessment, Security Threat Visualization

Cite this paper

Mbowe, J. , Zlotnikova, I. , Msanjila, S. and Oreku, G. (2014) A Conceptual Framework for Threat Assessment Based on Organization’s Information Security Policy. Journal of Information Security, 5, 166-177. doi: 10.4236/jis.2014.54016.

 

References

[1]	Fink, D. (1994) A Security Framework for Information Systems Outsourcing. Information Management & Computer Security, 2, 3-8. http://dx.doi.org/10.1108/09685229410068235
[2]	Symons, C. (2005) It Governance Framework. Forrester Best Practices, 29, 2005.
[3]	Oreku, G.S. and Li, J. (2005) Rethinking e-Commerce Security. International Conference on Computational Intelligence for Modelling, Control and Automation and International Conference on Intelligent Agents, Web Technologies and Internet Commerce, Vol. 1, 223-228.
[4]	Oreku, G.S. and Mbowe, J.E. (2014) Critical Infrastructure Protection. The International Conference on Digital Security and Forensics (DigitalSec2014), The Society of Digital Information and Wireless Communication.
[5]	Yeboah, T. (2013) A Proposed Information Technology Audit Framework for Microfinance Kumasi. Journal of Engineering Computers & Applied Sciences, 2, 1-7.
[6]	DBIR (2014) 2014 Data Breach Investigation Report. Verizon Document, Tech. Rep.
[7]	Beckers, K., Faβbender, S., Hatebur, D., Heisel, M. and Coté, I. (2013) Common Criteria Compliant Software Development (cc-casd). Proceedings of the 28th Annual ACM Symposium on Applied Computing, 1298-1304.
[8]	Alberts, C., Dorofee, A., Stevens, J. and Woody, C. (2003) Introduction to the Octave Approach. Carnegie Mellon University, Pittsburgh.
[9]	den Braber, F., Hogganvik, I., Lund, M., Stolen, K. and Vraalsen, F. (2007) Model-Based Security Analysis in Seven Stepsa Guided Tour to the CORAS Method. BT Technology Journal, 25, 101-117. http://dx.doi.org/10.1007/s10550-007-0013-9
[10]	Scandariato, R., Wuyts, K. and Joosen, W. (2014) A Descriptive Study of Microsoft Threat Modeling Technique. Requirements Engineering, 1-18.
[11]	Sommestad, T., Ekstedt, M. and Holm, H. (2013) The Cyber Security Modeling Language: A Tool for Assessing the Vulnerability of Enterprise System Architectures. Systems Journal, 7, 363-373. http://dx.doi.org/10.1109/JSYST.2012.2221853
[12]	Keating, C.G. (2014) Validating the Octave Allegro Information Systems Risk Assessment Methodology: A Case Study. Ph.D. Dissertation, Nova Southeastern University.
[13]	Abdullah, H. Ooda-Octave, a Novel Approach to Information Security Risk Analysis. http://osprey.unisa.ac.za/TechnicalReports/h5.pdf
[14]	Lund, M.S., Solhaug, B. and Stolen, K. (2011) A Guided Tour of the Coras Method. Model-Driven Risk Analysis, Springer, 23-43. http://dx.doi.org/10.1007/978-3-642-12323-8_3
[15]	ISO 21827 Information Technology Security Techniques. Code of Practice for Information Security Management. http://www.sabs.co.za/content/uploads/files/SANS21827%28colour%29.pdf                                 eww141006lx
[16]	De Bruin, T., Freeze, R., Kaulkarni, U. and Rosemann, M. (2005) Understanding the Main Phases of Developing a Maturity Assessment Model.