dc.description.abstract |
Information security risk management (ISRM) is the process that helps organizations
improve their security posture by recognizing and dealing with
all risks in an effective manner. It assists security practitioners in identifying
critical assets, their vulnerabilities and the threats to them in a systematic
manner. It also builds an understanding of the organization's risk appetite
while providing an effective way to educate management about the risks
posed to their business and why they should spend on controlling them.
Other benefits include improved security awareness within the organization
and compliance with many legal and regulatory standards. Currently,
various risk assessment/management methodologies are in use by the industry.
These methods ease the ISRM process for an organization by providing
step-by-step tasks and activities, and sometimes worksheets and
tools as well. They provide guidelines and best practices and support organizations
in complying with the required standards/laws in the most effective
and efficient manner.
Our review of the ISRM literature revealed that much of the research
in the past few years has focused in one of two directions: (1)
comparing and evaluating these methods in an attempt to benchmark them,
so as to provide organizations with a resource from which they may select,
from a pool of many, the one method that suits their requirements and fits
their context best; (2) identifying deficiencies or limitations in these methods,
or problems that occur while practicing them, along with potential solutions.
Regarding the first direction, researchers have performed the comparison
not according to a standard criterion but with respect to different factors
each time. A comprehensive solution in the form of well-categorized assessment
factors was still lacking. As the first contribution of this thesis, we
have proposed a framework, "RiskE4", that can be utilized for evaluating
risk management methods and improvement techniques based on a structured
criterion. RiskE4 constitutes a taxonomy of ISRM assessment factors
and a table representing the correlation among them. Every organization has
certain priorities or limitations that dictate policies regarding their scope
for risk management. Based on those, they prefer the risk management methods
that suit their needs best. RiskE4 can help evaluate or categorize these
methods in future, thereby enabling an easy pick-and-choose solution for
risk practitioners. From a research perspective, it can help researchers evaluate
any improvement techniques they propose for risk management. We
believe that RiskE4 can create a paradigm for future studies on the evaluation
and comparison of risk management techniques.
With regard to the second research direction, solutions have been proposed
in the literature that address one or more of these deficiencies. A holistic
ISRM framework, however, that covers all aspects of knowledge protection
while sustaining the security of other IT assets was still missing. As
the second major contribution of this thesis, we propose a framework called
"IKOSST", with the objective of achieving significant improvement in ISRM
processes worldwide. The major distinguishing features of IKOSST
are (i) introducing collaboration with a knowledge center for improving the accuracy
of risk estimation and (ii) the inclusion of an extended RACI chart
(RACI+) in the asset identification phase. While the first could not be
evaluated experimentally owing to obvious limitations, the second has been evaluated by
practically trying it out in two different organizations under limited scope.
The risk assessment methods/formulas used in the two case studies were different,
in order to demonstrate the framework's interoperability.
The results showed that several new critical assets were identified, and
threats and risks exposed, through the inclusion of the RACI+ activity. The
framework is not standalone; rather, it can simply be integrated with any
risk assessment method that an organization has previously implemented.
We believe that IKOSST can greatly improve the granularity of asset and risk
identification and also pave the way for achieving accuracy in risk
assessment. |
en_US |