Collective information structure model for Information Security Risk Assessment (ISRA)
| Date | 11 May 2015 |
| Pages | 193-219 |
| DOI | https://doi.org/10.1108/JSIT-02-2015-0013 |
| Published date | 11 May 2015 |
| Author | Palaniappan Shamala,Rabiah Ahmad,Ali Hussein Zolait,Shahrin bin Sahib |
| Subject Matter | Information & knowledge management,Information systems |
Collective information structure
model for Information Security
Risk Assessment (ISRA)
Palaniappan Shamala
Faculty of Computer Science and Information Technology,
University Tun Hussein Onn Malaysia (UTHM), Johor, Malaysia
Rabiah Ahmad
Center for Advanced Computing Technology,
Faculty of Information and Communication Technology,
UniversitiTeknikal Malaysia Melaka (UTeM), Melaka, Malaysia
Ali Hussein Zolait
College of Information Technology, University of Bahrain, Sakhir,
Kingdom of Bahrain, and
Shahrin bin Sahib
Center for Advanced Computing Technology,
Faculty of Information and Communication Technology,
UniversitiTeknikal Malaysia Melaka (UTeM), Melaka, Malaysia
Abstract
Purpose – Information security has become an essential entity for organizations across the globe to
eliminate the possible risks in their organizations by conducting information security risk assessment
(ISRA). However, the existence of numerous different types of risk assessment methods, standards,
guidelines and specications readily available causes the organizations to face the daunting tasks in
determining the most suitable method that would augur well in meeting their needs. Therefore, to
overcome this tedious process, this paper suggests collective information structure model for ISRA.
Design/methodology/approach – The proposed ISRA model was developed by deploying a
questionnaire using close-ended questions administrated to a group of information security
practitioners in Malaysia (N⫽80). The purpose of the survey was to strengthen and add more relevant
additional features to the existing framework, as it was developed based on secondary data.
Findings – Previous comparative and analyzed studies reveals that all the six types of ISRA
methodologies have features of the same kind of information with a slight difference in form. Therefore,
questionnaires were designed to insert additional features to the research framework. All the additional
features chosen were based on high frequency of more than half percentage agreed responses from
respondents. The analyses results inspire in generating a collective information structure model which
more practical in the real environment of the workplace.
The authors would like to thank University Tun Hussien Onn Malaysia (UTHM) for supporting
this research. The authors would also like to thank SIRIM QAS, CyberSecurity and all the
Information Security Practitioners for their support.
The current issue and full text archive of this journal is available on Emerald Insight at:
www.emeraldinsight.com/1328-7265.htm
Collective
information
structure
model
193
Received 11 February 2015
Revised 3 April 2015
Accepted 4 April 2015
Journalof Systems and
InformationTechnology
Vol.17 No. 2, 2015
pp.193-219
©Emerald Group Publishing Limited
1328-7265
DOI 10.1108/JSIT-02-2015-0013
Practical implications – Generally, organizations need to make comparisons between
methodologies and decide on the best due to the inexistence of agreed reference benchmark in ISRA
methodologies. This tedious process leads to unwarranted time, money and energy consumption.
Originality/value – The collective information structure model for ISRA aims to assist organizations
in getting a general view of ISRA ow and gathering information on the requirements to be met before
risk assessment can be conducted successfully. This model can be conveniently used by organizations
to complete all the required planning as well as to select the suitable methods to complete the ISRA.
Keywords Risk assessment, Collective information structure, Info-structure, Information security,
Information security risk assessment (ISRA)
Paper type Research paper
1. Introduction
Information security has drawn attention from researchers, professionals, journalists,
legislators, governments and citizens to raise awareness among organizations to invest
in information security for decision-making and for the continuance of high-standard
business operations (Jourdan et al., 2010). Hence, regardless of being government,
private or public organizations, most of them are currently applying a range of security
counter measures, policies, procedures and guidelines to protect their organizations.
This awareness was due to the fact that security incidents can lead to severely adverse
consequences for organizations, such as substantial losses to the industry through the
direct loss of information assets and nancial impact, a loss in organizational reputation
and customer condence and a loss of employee productivity or the risk of legal issues
(Alberts and Dorofee, 2002;Dzazali et al., 2009;Shedden et al., 2010,2011).
To maintain condentiality, integrity, availability, non-repudiation, accountability,
authenticity and reliability, the organizations apply information security risk
assessments (ISRA) to determine the extent of the potential threats and the risks
associated with the information technology (IT) system (Söderström et al., 2009;Syalim
et al., 2009). An ISRA method identies the security risks in the organizations and
provides a measured, analyzed security risk prole of the critical assets in order to build
plans to treat the risks (Lichtenstein, 1996;Shedden et al., 2009,2010,2011).
Although there are numerous ISRA methods currently available, many
organizations are facing the daunting tasks of determining the most appropriate
methodology based on their specic needs (Vorster and Labuschagne, 2005). On the
contrary, the inexistence of one ideal risk assessment method that would be suitable for
all organizations has made the situation even more cumbersome for end-users
(Lichtenstein, 1996). Furthermore, the currently available ISRA methodologies do not
dene detailed steps of risk assessment.
However, this lacking was overcome by using an ISRA info-structure which anchors
on identifying the similarities in info-structure among the existing ISRA methodologies.
Two types of comparative studies have been conducted to identify the similarities in
info-structure among the existing ISRA methodologies (Shamala et al., 2013).
Info-structure is the layout of information which is organized in a useful fashion and can
be navigated at any time. The ISRA info-structure was developed based on secondary
data.
Therefore, a survey was conducted to strengthen and add more relevant features
based on the actual risk assessment environment. In addition, through this study,
valuable information regarding the general information and complete picture of ISRA
JSIT
17,2
194
To continue reading
Request your trial