Three Models to Measure Information Security Compliance

2009, Vol 3 (4), pp. 43-67
Author(s): Wasim A Al-Hamdani

This work introduces three models to measure information security compliance. These are the cardinality model, the second model, which is based on vector space, and the last model, which is based on the priority principle. Each of these models will be presented with definitions, basic operations, and examples. All three models are based on a new theory to understand information security called the Information Security Sets Theory (ISST). The ISST is based on four basic sets: external sets, local strategy sets, local standard sets, and local implementation sets. It should be noted that two sets are used to create local standard sets: local expansion and local creation. The major differences between the Zermelo-Fraenkel set theory and the ISST are the elimination of the empty element and the empty set. This assumption is based on the “there is not empty security” measure, and the is substituted to be and is defined as “minimum security (or system default security)”. The main objective of this article is to achieve a new modeling system for information security compliance. The compliance measurement is defined in the first model as the cardinality between local strategy sets and the actual local implementation. The second model looks at security compliance as the angle between two sets, local implementation and local standard. The third model is based on the priority philosophy for the local security standard.


2016, Vol 24 (5), pp. 452-473
Author(s): Stefan Fenz, Stefanie Plieschnegger, Heidi Hobel

Purpose: The purpose of this paper is to increase the degree of automation within information security compliance projects by introducing a formal representation of the ISO 27002 standard. As information is becoming more valuable and the current businesses face frequent attacks on their infrastructure, enterprises need support at protecting their information-based assets.

Design/methodology/approach: Information security standards and guidelines provide baseline knowledge for protecting corporate assets. However, the efforts to check whether the implemented measures of an organization adhere to the proposed standards and guidelines are still significantly high.

Findings: This paper shows how the process of compliance checking can be supported by using machine-readable ISO 27002 control descriptions in combination with a formal representation of the organization’s assets.

Originality/value: The authors created a formal representation of the ISO 27002 standard and showed how a security ontology can be used to increase the efficiency of the compliance checking process.


Author(s): José Manuel Gaivéo

Healthcare activities and all that are related with it are conducted by people. This single fact has brought up many precautions about patients and about information related with their health. Using information and communication technologies to support this kind of information requires particular attention about what happens, namely about who can use it and for what it can be used. This chapter intends to identify the vulnerabilities that could be explored, using an international security standard to support a proactive attitude in face of potential threats that explore the identified vulnerabilities, damaging organizational information assets. Another intention is the establishment of a basis of references in information security to define a level of risk classification to build a referential to the potential that a given threat has to exploit the vulnerabilities of an asset, preventing damages to personal and organizational property, including information, and also activity continuity.


Author(s): Winfred Yaokumah, Peace Kumah

Extant studies on compliance with security policies have largely ignored the impact of monitoring, security operations, and roles and responsibilities on employees' compliance. This chapter proposes a theoretical model that integrates security policy, monitoring, security operations, and security roles to examine employees' security compliance. Data were collected from 233 IT security and management professionals. Using partial least square structural equation modelling and testing hypotheses, the study finds that information security policy has significant indirect influence on information security compliance. The effect of security policy is fully mediated by security roles, operations security activities, and security monitoring activities. Security policy strongly influences operations security activities and has the greatest effect on security roles and responsibilities. Among the three mediating variables, monitoring has the most significant influence on security compliance. Conversely, the direct impact of security policy on compliance is not significant.


Author(s): Felix Nti Koranteng

Users are considered the weakest link in ensuring information security (InfoSec). As a result, users' security behaviour remains crucial in many organizations. In response, InfoSec research has produced many behavioural theories targeted at explaining information security policy (ISP) compliance. Meanwhile, these theories mostly draw samples from employees often in developing countries. Such theories are not applicable to students in educational institutions since their psychological orientation with regards to InfoSec is different when compared with employees. Based on this premise, the chapter presents arguments founded on synthesis from existing literature. It proposes a students' security compliance model (SSCM) that attempts to explain predictive factors of students' ISP compliance intentions. The study encourages further research to confirm the proposed relationships using qualitative and quantitative techniques.


2020, Vol 16 (6), pp. 155014772092273
Author(s): Ani Bicaku, Markus Tauber, Jerker Delsing

Due to globalization and digitalization of industrial systems, standard compliance is gaining more attention. In order to stay competitive and remain in business, different sectors within industry are required to comply with multiple regulations. Compliance aims to fulfill regulations by including all measures imposed by laws and standards. Every device, application, or service implements several technologies at many levels, and standards support interoperability across them. They help to create global markets for industries and enable networked development in order to be successful and sustainable. This work highlights the importance of standard compliance and continuous verification in industrial Internet of Things and implements an automatic monitoring and standard compliance verification framework. In this work, we focus on security, safety, and organizational aspects of industrial Internet of Things. We identify a number of standards and best practice guidelines, which are used to extract security, safety, and organizational measurable indicator points. In addition, a metric model is provided that forms the basis for the necessary information needed for compliance verification, including requirements, standards, and metrics. Also, we present the prototype of the monitoring and standard compliance verification framework used to show the security compliance of an industrial Internet of Things use case.
