Pre-publication: On business-driven IT security management and mismatches between security requirements in firms, industry standards and research work



Abstract or summary

Work in Progress: Managers in the software industry have long recognized the vital importance of information security for their businesses, but at the same time they have perceived security as a technology-driven field rather than a business-driven one. Today this notion is changing, and security management is shifting from technology-oriented to business-oriented approaches. Whereas there is strong evidence of this shift in the literature, this paper argues that security standards and academic work have not yet taken it fully into account. The motivation of this work is to examine whether this disconnect has led to a misalignment of IT security requirements in businesses versus industry standards and academic research. We analyzed the existing literature and conducted 13 interviews with practitioners from 9 different firms to investigate this question. The results present evidence of a quantitative gap between the security requirements in industry standards and the security vulnerabilities actually reported. The interviews further reveal mismatches between the prioritization of security factors in businesses, in standards and in real-world threats. While security standards mostly focus on information authentication and integrity, businesses emphasize information availability over all other factors. We conclude that security in today's companies clearly serves a business need: the need to keep the business running at all times.

I invite users to comment on the abstract
