How is it possible to calculate IT security effectiveness?

Kivimaa, Kristjan

January 2022

In IT Security world, there is lack of available, reliable systems for measuring securitylevels/posture. They lack the range of quantitative measurements and easy and fast deployment,and potentially affects companies of all sizes.Readily available security standards provide qualitative security levels, but not quantitative results– that would be easily comparable. This deficiency makes it hard for companies to evaluate theirsecurity posture accurately. Absence of security metrics makes it complicated for customers toselect the appropriate measures for particular security level needed.The research question for this research project is – “How is it possible to calculate IT securityeffectiveness?”.The aim of this research is to use this reference model to calculate and to optimize majoruniversity’s and a small CSP-s (Cloud Service Provider) security posture and their spending’s onsecurity measures. Aim is to develop a reference model to support IT Security team and businessside to make reasoned and optimal decisions about IT security and all that with a reasonablenumber of manhours.In this Graded Security Expert System (GSES) aka Graded Security Reference Model (GSRM) thequantitative metrics of the graded security approach are used to express the relations betweensecurity goals, security confidence and security costs.What makes this model unique, is the option to use previous customers security templates/models– cutting the implementation time from 500+ manhours to as low as 50 manhours. The firstcustomers 500+ manhours will also be cut down to 50+ manhours on the second yearimplementing the expert system.The Graded Security Reference Model (GSRM) was developed using a combination oftheoretical method and design science research. The model is based on InfoSec (info security)activities and InfoSec spendings from previous year – cost and effectiveness – gathered fromexpert opinionsBy implementing GSRM, user can gather quantitative security levels as no other model, or astandard provides those.GSRM delivers very detailed and accurate (according to university’s IT Security Team)effectiveness levels per spendings brackets.GSRM was created as a graded security reference model on CoCoViLa platform, which is unique asit provides quantitative results corresponding to company’s security posture.Freely available models and standards either provide vague quantitative security postureinformation or are extremely complicated to use – BIS/ISKE (not supported any more).This Graded Security Reference Model has turned theories presented in literature review into afunctional, graphical model.The GSRM was used with detailed data from the 15+k users university and their IT security team(all members have 10+ years of IT security experience) concluded that the model is reasonablysimple to implement/modify, and results are precise and easily understandable. It was alsoobserved that the business side had no problems understanding the results and very fewexplanatory remarks were needed.

Security effectiveness

IT security

Computer Systems

Datorsystem

An Investigation of Factors that Affect HIPAA Security Compliance in Academic Medical Centers

Brady, James William

01 January 2010

HIPAA security compliance in academic medical centers is a central concern of researchers, academicians, and practitioners. Increased numbers of data security breaches and information technology implementations have caused concern over the confidentiality, integrity, and availability of electronic personal health information. The federal government has implemented stringent HIPAA security compliance reviews and significantly extended the scope and enforcement of the HIPAA Security Rule. However, academic medical centers have shown limited compliance with the HIPAA Security Rule. Therefore, the goal of this study was to investigate the factors that may affect HIPAA security compliance in academic medical centers. Based on a review of the literature of technology acceptance and security effectiveness, this study proposed a theoretical model that uses management support, security awareness, security culture, and computer self-efficacy to predict security behavior and security effectiveness and thus HIPAA security compliance in academic medical centers. To empirically assess the effect of the above-noted variables on HIPAA security compliance in academic medical centers, a Web-based survey was developed. The survey instrument was designed as a multi-line measure that used Likert-type scales. Previous validated scales were adapted and used in the survey. The sample for this investigation was health care information technology professionals who are members of the Group on Information Resources within the Association of American Medical Colleges. Two statistical methods were used to derive and validate predictive models: multiple linear regression and correlation analysis. The results of the investigation demonstrated that security awareness, management support, and security culture were significant predictors of both security effectiveness and security behavior. Security awareness was the most significant predictor of security effectiveness and security behavior. Due to the presence of collinearity, Pearson correlation analysis was used to develop a composite factor, consisting of management support and security culture, for the final multiple linear regression model. By enhancing the understanding of HIPAA security compliance in academic medical centers, the outcomes of this study will contribute to the body of knowledge of security compliance. The empirical results of this research also will provide guidance for individuals and organizations involved with HIPAA security compliance initiatives in health care.

Compliance

HIPAA

Information Security

Information Systems

Security Effectiveness

Technology Acceptance

Computer Sciences

Effective Cyber Security Strategies for Small Businesses

Cook, Kimberly Diane

01 January 2017

Disruptive technologies developed in the digital age expose individuals, businesses, and government entities to potential cyber security vulnerabilities. Through the conceptual framework of general systems theory, this multiple case study was used to explore the strategies among owners of 4 retail small- and medium-size enterprises (SMEs) in Melbourne, Florida, who successfully protected their businesses against cyber attacks. The data were collected from a review of archival company documents and semistructured interviews. Yin's 5-phased cycles for analyzing case studies provided the guidelines for the data analysis process. Three themes emerged from thematic analysis across the data sets: cyber security strategy, reliance on third-party vendors for infrastructure services, and cyber security awareness. The study findings indicated that the SME owners' successful cyber security strategies might serve as a foundational guide for others to assess and mitigate cyber threat vulnerabilities. The implications for positive social change include the potential to empower other SME owners, new entrepreneurs, and academic institutions with successful cyber security strategies and resources to affect changes within the community. SME owners who survive cyber attacks may spur economic growth by employing local residents, thus stimulating the socioeconomic lifecycle. Moreover, implementation of these successful strategies may catalyze consumer confidence, resulting in greater economic prosperity.

cyber security awareness

cyber security effectiveness

cyber security strategy

cyber security third party reliance

SME cyber security guidance

SMEs