A quantitative man-machine model for cyber security efficiency analysis

Jung, Sung-Oh

25 April 2007

The analysis of security defense processes is of utmost importance in the management of various cyber-security attacks, which are increasing in scope and rapidity. Organizations need to optimize their resources based on a sound understanding of the level of their security defense processes' efficiency and the impact of their investment. Modeling and characterization of the dynamics of cyber security management are essential to risk prediction, damage assessment, and resource allocations. This dissertation addresses the interactions between human factors and information systems. On the basis of the spiral life cycle model of software development processes, we develop a realistic, holistic security attack-defense model - Man-Machine Model (M3), which combines human factors and information systems' (i.e., machine) states under an integrated analytical framework. M3 incorporates man and machine components. The man component is comprised of several variables such as Skill & Knowledge (SKKN) and Teamwork Quality (TWQ). The machine component is composed of variables such as traffic volume and the amount of downtime. M3 enables the analysis of intrusion detection and incident response process efficiency, i.e., security defense team performance. With data analysis, we formulate and test four major research hypotheses based on the data collected during security experiments. Through hypothesis testing, we evaluate regression models to estimate the security defense team performance (i.e. efficiency) at different levels of human intelligence (e.g., skill and knowledge) and teamwork (e.g., teamwork quality). We assess the fitness and significance of the regression models, and verify their assumptions. Based on these results, organizations can hire those who have an appropriate level of skill and knowledge when it concerns investments to increase the level of skill and knowledge of security personnel. They also can attempt to increase the level of skill and knowledge of security personnel.

security process

efficiency

human

Identifying Factors Contributing Towards Information Security Maturity in an Organization

Edwards, Madhuri M.

01 January 2018

Information security capability maturity (ISCM) is a journey towards accurate alignment of business and security objectives, security systems, processes, and tasks integrated with business-enabled IT systems, security enabled organizational culture and decision making, and measurements and continuous improvements of controls and governance comprising security policies, processes, operating procedures, tasks, monitoring, and reporting. Information security capability maturity may be achieved in five levels: performing but ad-hoc, managed, defined, quantitatively governed, and optimized. These five levels need to be achieved in the capability areas of information integrity, information systems assurance, business enablement, security processes, security program management, competency of security team, security consciousness in employees, and security leadership. These areas of capabilities lead to achievement of technology trustworthiness of security controls, integrated security, and security guardianship throughout the enterprise, which are primary capability domains for achieving maturity of information security capability in an organization. There are many factors influencing the areas of capabilities and the capability domains for achieving information security capability maturity. However, there is little existing study done on identifying the factors that contribute to achievement of the highest level of information security capability maturity (optimized) in an organization. This research was designed to contribute to this area of research gap by identifying the factors contributing to the areas of capabilities for achieving the highest level of information security capability maturity. The factors were grouped under the eight capability areas and the three capability domains in the form of an initial structural construct. This research was designed to collect data on all the factors using an online structured questionnaire and analyzing the reliability and validity of the initial structural construct following the methods of principal components analysis (PCA), Cronbach Alpha reliability analysis, confirmatory factor analysis (CFA), and structural equation modeling. A number of multivariate statistical tests were conducted on the data collected regarding the factors to achieve an optimal model reflecting statistical significance, reliability, and validity. The research was conducted in four phases: expert panel and pilot study (first phase), principal component analysis (PCA) and reliability analysis (RA) of the factor scales (second phase), confirmatory factor analysis (CFA) using LISREL (third phase), and structural equation modeling (SEM) using LISREL (fourth phase). The final model subsequent to completing the four phases reflected acceptance or rejection of the eleven hypotheses defined in the initial structural construct of this study. The final optimized model was obtained with the most significant factors loading on the capability areas of information integrity, information security assurance, business enablement, security process maturity, security program management, competency of security team, security conscious employees, and security leadership, including the most significant factors loading the three capability domains of security technology trustworthiness, security integration, and security guardianship. All the eleven hypotheses were accepted as part of the optimal structural construct of the final model. The model provides a complex integrated framework of information security maturity requiring multi-functional advancements and maturity in processes, people, and technology, and organized security program management and communications fully integrated with the business programs and communications. Information security maturity is concluded as a complex function of multiple maturity programs in an organization leading to organized governance structures, multiple maturity programs, leadership, security consciousness, and risk-aware culture of employees.

Capability Maturity

Information Security

Information Systems Audit

Risk Management

Security Maturity

Security Process Maturity

Computer Sciences

INCORPORATING SECURITY IN SERVICE LEVEL AGREEMENTS

Asghar, Syed Usman

January 2020

No description available.

Computer Systems

Datorsystem

Bezpečnost podnikové informatiky v souvislosti s ITIL / Information Security in the context of ITIL

Korous, Petr

January 2011

The diploma thesis discusses information security management in the context of ITIL framework. In the introductory part is explained the concept of information security, its importance and main goals. In subsequent chapters, the work aims to explore methodologies, frameworks and standards related to information security and internal control. Selected frameworks and models and described and compared with each other based on different criteria. The comparison is also one of the benefits of the work because similar topics which compare different models of internal control and information security are quite rare in the literature. The practical part of the thesis forms new methodology on basis of researched models and standards, including ISO 27000, ITIL and COBIT. This methodology provides a relatively simple way to evaluate the level of information security in an organization. It uses process capability model which is applied on selected company. Another benefit of the thesis is the developed methodology and its demonstration on a selected company.

Simulace správy informační bezpečnosti ve fakultním prostředí / Simulating information security management within a university environment

Hložanka, Filip

January 2020

This diploma thesis is concerned with simulating information security management within a university environment. It is divided into three parts. The theoretical part focuses on describing the assets which could be part of a faculty network, attacks that could target it, security processes which could protect it and users that are active within it. The analytical part then applies these segments on a real faculty network. Based on this analysis, a set of specific assets, attacks, security processes and other tasks is created in order to simulate a simplified version of the analyzed network using a sophisticated cybernetic polygon. The security of the network is then assessed after several iterations of the simulations. Its parameters are adjusted in the effort to increase its security and the module is tested on an academic employee in order to assess its effectiveness. The conclusion evaluates the possibilities of increasing the security of the simulated network as well as the usability of the cybernetic polygon in practice.