A Reclassification of IS Security Analysis Approaches. Ali Sunyaev, Florian Tremmel, Christian Mauro, Jan Marco Leimeister, Helmut Krcmar



Please quote as: Sunyaev, A.; Tremmel, F.; Mauro, C.; Leimeister, J. M. & Krcmar, H.: A Reclassification of IS Security Analysis Approaches. In: Proceedings of the Fifteenth Americas Conference on Information Systems (AMCIS), San Francisco, 2009.


Americas Conference on Information Systems (AMCIS), AMCIS 2009 Proceedings, Association for Information Systems, 2009.

A Re-Classification of IS Security Analysis Approaches

Ali Sunyaev, Florian Tremmel
Technische Universität München, Germany
sunyaev@in.tum.de, florian.tremmel@accenture.com

Christian Mauro, Jan Marco Leimeister
Technische Universität München, Germany; Universität Kassel, Germany
mauro@in.tum.de, leimeister@uni-kassel.de

Helmut Krcmar
Technische Universität München, Germany
krcmar@in.tum.de

ABSTRACT


The role of security management in the development and operation of information systems has a long tradition of research in computer science, information systems and management science. Integrating the economic, organizational, and technical aspects of information systems security analysis and assessment requires a bridging of these different research streams.

We examined major articles published on IS security using a new classification scheme for IS security analysis and assessment approaches. We looked at approaches discussed in recent publications as well as those examined in past articles that have attempted to classify various approaches to IS security. This paper therefore organizes a diverse collection of literature into a cohesive whole with the aim of providing IS management with an overview of current security analysis approaches, thereby offering management an effective aid for selecting the methods best suited to their needs. Furthermore, this work structures IS security research into a classification scheme that can also be used in future research and practice.

Keywords: Information Systems Security, Security Management, Risk Management, Information Security Management Standards.


The goal of information systems (IS) security analysis and security assessment is the identification and evaluation of possible threats (Siponen, 2005a); security analysis and security assessment are both integral parts of security management. Various reviews and summaries of information systems security analysis approaches exist; however, their respective motivations, backgrounds, and foci differ (Cody, Sharman, Rao and Upadhyaya, 2008). The goal of this paper is to provide an integrated classification of IS security analysis and assessment approaches as a guide to the subject for managers. Unlike previous reviews, we have summarized existing approaches and assigned them to unique and clearly delineated categories that were identified during our literature review process. In addition, synonyms and homonyms that appear across the various approaches are identified and classified, which allows for a better understanding and comparison of the approaches. Furthermore, in contrast to other works, this paper does not focus on IS security development but on IS security analysis. This specialization allows a more detailed analysis, so that the different foci of IS security analysis approaches can be identified and a more precise delineation of the approaches can be presented. The newly developed classification could prove useful to both researchers and practitioners in this field.

In the first section of the paper, “Research Approach”, we describe the literature search, article selection, and article categorization processes we used. Existing IS security analysis approaches are analyzed in the “Related Work and Existing Literature Reviews” section. The results of the classification are presented in the section “Systematization of the Security Analysis Approaches”. We outline a theoretical framework for systematizing and analyzing existing IS security analysis approaches in the section “Theory of the Framework”. In our conclusion we summarize our key findings and provide recommendations for future work in this area.

RESEARCH APPROACH

The research approach used for the literature review was proposed by Webster and Watson (2002). A search was performed spanning the IS security, information management, information systems, and risk and security management literature.

To identify relevant articles, selected journals in these fields were examined by means of a full-text electronic search [1] using selected keywords such as “information systems security”, “IS security (risk) analysis”, “IS security (risk) assessment”, and “security and risk management” [2]. This search identified a total of 465 articles. The title and abstract of each article were examined to determine its relevance for this research (i.e., whether the article related to the topic of security analysis). This process generated 99 articles for in-depth review. In an effort to broaden the search beyond the original set of journals, we used a snowball sampling technique (Goodman, 1961): the works cited in those 99 articles were analyzed for potential interest, which yielded an additional 71 sources for our research. These sources included dissertations, master's and bachelor's theses, working papers from universities, conference proceedings, and publications from organizations and governmental agencies. In all, a total of 161 articles were reviewed in depth.

The categorization of the literature was concept-driven (Webster and Watson, 2002). Each article was examined to assess whether it contained a suggestion for the systematization of security analysis approaches or already identified subclasses. Out of the 161 reviewed articles, 15 included such a suggestion. Table 1 identifies these articles and their area of focus. The table also shows which parts of the systematization are addressed by each article. An X in the column “assessment approaches” indicates that the article addresses the systematization of assessment approaches. Astonishingly, two types of approaches, namely checklists and legislation accommodations, were not covered or mentioned by any of these articles.

The following databases were used: Business Source Premier, ScienceDirect, JSTOR archive, INSPEC. All issues of the following journals were searched in an effort to include leading journals in the selected disciplines and to broaden the search in German-speaking areas: ACM Computing Surveys, ACM Transactions on Information and System Security, Bank Accounting & Finance, Communications of the ACM, Computers & Security, European Journal of Information Systems, HMD Praxis der Wirtschaftsinformatik, IEEE Security & Privacy, IEEE Software, IEEE Transactions journals, IM Information Management & Consulting, Information and Organization, Information Management & Computer Security, Information Security Management, Information Systems Journal, Information Systems Management, Information Systems Research, Information Systems Security, Internal Auditor, International Journal of Network Management, Journal of Computer Security, Journal of Management Information Systems, Journal of Research and Practice in Information Technology, Journal of the Association for Information Systems, Management & Information Technologies, Management Information Systems Quarterly, Strategic Finance.

Table 1. Articles of Interest
(Initiative D21) X
(Karabacak and Sogukpinar, 2005) X
(Kokolakis, Demopoulos and Kiountouzis, 2000) X
(Siponen, 2005a) X X
(Hoo, 2000) X X
(Su, 2006) X


RELATED WORK AND EXISTING LITERATURE REVIEWS

The literature review yielded five research publications that classify methods used in information systems security. These are the works of Baskerville (1993), BITKOM (2006), Dhillon et al. (2001), Eloff et al. (2000), and Siponen (2005b). Below we review each of these works, discuss what elements they bring to the classification scheme being developed, and identify their shortcomings as they relate to IS security analysis approaches.

Siponen (2005b): An Analysis of the Traditional IS Security Approaches: Implications for Research and Practice

Siponen (2005b) addresses information systems security (ISS) methods. His systematization consists of five classes (checklists, IS security standards, IS security maturity criteria, risk management, and formal methods), three of which are connected to IS security analysis. Two of Siponen's suggested classes, ISS maturity criteria and formal methods, are not security analysis approaches; instead, their focus is on ensuring the secure development of information systems. The other three suggested classes are checklists, ISS standards, and risk management, which correspond to the classes checklists, IT security management approaches, and risk analysis approaches suggested in this paper. In contrast to Siponen's work, the systematization developed in this paper distinguishes between standards and best practice models, which are subclasses of the IT security management approaches. Furthermore, this paper uses the term risk analysis instead of risk management, because the focus of this paper is narrower than that of Siponen's work. Therefore, only risk analysis, which is part of risk management, is of interest for this work.


Siponen's work addresses ISS methods and therefore has a larger scope than our paper.

Siponen suggests five classes which are somewhat disjointed. The five classes are not further subdivided, which limits the decision support for the reader.

Siponen does not consider legislation accommodations that impact IS security, nor IS security assessment approaches.

Dhillon et al. (2001): Current Directions in IS Security Research: Towards Socio-Organizational Perspectives

Dhillon et al. (2001) classify IS security by deriving four models from the fields of sociology and philosophy. Subsequently, various IS security approaches are assigned to these models. The IS security approaches they mention are, among others, checklists, risk analysis methods, and security evaluation methods, where risk analysis is part of risk management. Because security analysis is only a part of security management, the class risk analysis is preferred to the class risk management as used by Siponen (2005b). The class evaluation is defined roughly: “Another category of research in computer security is in evaluation methods, whose rationale stems from the need to measure security” (Dhillon et al., 2001, p. 136). Approaches that they assign to this class include security models such as Bell-LaPadula as well as standards such as BS 7799. The systematization in this paper uses the term “standard” for this class, because security models are not appropriate for conducting a security analysis.


Dhillon and Backhouse examine socio-organizational aspects of information systems and IS security. Technical and economic aspects are not studied.

Dhillon and Backhouse's systematization classifies IS security methods according to the sociological and philosophical theories on which they are based. This approach is more scientific but is impractical for use in decision support.

For sociological and philosophical purposes the classification can be considered complete, but it is not suitable for IS security purposes. As mentioned, the technical and economic aspects of IS security are ignored in Dhillon and Backhouse's systematization.

Some of the content in this work is outdated. For example, the standard BS 7799 is no longer in use.

