
Please quote as: Sunyaev, A.; Tremmel, F.; Mauro, C.; Leimeister, J. M. & Krcmar, H. (2009): A Re-Classification of IS security analysis approaches. In: Proceedings of the Fifteenth Americas Conference on Information Systems (AMCIS), San Francisco,


Americas Conference on Information Systems (AMCIS)

AMCIS 2009 Proceedings

Association for Information Systems Year 2009

A Reclassification of IS Security Analysis Approaches


Ali Sunyaev (Technische Universität München, sunyaev@in.tum.de), Florian Tremmel (Technische Universität München, florian.tremmel@accenture.com), Christian Mauro (Technische Universität München, mauro@in.tum.de), Jan Marco Leimeister (Universität Kassel, leimeister@uni-kassel.de), Helmut Krcmar (Technische Universität München, krcmar@in.tum.de). This paper is posted at AIS Electronic Library (AISeL).

http://aisel.aisnet.org/amcis2009/570


The role of security management in the development and operation of information systems has a long tradition of research in computer science, information systems and management science. Integrating the economic, organizational, and technical aspects of information systems security analysis and assessment requires a bridging of these different research streams.

We examined major articles published on IS security using a new classification scheme for IS security analysis and assessment approaches. We looked at approaches discussed in recent publications as well as those examined in past articles that have attempted to classify approaches to IS security. This paper therefore organizes a diverse collection of literature into a cohesive whole, with the aim of providing IS management with an overview of current security analysis approaches and thereby an effective aid for selecting the methods best suited to their needs. Furthermore, this work structures IS security research into a classification scheme that can also be used in future research and practice.

Keywords Information Systems Security, Security Management, Risk Management, Information Security Management Standards.


The goal of information systems (IS) security analysis and security assessment is the identification and evaluation of possible threats (Siponen, 2005a); security analysis and security assessment are both integral parts of security management. Various reviews and summaries of IS security analysis approaches exist; however, their respective motivations, backgrounds, and foci differ (Cody, Sharman, Rao and Upadhyaya, 2008). The goal of this paper is to provide an integrated classification of IS security analysis and assessment approaches as a guide to the subject for managers. Unlike previous reviews, we have summarized existing approaches and assigned them to unique and clear categories that were identified during our literature review process. In addition, synonyms and homonyms that appear in the various approaches are identified and classified, which allows for better understanding and comparison of the approaches. Furthermore, in contrast to other works, this paper does not focus on IS security development but on IS security analysis. This narrower scope allows a more detailed analysis, so that the different foci of IS security analysis approaches can be identified and a more precise delineation of the approaches can be presented. The newly developed classification could prove useful to both researchers and practitioners in this field.

In the first section of the paper, “Research Approach”, we describe the literature search, article selection, and article categorization processes we used. Existing IS security analysis approaches are analyzed in the section “Related Work and Existing Literature Reviews”. The results of the classification are presented in the section “Systematization of the Security Analysis Approaches”. We outline a theoretical framework for systematizing and analyzing existing IS security analysis approaches in the section “Theory of the Framework”. In our conclusion we summarize our key findings and provide recommendations for future work in this area.



The research approach used for the literature review follows Webster and Watson (2002). A search was performed spanning the IS security, information management, information systems, and risk and security management literature.

To identify relevant articles, selected journals in these fields were examined by means of a full-text electronic search [1] using keywords such as “information systems security”, “IS security (risk) analysis”, “IS security (risk) assessment”, and “security and risk management” [2]. This search identified a total of 465 articles. The title and abstract of each article were examined to determine its relevance to this research (i.e. whether the article related to security analysis). This process yielded 99 articles for in-depth review. To broaden the search beyond the original set of journals, we used snowball sampling (Goodman, 1961): works cited in those 99 articles that were of potential interest were analyzed, which yielded an additional 71 sources for our research. These sources included dissertations, master's and bachelor's theses, university working papers, conference proceedings, and publications from organizations and governmental agencies. In all, a total of 161 articles were reviewed in depth.

The categorization of the literature was concept-driven (Webster and Watson, 2002). Each article was examined to assess whether it contained a suggestion for the systematization of security analysis approaches or already identified subclasses. Of the 161 reviewed articles, 15 included such a suggestion. Table 1 identifies these articles and their area of focus. The table also shows which parts of the systematization are addressed by each article; an X in the column “assessment approaches” indicates that the article addresses the systematization of assessment approaches. Notably, two types of approaches, namely checklists and legislation accommodations, were not covered or mentioned by any of these articles.


[1] The following databases were used: Business Source Premier, ScienceDirect, JSTOR archive, INSPEC.

[2] All issues of the following journals were searched in an effort to include leading journals in the selected disciplines and to broaden the search in German-speaking areas: ACM Computing Surveys, ACM Transactions on Information and System Security, Bank Accounting & Finance, Communications of the ACM, Computers & Security, European Journal of Information Systems, HMD Praxis der Wirtschaftsinformatik, IEEE Security & Privacy, IEEE Software, IEEE Transactions Journals, IM Information Management & Consulting, Information and Organization, Information Management & Computer Security, Information Security Management, Information Systems Journal, Information Systems Management, Information Systems Research, Information Systems Security, Internal Auditor, International Journal of Network Management, Journal of Computer Security, Journal of Management Information Systems, Journal of Research and Practice in Information Technology, Journal of the Association for Information Systems, Management & Information Technologies, Management Information Systems Quarterly, Strategic Finance.


Table 1. Articles of Interest (partial; an X marks each part of the systematization the article addresses)

(Initiative D21) X
(Karabacaka and Sogukpinar, 2005) X
(Kokolakis, Demopoulos and Kiountouzis, 2000) X
(Siponen, 2005a) X X
(Hoo, 2000) X X
(Su, 2006) X


The literature review yielded five research publications that classify methods used in information systems security. These are the works of (Baskerville, 1993), (BITKOM, 2006), (Dhillon et al., 2001), (Eloff et al., 2000), and (Siponen, 2005b). Below we review each of these works, discuss what elements they contribute to the classification scheme being developed, and identify their shortcomings as they relate to IS security analysis approaches.

(Siponen, 2005b) - An Analysis of the Traditional IS Security Approaches: Implications for Research and Practice. Siponen (2005b) addresses information systems security (ISS) methods. His systematization consists of five classes (checklists, IS security standards, IS security maturity criteria, risk management, and formal methods), three of which are connected to IS security analysis. Two of Siponen's suggested classes, ISS maturity criteria and formal methods, are not security analysis approaches; their focus is instead on ensuring the secure development of information systems. The other three classes, checklists, ISS standards, and risk management, correspond to the classes checklist, IT security management approaches, and risk analysis approaches suggested in this paper. In contrast to Siponen's work, the systematization developed here distinguishes between standards and best-practice models, which are subclasses of the IT security management approaches. Furthermore, this paper uses the term risk analysis instead of risk management, because its focus is narrower than that of Siponen's work: only risk analysis, which is one part of risk management, is of interest here.


Siponen's work addresses ISS methods in general and therefore has a larger scope than our paper.

Siponen suggests five classes that are only loosely related. The five classes are not further subdivided, which limits the decision support they offer the reader.

Siponen considers neither legislation accommodations that affect IS security nor IS security assessment approaches.

(Dhillon et al., 2001) - Current Directions in IS Security Research: Towards Socio-Organizational Perspectives. Dhillon et al. (2001) classify IS security research by deriving four models from the fields of sociology and philosophy and then assigning the various IS security approaches to these models. The approaches they mention include checklists, risk analysis methods, and security evaluation methods, where risk analysis is part of risk management. Because security analysis is only a part of security management, the class risk analysis is preferred here to the class risk management used by Siponen (2005b). The class evaluation is only loosely defined: “Another category of research in computer security is in evaluation methods, whose rationale stems from the need to measure security” (Dhillon et al., 2001, p. 136). Approaches they assign to this class include security models such as Bell-LaPadula as well as standards such as BS 7799. The systematization in this paper uses the term “standard” for this class instead, because security models are not appropriate for conducting a security analysis.


Dhillon and Backhouse examine socio-organizational aspects of information systems and IS security; technical and economic aspects are not studied.

Dhillon's and Backhouse's systematization classifies IS security methods according to the sociological and philosophical theories on which they are based. This approach is more scientific but impractical for use in decision support.

For sociological and philosophical purposes the classification can be considered complete, but it is not suitable for IS security purposes: as mentioned, the technical and economic aspects of IS security are ignored in Dhillon's and Backhouse's systematization.

Some of the content in this work is outdated. For example, the standard BS 7799 is no longer in use; its two parts have been superseded by ISO/IEC 27002 (formerly ISO/IEC 17799) and ISO/IEC 27001.
