
Information security risk management / Dashti, Salimeh; Giorgini, Paolo; Paja, Elda. - Print. - 305:(2017), pp. 18-33. (Paper presented at the 10th IFIP WG 8.1 Working Conference on the Practice of Enterprise Modelling, PoEM 2017, held in Leuven, 22nd-24th November 2017) [10.1007/978-3-319-70241-4_2].

Information security risk management

Giorgini, Paolo;Paja, Elda
2017-01-01

Abstract

Security breaches of the socio-technical systems that organizations depend on cost those organizations billions of dollars each year. Although information security is a growing concern, most organizations deploy only technical security measures to prevent attacks, overlooking social and organizational threats and the risks that follow from them. In this paper, we propose a method for information security risk analysis inspired by the ISO27k standard series and based on two state-of-the-art methods: the socio-technical security requirements method STS and the risk analysis method CORAS. The method models the social interactions among stakeholders and captures both the risks that threaten their assets and those that arise from interacting with others. It then suggests how assets are to be protected, based on the classification of the information involved and the potential losses a security breach would incur. An example from the healthcare domain is used throughout the paper to illustrate the method.
2017
The Practice of Enterprise Modeling: 10th IFIP WG 8.1. Working Conference, PoEM 2017: Proceedings
Heidelberg
Springer Professional
9783319702407
978-3-319-70241-4
Dashti, Salimeh; Giorgini, Paolo; Paja, Elda
Files in this record:
File: Poem-Sali--2017.pdf
Access: archive administrators only
Type: Publisher's version (publisher's layout)
License: All rights reserved
Size: 3.76 MB
Format: Adobe PDF

Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.

Use this identifier to cite or link to this document: https://hdl.handle.net/11572/195582
Citations
  • Scopus 4