Metin, B.; Duran, S.; Telli, E.; Mutlutürk, M.; Wynn, M. IT Risk Management: Towards a System for Enhancing Objectivity in Asset Valuation That Engenders a Security Culture. Information 2024, 15, 55.
Abstract
To proactively manage information security, enterprises often employ information security risk assessment techniques. Asset value - which is used to calculate the financial impact of possible threats - is one of the key parameters of information security risk. However, assets in a system are rarely independent, and their values are typically interdependent. Asset owners and IT teams may hold different views as regards these values, and there is thus the need to reduce subjectivity in a qualitative risk assessment. The research entails the development of a conceptual framework derived from the literature to minimize subjectivity, and the design of a system based on those concepts. The study uses the Unified Modeling Language as a design tool and puts forward an object-oriented model for defining asset values, in which the relationships between assets, vulnerabilities and related threats are identified. A “segregation of duties” approach is integrated into the risk management system to mitigate against subjectivity and better determine asset values. Survey responses from 16 practitioners working in the private and public sectors confirm the validity of the approach, but suggest it may be more workable in larger organisations where resources allow dedicated risk professionals to operate.
Keywords
risk assessment; information security; risk management; segregation of duties; security culture model; SCM; COBIT 2019; unified modelling language; ISO 27001
Subject
Business, Economics and Management, Business and Management
Copyright:
This is an open access article distributed under the Creative Commons Attribution License which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.