A Heuristic Method for Information Scaling in Manufacturing Organizations
DOI: https://doi.org/10.11113/jt.v69.3150
Keywords: Assets information, scaling method, heuristic
Abstract
Protecting information assets is vital to the survival of an organization. With cyber-attacks and viruses increasing worldwide, organizations must adopt innovative and rigorous procedures to keep these vital assets out of the reach of attackers. Although compliance with international information security standards such as ISO 27001 has grown worldwide, with over 7000 registered certificates, few Iranian companies are ISO 27001 certified. An organization also needs to perform a risk assessment in order to determine its assets' exposure to risk and the best way to manage it. Risk within the methodology is determined by the standard formula, in which risk is calculated as the product of asset value, threat and vulnerability. ISO 27001 requires that 'An appropriate risk assessment shall be undertaken'. One of the main factors in this process is the identification and scoring of information assets. Because assets have different values within an organization, the main purpose of this study is to identify and investigate a weighted method for assigning values to assets in order to minimize vulnerability in manufacturing systems. The study also aims to improve asset value scoring by using heuristic methods. A real-world case study in Iran was selected to implement this approach based on ISO 27001.
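The standard formula the abstract relies on, risk = asset value x threat x vulnerability, combined with a weighted asset-value score and a banded risk scale, as an added Python illustration. This is not the paper's method or code: the CIA weighting scheme, the band thresholds and the three sample assets are constructed assumptions chosen only to show how a weighted asset register is scored and ranked.

```python
"""Weighted asset valuation feeding the standard risk formula.

Added illustration; the paper's heuristic is not reproduced here. The weights,
bands and sample assets below are constructed for the example.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumed weights for the confidentiality (C), integrity (I) and availability (A)
# ratings. Availability is weighted highest because a production line is usually
# hurt most by downtime. The numbers are an assumption, not the paper's scheme.
CIA_WEIGHTS: Dict[str, float] = {"C": 0.3, "I": 0.3, "A": 0.4}

RATING_MIN, RATING_MAX = 1, 5

# Assumed bands for mapping a numeric risk onto a three-level scale.
# The maximum possible risk is 5 (asset value) * 5 (threat) * 5 (vulnerability) = 125.
RISK_BANDS: List[Tuple[float, str]] = [(25.0, "Low"), (60.0, "Medium"), (125.0, "High")]


@dataclass(frozen=True)
class Asset:
    name: str
    c: int              # confidentiality requirement, 1..5
    i: int              # integrity requirement, 1..5
    a: int              # availability requirement, 1..5
    threat: int         # likelihood of a threat acting on the asset, 1..5
    vulnerability: int  # ease with which a threat can exploit the asset, 1..5

    def __post_init__(self) -> None:
        # Reject ratings outside the scale so a typo cannot silently inflate or hide risk.
        for label, value in (("c", self.c), ("i", self.i), ("a", self.a),
                             ("threat", self.threat), ("vulnerability", self.vulnerability)):
            if not RATING_MIN <= value <= RATING_MAX:
                raise ValueError(f"{label} rating {value} outside {RATING_MIN}..{RATING_MAX}")


def asset_value(asset: Asset, weights: Dict[str, float] = CIA_WEIGHTS) -> float:
    """Weighted asset value, still on the 1..5 scale because the weights sum to 1."""
    if abs(sum(weights.values()) - 1.0) > 1e-9:
        raise ValueError("CIA weights must sum to 1")
    return weights["C"] * asset.c + weights["I"] * asset.i + weights["A"] * asset.a


def risk(asset: Asset, weights: Dict[str, float] = CIA_WEIGHTS) -> float:
    """Standard formula from the abstract: risk = asset value x threat x vulnerability."""
    return asset_value(asset, weights) * asset.threat * asset.vulnerability


def risk_level(score: float) -> str:
    """Map a numeric risk onto the assumed Low / Medium / High bands."""
    for upper, label in RISK_BANDS:
        if score <= upper:
            return label
    return RISK_BANDS[-1][1]


def rank_assets(assets: List[Asset],
                weights: Dict[str, float] = CIA_WEIGHTS) -> List[Tuple[str, float, str]]:
    """Assets ordered from highest to lowest risk, each with its banded level."""
    scored = []
    for asset in assets:
        score = risk(asset, weights)
        scored.append((asset.name, round(score, 2), risk_level(score)))
    return sorted(scored, key=lambda row: row[1], reverse=True)


# Constructed sample register for a fictional plant; not data from the paper.
SAMPLE_ASSETS: List[Asset] = [
    Asset("PLC controlling the press line", c=2, i=5, a=5, threat=4, vulnerability=4),
    Asset("CAD drawings file share",        c=5, i=4, a=2, threat=4, vulnerability=2),
    Asset("Canteen menu web page",          c=1, i=1, a=2, threat=2, vulnerability=5),
]

if __name__ == "__main__":
    for name, score, level in rank_assets(SAMPLE_ASSETS):
        print(f"{score:6.2f}  {level:6}  {name}")
```

With the assumed weights the PLC scores highest even though its confidentiality rating is low, which is the point of weighting: an availability-critical controller outranks a confidential file share once the weights reflect what the plant actually loses. Changing `CIA_WEIGHTS` or the bands changes the ranking, so those choices should be agreed with the asset owners and recorded in the risk assessment.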
License
Copyright of articles that appear in Jurnal Teknologi belongs exclusively to Penerbit Universiti Teknologi Malaysia (Penerbit UTM Press). This copyright covers the rights to reproduce the article, including reprints, electronic reproductions, or any other reproductions of similar nature.