Information security management framework suitability estimation for small and medium enterprise
Abstract
Information security is one of the key concerns of an enterprise or organization. To assure suitable management of information security a list of information security management frameworks has been developed by a number of institutions and authors. A condensed information in information security management framework is very important to a small and medium enterprise as this type of enterprise usually lacks resources for information security expertise and deep analysis. Despite the fact, the information security management process and its frameworks, on the other hand, are very complex and require a big number of different elements. At the moment the comparison it is very shallow, as all properties of the comparison are treated equally important. In real life, the importance of different criteria of information security management framework and their suitability for small and medium enterprise vary. Therefore we use the Analytic Hierarchy Process to construct a hierarchy of information security management frameworks quality and applicability in small and medium enterprise and define the weights for each of the criteria. Weighted criteria express the importance of the criteria and executed the final comparison of alternatives (five information security management frameworks) is more realistic (similar to experts opinion) comparing to existing comparisons.
First published online 20 June 2019
Keyword : information security management framework, suitability, small and medium enterprise, SME, multi criteria, MCDM, AHP
How to Cite
Kaušpadienė, L., Ramanauskaitė, S., & Čenys, A. (2019). Information security management framework suitability estimation for small and medium enterprise. Technological and Economic Development of Economy, 25(5), 979-997. https://doi.org/10.3846/tede.2019.10298
This work is licensed under a Creative Commons Attribution 4.0 International License.
References
Abdel-Basset, M., Manogaran, G., & Mohamed, M. (2018). Internet of Things (IoT) and its impact on supply chain: A framework for building smart, secure and efficient systems. Future Generation Computer Systems, 86, 614-628. https://doi.org/10.1016/j.future.2018.04.051
Alnuem, M., Alrumaih, H., & Al-Alshaikh, H. (2015). A comparison study of information security risk management frameworks in cloud computing. In Cloud computing (pp. 103-109). Retrieved from https://pdfs.semanticscholar.org/d495/a0732d0aaa211c05b1637975cbebb1009634.pdf
Aminnezhad, A., Mahmod, R., & Abdullah, M. T. (2016). Survey on economics of information security. International Journal of Computer Science and Network Security (IJCSNS), 16(7), 99-116.
Anderson, R., & Moore, T. (2006). The economics of information security. Science, 314(5799), 610-613. https://doi.org/10.1126/science.1130992
Baudry, G., Macharis, C., & Vallée, T. (2018). Range-based Multi-Actor Multi-Criteria Analysis: A combined method of Multi-Actor Multi-Criteria Analysis and Monte Carlo simulation to support participatory decision making under uncertainty. European Journal of Operational Research, 264(1), 257-269. https://doi.org/10.1016/j.ejor.2017.06.036
Bose, P. A., Biswas, S., Nandi, S., & Chakraborty, S. (2018). MATEM: A unified framework based on trust and MCDM for assuring security, reliability and QoS in DTN routing. Journal of Network and Computer Applications, 104, 1-20. https://doi.org/10.1016/j.jnca.2017.12.005
Bradley, D., & Josang, A. (2004). Mesmerize: an open framework for enter-prise security management. In Proceedings of the Second Workshop on Australasian Information Security, Data Mining and Web Intelligence, and Software Internation-Alisation (Vol. 32, pp. 37-42). Australian Computer Society, Inc.
Brauers, W. K. M., & Zavadskas, E. K. (2010). Project management by MULTIMOORA as an instrument for transition economies. Technological and Economic Development of Economy, 16(1), 5-24. https://doi.org/10.3846/tede.2010.01
Chemane, L. A., Ekenberg, L., Popov, O., Carrilho, S., Floor, R., & Mozambique, M. (2005). Government network and information security MCDM framework for the selection of security mechanisms. In CNIS 2005, 14–16 November, Phoenix, AZ, USA. Acta Press.
Chen, T., Li, Y., & Wang, H. (2011). A dissonance reduction method for intuitionistic fuzzy multicriteria decision-making problems. Pan-Pacific Management Review, 14(1), 1-27.
Dayanandan, U., & Kalimuthu, V. (2018). Software architectural quality assessment model for security analysis using Fuzzy Analytical Hierarchy Process (FAHP) method. 3D Research, 9(3), 31. https://doi.org/10.1007/s13319-018-0183-x
Eloff, M. M., & von Solms, S. H. (2000). Information security management: a hierarchical framework for various approaches. Computers & Security, 19(3), 243-256. https://doi.org/10.1016/S0167-4048(00)88613-7
Eze, S. C., Olatunji, S., Chinedu-Eze, V. C., & Bello, A. O. (2018). Key success factors influencing SME managers’ information behaviour on emerging ICT (EICT) adoption decision-making in UK SMEs. The Bottom Line, 31(3/4), 250-275. https://doi.org/10.1108/BL-02-2018-0008
Health Information Trust Alliance. (2014). Comparing the CSF, ISO/IEC 27001 and NIST SP 800-53: Why Choosing the CSF is the Best Choice. Retrieved from https://hitrustalliance.net/documents/ csf_rmf_related/CSFComparisonWhitpaper.pdf
Hwang, C. L., & Lin, M. J. (2012). Group decision making under multiple criteria: methods and applications (Vol. 281). Springer Science & Business Media.
International Organization for Standardization. (2013). ISO/IEC 27001:2013. Information technology -- Security techniques -- Information security management systems -- Requirements. Retrieved from https://www.iso.org/standard/54534.html
Kauspadiene, L., Cenys, A., Goranin, N., Tjoa, S., & Ramanauskaite, S. (2017). High-level self-sustaining information security management framework. Baltic Journal of Modern Computing, 5(1), 107. https://doi.org/10.22364/bjmc.2017.5.1.07
Keršuliene, V., Zavadskas, E. K., & Turskis, Z. (2010). Selection of rational dispute resolution method by applying new stepwise weight assessment ratio analysis (SWARA). Journal of Business Economics and Management, 11(2), 243-258. https://doi.org/10.3846/jbem.2010.12
Keshavarz Ghorabaee, M., Zavadskas, E. K., Olfat, L., & Turskis, Z. (2015). Multicriteria inventory classification using a new method of evaluation based on distance from average solution (EDAS). Informatica, 26(3), 435-451. https://doi.org/10.15388/Informatica.2015.57
Kim, E. Y., & Kim, K. W. (2014). A theoretical framework for cognitive and non-cognitive interventions for older adults: stimulation versus compensation. Aging & Mental Health, 18(3), 304-315. https://doi.org/10.1080/13607863.2013.868404
Knapp, K. J., Morris Jr, R. F., Marshall, T. E., & Byrd, T. A. (2009). Information security policy: An organizational-level process model. Computers & Security, 28(7), 493-508. https://doi.org/10.1016/j.cose.2009.07.001
Lopes, I., & Oliveira, P. (2014). Understanding information security culture: a survey in small and medium sized enterprises. In New Perspectives in Information Systems and Technologies (Vol. 1, pp. 277-286). Cham: Springer. https://doi.org/10.1007/978-3-319-05951-8_27
Mardani, A., Jusoh, A., Zavadskas, E. K., Khalifah, Z., & Nor, K. M. (2015). Application of multiplecriteria decision-making techniques and approaches to evaluating of service quality: a systematic review of the literature. Journal of Business Economics and Management, 16(5), 1034-1068. https://doi.org/10.3846/16111699.2015.1095233
McLaughlin, M. D., & Gogan, J. (2018). Challenges and best practices in information security management. MIS Quarterly Executive, 17(3), 12.
Miloslavskaya, N., & Tolstaya, S. (2017). Organization’s business continuity in cyberspace. In First International Early Research Career Enhancement School on Biologically Inspired Cognitive Architectures (pp. 289-295). Cham: Springer. https://doi.org/10.1007/978-3-319-63940-6_41
Oliveira, T., Alhinho, M., Rita, P., & Dhillon, G. (2017). Modelling and testing consumer trust dimensions in e-commerce. Computers in Human Behavior, 71, 153-164. https://doi.org/10.1016/j.chb.2017.01.050
Pamučar, D., & Ćirović, G. (2015). The selection of transport and handling resources in logistics centers using Multi-Attributive Border Approximation area Comparison (MABAC). Expert Systems with Applications, 42(6), 3016-3028. https://doi.org/10.1016/j.eswa.2014.11.057
Rebollo, O., Mellado, D., Sánchez, L. E., & Fernández-Medina, E. (2011). Comparative analysis of information security governance frameworks: a public sector approach. In The Proceedings of the11th European Conference on eGovernment–ECEG (pp. 482-490). Academic Conferences Limited.
Saaty, T. L. (1980). The analytic hierarchy process: Planning, priority setting, resources allocation. New York, NY: McGraw.
Saaty, T. L., Ozdemir, M. S., & Shang, J. S. (2015). The rationality of punishment–measuring the severity of crimes: an AHP-based orders-of-magnitude approach. International Journal of Information Technology & Decision Making, 14(01), 5-16. https://doi.org/10.1142/S0219622014500850
SABSA Institute. (2019). Welcome to the official SABSA website. Retrieved from http://www.sabsa.org
Safa, N. S., Von Solms, R., & Furnell, S. (2016). Information security policy compliance model in organizations. Computers & Security, 56, 70-82. https://doi.org/10.1016/j.cose.2015.10.006
Salminen, M., & Hossain, K. (2018). Digitalisation and human security dimensions in cybersecurity: an appraisal for the European High North. Polar Record, 54(2), 108-118. https://doi.org/10.1017/S0032247418000268
Sherwood, J., Clark, A., & Lynas, D. (1995). Enterprise security architecture [white paper, 2009]. SABSA.
Singh, S., & Misra, S. C. (2018). Migration of PLM systems to cloud. International Journal of Communication Systems, 31(18), 3815. https://doi.org/10.1002/dac.3815
Trcek, D. (2006). Managing information systems security and privacy. Springer Science & Business Media.
Turskis, Z., Goranin, N., Nurusheva, A., & Boranbayev, S. (2019). A fuzzy WASPAS-based approach to determine critical information infrastructures of EU sustainable development. Sustainability, 11(2), 424. https://doi.org/10.3390/su11020424
Udroiu, A., & Vevera, V. (2018). Lifelong learning for raising cybersecurity awareness. In 12th International Technology, Education and Development Conference (INTED), 2018. https://doi.org/10.21125/inted.2018.1272
Vasiu, I., & Vasiu, L. (2018). Cybersecurity as an essential sustainable economic development factor. European Journal of Sustainable Development, 7(4), 171-178. https://doi.org/10.14207/ejsd.2018.v7n4p171
Vinogradova, I., Podvezko, V., & Zavadskas, E. K. (2018). The recalculation of the weights of criteria in MCDM methods using the bayes approach. Symmetry, 10(6), 205. https://doi.org/10.3390/sym10060205
Zavadskas, E. K., & Turskis, Z. (2010). A new additive ratio assessment (ARAS) method in multicriteria decision‐making. Technological and Economic Development of Economy, 16(2), 159-172. https://doi.org/10.3846/tede.2010.10
Zavadskas, E. K., Stević, Ž., Tanackov, I., & Prentkovskis, O. (2018). A novel multicriteria approach– rough step-wise weight assessment ratio analysis method (R-SWARA) and its application in logistics. Studies in Informatics and Control, 27(1), 97-106. https://doi.org/10.24846/v27i1y201810
Alnuem, M., Alrumaih, H., & Al-Alshaikh, H. (2015). A comparison study of information security risk management frameworks in cloud computing. In Cloud computing (pp. 103-109). Retrieved from https://pdfs.semanticscholar.org/d495/a0732d0aaa211c05b1637975cbebb1009634.pdf
Aminnezhad, A., Mahmod, R., & Abdullah, M. T. (2016). Survey on economics of information security. International Journal of Computer Science and Network Security (IJCSNS), 16(7), 99-116.
Anderson, R., & Moore, T. (2006). The economics of information security. Science, 314(5799), 610-613. https://doi.org/10.1126/science.1130992
Baudry, G., Macharis, C., & Vallée, T. (2018). Range-based Multi-Actor Multi-Criteria Analysis: A combined method of Multi-Actor Multi-Criteria Analysis and Monte Carlo simulation to support participatory decision making under uncertainty. European Journal of Operational Research, 264(1), 257-269. https://doi.org/10.1016/j.ejor.2017.06.036
Bose, P. A., Biswas, S., Nandi, S., & Chakraborty, S. (2018). MATEM: A unified framework based on trust and MCDM for assuring security, reliability and QoS in DTN routing. Journal of Network and Computer Applications, 104, 1-20. https://doi.org/10.1016/j.jnca.2017.12.005
Bradley, D., & Josang, A. (2004). Mesmerize: an open framework for enter-prise security management. In Proceedings of the Second Workshop on Australasian Information Security, Data Mining and Web Intelligence, and Software Internation-Alisation (Vol. 32, pp. 37-42). Australian Computer Society, Inc.
Brauers, W. K. M., & Zavadskas, E. K. (2010). Project management by MULTIMOORA as an instrument for transition economies. Technological and Economic Development of Economy, 16(1), 5-24. https://doi.org/10.3846/tede.2010.01
Chemane, L. A., Ekenberg, L., Popov, O., Carrilho, S., Floor, R., & Mozambique, M. (2005). Government network and information security MCDM framework for the selection of security mechanisms. In CNIS 2005, 14–16 November, Phoenix, AZ, USA. Acta Press.
Chen, T., Li, Y., & Wang, H. (2011). A dissonance reduction method for intuitionistic fuzzy multicriteria decision-making problems. Pan-Pacific Management Review, 14(1), 1-27.
Dayanandan, U., & Kalimuthu, V. (2018). Software architectural quality assessment model for security analysis using Fuzzy Analytical Hierarchy Process (FAHP) method. 3D Research, 9(3), 31. https://doi.org/10.1007/s13319-018-0183-x
Eloff, M. M., & von Solms, S. H. (2000). Information security management: a hierarchical framework for various approaches. Computers & Security, 19(3), 243-256. https://doi.org/10.1016/S0167-4048(00)88613-7
Eze, S. C., Olatunji, S., Chinedu-Eze, V. C., & Bello, A. O. (2018). Key success factors influencing SME managers’ information behaviour on emerging ICT (EICT) adoption decision-making in UK SMEs. The Bottom Line, 31(3/4), 250-275. https://doi.org/10.1108/BL-02-2018-0008
Health Information Trust Alliance. (2014). Comparing the CSF, ISO/IEC 27001 and NIST SP 800-53: Why Choosing the CSF is the Best Choice. Retrieved from https://hitrustalliance.net/documents/ csf_rmf_related/CSFComparisonWhitpaper.pdf
Hwang, C. L., & Lin, M. J. (2012). Group decision making under multiple criteria: methods and applications (Vol. 281). Springer Science & Business Media.
International Organization for Standardization. (2013). ISO/IEC 27001:2013. Information technology -- Security techniques -- Information security management systems -- Requirements. Retrieved from https://www.iso.org/standard/54534.html
Kauspadiene, L., Cenys, A., Goranin, N., Tjoa, S., & Ramanauskaite, S. (2017). High-level self-sustaining information security management framework. Baltic Journal of Modern Computing, 5(1), 107. https://doi.org/10.22364/bjmc.2017.5.1.07
Keršuliene, V., Zavadskas, E. K., & Turskis, Z. (2010). Selection of rational dispute resolution method by applying new stepwise weight assessment ratio analysis (SWARA). Journal of Business Economics and Management, 11(2), 243-258. https://doi.org/10.3846/jbem.2010.12
Keshavarz Ghorabaee, M., Zavadskas, E. K., Olfat, L., & Turskis, Z. (2015). Multicriteria inventory classification using a new method of evaluation based on distance from average solution (EDAS). Informatica, 26(3), 435-451. https://doi.org/10.15388/Informatica.2015.57
Kim, E. Y., & Kim, K. W. (2014). A theoretical framework for cognitive and non-cognitive interventions for older adults: stimulation versus compensation. Aging & Mental Health, 18(3), 304-315. https://doi.org/10.1080/13607863.2013.868404
Knapp, K. J., Morris Jr, R. F., Marshall, T. E., & Byrd, T. A. (2009). Information security policy: An organizational-level process model. Computers & Security, 28(7), 493-508. https://doi.org/10.1016/j.cose.2009.07.001
Lopes, I., & Oliveira, P. (2014). Understanding information security culture: a survey in small and medium sized enterprises. In New Perspectives in Information Systems and Technologies (Vol. 1, pp. 277-286). Cham: Springer. https://doi.org/10.1007/978-3-319-05951-8_27
Mardani, A., Jusoh, A., Zavadskas, E. K., Khalifah, Z., & Nor, K. M. (2015). Application of multiplecriteria decision-making techniques and approaches to evaluating of service quality: a systematic review of the literature. Journal of Business Economics and Management, 16(5), 1034-1068. https://doi.org/10.3846/16111699.2015.1095233
McLaughlin, M. D., & Gogan, J. (2018). Challenges and best practices in information security management. MIS Quarterly Executive, 17(3), 12.
Miloslavskaya, N., & Tolstaya, S. (2017). Organization’s business continuity in cyberspace. In First International Early Research Career Enhancement School on Biologically Inspired Cognitive Architectures (pp. 289-295). Cham: Springer. https://doi.org/10.1007/978-3-319-63940-6_41
Oliveira, T., Alhinho, M., Rita, P., & Dhillon, G. (2017). Modelling and testing consumer trust dimensions in e-commerce. Computers in Human Behavior, 71, 153-164. https://doi.org/10.1016/j.chb.2017.01.050
Pamučar, D., & Ćirović, G. (2015). The selection of transport and handling resources in logistics centers using Multi-Attributive Border Approximation area Comparison (MABAC). Expert Systems with Applications, 42(6), 3016-3028. https://doi.org/10.1016/j.eswa.2014.11.057
Rebollo, O., Mellado, D., Sánchez, L. E., & Fernández-Medina, E. (2011). Comparative analysis of information security governance frameworks: a public sector approach. In The Proceedings of the11th European Conference on eGovernment–ECEG (pp. 482-490). Academic Conferences Limited.
Saaty, T. L. (1980). The analytic hierarchy process: Planning, priority setting, resources allocation. New York, NY: McGraw.
Saaty, T. L., Ozdemir, M. S., & Shang, J. S. (2015). The rationality of punishment–measuring the severity of crimes: an AHP-based orders-of-magnitude approach. International Journal of Information Technology & Decision Making, 14(01), 5-16. https://doi.org/10.1142/S0219622014500850
SABSA Institute. (2019). Welcome to the official SABSA website. Retrieved from http://www.sabsa.org
Safa, N. S., Von Solms, R., & Furnell, S. (2016). Information security policy compliance model in organizations. Computers & Security, 56, 70-82. https://doi.org/10.1016/j.cose.2015.10.006
Salminen, M., & Hossain, K. (2018). Digitalisation and human security dimensions in cybersecurity: an appraisal for the European High North. Polar Record, 54(2), 108-118. https://doi.org/10.1017/S0032247418000268
Sherwood, J., Clark, A., & Lynas, D. (1995). Enterprise security architecture [white paper, 2009]. SABSA.
Singh, S., & Misra, S. C. (2018). Migration of PLM systems to cloud. International Journal of Communication Systems, 31(18), 3815. https://doi.org/10.1002/dac.3815
Trcek, D. (2006). Managing information systems security and privacy. Springer Science & Business Media.
Turskis, Z., Goranin, N., Nurusheva, A., & Boranbayev, S. (2019). A fuzzy WASPAS-based approach to determine critical information infrastructures of EU sustainable development. Sustainability, 11(2), 424. https://doi.org/10.3390/su11020424
Udroiu, A., & Vevera, V. (2018). Lifelong learning for raising cybersecurity awareness. In 12th International Technology, Education and Development Conference (INTED), 2018. https://doi.org/10.21125/inted.2018.1272
Vasiu, I., & Vasiu, L. (2018). Cybersecurity as an essential sustainable economic development factor. European Journal of Sustainable Development, 7(4), 171-178. https://doi.org/10.14207/ejsd.2018.v7n4p171
Vinogradova, I., Podvezko, V., & Zavadskas, E. K. (2018). The recalculation of the weights of criteria in MCDM methods using the bayes approach. Symmetry, 10(6), 205. https://doi.org/10.3390/sym10060205
Zavadskas, E. K., & Turskis, Z. (2010). A new additive ratio assessment (ARAS) method in multicriteria decision‐making. Technological and Economic Development of Economy, 16(2), 159-172. https://doi.org/10.3846/tede.2010.10
Zavadskas, E. K., Stević, Ž., Tanackov, I., & Prentkovskis, O. (2018). A novel multicriteria approach– rough step-wise weight assessment ratio analysis method (R-SWARA) and its application in logistics. Studies in Informatics and Control, 27(1), 97-106. https://doi.org/10.24846/v27i1y201810