
An Opportunity-Based Approach to Information Security Risk

  • Conference paper
Computer Security. ESORICS 2023 International Workshops (ESORICS 2023)

Abstract

The traditional approach to Information Security Risk Management (ISRM) assumes that risk can only affect businesses negatively. However, the latest edition of the standard ISO/IEC 27005:2022, Guidance on managing information security risks, provides a definition of risk that covers both positive and negative consequences. Hence, present and future business leaders can expect information security professionals in their organisations to report on positive aspects of information security risk in addition to negative risk, which is a rather new and radical idea. Since information security risk assessment has traditionally focused on threats, no guidelines currently exist for how to identify, describe or assess positive risk in the context of ISRM. The aim of this study is to describe an opportunity-based approach to information security risk. In addition, this paper discusses some limitations of how ISO/IEC 27005:2022 defines risk, and therefore also proposes a definition of positive risk in the context of ISRM. Finally, some strategies for describing and assessing positive risk are presented.

Supported by Sykehuspartner Trust.

Supported by the Raksha Project, funded by the Research Council of Norway.




Corresponding author

Correspondence to Dinh Uy Tran.


Copyright information

© 2024 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper


Cite this paper

Tran, D.U., Selnes, S.H., Jøsang, A., Hagen, J. (2024). An Opportunity-Based Approach to Information Security Risk. In: Katsikas, S., et al. Computer Security. ESORICS 2023 International Workshops. ESORICS 2023. Lecture Notes in Computer Science, vol 14399. Springer, Cham. https://doi.org/10.1007/978-3-031-54129-2_1


  • DOI: https://doi.org/10.1007/978-3-031-54129-2_1


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-54128-5

  • Online ISBN: 978-3-031-54129-2

  • eBook Packages: Computer Science (R0)
