Modern organisational structures and risk management models are shaped by a wide range of forces, including human factors, which together create an unprecedented level of uncertainty and exposure to information security risk and complicate security investment and decision making. Developing a risk-driven investment model for information security systems that accounts for the subjective nature of critical human factors is a challenging task. The overall success of an information security system depends on analysing the risks and threats so that appropriate protection mechanisms can be put in place against them. However, a lack of appropriate analysis and understanding of such dependencies potentially results in information security systems failing, or not fully achieving what depends on them. The existing literature does not provide adequate guidelines for a systematic process or an appropriate modelling language to support such analysis. This paper fills this gap by introducing a process that allows information security managers to capture possible risk-investment relationships and to reason about them. The process is supported by a modelling language based on concepts from trust and control, Secure Tropos and requirements engineering. To demonstrate the applicability and usefulness of the approach, a descriptive example from a UK organisation is used.

Keywords: Information Security (IS), Information Security Risk-Driven Investment Model (RIDIM), Risk, Social Engineering Attacks (SEAs), Security Investment (SI), Return On Investment in Information Security (ROISI).