Towards intelligence-driven information security risk management: an intelligent information security method
Document Type: PhD thesis
Access Status: Open Access
© 2015 Dr. Jeb Webb
Information security risk management (ISRM) methods aim to protect organizational information infrastructure from a range of security threats using efficient and cost‐effective means. A review of the literature identified three common practical deficiencies that can undermine ISRM: (1) Information security risk identification is commonly perfunctory; (2) Information security risks are commonly estimated with little reference to the organization’s actual situation; and (3) Information security risk assessment is commonly performed on an intermittent, non‐historical basis. These deficiencies indicate that despite implementing “best practices,” organizations are likely to have inadequate situation awareness (SA) regarding their information security risk environments. SA is achieved by a decision‐maker in progressive stages. First, one perceives relevant elements of a situation. Once these situational elements are perceived, their intrinsic and contextual meanings can be comprehended in light of established knowledge. Optimal SA is achieved when the decision-maker knows and understands enough about relevant situational elements to project the future of the situation and its implications for operational goals and objectives. Supporting SA is a matter of supporting a decision‐maker’s ability to perceive, comprehend, and project. In ISRM, the general situations of interest are organizational information security risk environments. To answer the research question, “How can situation awareness be increased in information security risk management?” this thesis offers a design science artifact that supports perception, comprehension, and projection by means of a distributed intelligence collection and analysis effort. This artifact—the Intelligent Information Security Method—is the output of an in‐depth case study of the US Intelligence Community’s enterprise management structure, which was performed using publicly available, open source documents. 
The intelligence cycle, as executed by the US Intelligence Community, was modeled using Endsley’s SA theory and comparisons were then drawn between the US model and organizations to develop a risk management system for organizations. The Intelligent Information Security Method has two major dimensions. The primary (theoretical) dimension of the method is a high level process that explains how organizational SA can be achieved in general terms. The secondary (practical) dimension of the Method concerns the practical details—or “inner workings”—of this process, which are presented as a comprehensive information security risk management system design. This thesis makes a significant contribution to information security management theory by explaining management in the cognitive terms of SA, and then describing how an organizational intelligence production effort can be used to support managerial SA. The thesis makes a significant contribution to information security management practice by specifying a management system design that organizations can use to actually achieve this theoretical objective. The Intelligent Information Security Method can be used to improve the quality of ISRM in the implementing organization while simultaneously supporting the management and optimization of the organization’s business processes.
Keywords: information security risk management; situation awareness theory; organisational situation awareness; intelligence cycle; intelligence enterprise; intelligence support to decision-making; decision support; command and control; feedback loops