ASSESSMENT OF ENTERPRISE INFORMATION SECURITY
HOW TO MAKE IT CREDIBLE AND EFFICIENT
Erik Johansson
October 2005
Submitted in partial fulfillment of the requirements for the
degree of Doctor of Philosophy
Industrial Information and Control Systems
KTH, Royal Institute of Technology
Stockholm, Sweden
Ex.R. 05-06
TRITA-ICS-0502
ISSN 1104-3504
ISRN KTH/ICS/R--05/02--SE
Cover illustration © 2005 Mathias Ekstedt and Erik Johansson
Stockholm 2005, Universitetsservice US AB
Abstract
Information is an important business asset in today’s enterprises. Hence enterprise information
security is an important system quality that must be carefully managed. Although enterprise
information security is acknowledged as one of the most central areas for enterprise IT
management, the topic still lacks adequate support for decision making on topmanagement level.
This composite thesis consists of four articles which presents the Enterprise Information
Security Assessment Method (EISAM), a comprehensive method for assessing the current state
of the enterprise information security. The method is useful in helping guide topmanagement’s decision-making because of the following reasons: 1) it is easy to
understand, 2) it is prescriptive, 3) it is credible, and 4) it is efficient.
The assessment result is easy to understand because it presents a quantitative estimate. The
result can be presented as an aggregated single value, abstracting the details of the
assessment. The result is easy to grasp and enables comparisons both within the
organization and in terms of industry in general.
The method is prescriptive since it delivers concrete and traceable measurements. This helps
guide top-level management in their decisions regarding enterprise-wide information
security by highlighting the areas where improvements efforts are essential.
It is credible for two reasons. Firstly, the method presents an explicit and transparent
definition of enterprise information security. Secondly, the method in itself includes an
indication of assessment uncertainty, expressed in terms of confidence levels.
The method is efficient because it focuses on important enterprise information security
aspects, and because it takes into account how difficult it is to find security related
evidence. Being resource sparse it enables assessments to take place regularly, which gives
valuable knowledge for long-term decision-making.
The usefulness of the presented method, along with its development, has been verified
through empirical studies at a leading electric power company in Europe and through
statistical surveys carried out among information security experts in Sweden.
The success from this research should encourage further researcher in using these analysis
techniques to guide decisions on other enterprise architecture attributes.
Key words: Enterprise Information Security, Enterprise Architecture, Security Assessment,
Information Technology Management, Architecture Theory Diagram, Electric Power Industry, Chief
Information Officer (CIO), Chief Information Security Officer (CISO).
I
ASSESSMENT OF ENTERPRISE INFORMATION SECURITY
Preface
The research and experiences reported herein spans a decade. It is the result of years of
research at the department of Industrial Information and Control Systems (ICS) at the Royal
Institute of Technology (KTH) in Stockholm, Sweden. For me personally, it all started off long
ago when I did research in the field of dependability assessments for safety-critical systems.
I noticed similar difficulties when assessing overall qualities in both safety and security
paradigms. During the years, following my Licentiate thesis, I continued to lecture at KTH,
and momentarily did some consultancies. I then observed an absence of methods for
quantitative assessments of enterprise-wide system qualities, and I was therefore enchanted
when an opportunity aroused to develop a quantitative assessment method for enterprise
information security, from the collaboration between ICS and Vattenfall AB.
Acknowledgements
First of all, I would like to express my sincere gratitude to Professor Torsten Cegrell, for
his encouragement, patience, and support during the overall course of my work. However,
without Dr. Pontus Johnson, the completion of this endeavor would not have been
possible. Pontus has provided me with invaluable support and fruitful collaboration. In
addition, I have greatly enjoyed the creative discussions and teamwork with Dr. Mathias
Ekstedt. I would also like to thank Dr. Johan Schubert for inspiring discussions during my
earlier years of research.
I am also indebted to all the people at the department for creating an atmosphere that has
made all these years both rewarding and fun. In particular, I would like to thank Judith
Westerlund, for always spreading a warm and happy atmosphere! Among the others at the
department I would particularly like to thank the members of the Enterprise Architecture
Research Programme (EARP) for excellent collaboration as well as for amusing and interesting
discussions.
My deep gratitude goes also to the sponsor of this research Vattenfall AB, particularly the
global CIO Group. I would especially like to mention Georg Karlén, without whom this
work would not have been feasible. Many thanks also to a number of individuals from the
Swedish power industry and from the Information Processing Society in Sweden, which
have contributed to results in the thesis by their cooperation and sharing of experience.
Finally, I would like to thank all my friends, my supporting parents, and my beloved wife
Carina and our lovely sons Jakob and Viktor, for their endless encouragement and support.
Stockholm, October 2005
Erik Johansson
III
Table of Contents
ABSTRACT ................................................................................................. I
PREFACE ................................................................................................. III
ACKNOWLEDGEMENTS .......................................................................... III
INTRODUCTION AND SUMMARY ................................................................7
BACKGROUND .............................................................................................................. 7
RESEARCH PURPOSE ..................................................................................................... 8
RELATED WORKS .......................................................................................................... 9
CONTRIBUTIONS ......................................................................................................... 13
RESEARCH DESIGN ...................................................................................................... 15
CONCLUSIONS ............................................................................................................ 18
REFERENCES ............................................................................................................... 21
PAPER A - AN ARCHITECTURE THEORY DIAGRAM DEFINITION ..........31
PAPER B - THE IMPORTANCE OF PRIORITIZATION ................................53
PAPER C - ESTIMATING THE CREDIBILITY OF THE RESULTS ................79
PAPER D - THE IMPORTANCE OF INFORMATION SEARCH COST .........101
V
ASSESSMENT OF ENTERPRISE INFORMATION SECURITY
VI
Introduction and Summary
INTRODUCTION AND SUMMARY
This introduction and summary starts with a description of the background for the work. It
continues with describing the rationale of this research and highlighting some related
works. Next follows a summary of the major contributions of the four included papers and
a section about the research design. Finally this introduction and summary closes with an
outline of the main conclusions of the present composite thesis.
BACKGROUND
This composite thesis presents results based upon a research project performed in
collaboration between the department of Industrial and Information Control Systems (ICS) at the
Royal Institute of Technology (KTH) and the company Vattenfall AB 1 . The research project has
focused on the development of a method for the assessment of Enterprise Information Security
(herein denoted as EIS). The project is part of ICS comprehensive research program, the
Enterprise Architecture Research Programme (EARP), that exploits the discipline of Enterprise
Architecture (EA) as an approach for managing the company’s total information system
portfolio. The primary stakeholder for the EA at a company is the persons who are
responsible for the management and evolution of the enterprise system - i.e. the overall
system of IT related entities. The overall goal of the EARP research program is to provide
top-level management with architecture-based tools and methods for planning and
decision-making of enterprise-wide information system, cf. (Johnson 2002).
In today’s large companies enterprise system is highly complex. Technically, large
enterprise possess several hundreds of extensively interconnected and heterogeneous IT
systems performing tasks that vary from Enterprise Resource Planning (ERP) to real-time
control and monitoring of the processes, such as Distributed Control System (DCS) and
Supervisory Control and Data Acquisition System (SCADA). Organizationally, the enterprise
system embraces business processes and business units using, as well as maintaining and
acquiring, the IT systems.
1
Vattenfall AB is one of today’s largest electric power companies operating in Europe (Vattenfall 2005).
7
ASSESSMENT OF ENTERPRISE INFORMATION SECURITY
Information and systems are to a large extent becoming integrated in industry operations.
Networking technologies offer tools for making communication and sharing of
information more efficient and faster than before. However, the networking and
interconnection of systems can significantly increase the enterprise exposure to information
security risks (Weiss 2001). In the operations of electric power industry a secure
communication of information is essential. A sufficient level of information security is a
necessary pre-requisite for the continuance and credibility of operations. The significance
of information security has been continuously increasing in the management of
organizations and in ensuring their operating ability as well as in maintaining disturbancefree and efficient operations. Thus, enterprise information security has become an increasingly
important system quality. Even though enterprise information security is one of the most
central areas for enterprise IT management, the area still lacks sufficient support for
decision-making on a top-management level.
The stakeholder amongst others for the present research is the CIO 2 (or the CISO 3 ) of
large enterprises whose needs drive and guide the assessment of enterprise information
security (Gottschalk et al. 2000, Kirkland 2002). The global CIO group at Vattenfall
recognized the need for an adequate method to estimate the level of information security
for the enterprise. Consequently this research project was initiated by Vattenfall. Hence
when it comes to the empirical context of this thesis, the forthcoming description is one
focused towards the requirements of the electric power industries. Furthermore it is within
this particular domain that the present research has been mainly empirically conducted.
However, it is the belief of the author that the need for, and requirements on, an adequate
assessment method regarding enterprise information security is similar in most industrial
domains.
RESEARCH PURPOSE
The purpose of this research project has been derived from Vattenfalls (along with other
large power and energy companies) need of an adequate method for the assessment of
enterprise information security.
Vattenfalls requirements of a good assessment method on enterprise information security
are stated to be; A) easy to understand, B) prescriptive, C) credible, and D) efficient. These
four aspects are further discussed below.
A) Results should be easy to understand. High-level assessment traditionally produces a
document reporting the potential findings. These types of results are difficult to
communicate in the organization and benchmarks of different units are
2
3
8
Chief Information Officer
Chief Information Security Officer
INTRODUCTION AND SUMMARY
impractical. The assessment method should rather present a numerical result.
Furthermore, the global CIO group at Vattenfall argue that the assessment result
would be easier to grasp (and thereby to communicate) if it is presented as a single
aggregated value, abstracting the assessment details. In addition, a numerical result
would be straightforward to use as a benchmark by enabling comparisons within
an organizational unit, between subsidiaries, and in terms of other power electric
companies, when directing new improvements.
B) Results should be prescriptive. In order to guide the top-level management in
decisions about improvement efforts on information security, the results from the
method should be concrete and traceable. The method should point out areas of
weaknesses and strengths thereby giving directions for improvements.
C) The assessment should be credible in two aspects. Firstly, the baseline for the
assessment has to be trustworthy, i.e. the theory has to be widely accepted.
Credible comparisons of organizational units can be established if the theory of
the assessment method is not biased towards any particular source. Secondly, this
type of assessment will always have less-than-perfect credibility; but it must be
clear to know how uncertain the result is.
D) It should be efficient. A detailed assessment of information security at the
enterprise top-level can become very expensive, due to the massive amount of
information and the resources needed to collect the appropriate evidences.
Usually, the resources available for the assessment are limited. The method has to
be efficient in terms of resource usage. An efficient assessment method is a prerequisite to enable frequent assessments to take place. Inexpensive assessment
(even though it may only be indicative) offers valuable knowledge when
performed regularly.
RELATED WORKS
This work has been inspired by, and is in many senses a continuation of, the previous
dissertations of Johnson (2002), and Ekstedt (2004). It spans a wide area of disciplines and
consequently this section will only present a brief review of related work. It begins by
describing the area of Enterprise Architecture (EA) and continues by highlighting the concept
of Information Security followed by a subsection on the notion Enterprise Information Security
(EIS). Lastly it relates to previous research on Decision-making and Assessment methods.
Enterprise Architecture. Managing a large company’s total information system portfolio
is difficult. Since large enterprises of today consist of hundreds of different systems which
are being integrated, there is an increasing need for abstracting these software-based
systems in order to grasp and manage their evolution. Already 1989, Mary Shaw stated that
9
ASSESSMENT OF ENTERPRISE INFORMATION SECURITY
“Larger Scale Systems Require Higher-Level Abstraction” (Shaw 1989). However, that was
a call for software architecture, and now it needs to be repeated for the enterprise level of
system architecture. The author agrees with Mathias Ekstedt who pointed out that the
Enterprise Architecture (EA) to a large extent has been deduced as a response to an ever
increasing need for abstracting software systems (Ekstedt 2004).
The area of EA has been widely described, discussed and defined in literature and on
websites (Zachman 1987, Spewak, Sowa and Zachman 1992, The Clinger-Cohen Act 1996,
Boar 1999, Armour et al. 1999a, Armour et al. 1999b, CIO Council 1999, Boster et al.
2000, Armour and Kaisler 2001, Armour et al. 2002, The Open Group 2003, DoDAF
2003, Jonkers et al. 2003, Perks et al. 2003, CIMOSA 2004, EAC 2004, FEAPMO 2004,
GEAO 2004, IFEAD 2004, Ronin 2004, ZIFA 2004).
Many authors have pointed out the close coupling between software architecture and
quality attributes (Boehm et al. 1978, Oskarsson 1982, Barbacci et al. 1995, Shaw et al.1996,
Allen 1997, Barbacci et al. 1997, Fenton and Pfleeger 1997, Bass et al. 1998, Kazman 1998,
Medvidovic 1999, Emmerich 2000, Garlan 2000, Kazman et al. 2001, Andersson 2002,
Johnson 2002, Clements et al. 2002, Ekstedt et al. 2004). Hence, the quality attribute of
information security is naturally a part of the EA discipline. This argument is also
strengthen by literature that state that the quality and appropriateness of a system cannot
be assessed only within the system itself, its overall context must also be taken into
consideration (Parnas 1972, Checkland 1981, Davies 1993, Brooks 1995, Kruchten 2000,
Linthicum 2000, Maier et al. 2000, Suh 2003 and Solms et al. 2004). In the case of the
continuously increasing number of integrated software systems inside companies, this
context is comprised of both the business organization and the IT departments (Stevens et
al. 1998, Johnson 2002, Ekstedt 2004, Stuart et al. 2004, Johnson and Ekstedt 2005).
Information Security. Information security is the protection of information and
information systems from unauthorized access, use, disclosure, disruption, modification, or
destruction in order to provide confidentiality, integrity, and availability of the information
processed in an organization (National Research Council 1991, Barbacci 1995, US
Government 2002). Information security as a concept is wide. Pragmatically, enterprise
information security is defined 4 by many different types of sources (OECD 1992 and 2002,
NIST 1995, Swanson et al. 1996, OMB 1996, Swanson 1998, Gollman 1999, ISO 2000, Liu
2001, Stoneburner 2001, Swanson 2001, Alberts et al. 2001a and 2003, Barman 2002,
Peltier 2002, Stoneburner 2002, SEI 2003, Gartner 2003, BSI 2003, EWICS 2003, FIPS
2003, ISF 2003, IT Governance Institute 2004, Caralli 2004, CEM 2004, Heiser 2004, PWC
2004, Ernst & Young 2005, and Ross et al. 2005).
Just as there is a problem with the consensus in the choice of word for the elaborated piece of reality, here
labelled the enterprise information security, likewise are there many words being used for it. Information Security
is most often used these days, but words such as Computer Security, Information Technology Security,
Information System Security, and even Cyber Security are also frequently encountered. However, in this thesis I
would like to emphasize that it concerns a high-level assessment by denoting the area Enterprise Information Security.
4
10
INTRODUCTION AND SUMMARY
Standards can provide an important component in the information security environment
but they should not be relied on blindly (Mercury 2003). In striving to define the area of
enterprise information security more than a few standards related to Information Security
have thus been analyzed. Several of the sources have different views. For instance some are
focus on security management (e.g. ISO 1997, ISO 2000, ISF 2003, and BSI 2003), some
on general security aspect for the processes (e.g. ITGI 2000 and 2004, and ITIL 2004), and
yet others on some specific security aspects (e.g. NIST 1995, ISO 1996, and SEI 2003).
Others are not applicable for this high-level assessment, because they focus on physical
security, and for specifying security requirements in IT products and systems (e.g. ISO
1998 and 2001, Wood 1990, ITSEC 1991 and CC 2004a-c, and Jones et al. 2005).
Enterprise Information Security. In this work four sources have been used as a base for
defining the area of enterprise information security, cf. (Johansson 2005a). The ISO/IEC
international standard 17799 Information Technology - Code of Practice for Information Security
Management (ISO 2000), National Institute of Standards and Technology (NIST) Special
Publication 800-26 Security Self-Assessment Guide for Information Technology Systems (Swanson
2001), The Standard of Good Practice for Information Security (SOGP), published by Information
Security Forum (ISF 2003), and the Operationally Critical Threat, Asset, and Vulnerability
EvaluationSM (OCTAVE®) approach released by CMU/SEI (Alberts et al. 2001b). In
October 2001 they released the OCTAVE Catalog of Practices that have been used in this
work (Alberts et al. 2001a).
NIST categorizes security technologies according to three primary purposes: support,
prevent, and recover (Swanson et al. 1996). Others (King et al. 2001; Bishop 2003) have
categorized security technologies slightly differently: prevent, detect, and recover. Others
comprise the environmental influence by pointing at the preventive and behavioral
attributes of security (Jonsson 1998). Regardless of which categorization is used, NIST
encourages security managers to use categories to help evaluate the benefit of a security
technology. Until now, security managers have little structured or quantitative guidance on
how to actually evaluate and compare technologies based on categories. The present work
contributes by providing a comprehensive categorization of the area based on syntactic and
semantic analysis (Johansson 2005a). However, finding an objective definition of the
discipline Enterprise Information Security (EIS) is not straight forward.
Based on the research performed by Johnson and Ekstedt, this work has used Architecture
Theory Diagram (ATD) as an approach for defining the area under examination (cf. Johnson
2002, Johnson et al. 2004, and Ekstedt 2004). In present research a new unambiguous and
transparent definition of enterprise information security has thus been created based on
four sources on the topic (Johansson 2005a). This transparent definition of the area
supports in the decision-making process for the CIO (Johnson et al. 2004).
Decision-making. Previous research on decision support in EA is sparse. Kazman, et al.
(Kazman et al. 2001) used multi-attribute analysis techniques to estimate the costs and
benefits of software architectural attributes, such as performance, security, and
11
ASSESSMENT OF ENTERPRISE INFORMATION SECURITY
modifiability, so that software engineers could make tradeoffs among information system
architectural design decisions. Other security decision-analysis models have been qualitative
in nature, such as the countermeasure matrix (Straub et al. 1998) which compares two security
risk-mitigation controls by highlighting their strengths and weaknesses relative to
deterrence, prevention, detection, and remedies.
Already 1996, Kontio (Kontio 1996) first proposed using a well-known decision analysis
technique called Analytic Hierarchy Process (Saaty 1990) to help software engineers make
systematic decisions when selecting commercial-off-the-shelf (COTS) products. The same
technique was used in the research performed by Karlsson, within the field of Requirement
Engineering for prioritizing requirements (Karlsson 1996 and 1998). In present research
this analysis technique has been successfully applied to help the organizations make
systematic prioritizations on the enterprise information security area (Johansson 2005b).
Moreover it has been used to perform two different surveys among security experts
(Johansson 2005b and 2005d). The tool FocalPoint used for these prioritizations is based
on the Analytic Hierarchy Process (FocalPoint 2005).
The use of statistical theory typically assumes that all observations are correct; statistical
theory cannot help us assess the credibility of individual observation, e.g. answers to
interview questions, for instance. For these purposes, this work use heuristics as employed
by historian researchers when evaluating the credibility of historical information, and as
employed by the judicial system when evaluating the credibility of witnesses and other
evidence in a court of law (Edvardsson 1998 and Pfleeger 2005). Based on the research of
Edvardsson, in the area of Critical Thinking, the present work has developed a heuristic
model to determine the credibility of individual observations (Johansson 2005c).
The work also relies on traditional statistical theory; a sample of observations may be
employed to estimate a value, e.g. the mean value, of a population. However, statistical
theory states that the fewer samples one uses and the more varied the used population is,
the lower the credibility of the estimation. Nevertheless it is possible to aggregate the
assessment answers into a single value with an estimated confidence level, cf. (Johansson
2005c) and (Blom 1984a and 1984b).
Assessment methods. To the author’s knowledge there is no single assessment method
available (besides the one proposed herein) that complies with all the high-level
requirements earlier stated by Vattenfall. The fact that assessing the qualities of information
security in the enterprise setting is both a technical and an organizational undertaking is
recognizes by most approaches today (e.g. Alberts et al. 2003, ISF 2003, SEI 2003, DFS
2004, and Veriscan 2005). In available assessment methods a lot of the focus relies on
identifying organizational assets that are important for the business by conducting
interviews with different stakeholders. But these methods do not attempt to estimate the
credibility of the measurement in the way the EISAM does (Johansson 2005c). Many
assessment methods use comprehensive checklists based on a standard, e.g. the ISO/IEC
17799 (ISO 2000). Others are mainly related to the security attribute in relation to the
12
INTRODUCTION AND SUMMARY
system design (Butler 2003). The checklist-based assessments inevitable give results that
depend on the skill of the team of respondents and the facilitator’s ability to prioritize the
areas that are most important for the enterprise under examination. Thus, existing metrics
in the field of information security, like (Swanson 2001, Swanson et al. 2003, SEI 2003, and
DFS 2004), does not easily get aggregated into a credible single value. In the method
proposed herein uncertainties of the observations are estimated and taken into account in
the result of the assessment (Johansson 2005c).
In addition, the objectiveness of the assessments is hard to judge since commercially
available methods lack transparency that enables researcher (or customers) to actually
review the baseline of their method. Besides, to the author’s knowledge there is no
available assessment method that neither takes into account for the limitations of the
available resources and optimizes the resources needed for the assessment nor estimates
the credibility of the assessment result, e.g. by examining the credibility of the respondents’
answers. Moreover, do they not assure that the most important areas are being assessed
neither do they estimate the cost of searching for the information needed.
In summary, none of today’s available assessment methods sufficiently satisfy the
requirements of Vattenfalls global CIO group, mentioned earlier in the section ”Research
Purpose.”
CONTRIBUTIONS
The section summarizes the contributions of the present work. Since this is a composite
thesis the details of the contributions are found in the four included papers, i.e. section A
to D (Johansson 2005a, Johansson 2005b, Johansson 2005c, and Johansson 2005d).
The major contribution of this thesis is a comprehensive method for assessing the current
state of enterprise information security. This method has been developed based on six
concepts: Database of Theory, Architecture Theory Diagram, Prioritization of Importance, Statistical
Credibility Analysis, Heuristic Credibility Assessment Model, and Information Search Cost Analysis.
The relation between the included papers describing these six concepts and the four major
characteristics of the presented method are presented in Table 1.
13
ASSESSMENT OF ENTERPRISE INFORMATION SECURITY
Table 1. The relation of central concepts to the characteristics of the method
Characteristic
Easy to
understand
Prescriptive
Credible
Database of Theory
X
X
X
Architecture
Theory Diagram
X
X
Concept
Efficient
A
A
Prioritization of
Importance
Statistical
Credibility Analysis
Heuristic
Credibility
Assessment Model
Information Search
Cost Analysis
Described
in paper:
X
B
X
C
X
C
X
D
In summary the presented method has the following characteristics:
-
it presents the final results as a single value that is easy to understand,
-
it indicates areas where improvement efforts are essential,
-
it offers a clear and transparent definition of enterprise information security,
-
it estimates the credibility to facilitate dependable results,
-
it enables prioritizations towards the most important areas for the enterprise,
-
it is resourceful by taking the cost of the information search into account.
The result is easy to understand because it presents a quantitative estimate that abstract the
details of the assessment. The result is easy to grasp and enables comparisons within the
organization and in terms of industry in general (Johansson 2005a and Johansson 2005c).
The method is prescriptive since it delivers concrete and traceable measurements. This helps
guide top-level management in their decisions regarding enterprise-wide information
security by highlighting the areas where there is lack of compliance and improvements
efforts are essential (Johansson 2005a, Johansson 2005b, Johansson 2005c, and Johansson
2005d).
The credibility of the method is established by the comprehensible and transparent definition
of enterprise information security. This has been established by using the concept
Architecture Theory Diagram (ATD) where several different well-known sources on the area of
enterprise information security have been consolidated (Johansson 2005a).
14
INTRODUCTION AND SUMMARY
The credibility of the results is established by indicating its uncertainty. The credibility is
expressed in terms of confidence levels, estimated by using two concepts Statistical
Credibility Analysis and Heuristic Credibility Analysis (Johansson 2005c).
The method is efficient since it focuses on important enterprise information security aspects
(Johansson 2005b). The efficiency is further optimized by taking into account how difficult it
is to find security related evidence (Johansson 2005d). This efficiency of the method
enables assessments to take place regularly, which offers valuable knowledge for long-term
decision-making.
Finally, the usefulness of the presented method, along with its development, has been
verified through empirical studies at a leading electric power company in Europe and
through statistical surveys carried out among information security experts in Sweden.
RESEARCH DESIGN
This section covers the methodological aspects that have guided the present work. It
covers the particularities of how the present work has been conducted, and the research
setting for the overall work is considered.
In table 2 different Research Strategies are listed (adapted from Yin 1994) and the strategies
used in this work are marked. As pointed out by Yin the choice of research strategy
depends mainly on the type of question and to what extent one has control over the event,
cf. Table 2 based on (Yin 1994).
Table 2. Research Strategies (Yin 1994)
Type of research
question
Control over
event
Contemporary
event
Used in
this thesis
How, why
Yes
Yes
No
Survey
Who, what, where,
how many/much
No
Yes
Yes
Archival
Who, what, where,
how many/much
No
Yes / No
Yes
History
How, why
No
No
No
Case Study
How, why
No
Yes
Yes
Experimental
This thesis mainly makes use of three research strategies. Archival Analysis has been used
15
ASSESSMENT OF ENTERPRISE INFORMATION SECURITY
when standards and documents have been used to define the area (Johansson 2005a).
Surveys have been used to prioritize the area, e.g. in (Johansson 2005b). Case Studies have
been used to estimate the credibility (Johansson 2005c) and to measure and estimate the
information search cost (Johansson 2005d).
Different types of Data Collection methods are listed in table 3 (Yin 1994). In this particular
work five of these six data collection methods have been used. Their use are described
briefly below.
Documentation has been used to establish the theory from selected standards, cf. (Johansson
2005a). Furthermore, the data collection by documentation has been of great importance in
when corroborating and augmenting evidence from other sources during the case studies,
cf. (Johansson 2005c and Johansson 2005d).
Interviews have been an important source in all the included papers (Johansson 2005a,
Johansson 2005b, Johansson 2005c, and Johansson 2005d). The assessments where made
by surveys based on focused interviews. In (Johansson 2005c) a large amount of the data
collected for estimating the credibility came from open-ended interviews. Finally, the
formal survey presented in (Johansson 2005d) was also based on interviews.
Direct observations have been a valuable source to verify data from interviews, e.g. verify if
fire extinguishers exist in the server room. However, participant observations have also been
used in a couple of occasions, e.g. testing the lengths of password etc, which could be used
to corroborate data from interviews (Johansson 2005c and Johansson 2005d).
16
INTRODUCTION AND SUMMARY
Table 3. Data Collection, strengths and weaknesses for different sources (Yin 1994)
Strengths
Documentation
Stable – can be reviewed
repeatedly
Unobtrusive – not created as
result of the study
Exact – contains exact names,
references, and details of an
event
Broad coverage – long span
of time, many events, and
many settings
Weaknesses
Retrievability – can be low
Used in
this
thesis
Yes
Biased selectively, if collection
is incomplete
Reporting bias – reflects
(unknown) bias of author
Access – may be deliberately
blocked
Archival
records
(same as above for documentation)
(same as above for documentation)
Precise and quantitative
Accessibility due to privacy
reasons
Interviews
Targeted – focused directly
on topic of study
Bias due to poorly constructed
questions
Insightful – provides
perceived causal inferences
Response bias
Yes
Yes
Inaccuracies due to poor recall
Reflexivity – interviewee gives
what interviewer wants to hear
Direct
Observations
Reality – covers event in real
time
Contextual – covers context
of event
Time-consuming
Yes
Selectively – unless broad
coverage
Reflexivity – event may
proceed differently because it is
being observed
Cost – hours needed by human
observers
Participant
Observation
(same as above for direct
observation)
Insightful into interpersonal
behavior and motives
Physical
Artifacts
Insightful into cultural
features
Insightful into technical
operations
(same as above for direct observation)
Yes
Bias due to investigator’s
manipulation of events
Selectivity
No
Availability
17
ASSESSMENT OF ENTERPRISE INFORMATION SECURITY
Regarding methods for Research Analysis, this work has mainly applied Statistical Analysis.
The statistical analyses have been used to evaluate the different surveys, to calculate the
confidence intervals, and to consolidate the theory, cf. (Johansson 2005a, Johansson 2005b,
Johansson 2005c, and Johansson 2005d). As a tool for manipulating the data, the software
Microsoft Excel has been used extensively.
In addition the presented assessment method includes other analysis method, for example
the Credibility Analysis and the Information Search Cost Analysis, but they are part of the result
of this thesis and thus are not presented as research analysis methods here. For more
information about these methods read the papers (Johansson 2005c and Johansson 2005d).
CONCLUSIONS
The conclusion of this thesis is that it is possible to develop an adequate method for the
assessment of enterprise information security.
The presented method is called the Enterprise Information Security Assessment Method (EISAM).
It is a comprehensive method for assessing the current state of the enterprise information
security. The EISAM has the following characteristics:
-
it presents the final results as a single value that is easy to understand,
-
it indicates areas where improvement efforts are essential,
-
it offers a clear and transparent definition of enterprise information security,
-
it estimates the credibility to facilitate dependable results,
-
it enables prioritizations towards the most important areas for the enterprise,
-
it is resourceful by taking the cost of the information search into account.
The result is easy to understand because it presents a quantitative estimate. The result is clear
and easy to understand since it can be presented as an aggregated single value, abstracting
the details of the assessment. The result is easy to grasp and enables comparisons within
the organization and in terms of industry in general.
The method is prescriptive since it delivers concrete and traceable measurements. This helps
guide top-level management in their decisions regarding enterprise-wide information
security by highlighting the areas where there is lack of compliance, and where
improvements efforts are essential (Johansson 2005a, Johansson 2005b, Johansson 2005c,
and Johansson 2005d).
18
INTRODUCTION AND SUMMARY
The understandability and the prescriptiveness has essentially been established by using a
Database of Theory and the concept of Architecture Theory Diagram together with Prioritization of
Importance further described in (Johansson 2005a and Johansson 2005b).
The credibility of the method is established by the comprehensible and transparent definition
of enterprise information security. This has been established by using the concept
Architecture Theory Diagram (ATD) where several different well-known sources on the area of
enterprise information security have been consolidated, further described in (Johansson
2005a).
The credibility of the results is established by indicating its uncertainty. The credibility is
expressed in terms of confidence levels, estimated by using the two concepts Statistical
Credibility Analysis and Heuristic Credibility Analysis further described in (Johansson 2005c).
The method is efficient since it focuses on important enterprise information security aspects
(Johansson 2005b). The efficiency is further optimized by taking into account how difficult it
is to find security related evidence. This prediction is based on the concept of Information
Search Cost further described in (Johansson 2005d). This efficiency of the method enables
assessments to take place regularly, which offers valuable knowledge for long-term
decision-making.
In this thesis the feasibility of using the EISAM in guiding enterprises in their information
security related decisions has been demonstrated. In addition, this thesis has provided a
preliminary evaluation of the usefulness of the ATD model on enterprise information
security. Real-world case studies have validated the feasibility of using the proposed
concepts. The usefulness of the proposed method, along with its development, has been
verified through empirical studies at a leading electric power company in Europe and
through statistical surveys carried out among information security experts in Sweden.
The success of this research should encourage further researchers in using these analysis
techniques to guide other enterprise architectural attribute decisions.
19
REFERENCES
Alberts, C., A. Dorofee, and J. Allen (2001a), OCTAVE Catalog of Practices, Version 2.0,
Technical Report CMU/SEI-2001-TR-020 Carnegie Mellon University Software
Engineering Institute, October 2001.
Alberts, C. and A. Dorofee (2001b), OCTAVE Criteria, Version 2.0, Technical Report
CMU/SEI-2001-TR-016, Carnegie Mellon University Software Engineering Institute,
December 2001.
Alberts, C. and A. Dorofee (2003) Managing Information Security Risks: The OCTAVE
Approach. New York: Addison-Wesley, 2003.
Allen, R. (1997), A Formal Approach to Software Architecture, Ph.D. Thesis, Carnegie Mellon
University, 1997.
Andersson, J. (2002), Enterprise Information Systems Management: An Engineering Perspective on the
Aspects of Time and Modifiability, Ph.D. Thesis, Royal Institute of Technology (KTH), 2002.
Armour, F. and S. Kaisler (2001), “Enterprise Architecture: Agile Transition and
Implementation,” IEEE IT Professional Vol. 3, No. 6, 2001.
Armour, F., S. Kaisler, and J. Getter (2002), “A UML-driven Enterprise Architecture Case
Study,” Proceedings of the 36th Hawaii International Conference on System Sciences, 2002.
Armour, F., S. Kaisler, and S. Liu (1999a), “A Big-Picture Look at Enterprise
Architecture”, IEEE IT Professional Vol. 1, No 1, 1999.
Armour, F., S. Kaisler, and S. Liu (1999b), “Building an Enterprise Architecture Step by
Step”, IEEE IT Professional Vol. 1, No 4, 1999.
Barbacci, M., M. Klein, and C. Weinstock (1997), Principles for Evaluating the Quality Attributes
of a Software Architecture, Technical Report CMU/SEI-96-TR-036, Carnegie Mellon
University Software Engineering Institute, 1997.
Barbacci, M., M. Klein, T. Longstaff, and C. Weinstock (1995), Quality Attributes, Technical
Report CMU/SEI-95-TR-021, Carnegie Mellon University Software Engineering Institute,
1995.
Barman S. (2002), Writing Information Security Policies, New Riders Publishing, 2002.
Bass, L., P. Clements, and R. Kazman (1998), Software Architecture in Practice, AddisonWesley, 1998.
Bishop, M. (2003), Computer Security: Art and Science, Addison Wesley, 2003.
Blom, Gunnar (1984a), Sannolikhetsteori med tillämpningar (A), Studentlitteratur, 1984.
Blom, Gunnar (1984b), Statistikteori med tillämpningar (B), Studentlitteratur, 1984.
Boar, B. (1999), Constructing Blueprints for Enterprise IT Architectures, John Wiley & Sons, 1999.
Boehm, B.W., et al. (1978), Characteristics of software quality, North Holland, 1978.
Boster, M., S. Liu, and R. Thomas (2000), “Getting the Most from Your Enterprise
Architecture,” IEEE IT Professional Vol. 2, No. 4, 2000.
21
ASSESSMENT OF ENTERPRISE INFORMATION SECURITY
Brooks, F. (1975), The Mythical Man-Month, Anniversary Edition: Essays on Software Engineering,
Addison-Wesley, 1st ed. 1975, 1995.
BSI (2003) - Bundesamt für Sicherheit in der Informationstechnik (Federal Office for
Information Security), IT Baseline Protection Manual, 2003, website http://www.bsi.bund.de/
accessed April 10, 2004.
Butler S.A. (2003), Security Attribute Evaluation Method, Ph.D Thesis, Carnegie Mellon
University, Pittsburgh, USA, May 2003.
Caralli R.A. (2004), The Critical Success Factor Method: Establishing a Foundation for Enterprise
Security Management, Technical Report CMU/SEI-2004-TR-010, Carnegie Mellon University
Software Engineering Institute, 2004
CC (2004a), Common Criteria for Information Technology Security Evaluation, “Part 1:
Introduction and general model,” Version 2.2, CCIMB-2004-01-001, January 2004, available at
http://niap.nist.gov/cc-scheme/cc_docs/cc_v22_part1.pdf last accessed 4 September
2005.
CC (2004b), Common Criteria for Information Technology Security Evaluation, “Part 2:
Security functional requirements,” Version 2.2, CCIMB-2004-01-002, January 2004, available at
http://niap.nist.gov/cc-scheme/cc_docs/cc_v22_part2.pdf last accessed 4 September
2005.
CC (2004c), Common Criteria for Information Technology Security Evaluation, “Part 3:
Security assurance requirements,” Version 2.2, CCIMB-2004-01-003, January 2004, available at
http://niap.nist.gov/cc-scheme/cc_docs/cc_v22_part3.pdf last accessed 4 September
2005.
CEM (2004), Common Methodology for Information Technology Security Evaluation,
“Evaluation Methodology” Version 2.2, CCIMB-2004-01-004, January 2004, available at
http://niap.nist.gov/cc-scheme/cc_docs/cem_v12.pdf last accessed 4 September 2005.
Checkland, P. (1981), Systems Thinking, Systems Practice, John Wiley & Sons, 1981.
CIMOSA, The CIMOSA Association (2004), http://www.cimosa.de , accessed September 7,
2004.
CIO Council (1999), The Federal Enterprise Architecture Framework, Version 1.1, The Chief
Information Officer Council, 1999, available at http://www.cio.gov/archive/fedarch1.pdf
last accessed September 4 2005.
Clinger-Cohen Act (1996), National Defense Authorization Act for Fiscal Year 1996, Division E,
Public Law 104–106, February 10, 1996, http://www.osec.doc.gov/cio/oipr/itmra.pdf
last accessed September 4, 2005.
Davies, A. (1993), Software Requirements: Objects, Functions, and States, Prentice Hall, 1993.
DFS (2004), Swedish Information Processing Society (Dataföreningen i Sverige, DFS),
SBA Check, http://www.dfs.se/products/sbaeng/check last accessed May 2004.
DoDAF (2003), DoD Architecture Framework Version 1.0, DoD Architecture Framework
Working Group, US Department of Defense, 2003.
EAC (2004), Enterprise Architecture Community, http://www.eacommunity.com , last
accessed April 10 2004.
22
REFERENCES
Edvardsson B. (1998), “The Need for Critical Thinking in Evaluation of Information”,
Proceedings of the 18th International Conference on Critical Thinking, Rohnert Park, USA, August 14, 1998.
Ekstedt M. (2004), Enterprise Architecture for IT Management - A CIO Decision Making Perspective
On Electric Power Industry, Ph.D. Thesis, Royal Institute of Technology (KTH), Stockholm,
2004.
Ekstedt M., P. Johnson, Å. Lindström, M. Gammelgård, E. Johansson, L. Plazaola, and E.
Silva (2004), “Consistent Enterprise Software System Architecture for the CIO – A utilityCost Approach”, Proceedings of the 37th annual Hawaii International Conference on System Sciences
(HICSS), Big Island, Hawaii, USA, 2004.
Emmerich W. (2000), “Software engineering for middleware: a roadmap”, International
Conference on Software Engineering, Proceedings of the Conference on The Future of Software Engineering,
Limerick, Ireland, June 04-11, 2000.
Ernst & Young (2004), Global Information Security Survey 2004, at http://www.ey.com,
accessed September 2005.
EWICS (2003), Information Operations – Target, Means and Weapon, Version 1.0, European
Workshop on Industrial Computer Systems TC7 Security subgroup, 2003, available at
http://www.ewics.org, last accessed 2005.
FEAPMO (2004), Federal Enterprise Architecture Program Management Office website,
http://www.feapmo.gov, accessed April 1, 2004.
FIPS (2003), Federal Information Processing Standards Publications, Standards for Security
Categorization of Federal Information and Information Systems, FIPS PUB 199, December 2003.
Fenton, N. and S. Pfleeger (1997), Software Metrics: A Rigorous and Practical Approach, 2nd ed.,
PWS Publishing, 1997.
FocalPoint (2005), Linköping, Sweden, website http://www.focalpoint.se, last accessed 10
February 2005.
Garlan D. (2000), “Software Architecture: a Roadmap,” In A. Finkelstein (ed.), The Future of
Software Engineering: 22nd International Conference on Software Engineering, 2000.
Gartner (2003), Information Security – Establishing a Strong Defense in Cyberspace, Gartner Inc.,
2003, available at http://www.gartner.com/5_about/news/sec_sample.pdf, accessed aug
2005.
GEAO (2004), Global Enterprise Architecture Organization web site, http://www.geao.org,
accessed April 1, 2004
Gollman, D. (1999), Computer Security, Wiley, 1999.
Gottschalk, P., and N. Taylor (2000), “Strategic Management of IS/IT Functions: The Role
of the CIO,” Proceedings of the 33rd Hawaii International Conference on System Sciences, 2000.
Heiser et al. (2004), Enterprise Security Architecture Using IBM Tivoli Security Solutions, website
http://www.redbooks.ibm.com/redbooks.nsf/redbooks ; last accessed October 2004.
IFEAD (2004), Institute for Enterprise Architecture Developments, website,
http://www.enterprise-architecture.info, accessed April 10, 2004.
23
ASSESSMENT OF ENTERPRISE INFORMATION SECURITY
ISF (2003) Information Security Forum, The Standard of Good Practice for Information Security,
2003, available at http://www.isfsecuritystandard.com, last accessed 16 May 2004.
ISO (1996), ISO/IEC TR 13335-1:1996 Information technology. Guidelines for the management of
IT security. Concepts and models for IT Security, 1996.
ISO (1997), ISO/IEC TR 13335-2:1997 Information technology. Guidelines for the management of
IT security. Managing and planning IT Security, 1997
ISO (1998), ISO/IEC TR 13335-3:1998 Information technology. Guidelines for the management of
IT security. Techniques for the management of IT security, 1998.
ISO (2000), ISO/IEC International Standard 17799:2000 Information Technology - Security
techniques - Code of Practice for Information Security Management, 2000.
ISO (2001), ISO/IEC TR 13335-5:2001Information technology. Guidelines for the management of
IT security. Management guidance of network security, 2001
ISO (2004), ISO/IEC International Standard 21827 Systems Security Engineering Capability
Maturity Model, at http://www.sse-cmm.org accessed 2004.
ITGI (2000), IT Governance Institute, Control Objectives for Information and related Technology
(COBIT), 3rd. Edition, 2000.
ITGI (2004), IT Governance Institute, COBIT Security Baseline - An Information Security
Survival Kit, 2004.
ITIL (2004), The IT Infrastructure Library (ITIL), at http://www.itil-itsm-world.com/ last
accessed 2004.
ITSEC (1991) Information Technology Security Evaluation Criteria (ITSEC), Provisional
Harmonised Criteria, Office for Official Publications of the European Communities,
Luxembourg, 1991.
Johansson E. and P. Johnson (2005a), “Assessment of EIS - An ATD Definition”,
Proceedings of the 3rd Annual Conference on Systems Engineering Research (CSER), New York,
March 23-25, 2005.
Johansson E. and P. Johnson (2005b), “Assessment of Enterprise Information Security –
The Importance of Prioritization”, Proceedings of the 9th IEEE International Annual Enterprise
Distributed Object Computing Conference (EDOC), Enschede, The Netherlands, September 1923, 2005.
Johansson E. and P. Johnson (2005c), “Assessment of Enterprise Information Security –
Estimating the Credibility of the Results”, Proceeding of the Symposium on Requirements
Engineering for Information Security (SREIS) in the 13th International IEEE Requirements Engineering
Conference, Paris, France, August 29th to September 2nd, 2005.
Johansson E., M. Ekstedt, and P. Johnson (2005d), “Assessment of Enterprise Information
Security – The Importance of Information Search Cost”, to appear in the proceedings of 39th
Hawaii International Conference on System Sciences (HICSS), Kauai, Hawaii, January 4-7, 2006.
Johansson E., P. Sandberg, and L. Pettersson (2005e), “The Enterprise Information
Security Assessment Method - an approach for credible and efficient assessments applied
in an European Energy Company”, to appear in the proceedings of 29th European Safety, Reliability
& Data Association (ESReDA) Seminar on Systems Analysis for a More Secure World, European
Commission Joint Research Centre (JRC), IPSC, Ispra, Italy, October 25-26, 2005.
24
REFERENCES
Johnson, P. (2002), Enterprise Software System Integration – An Architectural Perspective, Ph.D.
Thesis, Royal Institute of Technology (KTH), Stockholm, 2002.
Johnson, P. and M. Ekstedt (2005), The Grand Unified Theory of Software Engineering, Preprint,
ISBN 91-974620-1-2, KTH – Royal Institute of Technology, Stockholm, 2005.
Johnson, P., M. Ekstedt, E. Silva, and L. Plazaola (2004), “Using Enterprise Architecture
for CIO Decision-Making: On the importance of theory”, Proceedings of the 2nd Annual
Conference on Systems Engineering Research (CSER), April 15-16, 2004.
Jones A. and D. Ashenden (2005), Risk management for computer security: protecting your network
and information assets, Elsevier Butterworth-Heinemann, 2005.
Jonkers, H. et al. (2003), “Towards a Language for Coherent Enterprise Architecture
Descriptions,” Proceedings of the 7th IEEE International Enterprise Distributed Object Computing
Conference (EDOC’03), 2003.
Jonsson E. (1998), “An Integrated Framework for Security and Dependability”, Proceedings
of the 1998 workshop on New security paradigms, Virginia, United States, pp. 22-29, 1998.
Karlsson J. (1996), “Software Requirements Prioritizing”, Proceedings of the 2nd IEEE
International Conference on Requirements Engineering, pp. 110–116, 1996.
Karlsson J., et al. (1998), “An evaluation of methods for prioritizing software
requirements”, Information and Software Technology 39, pp. 939–947, 1998.
Kazman R., G. Abowd, L. Bass, P. Clements (1996), "Scenario-Based Analysis of Software
Architecture", IEEE Software November 1996.
Kazman R., M. Klein, M. Barbacci, T. Longstaff, H. Lipson, and J. Carriere (1998), “The
Architecture Tradeoff Analysis Method”, Proceedings of 4th IEEE International Conference on
Engineering Complex Computer Systems (ICECCS '98), Monterey, USA, 1998.
Kazman R., J. Asundi, and M. Klein (2001), “Quantifying the Costs and Benefits of
Architectural Decisions”, Proceedings of the 23rd International Conference on Software Engineering
(ICSE 23), Toronto, Canada, 2001.
Kazman R., M. Klein and P. Clements (2000), ATAM: Method for Architecture Evaluation,
Technical Report CMU/SEI-2000-TR-004 Carnegie Mellon University Software
Engineering Institute, 2000.
King, C., C. Dalton, and E. Osmanoglu (2001), Security Architecture: Design, Deployment &
Operations, McGraw-Hill RSA Press, 2001.
King, G., R. Keohane, and S. Verba (1994), Designing Social Inquiry: Scientific Inference in
Qualitative Research, Princeton University Press, 1994.
Kirkland, N. (2002), “CIO Agenda for Productivity and Growth”, Gartner Symposium ITxpo,
Cannes, France, 4-7 November, 2002.
Kontio, J. (1996), “A Case Study in Applying a Systematic Method for COTS Selection”,
Proceedings of 18th International Conference on Software Engineering, IEEE Computer Society Press,
1996.
Kruchten, P. (2000), The Rational Unified Process: An Introduction, 2nd ed. Addison-Wesley,
2000.
Linthicum, D. (2000), Enterprise Application Integration, Addison Wesley, 2000.
25
ASSESSMENT OF ENTERPRISE INFORMATION SECURITY
Liu S. (2001), “A Practical Approach to Enterprise IT Security”, IT Pro September-October,
pp 35-42, 2001.
Maier, M. and E. Rechtin (2000), The Art of Systems Architecting, 2nd ed., CRC Press, 2000.
Medvidovic, N. David S. Rosenblum, and Richard N. Taylor (1999), “A Language and
Environment for Architecture-Based Software Development and Evolution”, Proceedings of
the 21th International Conference on Software Engineering (ICSE), Los Angeles, USA, 1999.
Mercuri, R. (2003), “Standards Insecurity”, Communications of the ACM, Vol. 46, No 12,
2003.
National Research Council (1991), Computers at Risk: Safe Computing in the Information Age,
System Security Study Committee, Commission on Physical Sciences, Mathematics, and
Applications, National Research Council, Washington DC, National Academy Press, 1991,
also available at http://www.nap.edu/catalog/1581.html .
NIST (1995), National Institute of Standards and Technology (NIST) Special Publication
(SP) 800-12, An Introduction to Computer Security: The NIST Handbook, October 1995.
OECD (1992), Organization for Economic Co-operation and Development, Guidelines for
the Security of Information Systems, OECD Recommendation, Paris, 1992.
OECD (2002), Organization for Economic Co-operation and Development, Guidelines for
the Security of Information Systems and Networks: Towards a culture of security, OECD
Recommendation, Paris, 2002.
OMB Circular No. A-130 (1996), “Management of Federal Information Resources”, 1996.
Oskarsson, Ö. (1982), Mechanisms of Modifiability in Large Software Systems, Ph. D. Thesis,
Linköping University, Sweden, 1982.
Parnas, D. (1972), “On the Criteria To Be Used in Decomposing Systems into Modules,”
Communications of the ACM, Vol. 15, No. 12, 1972.
Peltier T. (2002), Information Security, Policies, Procedures, and Standards, Auerbach Publications,
2002.
Perks C. and T. Beveridge (2003), Guide to Enterprise IT Architecture, Springer Verlag, 2003
Pfleeger S.L. (2005), “Soup or Art? The Role of Evidential Force in Empirical Software
Engineering”, IEEE Software Volume 22, Issue 1, p 66 – 73, Jan-Feb 2005.
PWC (2004), PriceWaterhouseCoopers “The State of Information Security, 2003“
http://www.pwc.com, accessed 2004.
Ronin (2004), Ronin International Inc. Enterprise Unified Process website,
http://www.enterpriseunifiedprocess.info, accessed April 1, 2004.
Ross R. et al. (2005), Information Security, National Institute of Standards and Technology
Special Publication 800-53, US Government printing office, Washington D.C., February
2005.
Saaty T.L. (1980), The Analytic Hierarchy Process, McGraw-Hill, New York, USA, 1980.
SEI (2003), Software Engineering Institute, Systems Security Engineering Capability Maturity
Model® SSE-CMM Model Description Document, Version 3.0. June 15, 2003.
26
REFERENCES
Shaw, M. (1989), “Larger Scale Systems Require Higher-Level Abstractions,” Proceedings of
the 5th international workshop on Software specification and design, 1989.
Shaw, M. and D. Garlan (1996), Software Architecture: Perspectives on an Emerging Discipline,
Prentice Hall, 1996.
Solms B., et al. (2004), “The 10 deadly sins of information security management”, Computers
& Security, 23:371–376, 2004.
Sowa, J. and J Zachman (1992), “Extending and Formalizing the Framework for
Information Systems Architecture,” IBM Systems Journal, Vol. 31, No 3, 1992.
Spewak, S. (1992), Enterprise Architecture Planning: Developing a Blueprint for Data, Applications
and Technology, John Wiley & Sons, 1992.
Stevens, R., P. Brook, K. Jackson, and S. Arnold (1998), Systems Engineering: Cooping with
Complexity, Prentice Hall, 1998.
Stoneburner, G. (2001), Underlying Technical Models for Information Technology Security, National
Institute of Standards and Technology Special Publication 800-33, US Government
printing office, Washington D.C., USA, 2001
Stoneburner, G., et al. (2002), Risk Management Guide for Information Technology Systems,
National Institute of Standards and Technology Special Publication 800-30, US
Government printing office, Washington D.C., 2002.
Straub, D.W., and R.J. Welke (1998), “Coping with Systems Risk: Security Planning Models
for Management Decision Making,” Management Information System Quarterly (MISQ) Volume
22, Number 4, 1998.
Stuart A. and H.W. Lawson (2004), “Viewing systems from a business management
perspective: The ISO/IEC 15288 standard”, The Journal Systems Engineering , Volume 7,
Issue 3, pp 229-242, 2004.
Suh B., and Ingoo Han (2003), “The IS risk analysis based on a business model”, Information
& Management, 41(2):149–158, Elsevier Science Publishers, Amsterdam, The Netherlands, 2003.
Swanson M. and Barbara Guttman (1996), Generally Accepted Principles and Practices for Securing
Information Technology Systems, National Institute of Standards and Technology Special
Publication 800-14, US Government printing office, Washington D.C., September 1996.
Swanson M. (1998), Guide for Developing Security Plans for Information Technology Systems,
National Institute of Standards and Technology Special Publication 800-18, US
Government printing office, Washington D.C., December 1998.
Swanson M. (2001), Security Self-Assessment Guide for Information Technology systems, National
Institute of Standards and Technology Special Publication 800-26, US Government
printing office, Washington D.C., November 2001.
Swanson M. et al. (2003), Security Metrics for Information Technology Systems, National Institute
of Standards and Technology Special Publication 800-55, US Government printing office,
Washington D.C., July 2003.
TOG (2003), The Open Group, The Open Group Architectural Framework (TOGAF) Version
8.1, published in December 2003, http://www.opengroup.org/architecture/togaf8/index8.htm
; accessed 2004.
27
ASSESSMENT OF ENTERPRISE INFORMATION SECURITY
US Government (2002), Federal Information Security Management Act of 2002 (Title III of E-Gov),
H.R. 2458-48, SEC. 301, Information Security, http://csrc.nist.gov/policies/FISMAfinal.pdf .
Vattenfall AB (2005), website: http://www.vattenfall.com, accessed August 1, 2005
Veriscan (2005), Veriscan Rating®, http://www.veriscan.se, accessed June 16, 2005.
Weiss, J. (2001), “Electronic security technology roadmap [for electric utilities]”, Power
Engineering Society Winter Meeting, 2001, IEEE Volume 1, 2001.
Wood J. (1990), “European Harmonised IT Security Evaluation Criteria”, Proceedings of the
6th International Conference on the Application of Standards for Open Systems, USA, 1990.
Yin, R.K. (1996), Case Study Research: Design and Methods, 2nd ed., Sage Publications, 1996.
Zachman, J. (1987), “A Framework for Information Systems Architecture,” IBM Systems
Journal, Vol. 26, No 3, 1987.
ZIFA (2004), The Zachman Institute for Framework Advancement website, website:
http://www.zifa.com, accessed April 1, 2004.
28