Author(s)

Joseph Elias Mbowe¹, Irina Zlotnikova¹, Simon S. Msanjila², George S. Oreku³

¹School of Computational Science and Communication Engineering, The Nelson Mandela African Institution of Science and Technology, Arusha, Tanzania.
²Faculty of Science and Technology, Mzumbe University, Morogoro, Tanzania.
³Faculty of Economics, North West University, Vanderbijlpark, South Africa.

The security breaches of sensitive information have remained difficult to solve due to increased malware programs and unauthorized access to data stored in critical assets. As risk appetite differ from one organization to another, it prompts the threat analysis tools be integrated with organization’s information security policy so as to ensure security controls at local settings. However, it has been noted that the current tools for threat assessment processes have not encompassed information security policy for effective security management (i.e. confidentiality, integrity and availability) based on organization’s risk appetite and culture. The information security policy serves as a tool to provide guidance on how to manage and secure all business operations including critical assets, infrastructure and people in the organization. This guidance (e.g. usage and controls) facilitates the provisions for threat assessment and compliance based on local context. The lack of effective threat assessment frameworks at local context have promoted the exposure of critical assets such as database servers, mails servers, web servers and user smart-devices at the hand of attackers and thus increase risks and probability to compromise the assets. In this paper we have proposed a conceptual framework for security threat assessment based on organization’s information security policy. Furthermore, the study proposed the policy automation canvas for provision of a methodology to alert the security managers what possible threats found in their organizations for quick security mitigation without depending on security expertise.

Critical Asset, Information Security, Information Security Policy, Threat Analysis, Threat Assessment, Security Threat Visualization

Mbowe, J. , Zlotnikova, I. , Msanjila, S. and Oreku, G. (2014) A Conceptual Framework for Threat Assessment Based on Organization’s Information Security Policy. Journal of Information Security, 5, 166-177. doi: 10.4236/jis.2014.54016.