TITLE:
A Conceptual Framework for Threat Assessment Based on Organization’s Information Security Policy
AUTHORS:
Joseph Elias Mbowe, Irina Zlotnikova, Simon S. Msanjila, George S. Oreku
KEYWORDS:
Critical Asset, Information Security, Information Security Policy, Threat Analysis, Threat Assessment, Security Threat Visualization
JOURNAL NAME:
Journal of Information Security, Vol.5 No.4, September 29, 2014
ABSTRACT: Security breaches of sensitive information have remained difficult to solve due to the increase in malware programs and unauthorized access to data stored in critical assets. As risk appetite differs from one organization to another, this prompts the integration of threat analysis tools with the organization’s information security policy so as to ensure security controls at local settings. However, it has been noted that the current tools for threat assessment processes have not encompassed information security policy for effective security management (i.e. confidentiality, integrity and availability) based on the organization’s risk appetite and culture. The information security policy serves as a tool to provide guidance on how to manage and secure all business operations, including critical assets, infrastructure and people in the organization. This guidance (e.g. usage and controls) facilitates the provisions for threat assessment and compliance based on local context. The lack of effective threat assessment frameworks at local context has promoted the exposure of critical assets such as database servers, mail servers, web servers and user smart-devices at the hands of attackers, and thus increases the risk and probability of compromise of the assets. In this paper we have proposed a conceptual framework for security threat assessment based on the organization’s information security policy. Furthermore, the study proposed the policy automation canvas to provide a methodology for alerting security managers to the possible threats found in their organizations, for quick security mitigation without depending on security expertise.