INFORMATION SECURITY MANAGEMENT SYSTEM - A Case Study in a Brazilian Healthcare Organization

Ribas, Carlos Eduardo; Burattini, Marcelo Nascimento; Massad, Eduardo; Yamamoto, Jorge Kazuo

doi:10.5220/0003728201470151

Cited by 1 publication

(1 citation statement)

References 4 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…• the prioritisation of different ISec areas, i.e. a scoring scheme that assigns a value to each control and defines a weight index for different ISec domains [43][44][45];…”

Section: The Isp 10×10m Modelmentioning

confidence: 99%

A real-world information security performance assessment using a multidimensional socio-technical approach

2020

View full text Add to dashboard Cite

Measuring the performance of information security is an essential part of the information security management system within organisations. Studies in the past mainly focused on establishing qualitative measurement approaches. Since these can lead to ambiguous conclusions, quantitative metrics are being increasingly proposed as a useful alternative. Nevertheless, the literature on quantitative approaches remains scarce. Thus, studies on the evaluation of information security performance are challenging, especially since many approaches are not tested in organisational settings. The paper aims to validate the model used for evaluating the performance of information security management system through a multidimensional socio-technical approach, in a real-world settings among medium-sized enterprises in Slovenia. The results indicate that information security is strategically defined and compliant, however, measures are primarily implemented at technical and operational levels, while its strategic management remains underdeveloped. We found that the biggest issues are related to information resources and risk management, where information security measurement-related activities proved to be particularly problematic. Even though enterprises do possess certain information security capabilities and are aware of the importance of information security, their current practices make it difficult for them to keep up with the fast-paced technological and security trends.

show abstract

“…• the prioritisation of different ISec areas, i.e. a scoring scheme that assigns a value to each control and defines a weight index for different ISec domains [43][44][45];…”

Section: The Isp 10×10m Modelmentioning

confidence: 99%