JDR Vol.12 No.5 pp. 1060-1072
doi: 10.20965/jdr.2017.p1060
(2017)

Paper:

Improvement of Verification of a Model Supporting Decision-Making on Information Security Risk Treatment by Using Statistical Data

Ritsuko Aiba and Takeshi Hiromatsu

Institute of Information Security
2-14-1 Tsuruya-cho Kanagawa-ku, Yokohama 221-0835, Japan

Corresponding author

Received: December 3, 2016
Accepted: July 18, 2017
Online released: September 27, 2017
Published: October 1, 2017

Keywords: information security, risk treatment, risk acceptance value, information security measures, budget of organization for information security

Abstract

This paper introduces previous studies that propose a model supporting decision-making on information security risk treatment by the top management of an organization, together with an assessment of that model using statistical data. Statistical data are used to assess the model because the data necessary for information security risk treatment are generally not disclosed for security reasons, so verification using actual data is generally difficult.

This paper therefore proposes improvements to the assessment of the model using statistical data. It proposes a method for calculating the values used in the model so that they are closer to the actual data, with the aim of obtaining more effective results from the model.


Last updated on Oct. 20, 2017