Title:Multi-criteria model of information security effectiveness in organisations : doctoral dissertation
Authors:Prislan, Kaja (Author)
Bernik, Igor (Mentor)
Files:.pdf DOK_Prislan_Kaja_2016.pdf (5,02 MB)
 
Language:Slovenian
Work type:Dissertation (m)
Typology:2.08 - Doctoral Dissertation
Organization:FVV - Faculty of Criminal Justice and Security
Abstract:The informatisation of business processes is changing the concepts of ensuring organisational security. In this doctoral dissertation we explain how to approach information security management in the modern business world, what its impact on business success is, and how to assess its maturity. In a situation where the evolution of information threats unfolds alongside difficult economic conditions, many organisations are unable to manage information risks while at the same time keeping up with technological trends. The findings of the dissertation present an approach to achieving this balance and are useful for business owners, managers, professional staff and other interested parties. We find that information security management is limited above all by poor information support during planning. Organisations that do not establish their baseline situation and do not assess the success and effectiveness of their security cannot achieve alignment between operational measures, security needs and organisational strategy. We therefore place the assessment of information security quality at the forefront of the discussion. We study this area through the lens of a business function; the starting point is the recommendations from the field of information technology protection, followed by theories of systems, threat/crime prevention, management and organisation. The main result is an interdisciplinary model for assessing the information security competence of organisations. In the process of developing a comprehensive approach to assessing the state of information security, we identified measures that the profession regards as successful and effective. Through a survey conducted among experts in Slovenia, we analysed the validity of the selected measures and their impact on the quality of information security. According to the recommendations, the initial phases should first address repressive-control and logical controls, followed by strategic, social, organisational, normative and environmental aspects.
The result of the research is a decision tool composed of ten factors and 100 uniquely weighted measurement indicators. By applying the model, organisations are classified into one of six effectiveness classes, each with recommendations for improving their situation. To evaluate the usefulness of the proposed solution, we tested the model in practice in an additional study. We implemented it in a small sample of medium-sized organisations and found that information security in these organisations is in its initial stages of development. With the exception of physical, technical and logical controls, the most influential criteria are the least developed, and of all areas the greatest difficulties appear in carrying out information risk analyses. Taking into account the technological context of the organisations, by which we normalised the indexed results, it turned out that 25 % of the organisations attend only to basic aspects, 40 % fall into the intermediate level and 35 % can be assessed as good practice. In terms of the development of measures, 60 % of the organisations studied are in a reactive posture, and in general most develop roughly half of the measures in the model. By comparing the units we determined which factors separate effective organisations from ineffective ones, and through correlation analysis we developed recommendations for further measures. The evaluation also showed that the model is useful for decision-making in internal evaluations: case studies or analyses of the general situation in larger samples.
Keywords:information security, information threats, security management, security measures, effectiveness, effectiveness measurement, decision models, doctoral dissertations
Year of publishing:2016
Year of performance:2016
Place of performance:[Ljubljana
Publisher:K. Prislan]
Number of pages:373 pp.
Source:[Ljubljana
UDC:004.056:005.934(043.3)
COBISS_ID:3295210
NUK URN:URN:SI:UM:DK:DV1UVIYQ
Views:1909
Downloads:322
Categories:Misc.

Secondary language

Language:English
Title:MULTI-CRITERIA MODEL FOR EFFECTIVE INFORMATION SECURITY IN ORGANISATIONS
Abstract:In the course of this thesis, we aim to resolve three questions: how to approach information security management effectively and efficiently; what is the impact of this security function on overall business success; and how to prove security maturity through performance measurements. In today's corporate world, many organisations are challenged by their inability to successfully manage information security risks while trying to keep up with the trends of technological development. The findings of this doctoral dissertation deliver an answer that is intended for those who are interested in how to systematically advance information security in a manner that contributes to functional balance. We hypothesise and prove that information security management currently lacks proper information support. Organisations that are not capable of performing analytics of security performance cannot achieve compliance between the operational measures, security needs, and organisational strategy. Since the area has been studied through the lens of business functions, the starting points for developing a solution were based on the recommendations of IT professionals, followed by the system, threat prevention, and organisational theories. Observations made within security literature and research, legislation, and standards suggest that there are ten key areas that should be addressed when trying to manage information security risks. We identified numerous preventive and reactive technical and management-oriented security measures that should be incorporated into a security system. In the scope of initial research conducted among security experts, we analysed the validity and significance of those security measures for information security performance. The obtained data made it possible to weigh the variables in terms of their impact.
The final outcome is a decision-making tool (10×10 information security performance model) which consists of ten critical success factors and 100 unique, weighted key performance indicators. In applying this model, the organisation is categorised through six levels of maturity that determine which measures should be developed for improvement. We also aimed to validate the utility of the proposed approach, so the second study applied the 10×10 model to a small sample of organisations. We learned that information security in those organisations remains in its initial development stages. With the exception of physical, technical and logical controls, the most influential criteria are the least developed. In fact, the biggest problems are reflected in the management and analysis of information risks. These controls include a variety of approaches to the measurement of information security, which confirms the significance of the study undertaken. Taking account of the technological context of the organisations, the graph of the situation shows that 25% of the units only catered to their most basic security needs, 40% made it to the intermediate level, and 35% were recognised as good practices. The results showed that most of these organisations develop only half of the recommended security measures in the model. By benchmarking the organisations, we identified which factors separate efficient organisations from inefficient ones, and by analysing correlations between factors, we developed recommendations for further development. The most important impact of this study is that the presented model makes an original contribution to social science as well as to the field of IT security. It reaches beyond the limitations of previous studies that merely focused on isolated information security dimensions which are, in fact, interconnected.
The added value of this study is seen in the development process, as the model also considers the opinion of experts, while proving its practicality and validity. It is useful for decision-making in the context of internal evaluations or analyses of the overall situation in larger samples.
Keywords:information security, security management, governance, effectiveness and efficiency, assessment, performance measurement model, decision model