- Volume 13 Issue 1
Risk management is recognized as a significant element of information security management, while failure mode and effects analysis (FMEA) is widely used for risk analysis in the manufacturing industry. This paper presents the development of the Information Security FMEA Circle (InfoSec FMEA Circle), which supports the risk management framework by modifying traditional FMEA methodologies. To demonstrate the appropriateness of the InfoSec FMEA Circle for assessing information security, a case study at Hong Kong Science and Technology Parks Corporation (HKSTP) is employed. The InfoSec FMEA Circle is found to be an effective risk assessment methodology that contributes a stepwise risk management implementation model for information security management.
Keywords: Risk Management; Information Security; FMEA
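The abstract does not disclose how the InfoSec FMEA Circle modifies traditional FMEA, so the following is an added illustration of the classic FMEA scoring that it builds on, applied to an information-security risk register. It is not code from the paper or from HKSTP. The risk priority number RPN = S x O x D on 1-10 ordinal scales is the standard FMEA product; the register entries, their scores, the treatment threshold of 100, the severity floor of 9 and the helper names (FailureMode, rpn, rank, needs_treatment, rpn_ties, report) are all constructed for this example. The tie between two entries with equal RPN but very different severity shows the known weakness of the plain product that motivates modified variants.

```python
"""Classic FMEA risk-priority scoring applied to an information-security
risk register.  Added illustration only: the register entries, scores and
thresholds below are constructed, not taken from the paper or from HKSTP."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class FailureMode:
    asset: str
    mode: str            # how the asset fails (the threat/vulnerability pairing)
    effect: str          # consequence for the organisation
    severity: int        # S: 1 (negligible) .. 10 (catastrophic)
    occurrence: int      # O: 1 (remote) .. 10 (almost certain)
    detection: int       # D: 1 (certain to be caught) .. 10 (no detection)
    current_control: str

    def __post_init__(self) -> None:
        # Traditional FMEA uses ordinal 1-10 scales; reject anything else early.
        for name in ("severity", "occurrence", "detection"):
            value = getattr(self, name)
            if not 1 <= value <= 10:
                raise ValueError(f"{name} must be in 1..10, got {value}")


def rpn(fm: FailureMode) -> int:
    """Risk priority number, the traditional FMEA product S x O x D."""
    return fm.severity * fm.occurrence * fm.detection


def rank(register: List[FailureMode]) -> List[FailureMode]:
    """Highest RPN first; ties broken by severity, since an equal product can
    hide a catastrophic-but-rare failure behind a nuisance that happens often."""
    return sorted(register, key=lambda fm: (rpn(fm), fm.severity), reverse=True)


def needs_treatment(fm: FailureMode, rpn_threshold: int = 100,
                    severity_floor: int = 9) -> bool:
    """Assumed treatment rule (not the paper's): act on any item at or over the
    RPN threshold, and on any critical-severity item regardless of its RPN."""
    return rpn(fm) >= rpn_threshold or fm.severity >= severity_floor


def rpn_ties(register: List[FailureMode]) -> List[Tuple[int, List[str]]]:
    """Groups of distinct failure modes that share an RPN: a known weakness of
    the plain product, since 9*4*5 and 10*2*9 both give 180."""
    groups: Dict[int, List[str]] = {}
    for fm in register:
        groups.setdefault(rpn(fm), []).append(fm.asset)
    return sorted((value, assets) for value, assets in groups.items()
                  if len(assets) > 1)


# Constructed sample register (hypothetical assets, controls and scores).
SAMPLE_REGISTER = [
    FailureMode("Customer database", "SQL injection via web portal",
                "Disclosure of customer PII", 9, 4, 5, "Input validation, WAF"),
    FailureMode("VPN gateway", "Unpatched firmware", "Remote takeover of gateway",
                8, 5, 3, "Monthly patch cycle, vulnerability scanning"),
    FailureMode("Shared admin account", "Password reuse across staff",
                "Unauthorised privileged access", 7, 7, 7, "Password policy only"),
    FailureMode("Backup tapes", "Loss in transit", "Irrecoverable data loss",
                10, 2, 9, "Courier receipt, no encryption"),
    FailureMode("Office printer", "Uncollected print jobs",
                "Minor internal disclosure", 3, 8, 4, "Clean-desk policy"),
]


def report(register: List[FailureMode]) -> List[Tuple[str, int, bool]]:
    """Ranked (asset, RPN, treat?) rows: the table a risk review works from."""
    return [(fm.asset, rpn(fm), needs_treatment(fm)) for fm in rank(register)]


if __name__ == "__main__":
    for asset, score, treat in report(SAMPLE_REGISTER):
        print(f"{asset:22s} RPN={score:4d} treat={'yes' if treat else 'no'}")
    print("tied RPNs:", rpn_ties(SAMPLE_REGISTER))
```

Running it ranks the shared admin account (RPN 343) first, then the two entries tied at 180, with the severity-10 backup-tape loss placed ahead of the severity-9 database breach only because of the explicit tie-break; without it, the plain RPN gives a risk manager no basis for choosing between them, which is the kind of gap that weighted and fuzzy FMEA variants address.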