Event-driven method of measuring effectiveness of information security controls in software development environments

DOI: 10.31673/2409-7292.2024.030004

Authors

  • А. М. Павликевич (Pavlykevych A. М.), Lviv Polytechnic National University, Lviv
  • М. В. Дзьобан (Dzioban M. V.), SoftServe Inc., Lviv

Abstract

With the growing cost of cybersecurity incidents, proper allocation of resources for information security controls (ISCs) becomes critical for every organization. This paper describes a practical approach to measuring ISC effectiveness within software development environments (SDEs) using a method that is independent of control type and design and is based on security events: the externally measured effects of control malfunctions. Together with the suggested approach to calculating an aggregated score for SDE protection against categories of threats, this allows an actionable risk assessment (RA) framework for SDEs to be developed. The paper provides an example of building such an information security RA into an overall SDE risk management framework. The proposed SDE RA methodology was implemented using the Microsoft Power BI platform for analytics, with principal data supplied from a SIEM (metrics on control effectiveness and adoption), an ITSM system (data on control implementation status and assets per project), and the application used to conduct SDE RA assessments and risk option assignment. This paper demonstrates the use of a unified effectiveness measurement method for SDE ISCs based on security event and incident management (SIEM), as well as a method of consolidating these measurements into high-level metrics used to evaluate the overall security of a specific SDE or of the entire group of SDEs owned by the organization. The method offers a new approach for collecting meaningful benchmarking data from stakeholders without formal information security education and for providing results which can be directly used by non-IS professionals to drive management decisions within the organization.

Keywords: information security controls (ISC), cybersecurity, risk management, software development environments.
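As an added illustration of the event-driven measurement the abstract describes, the following Python sketch derives per-control effectiveness from SIEM-style events and aggregates it into per-threat-category and per-SDE scores. It is not code from the paper and does not reproduce the paper's formulas: the event schema, the "one minus malfunction share" effectiveness metric, the mean aggregation per threat category and the weakest-link rule for the overall SDE score are all assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class SecurityEvent:
    """One SIEM event attributed to a control (assumed schema).

    The outcome is the externally observed effect: 'blocked' means the control
    did its job, 'malfunction' means the threat produced an effect the control
    should have prevented or detected. Nothing about how the control is built
    is needed, which is what makes the metric control-type independent.
    """
    sde: str              # software development environment (project) the event belongs to
    control: str          # information security control the event is attributed to
    threat_category: str  # category of threat the control is mapped to
    outcome: str          # 'blocked' or 'malfunction'


# Constructed sample events, not data from the paper.
SAMPLE_EVENTS = [
    SecurityEvent("proj-a", "branch-protection", "supply-chain", "blocked"),
    SecurityEvent("proj-a", "branch-protection", "supply-chain", "blocked"),
    SecurityEvent("proj-a", "branch-protection", "supply-chain", "blocked"),
    SecurityEvent("proj-a", "branch-protection", "supply-chain", "malfunction"),
    SecurityEvent("proj-a", "secret-scanning", "credential-leak", "blocked"),
    SecurityEvent("proj-a", "secret-scanning", "credential-leak", "blocked"),
    SecurityEvent("proj-a", "secret-scanning", "credential-leak", "blocked"),
    SecurityEvent("proj-a", "secret-scanning", "credential-leak", "blocked"),
    SecurityEvent("proj-a", "dependency-review", "supply-chain", "blocked"),
    SecurityEvent("proj-a", "dependency-review", "supply-chain", "malfunction"),
    SecurityEvent("proj-b", "branch-protection", "supply-chain", "blocked"),
    SecurityEvent("proj-b", "branch-protection", "supply-chain", "blocked"),
    SecurityEvent("proj-b", "secret-scanning", "credential-leak", "malfunction"),
    SecurityEvent("proj-b", "secret-scanning", "credential-leak", "blocked"),
    SecurityEvent("proj-b", "secret-scanning", "credential-leak", "blocked"),
    SecurityEvent("proj-b", "secret-scanning", "credential-leak", "blocked"),
]


def control_effectiveness(events):
    """Effectiveness of each (sde, control) as 1 - malfunctions / all events
    attributed to that control (assumed metric). Controls with no events are
    simply absent: with no observations there is nothing to score."""
    total = defaultdict(int)
    failed = defaultdict(int)
    for ev in events:
        if ev.outcome not in ("blocked", "malfunction"):
            raise ValueError(f"unknown outcome {ev.outcome!r}")
        key = (ev.sde, ev.control)
        total[key] += 1
        if ev.outcome == "malfunction":
            failed[key] += 1
    return {key: 1 - failed[key] / total[key] for key in total}


def threat_category_scores(events):
    """Per SDE and threat category: mean effectiveness of the controls mapped
    to that category (assumed aggregation, not the paper's formula)."""
    eff = control_effectiveness(events)
    mapping = defaultdict(set)
    for ev in events:
        mapping[(ev.sde, ev.threat_category)].add(ev.control)
    return {
        (sde, cat): mean(eff[(sde, c)] for c in controls)
        for (sde, cat), controls in mapping.items()
    }


def sde_overall_score(events):
    """Per-SDE score = its weakest threat category (assumed weakest-link rule),
    so one poorly performing category cannot be hidden by strong ones."""
    per_sde = defaultdict(list)
    for (sde, _cat), score in threat_category_scores(events).items():
        per_sde[sde].append(score)
    return {sde: min(scores) for sde, scores in per_sde.items()}


if __name__ == "__main__":
    for (sde, cat), score in sorted(threat_category_scores(SAMPLE_EVENTS).items()):
        print(f"{sde} / {cat}: {score:.3f}")
    for sde, score in sorted(sde_overall_score(SAMPLE_EVENTS).items()):
        print(f"{sde} overall: {score:.3f}")
```

The weakest-link choice for the overall score is deliberate: a mean across categories would let a well-covered category mask a threat category whose controls are routinely failing, which is exactly the signal a risk owner needs to see.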



Published

2024-09-24

Section

Articles