Development of a Failure Mode and Effects Analysis Based Risk Assessment Tool for Information Security

  • Lai, Lotto Kim Hung (Hong Kong Science and Technology Parks Corporation) ;
  • Chin, Kwai Sang (Department of Systems Engineering and Engineering Management, City University of Hong Kong)
  • Received : 2013.11.14
  • Accepted : 2014.02.25
  • Published : 2014.03.30

Abstract

Risk management is recognized as a significant element of information security management, while failure mode and effects analysis (FMEA) is widely used for risk analysis in the manufacturing industry. This paper presents the development of the Information Security FMEA Circle (InfoSec FMEA Circle), which adapts traditional FMEA methodology to support an information security risk management framework. To demonstrate the appropriateness of the InfoSec FMEA Circle for assessing information security risk, a case study at Hong Kong Science and Technology Parks Corporation (HKSTP) is presented. The InfoSec FMEA Circle is found to be an effective risk assessment methodology that contributes a stepwise implementation model for information security risk management.
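The abstract names the method it adapts but not its details, so the following is an added illustration of the conventional FMEA scheme that such an adaptation starts from: each failure mode of an information asset is rated 1 to 10 for severity (S), occurrence (O) and detection (D) and ranked by the risk priority number RPN = S x O x D. This is example code written for this page, not the paper's InfoSec FMEA Circle or any code from HKSTP; the assets, failure modes and ratings are constructed, and the treatment threshold and severity floor are assumed values a practitioner would set per organisation. It also exposes the well-known weakness of plain RPN ranking, namely that different (S, O, D) combinations can collide on the same number, which is one reason the fuzzy and evidential-reasoning FMEA variants exist.

```python
"""Conventional FMEA risk-priority ranking applied to information-security failure modes.

Added example, not the paper's InfoSec FMEA Circle. It follows the textbook FMEA
scheme: each failure mode is rated 1-10 for Severity (S), Occurrence (O) and
Detection (D) and ranked by RPN = S * O * D. All assets, failure modes and
ratings below are constructed for illustration; thresholds are assumed.
"""
from dataclasses import dataclass
from typing import Dict, List

RATING_MIN, RATING_MAX = 1, 10


@dataclass(frozen=True)
class FailureMode:
    asset: str        # information asset or process under assessment
    mode: str         # how it fails (the security failure mode)
    effect: str       # consequence for confidentiality, integrity or availability
    severity: int     # 1 = negligible impact, 10 = catastrophic
    occurrence: int   # 1 = remote likelihood, 10 = almost certain
    detection: int    # 1 = almost certainly detected before harm, 10 = undetectable

    def __post_init__(self) -> None:
        # Reject out-of-scale ratings early; a typo here silently distorts the ranking.
        for name in ("severity", "occurrence", "detection"):
            value = getattr(self, name)
            if not RATING_MIN <= value <= RATING_MAX:
                raise ValueError(f"{name} must be in [{RATING_MIN}, {RATING_MAX}], got {value}")

    @property
    def rpn(self) -> int:
        """Risk priority number: the classic FMEA product of the three ratings."""
        return self.severity * self.occurrence * self.detection


def rank_by_rpn(modes: List[FailureMode]) -> List[FailureMode]:
    """Highest RPN first; ties broken by severity, then by how hard the mode is to detect."""
    return sorted(modes, key=lambda m: (m.rpn, m.severity, m.detection), reverse=True)


def needs_treatment(mode: FailureMode, rpn_threshold: int = 100, severity_floor: int = 9) -> bool:
    """A mode needs a treatment action if its RPN exceeds the (assumed) threshold, or if its
    severity is so high that no likelihood or detection rating should let it be accepted."""
    return mode.rpn > rpn_threshold or mode.severity >= severity_floor


def rpn_collisions(modes: List[FailureMode]) -> Dict[int, List[FailureMode]]:
    """Groups of modes sharing one RPN but with different (S, O, D): the classic RPN weakness,
    since a 'severe but detectable' and a 'minor but undetectable' mode can rank identically."""
    by_rpn: Dict[int, List[FailureMode]] = {}
    for m in modes:
        by_rpn.setdefault(m.rpn, []).append(m)
    return {
        rpn: ms for rpn, ms in by_rpn.items()
        if len({(m.severity, m.occurrence, m.detection) for m in ms}) > 1
    }


# Constructed sample worksheet (not from the case study).
SAMPLE: List[FailureMode] = [
    FailureMode("Customer database", "Backup media leaves site unencrypted",
                "Confidentiality loss of all records", 9, 3, 8),
    FailureMode("Web portal", "Admin password reused from a breached service",
                "Unauthorised administrative access", 8, 6, 5),
    FailureMode("Email gateway", "Spam filter outage",
                "Mail delivery delayed", 3, 7, 2),
    FailureMode("Server room", "UPS battery failure during mains outage",
                "Services unavailable", 6, 4, 5),
    FailureMode("Access control", "Leaver's account not disabled",
                "Former staff retain access", 5, 8, 6),
]


def worksheet(modes: List[FailureMode]) -> List[str]:
    """Render the ranked worksheet as text rows, flagging modes that need treatment."""
    rows = []
    for m in rank_by_rpn(modes):
        flag = "TREAT" if needs_treatment(m) else "accept"
        rows.append(f"{m.rpn:4d}  S={m.severity} O={m.occurrence} D={m.detection}  {flag:6s}  {m.asset}: {m.mode}")
    return rows


if __name__ == "__main__":
    print("\n".join(worksheet(SAMPLE)))
    for rpn, ms in rpn_collisions(SAMPLE).items():
        print(f"RPN {rpn} is shared by {len(ms)} modes with different ratings; RPN alone cannot order them")
```

In the constructed worksheet the web portal (8, 6, 5) and the leaver account (5, 8, 6) both score 240, so the ranking falls back to severity to separate them, and the unencrypted backup scores lower at 216 despite being the most severe item; the severity floor in `needs_treatment` is what keeps such a mode from being accepted purely on its product score.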

Cited by

  1. The consistency analysis of failure mode and effect analysis (FMEA) in information technology risk assessment, Heliyon, 6(1), 2020, https://doi.org/10.1016/j.heliyon.2020.e03161