Supplementing ISRM models by KRI implementation

Özçakmak, Fuat
Cybersecurity efforts should be spent effectively and timely with regard to where and when they are needed because of the resource requirements. In order to secure Information Technology (IT) systems, The Information Systems Risk Management (ISRM) standards like ISO 27000, NIST 800 series and COBIT 5 frameworks are used as best practices. These standards use a diversity of metrics to monitor the Information Security Management System (ISMS). However, large amounts of money, time and human resources are needed to detect, measure and interpret all. Moreover, these standards do not deal with the resources allocated and senior managements’ concern. To avoid these concerns, Key Risk Indicator (KRI) based risk monitoring can help a significant decrease in the required resources and increase the risk monitoring effectiveness. In this study, a new KRI implementation model that can facilitate risk management, figure out costs, benefits and address stakeholders' concerns, for ISRM standards is proposed.


Technology foresight and modeling: Turkish cybersecurity foresight 2040
Çifci, Hasan; Çakır, Serhat; Department of Science and Technology Policy Studies (2019)
Foresight is a systematic and multidisciplinary process with proper methodology combinations for identifying technological, economic and social areas to prioritize investments and research to realize medium or long-term future strategies by using various resources from organizational to international level. Cybersecurity is the protection of cyber systems from cyber-attacks and providing integrity, confidentiality, and availability of those systems. In this thesis, information about technology foresight and...
Attack Tree Based Information Security Risk Assessment Method Integrating Enterprise Objectives with Vulnerabilities
Karabey, Bugra; Baykal, Nazife (2013-05-01)
In order to perform the analysis and mitigation efforts related with the information security risks there exists quantitative and qualitative approaches, but the most critical shortcoming of these methods is the fact that the outcome mainly addresses the needs and priorities of the technical community rather than the management. For the enterprise management, this information is essentially required as a decision making aid for the asset allocation and the prioritization of mitigation efforts, so, ideally t...
A Conceptual Model for a Metric Based Framework for the Monitoring of Information Security Tasks’ Efficiency
Sönmez, Ferda Özdemir (Elsevier BV; 2019)
Information Security Governance Systems are not adequate to measure the effectiveness and efficiency of security tasks for the enterprises. Although some of the systems offer ways for measurement, they still need the definition of measurement objectives and metrics. This study proposes a conceptual framework mode which has human and tool/process related metrics. This system also allows the collection of evidence data for security-related tasks and ways to motivate the security staff to provide a more produc...
An assessment model for web-based information system effectiveness
Tokdemir, Gül; Bilgen, Semih; Department of Information Systems (2009)
Information System (IS) effectiveness assessment is an important issue for the organizations as IS have become critical for their survival. With the incorporation of Internet technologies into the business environment, it is now more difficult to measure IS effectiveness, because Internet provides a borderless, non-stop, flexible communication medium. Assessing the effectiveness of web-based information systems (WIS) is vital for survival and competitive advantage which is a complicated subject since there ...
A Decision Support System for Optimal Selection of Enterprise Information Security Preventative Actions
Sonmez, Ferda Ozdemir; Günel Kılıç, Banu (2021-09-01)
Types and complexity of information security related vulnerabilities are growing rapidly and present numerous challenges to the enterprises. One of the key challenges is to identify the optimal set of precautions with limited budget. Despite the fact that majority of enterprises have a budget constraint for installing and maintaining the protection systems, the majority of the previous work only focus on prioritization of security targets and do not consider the preventative actions and budget constraints. ...
Citation Formats
F. Özçakmak, “Supplementing ISRM models by KRI implementation,” Thesis (M.S.) -- Graduate School of Social Sciences. Science and Technology Policy Studies., Middle East Technical University, 2019.