Identifying Organizational Information Security Risks Using Fuzzy Delphi
Journal of Information Technology Management
Article 10, Volume 7, Issue 1, July 2015, pages 163-184. Full text (PDF, 387.42 KB)
Article type: Research Paper
DOI: 10.22059/jitm.2015.53555
Authors
Parisa Mousavi* (1); Reza Yousefizenouz (2); Akbar Hasanpoor (2)
(1) MSc Student, Information Technology Management, Faculty of Management and Accounting, Kharazmi University, Tehran, Iran
(2) Assistant Professor, Department of Management, Faculty of Management and Accounting, Kharazmi University, Tehran, Iran
Abstract
Most organizations depend on information systems to survive and thrive, so they must take the protection of their information assets seriously. Controlling the risks to security systems requires structured, justifiable trade-offs between cost, security and mission, and those trade-offs matter most during the planning and development of such systems: sound early decisions about risk management both reduce cost and make the risks easier to control. The first step of the risk management process is risk identification, and the purpose of this study is to identify the most important organizational information security risks. The research is applied in purpose and descriptive in method. A model for identifying organizational information security risks was built from the ISO 27002 standard and the COBIT 4 framework through document study, and was then refined with the fuzzy Delphi method using the opinions of a panel of 10 IT experts from the bank under study. The resulting model identifies 6 risk factors and 20 sub-factors of organizational information security risk for the bank.
Keywords
Fuzzy Delphi; Information security; Risk identification; Risk management
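The abstract names the fuzzy Delphi method but does not show how it turns expert opinion into a list of accepted risk factors. The following is an added worked example of that screening step, written for this page; it is not code from the paper or its authors. Everything specific in it is an assumption: the five-point linguistic scale and the triangular fuzzy numbers behind it, the min / geometric-mean / max aggregation rule, the centroid defuzzification, the acceptance threshold of 0.6, and the ratings of ten hypothetical experts on five hypothetical candidate sub-factors (constructed sample data, chosen to match the paper's panel size). The paper's own scale, threshold and survey responses are not on this page. The example goes slightly beyond the abstract by rejecting unknown rating labels and by reporting the spread of each aggregated number, which is the signal a Delphi facilitator uses to decide whether a factor needs another round.

```python
"""Fuzzy Delphi screening of candidate information security risk factors.

Added worked example, not the paper's code. The linguistic scale, the
aggregation and defuzzification rules, the threshold and the survey data
below are all assumptions made for this illustration.
"""
from statistics import geometric_mean  # Python 3.8+

# Assumed five-point linguistic scale mapped to triangular fuzzy numbers
# (l, m, u) on [0, 1]. The modal value m is never 0, so the geometric mean
# used in aggregate() is always defined.
SCALE = {
    "very low":  (0.0, 0.1, 0.3),
    "low":       (0.1, 0.3, 0.5),
    "medium":    (0.3, 0.5, 0.7),
    "high":      (0.5, 0.7, 0.9),
    "very high": (0.7, 0.9, 1.0),
}


def aggregate(ratings):
    """Fuse one linguistic rating per expert into a single triangular fuzzy number.

    Classic fuzzy Delphi rule: lower bound = min of the experts' lower bounds,
    modal value = geometric mean of their modal values, upper bound = max of
    their upper bounds. Unknown labels raise instead of silently scoring 0.
    """
    try:
        tfns = [SCALE[r] for r in ratings]
    except KeyError as exc:
        raise ValueError(f"unknown rating label: {exc.args[0]!r}") from None
    if not tfns:
        raise ValueError("no ratings supplied")
    return (
        min(t[0] for t in tfns),
        geometric_mean([t[1] for t in tfns]),
        max(t[2] for t in tfns),
    )


def defuzzify(tfn):
    """Centroid of a triangular fuzzy number: (l + m + u) / 3."""
    l, m, u = tfn
    return (l + m + u) / 3.0


def screen(survey, threshold=0.6):
    """Rank candidate factors and mark those whose crisp score reaches the threshold.

    survey: {factor name: [one linguistic rating per expert]}
    Returns a list of dicts sorted from highest to lowest crisp score. 'spread'
    (u - l) shows how strongly the panel disagreed; a wide spread on a factor
    close to the threshold is the case to send back for another Delphi round.
    """
    results = []
    for factor, ratings in survey.items():
        fuzzy = aggregate(ratings)
        crisp = defuzzify(fuzzy)
        results.append({
            "factor": factor,
            "fuzzy": tuple(round(x, 3) for x in fuzzy),
            "crisp": round(crisp, 3),
            "spread": round(fuzzy[2] - fuzzy[0], 3),
            "accepted": crisp >= threshold,
        })
    results.sort(key=lambda r: r["crisp"], reverse=True)
    return results


# Constructed sample survey (assumption): ten hypothetical bank IT experts
# rating five hypothetical candidate sub-factors of information security risk.
SURVEY = {
    "weak access control on core banking systems": ["very high"] * 6 + ["high"] * 4,
    "unpatched internet-facing servers": ["high"] * 5 + ["very high"] * 3 + ["medium"] * 2,
    "no tested incident response plan": ["high"] * 4 + ["medium"] * 4 + ["low"] * 2,
    "low staff security awareness": ["medium"] * 5 + ["high"] * 3 + ["low"] * 2,
    "physical access to branch back offices": ["low"] * 5 + ["medium"] * 3 + ["very low"] * 2,
}

if __name__ == "__main__":
    for row in screen(SURVEY):
        verdict = "KEEP" if row["accepted"] else "drop"
        print(f"{verdict:4} {row['crisp']:.3f} spread={row['spread']:.2f}  {row['factor']}")
```

With the constructed ratings, the two factors the panel rated mostly "high" or "very high" pass the threshold and the other three are dropped. The third factor scores 0.505 with a spread of 0.8, which is exactly the pattern (a borderline score produced by disagreement rather than consensus) that justifies feeding the panel's aggregate back to the experts for a further round rather than discarding the factor outright.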
Title [Persian, translated]
Identifying Organizational Information Security Risks Using the Fuzzy Delphi Method in the Banking Industry
Keywords [Persian, translated]
Information security; Fuzzy Delphi; Risk; Risk identification
References
Avalincharsooghi, S., Doostari, M., Yazdianvarjani, A. & Mahdaviardestani, A. (2013). Use of artificial neural networks in information security risk assessment. Journal of Electronic & Cyber Defense, 1(1): 1-14. (in Persian)
Biglarian, P. (2012). Compilation of information security evaluation criteria (case study: Tehran Stock Exchange Organization). Master's thesis, Alzahra University, Iran. (in Persian)
Broderick, J. S. (2006). ISMS, security standards and security regulations. Information Security Technical Report.
BS ISO/IEC 27001:2005 (BS 7799-2). Information technology – Security techniques – Information security management systems – Requirements. Available at: http://www.iso.org/iso/catalogue_detail?csnumber=42103
BS ISO/IEC 27005:2008. Information technology – Security techniques – Information security risk management. Available at: http://www.iso.org/iso/catalogue_detail?csnumber=42107
Cheng, C.-H. & Lin, Y. (2002). Evaluating the best main battle tank using fuzzy decision theory with linguistic criteria evaluation. European Journal of Operational Research, 142(1): 174-186.
Chin, K. S., Tang, D. W., Wong, S. Y. & Wang, H. (2009). Assessing new product development project risk by Bayesian network with a systematic probability generation methodology. Expert Systems with Applications, 36(6): 9879-9890.
Crossler, R. E., Johnston, A. C., Lowry, P. B., Warkentin, M., Baskerville, R. & Hu, Q. (2013). Future directions for behavioral information security research. Computers & Security, 32: 90-101.
Feng, N., Wang, H. J. & Li, M. (2014). A security risk analysis model for information systems: Causal relationships of risk factors and vulnerability propagation analysis. Information Sciences, 256: 57-73.
Ge, X. Y., Yuan, Y. & Lu, L. L. (2011). An information security maturity evaluation model. Procedia Engineering, 24: 335-339.
Ghazanfari, M., Fathian, M. & Raeissafari, M. (2008). The COBIT framework as a tool for measuring the maturity of IT governance in organizations (case study: public banks). Journal of the Information and Communication Technology Association of Iran, 1(1-2): 55-64. (in Persian)
Houmb, S. H., Franqueira, V. N. L. & Engum, E. A. (2010). Quantifying security risk level from CVSS estimates of frequency and impact. The Journal of Systems and Software, 83(9): 1622-1634.
Iesavi, H. (2011). Evaluation of operational risks related to information security in the modern banking system. Master's thesis, Guilan, Iran. (in Persian)
IT Governance Institute (2007). COBIT 4.1: Control Objectives, Management Guidelines, Maturity Models.
Jafarnejad, A. & Yousefizenouz, R. (2008). A fuzzy model for ranking risks in the Petropars drilling project. Journal of Industrial Management, University of Tehran, 1(1): 21-38. (in Persian)
Jamali, G. & Hashemi, M. (2012). Assessing risk factors of bank IT projects in Bushehr using the fuzzy DEMATEL technique. Journal of Information Technology Management, 3(9): 21-40. (in Persian)
Karimi, Z. (2006). A conceptual model for information security risk assessment (case study: Bank Sepah). Master's thesis, Alzahra University, Iran. (in Persian)
Lo, C.-C. & Chen, W.-J. (2012). A hybrid information security risk assessment procedure considering interdependences between the controls. Expert Systems with Applications, 39(1): 247-257.
Malekalkalami, M. (2013). Evaluating the performance of information security management at the central libraries of public universities in Tehran against the international ISO/IEC standard. Journal of Information Processing and Management, 28(4): 895-916. (in Persian)
Mirbaha, M. (2008). IT governance in financial services and manufacturing. Master's thesis, Industrial Information and Control Systems, Royal Institute of Technology (KTH), Stockholm, Sweden.
Mireskandari, M. (2010). Information security management systems and the necessity of their use in organizations. Processor Magazine, 11(107): 30-39. (in Persian)
Van Niekerk, J. F. & Von Solms, R. (2010). Information security culture: A management perspective. Computers & Security, 29(4): 476-486.
Ozkan, S. & Karabacak, B. (2010). Collaborative risk method for information security management practices: A case context within Turkey. International Journal of Information Management, 30: 567-572.
Saleh, M. S. & Alfantookh, A. (2011). A new comprehensive framework for enterprise information security risk management. Applied Computing and Informatics, 9(2): 107-118.
Sanayeei, A., Ghazifard, A. & Sobhanmanesh, F. (2011). Factors affecting the development of radio-frequency identification (RFID) technology in electronic supply chain management. Journal of New Marketing Research, 1(1): 41-70. (in Persian)
Shafieinikabadi, M., Jafarian, A. & Jalilibolhasani, A. (2010). Impact of information security management on the integrity of organizational processes in the supply chain. Journal of Information Processing and Management, 27(2): 27-44. (in Persian)
Shahrivari, S. (2011). A model of information security governance maturity for supply chain management. Master's thesis, Tarbiat Modares University, Iran. (in Persian)
Shaw, N. E., Burgess, T. F. & Mattos, C. D. (2005). Risk assessment of option performance for new product and process development projects in the chemical industry: A case study. Journal of Risk Research, 8(7-8): 693-711.
Institute of Standards and Industrial Research of Iran (2008). Information technology – Security techniques – Code of practice for information security management. (in Persian)
Sungho, K. S., Jang, J. L. & Kim, S. (2007). Common defects in information security management system of Korean companies. The Journal of Systems and Software, 80(10): 1631-1638.
Taghva, M. & Izadi, M. (2013). Security investigation of a security system developed using service-oriented architecture. Journal of Information Technology Management, University of Tehran, 5(3): 25-42. (in Persian)
Wu, D. D., Xie, K., Chen, G. & Gong, P. (2010). A risk analysis model in concurrent engineering product development. Risk Analysis, 30(9): 1440-1453.
Yuan, T. & Chen, P. (2012). Data mining applications in e-government information security. Procedia Engineering, 29: 235-240.
Yue, W. T., Cakanyildirim, M., Ryu, Y. U. & Liu, D. (2007). Network externalities, layered protection and IT security risk management. Decision Support Systems, 44(1): 1-16.