Nowe podejścia w zarządzaniu ryzykiem dla systemów informacyjnych organizacji

• Autorzy: Fray I. E. , Pejaś J. , Hyla T.

Warianty tytułu

EN

New approach to risk management for an organization's information systems

• Języki publikacji: PL

Abstrakty

PL

W artykule przedstawiono nowe podejście do zarządzania ryzykiem w systemach informacyjnych zgodne z wymaganiami norm ISO/IEC. Proponowane podejście ma na celu zautomatyzowanie procesu podejmowania decyzji w sytuacjach, gdy oszacowanie ryzyka nie spełnia przyjętych przez organizację kryteriów tzw. postępowania z ryzykiem. W artykule zaproponowano także mechanizm wdrażania głównych procedur postępowania z ryzykiem (unikanie, ograniczenie, przeniesienie czy akceptowanie ryzyka) będący podprocesu zarządzania ryzykiem.

EN

The paper presents a new approach to risk management information systems compliant with the requirements of ISO/IEC. The proposed approach is designed to automate the decision-making process in situations where the risk assessment does not meet the criteria of so called risk treatment adopted by the organization. The paper also proposes a mechanism for the implementation of the main procedures of risk (avoidance, reduction, transfer or acceptance of risk) which is the sub-process of risk management.

Słowa kluczowe

PL

analiza ryzyka; zarządzanie ryzykiem; system informacyjny

EN

risk analysis; risk management; information system

• Wydawca: Wydawnictwo SIGMA-NOT
• Czasopismo: Przegląd Elektrotechniczny
• Rocznik: 2015
• Tom: R. 91, nr 11
• Strony: 186--190
• Opis fizyczny: Bibliogr. 23 poz., rys.

Twórcy

autor

Fray I. E.

• Zachodniopomorski Uniwersytet Technologiczny w Szczecinie, Katedra Inżynierii Oprogramowania, ul. Żołnierska 52, 71-210 Szczecin

autor

Pejaś J.

• Zachodniopomorski Uniwersytet Technologiczny w Szczecinie, Katedra Inżynierii Oprogramowania, ul. Żołnierska 52, 71-210 Szczecin

autor

Hyla T.

• Zachodniopomorski Uniwersytet Technologiczny w Szczecinie, Katedra Inżynierii Oprogramowania, ul. Żołnierska 52, 71-210 Szczecin

Bibliografia

• [1] Datta, A.: Information Technology Capability, Knowledge Assets and Firm Innovation: A Theoretical Framework for Conceptualizing the Role of Information Technology in Firm Innovation. International Journal of Strategic Information Technology and Applications. 2(2011) 9-26
• [2] Raduan, C. R., Jegak, U., Haslinda, A., Alimin, I.I.: A Conceptual Framework of the Relationship Between Organizational Resources, Capabilities, Systems, Competitive Advantage and Performance. Research Journal of International Studies. 12(2009) 45-58
• [3] Van Kleef, J.A.G., Roome, N.J.: Developing capabilities and competence for sustainable business management as innovation: a research agenda. Journal of Cleaner Production. 15(2007) 38-51
• [4] Bhatnagar, A., Ghose, S.: Segmenting consumers based on the benefits and risks of Internet shopping. Journal of Business Research. 57 (2004) 1352–1360
• [5] Byeong-Joon, M.: Consumer adoption of the internet as an information search and product purchase channel: some research hypotheses. Int. J. Internet Marketing and Advertising. 1(2004) 104-118
• [6] Bumsuk, J., Ingoo, H., Sangjae L.: Security threats to Internet: a Korean multi-industry investigation. Information & Management. 38(2001) 487–498
• [7] Posthumus, S., Solms, R.: A framework for the governance of information security. Computers & Security. 23(2004) 638–646
• [8] Baker, W. H., Wallace, L.: Is Information Security Under Control?: Investigating Quality in Information Security Management. Security & Privacy, IEEE. 5(2007) 36 – 44
• [9] Yeh, Q-J., Chang, A., J-T.: Threats and countermeasures for information system security: A cross-industry study. Information & Management. 44(2007) 480–491
• [10] Ezingeard, J. N., Bowen, S. M.: Triggers of change in information security management practices. Journal of General Management. 32(2007) 53-72
• [11] Whitman, M. E., Mattord, H.: Principles of Information Security. 3rd ed., course technology, Boston, US (2009)
• [12] Mellado, D., Blanco, C., Sánchez, L. E., Medina, E. F.: A systematic review of security requirements engineering. Computer Standards & Interfaces. 32(2010) 153–165
• [13] Méthode Harmonisée d'Analyse de Risques (MEHARI): Club de la Sécurité de l'Information Français, France (2010)
• [14] G. Stoneburner, A. Goguen, A. Feringa (2002) NIST Special Publication 800-30: Risk Management Guide for Information Technology Systems. National Institute of Standards and Technology, Gaithersburg, US
• [15] Bundesamt für Sicherheit in der Informationstechnik (2008) BSI-Standard 100-2: IT-Grundschutz Methodology, Bonn, Deutsche
• [16] Risk Analysis and Management Method (CRAMM): Central Computing and Telecommunications Agency. United Kingdom (1987)
• [17] Artur Rot (2008) IT Risk Assessment: Quantitative and Qualitative Approach, Proceeding of the Word Congress on Engineering and Computer Science, WCECS 2008, San Francisco, USA
• [18] ISOIEC 27005 (2008) Information technology _ Security techniques _ Information security risk management. International Organization for Standardization, Genève, Suisse
• [19] EBIOS (2004) Expression des Besoins et Identification des Objectifs de Securite. DCSSI, France
• [20] El Fray, I., Kurkowski, M., Pejaś, J., Mackow, W.: A New Mathematical Model for Analytical Risk Assessment and Prediction in IT Systems. Control and Cybernetics 41(2012) 1-28
• [21] Moeller, R.: IT Audit, Control, and Security. John Wiley & Sons, Inc., Hoboken, New Jersey, US (2010)
• [22] Risk Analysis and Management Method (CRAMM): Central Computing and Telecommunications Agency. United Kingdom (1987)
• [23] El Fray, I., A comparative study of risk assessment methods, MEHARI & CRAMM with a new formal model of risk assessment (FoMRA) in information systems. Computer Information Systems and Industrial Management. Springer Berlin Heidelberg, 428-442