Dynamic Risk Management in Information Security

A socio-technical approach to mitigate cyber threats in the financial sector

Written by Johan Lundberg

Paper category: Master Thesis

Computer Science

Risk management in information security

According to the International Organization for Standardization (2009), risk is simply defined as "the effect of uncertainty on objectives". Risk management is described as "coordinated activities to direct and control an organization with regard to risk." The "risk management process" is defined as "the systematic application of management policies, procedures and practices to the activities of communicating, consulting, establishing the context, and identifying, analysing, evaluating, treating, monitoring and reviewing risk" (International Organization for Standardization, 2009). In other words, Information Security Risk Management (ISRM) is the process of managing all types of risk associated with the use of data in a digital environment. Dealing with risks to the three cornerstones of information security, confidentiality, integrity, and availability, is an important part of this process (National Institute of Standards and Technology, 2017). The ultimate goal is to manage and reduce risks and, in the end, to bring all identified risks into line with the organization's accepted risk level. To support this goal, the International Organization for Standardization (ISO) created the ISO/IEC 27005:2018 Information Security Risk Management standard as part of the ISO 27000 series. The standard provides guidance covering risk assessment, risk treatment, risk acceptance, risk communication, risk monitoring and risk review in order to protect information assets (International Organization for Standardization, 2018b). ISRM consists of three basic components (Dhillon, 2018) that my model aims to address: 1. risk assessment, 2. risk mitigation, and 3. risk evaluation.

The ISRM process is described as follows:

● Risk assessment: the process by which an organization or individual identifies risks and evaluates them to determine their potential impact if they are not dealt with. Risk assessment is the basis for recommending strategies to reduce risk.

● Risk mitigation: the next step after risk assessment. Mitigation covers prioritizing, implementing, and maintaining the risk-reducing controls recommended by the risk assessment so that risk stays at an appropriate level.

● Risk evaluation: an ongoing process that reviews the entire risk management effort to determine whether the current risk management is successful, or whether any improvement is needed to implement it better.

However, it is important to remember that information security risk management alone cannot solve all the security challenges an organization may face. For risk management to perform at its best, it needs to be built into the work process from the beginning and become part of daily work (Dhillon, 2018).

2.2 Dynamic Information Security Risk Management

The Dynamic Information Security Risk Management model (DISRM) should be able to monitor and mitigate both social and technical threats. When monitoring current social threats in the cyber security field that may cause damage to the organization, the model should be able to propose appropriate countermeasures with the help of cyber security expertise, and update the risk management procedures accordingly. The model should also be able to monitor current technical threats that may cause damage to the information assets of the organization, that is, violations of the confidentiality, integrity, or availability of data (Dhillon, 2018), and mitigate these threats automatically. Another important goal of DISRM is to re-prioritize the organization's efforts to protect sensitive information from leakage while minimizing the impact on the organization's daily workflow.

After a successful implementation, dynamic information security risk management should serve as an effective information security mitigation technique, and its potential should be fully exploited through the combination of social and technical measures to ensure the best protection of information assets (Dhillon, 2018). In summary, dynamic information security risk management is defined as follows: "Dynamic information security risk management is a coordinated activity that identifies and mitigates socio-technical threats to information security in a continuous and adaptive manner."

To date, research on this topic in the financial sector remains quite limited. Published papers dealing with general dynamic or adaptive risk management currently tend to focus on the technical aspects of preventing cyber attacks, such as "Dynamic Risk Management Response System for Dealing with Cyber Threats" by Gonzalez et al. (2018) and the Labassi et al. (2015) survey of quantitative and adaptive methods for information and communication system risk management, but few address dynamic information security risk management itself, Martin Lundgren (2020) being an exception. Other models and theories dealing with dynamic risk management include Microsoft's patented solution for dynamic risk management and threat identification, "Dynamic Risk Management" (Bahl, 2007), created by Pradeep Bahl in 2007 and updated and revised many times since its initial publication. It looks at dynamic risk management in operating systems from a technical point of view, using monitoring and automatic responses based on hard-coded value ranges. However, this risk management model does not consider the social aspects of information security.