DESIGNING AND DEVELOPING THE
KNOWLEDGE ITEMS AS PRECONDITIONS FOR IMPROVING MATURITY

The list of interventions presented in Chapter 3 forms a frame of reference for mid-market organisations that want to increase their business information security maturity in practice. The carefully selected list presents those interventions that are most effective and easiest to implement for a market that, according to the survey performed, struggles with enforcing essential interventions. By combining ISO best practices with, for example, the COBIT maturity model, organisations gain insight into the interventions they have already applied as well as those they still need to apply in order to reach a certain maturity level. Translating the most important conclusions of the research into mid-market specific recommendations for increasing security maturity, by applying a framework (of interventions, a suggested maturity model and organisational preconditions), the research primarily recommends that mid-market organisations:
− Identify applicable (mid-market) laws and legislation.
− Perform a risk and impact analysis in order to justify the implementation of the interventions necessary to achieve the desired security maturity level.
− Apply relevant norms in order to comply with laws, legislation or regulations, or a framework derived from these norms, for example COBIT.
− Involve management in assessing the business impact of not having these essential interventions in place.
− Increase security awareness throughout the organisation, since human error is the main cause of insecurity. Train and educate with a focus on correct perceptions of security on the technical as well as the business side of the organisation.
− Measure and monitor all potential technical and organisational vulnerabilities (security assessments) as a continuous process in order to stay in control and achieve the desired level of security maturity.
− Continuously maintain the knowledge and skills that are essential to stay “in control.”

Besides these seven knowledge items, the final results of this empirical exploratory research on assessing, selecting and prioritising a core set of security interventions can function as requirements for the artefact.
CONTRIBUTION ARGUMENTS
After compiling the list of interventions, we could justify the choices made in setting the requirements and articulate the contribution argument: the argument that an artefact which satisfies the requirements would contribute to a stakeholder goal in the problem context.
ARTEFACT REQUIREMENT CANDIDATES
The design research question, “Which core interventions do managers find effective in order to enhance the BIS maturity level?”, can now be answered. Firstly, management interventions based on ISO27K were investigated. Secondly, the experts ordered these practices and, thirdly, the practices were discussed, enriched and ranked. In doing so, the experts and I compiled a core set of MBIS interventions. Finally, these interventions were validated by the target group (stakeholders) to create commitment and to increase the validity and reliability of the research. The final list of core interventions is presented in sequence in a flow diagram that indicates the maturity level. This flow diagram is used in the next section of this DS research project when developing the artefact requirements.
Case 3: Defining a BIS maturity assessment method

Table columns: Intended effect | Side effect (knowledge) | Stakeholder goal | Artefact requirement | Context assumption | Contribution argument. Table cells, listed in the order they appear on the page:
− Through literature research and GSS the stakeholder group discussed and ranked a core set of management interventions relevant for MBIS. This set was validated and prioritised by the stakeholder target group through a survey.
− Validating and ranking BIS management interventions through experts.
− Established new insights and a structured list that was validated by the stakeholder group.
− Create commitment with the stakeholder group.
− Validated BoK literature from ISO27K.
− New insights for the experts.
− New insights for the stakeholders.
− Insight into relevant knowledge items to consider in the MBIS process.
− Have notion and form meaning through participation in the survey research.
− Collectively establish a core set of BIS management interventions.
− Via a prioritised set of MBIS interventions to measure and maintain MBIS.
− A prioritised key set of MBIS interventions that can function as a questionnaire to measure and maintain MBIS.
− Increase commitment by the stakeholders/target group.
− Increase in awareness by stakeholders (such as regulators), directors and managers, shown by the response of the participants.
− Knowledge of the BIS maturity position (current situation) of the organisation and the ‘to be’ situation.
− Provide stakeholders with assessment criteria to assess the organisation's BIS maturity and provide knowledge and meaning items (7 preconditions, in order to manage the MBIS process).
Figure 39: Maturing Business Information Security assessment tree. [Flow diagram; the following elements are recoverable from the page.] Maturity levels: Level 0 (Non-Existing), Level 1 (Ad-Hoc), Level 2 Repeatable but intuitive, Level 3 Defined, Level 4 Managed and Measurable, Level 5 Optimized. Decision nodes (answered Yes/No unless stated otherwise): Start; Management involvement; Informal (oral) security policy in place; Formal security policy in place, mandated by business management; Is the security policy documented and applicable to the entire organisation or just to IT (To IT / To All); Responsible and accountable IS people are assigned; Reporting on business risks is done; Core interventions enforced; All core interventions are in place and continuously monitored for improvement; Business and IT security domain is harmonised to achieve secure business goals.
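The assessment tree can be read as an ordered sequence of yes/no gates, where a maturity level is reached only when every gate belonging to it and to the levels below has been passed. The following Python is an added illustration, not the thesis's artefact or any code from the original; the question keys and the assignment of each question to a maturity level (management involvement and an informal policy for level 1, a mandated formal policy for level 2, and so on up to harmonisation of the business and IT security domains for level 5) are assumptions made for the example from reading Figure 39 top to bottom.

```python
"""Maturity assessment tree modelled as ordered yes/no gates.

Added example; not the thesis's artefact. The gate-to-level mapping is an
assumption taken from reading Figure 39 top to bottom.
"""
from dataclasses import dataclass

LEVEL_NAMES = {
    0: "Non-Existing",
    1: "Ad-Hoc",
    2: "Repeatable but intuitive",
    3: "Defined",
    4: "Managed and Measurable",
    5: "Optimized",
}

# (question key, maturity level the question belongs to). Keys and level
# assignment are assumed for this example; the questions are the nodes
# of the assessment tree in the order they appear in the figure.
GATES = [
    ("management_involvement", 1),
    ("informal_security_policy", 1),
    ("formal_policy_mandated_by_business", 2),
    ("policy_documented_for_entire_organisation", 3),  # "To All" rather than "To IT"
    ("responsible_and_accountable_people_assigned", 3),
    ("business_risk_reporting", 4),
    ("core_interventions_enforced", 4),
    ("core_interventions_continuously_monitored", 4),
    ("business_and_it_security_harmonised", 5),
]


@dataclass(frozen=True)
class Assessment:
    level: int
    name: str
    missing: tuple  # gates not yet answered "yes", in tree order


def assess(answers: dict) -> Assessment:
    """Walk the tree: level k is reached only if every gate of level <= k is 'yes'.

    `answers` maps question key -> bool; an absent key counts as 'no'.
    """
    unknown = set(answers) - {key for key, _ in GATES}
    if unknown:
        raise ValueError(f"unknown gate(s): {sorted(unknown)}")
    reached = 0
    for level in range(1, 6):
        level_gates = [key for key, lvl in GATES if lvl == level]
        if all(answers.get(key, False) for key in level_gates):
            reached = level
        else:
            break  # a 'no' at this level stops the walk; higher levels do not count
    missing = tuple(key for key, _ in GATES if not answers.get(key, False))
    return Assessment(reached, LEVEL_NAMES[reached], missing)


def gap_to(answers: dict, target_level: int) -> tuple:
    """Gates that still need a 'yes' to reach the desired ('to be') level."""
    return tuple(
        key for key, lvl in GATES
        if lvl <= target_level and not answers.get(key, False)
    )


if __name__ == "__main__":
    # Constructed answers for an organisation with a mandated formal policy
    # that still applies only to IT.
    current = {
        "management_involvement": True,
        "informal_security_policy": True,
        "formal_policy_mandated_by_business": True,
        "policy_documented_for_entire_organisation": False,
        "responsible_and_accountable_people_assigned": True,
    }
    result = assess(current)
    print(f"Current level: {result.level} ({result.name})")
    print("To reach level 3:", gap_to(current, 3))
```

The `missing` tuple and `gap_to` give the "current" versus "to be" view the table above asks for: the assessment returns not only a level but the concrete gates an organisation must still close to reach its target.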
6.2.2.4 CASE 4: DEFINING BISG METRICS AS ARTEFACT REQUIREMENTS
BACKGROUND AND INTRODUCTION
To overcome the gap between security professionals and boards in terms of knowledge and language, common ground is necessary. Lord Kelvin insightfully observed that “measurement is vital to deep knowledge and understanding in physical science.” Hence, common ground on the essential elements of BIS is needed to gain a certain degree of understanding and consensus. In 2009 NIST made a successful contribution to bridging the gap between management and operations in the field of security metrics [273]. NIST addressed the necessity of quantifying security for three reasons:

1. Strategic support, i.e. in the decision-making process boards need to rely on facts such as historical data, trends and numeric developments.
2. Quality assurance, for example using metrics in the software development lifecycle and in user access management (e.g. the number of over-privileged users).
3. Tactical oversight for monitoring and reporting the security posture of IT systems.

NIST also stresses the importance of rigorously developing this still young field of security metrics: “Advancing the state of scientifically sound, security measures and metrics (i.e., a metrology for information system security) would greatly aid the design, implementation, and operation of secure information systems.” In this research project we explored two major items. The first was metrics per level of the organisation, i.e. operational metrics (operations), tactical metrics (management) and, at the strategic level, metrics for governance and executive management. We explored whether adequate metrics existed and which new insights and knowledge needed consideration in further research. The second item was to explore whether these metrics are suitable for adoption in the artefact, mainly to measure the MBIS process. As mentioned before, maturity is a process that requires continuous attention and monitoring. We therefore formulated the main research question as follows: “Which metrics are effective for governance, management and operational level in order to measure the MBIS process?”
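To make the three organisational levels concrete, here is an added Python example (not from the original research or from NIST) that takes one of the quality-assurance metrics named above, the number of over-privileged users, and rolls it up from the operational level (which user holds which excess entitlement) through the tactical level (share of over-privileged users per department) to the strategic level (organisation-wide ratio and its trend across access-review periods). The role baselines, departments and quarterly review snapshots are constructed sample data.

```python
"""Over-privileged-user metric at operational, tactical and strategic level.

Added example; the role baselines and review snapshots below are constructed.
"""
from collections import Counter

# Constructed role baselines: entitlements a role is expected to hold.
# Anything granted beyond the baseline is treated as over-privilege.
ROLE_BASELINE = {
    "finance": {"erp_read", "erp_post"},
    "engineering": {"repo_read", "repo_write", "ci_trigger"},
    "hr": {"hris_read", "hris_edit"},
}

# Constructed quarterly access-review snapshots:
# (period, user, department, set of granted entitlements)
REVIEWS = [
    ("2023Q1", "alice", "finance", {"erp_read", "erp_post", "erp_admin"}),
    ("2023Q1", "bob", "finance", {"erp_read"}),
    ("2023Q1", "carol", "engineering", {"repo_read", "repo_write", "ci_trigger", "prod_ssh"}),
    ("2023Q1", "dave", "hr", {"hris_read", "hris_edit", "erp_read"}),
    ("2023Q2", "alice", "finance", {"erp_read", "erp_post"}),
    ("2023Q2", "bob", "finance", {"erp_read", "erp_post"}),
    ("2023Q2", "carol", "engineering", {"repo_read", "repo_write", "ci_trigger", "prod_ssh"}),
    ("2023Q2", "dave", "hr", {"hris_read", "hris_edit"}),
]


def excess_entitlements(department: str, granted: set) -> set:
    """Entitlements granted beyond the department's role baseline."""
    return granted - ROLE_BASELINE.get(department, set())


def operational_metric(period: str) -> dict:
    """Operations: which users hold which excess entitlements in a period."""
    findings = {}
    for p, user, department, granted in REVIEWS:
        if p != period:
            continue
        excess = excess_entitlements(department, granted)
        if excess:
            findings[user] = sorted(excess)  # sorted for stable reporting
    return findings


def tactical_metric(period: str) -> dict:
    """Management: share of over-privileged users per department in a period."""
    total, over = Counter(), Counter()
    for p, _user, department, granted in REVIEWS:
        if p != period:
            continue
        total[department] += 1
        if excess_entitlements(department, granted):
            over[department] += 1
    return {department: over[department] / total[department] for department in total}


def strategic_metric() -> tuple:
    """Governance: organisation-wide over-privilege ratio per period and its trend."""
    periods = sorted({p for p, *_ in REVIEWS})
    series = []
    for period in periods:
        rows = [r for r in REVIEWS if r[0] == period]
        over = sum(1 for _p, _user, department, granted in rows
                   if excess_entitlements(department, granted))
        series.append((period, over / len(rows)))
    # A board-level view needs direction, not individual findings.
    trend = ("improving" if len(series) > 1 and series[-1][1] < series[0][1]
             else "not improving")
    return series, trend


if __name__ == "__main__":
    print("Operational (2023Q1):", operational_metric("2023Q1"))
    print("Tactical (2023Q1):", tactical_metric("2023Q1"))
    print("Strategic:", strategic_metric())
```

The same raw data feeds all three levels; what changes is the aggregation. The operational view names users and entitlements so that access can be corrected, the tactical view lets a manager compare departments, and the strategic view reduces the series to a ratio and a direction, which is the kind of historical and trend data the text says boards rely on.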
RESEARCH METHOD TO ANSWER KNOWLEDGE AND DESIGN QUESTIONS