Conference on Computer and Communications Security
Proceedings of the 2nd ACM Conference on Computer and Communications Security
November 2 - 4, 1994, Fairfax, VA USA

Security modelling for organisations
Pages 241-250

Alison Anderson, Dennis Longley and Lam For Kwok



Information security officers of large organisations have the responsibility, inter alia, to advise senior management on the current level of organisational risk and to oversee the operation of effective security systems within the organisation.

Current developments in risk analysis methodologies and system security certification, e.g. ITSEC, can provide security officers with information on the current level of organisational risk and the effectiveness of security systems. However, these activities are commonly undertaken as large one-off projects. Hence they do not provide the methodologies or tools that allow security officers to respond to the often ad hoc demands made upon them.

This paper deals with the development of a security model for use by information security officers, either as a method of monitoring the implementation of internal security policy, or as a preparatory step before seeking certification. The model comprises three main groups of security information: information system environment, information systems and information system assets. The model serves to indicate the current state of security in the organisation. A threat to the system environment can be traced through to its potential organisational impact, taking into account the current defences in the information processing systems.

The two major areas of research in the project lie in the estimation of security effectiveness from threat countermeasure diagrams, and the means of inferring business impacts from the interrelationships amongst information processing assets.
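To make the three-group model and the threat-to-impact trace concrete, here is an added illustrative example (not the paper's own model or code): an environment threat is passed through each system's countermeasures to obtain a residual likelihood, and the assets that system processes, plus everything depending on them, are summed into an expected organisational impact. The names, effectiveness figures, impact values and the multiplicative combination of countermeasures are all constructed assumptions for the illustration.

```python
from dataclasses import dataclass, field

# Constructed three-group model: environment threats, processing systems
# with their countermeasures, and the assets those systems handle.
@dataclass
class Countermeasure:
    name: str
    effectiveness: float   # assumed fraction of threat occurrences it stops

@dataclass
class Asset:
    name: str
    impact: float          # business impact if the asset is compromised
    depends_on: list = field(default_factory=list)  # assets it relies on

@dataclass
class System:
    name: str
    processes: list        # asset names handled by this system
    defences: dict         # threat name -> [Countermeasure]

def residual_likelihood(likelihood, countermeasures):
    """Likelihood left after independent countermeasures (assumed model)."""
    for cm in countermeasures:
        likelihood *= 1.0 - cm.effectiveness
    return likelihood

def affected_assets(start, assets):
    """Assets hit directly plus all assets that transitively depend on them."""
    reached, stack = set(), list(start)
    while stack:
        n = stack.pop()
        if n in reached:
            continue
        reached.add(n)
        stack.extend(a.name for a in assets if n in a.depends_on)
    return reached

def trace_threat(threat, likelihood, systems, assets):
    """Expected organisational impact of one environment threat."""
    by_name = {a.name: a for a in assets}
    total = 0.0
    for s in systems:
        p = residual_likelihood(likelihood, s.defences.get(threat, []))
        total += p * sum(by_name[a].impact for a in affected_assets(s.processes, assets))
    return round(total, 4)

# Constructed sample organisation.
ASSETS = [Asset("customer_db", 100.0), Asset("billing", 60.0, ["customer_db"]),
          Asset("web_portal", 20.0, ["billing"])]
SYSTEMS = [System("dbms_host", ["customer_db"], {"unauthorised_access": [
               Countermeasure("password", 0.5), Countermeasure("acl", 0.8)]}),
           System("web_host", ["web_portal"], {"unauthorised_access": [
               Countermeasure("firewall", 0.9)]})]
```

Running `trace_threat("unauthorised_access", 0.2, SYSTEMS, ASSETS)` shows that the database host, although better defended, dominates the expected impact because billing and the portal depend on the customer database.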

Current work is directed to the implementation of the model in a hypertext and an object oriented paradigm.



Categories and Subject Descriptors:
Computing Milieux - Management of Computing and Information Systems - Security and Protection (K.6.5); Software - Operating Systems - Security and Protection (D.4.6)

General Terms:
Management, Security, Theory
