Publication type: Conference paper
Type of review: Peer review (publication)
Title: Progress in Guttman scaling of IT security objectives
Authors: Mock, Ralf Günter
Kollmann, Eva
Ballhaus, Corin
Aeschlimann, Philipp
Proceedings: Reliability, risk and safety : back to the future
Pages: 522-529
Conference details: European Safety and Reliability Conference (ESREL 2010), Rhodes, Greece, 5-9 September 2010
Issue Date: 2010
Publisher / Ed. Institution: Taylor & Francis, London
ISBN: 9780415604277
Language: English
Subjects: Audit; Tool; IT security; Risk assessment
Subject (DDC): 004: Computer science
Abstract: Business constraints usually result in heuristic and biased approaches to risk analysis, e.g., checklists, at IT-driven corporations. As a corporation's management will not accept complex or extensive mathematical approaches, the only way forward is to improve the questioning within the risk analysis framework. The paper follows the idea of Guttman scaling as presented at ESREL 2009: an FMEA structures the risk analysis approach, whereas the Code of Practice (ISO/IEC 27002) gives a limited set of recommendations with regard to Information Security (IS) management. Finally, the Guttman scaling of questions about the fulfilment of recommendations results in a ranked list of staggered IS management measurements, i.e., the total fulfilment of an IS objective will result in an expected low frequency of IS management failures. The paper pictures the improvements and developments of Guttman scaling of IT security objectives. Progress has been made in re-wording and completing the list of Guttman questions with regard to ISO/IEC 27002. Special consideration was taken to enquire about only a single attribute per question. The statistical analysis of the final matrix of measurements with regard to the Code's objectives uses hierarchical clustering methods, and results are shown as dendrograms. The set of Guttman questions is further simplified in order to meet the business context. Experts at the computing centre of the University of Technology Zurich (HSZ-T) test the reworked methodology in a case study. Pros and cons are discussed.
Fulltext version: Published version
License (according to publishing contract): Licence according to publishing contract
Departement: School of Engineering
Organisational Unit: Institute of Applied Information Technology (InIT)
Appears in collections: Publikationen School of Engineering
