Development of metamodel for information security risk management

Abstract

Nowadays, information technology and information system have been used widely in many fields such as in business, education, marketing, transportation, medical and many other fields. In information technology and system field, a security aspect plays a vital role and thus become a challenging issue. Thus security should be ready installed and resistance to various numbers of potential attacks. In Information Security and Information Technology, it is important to decide what countermeasures that could potentially harm the organization from achieving their business objectives. Reducing risk to an acceptable level is among the main target of the risk management process. On other hand, the main reasons to fail in Information Security Risk Management (ISRM) is the complexity and inflexibility of the existing models. Domain modulars usually spend a lot of times to understand the nature of the domain which they desire to model. Even though there are many existing ISRM models appears, but to find a suit model which could provide a straight guideline to the ISRM users based on their own problems are limited. To solve this issue, this project follows seven steps to create a generic metamodel which can describe the semantics of ISRM models and its solutions through one unified model. Then validates ISRM by three validation techniques; Frequency-based Selection, Face validity and Tracing technique. Through the metamodel various risk management problems faced by different levels of ISRM users can be solved based on the problem attributes such as, risk determination specific to a firewall vulnerability problems, risk assessment for an information security project management. Directly, this can help many users/newcomers to this domain to easy understand the concepts required for their own information security risk problem.