Development of Information System for Evaluation of Risk and Readiness of Cyber Security

Wiparat Pathakkhinang, Siam Technology College, Thailand, wiparatkataa@yahoo.com
Assoc. Prof. Dr. Prasong Praneetpolgrang, Sripatum University, Thailand, prasongspu@gmail.com

Abstract - This study aims to analyse cyber security risk and readiness, to propose a cyber security risk and readiness model, and to develop an information system for appraising an organization's cyber security. Siam Technology College was used as the case study. Data were collected from a sample of lecturers and officers performing ICT duties. The results show that cyber readiness comprises seven aspects: 1) cyber security strategy; 2) rules and regulations associated with cyber security; 3) a cyber security coordination and maintenance center; 4) cyber crime prevention; 5) development of cyber security manpower; 6) budgets supporting basic and applied research; and 7) cooperation with other agencies. The risk appraisal model consists of four aspects: 1) determining the risk management topics; 2) risk analysis; 3) planning for risk reduction; and 4) reporting and appraisal. When Siam Technology College was appraised against these models, its organizational cyber security readiness was at the very ready level, while its organizational cyber security risk was at the low level.

Keywords - Cyber Security, Risk Management, Readiness

I. INTRODUCTION

The use of technology also brings the risk of information threats and related information system vulnerabilities, which can be used as a channel for several forms of crime: both using the internet to commit crimes directly, known as "computer crime", and using the internet as a medium for other crimes.
Public authorities, the private sector and citizens should therefore be aware of the severity of the impact and damage that may occur. They should maintain security in order to protect against, prevent or deal with cyber attacks that would compromise enterprise systems and threaten their security. Given these priorities, a risk and readiness analysis and a conceptual model for a set of indicators should be produced so that organizations can evaluate their cyber security risks and readiness, develop their information systems accordingly, reduce the cyber threats likely to affect them, and improve their overall picture.

II. RISK MANAGEMENT

Risk is a measure of the capability to achieve the purpose of a piece of work successfully within the decisions taken, the budget, the deadline and the existing technical limitations. A project, for example, is a set of activities to be carried out in the future using limited resources within a limited time. Because the project is scheduled for the future, risk may arise at any time from uncertainty and from the limits on the resources used in the project. Project managers must therefore manage project risks in order to reduce problems within the project and reach the expected goals effectively and efficiently.

Risk management is the management of risk through several processes, including identification, risk analysis, risk evaluation, treatment, monitoring and control of the risks associated with activities, functions and working processes, so as to reduce as far as possible the damage an organization suffers from the threats it faces when an incident occurs.

A. Security

Security, which may also mean stability or safety, is widely used as a general word in everyday life, and it is often discussed alongside the word safety. Security is an important word for the military, for the administration of a country and for international politics. Its definition is very broad, ranging from individual security through group security and state security to international security. The basic meaning of security, however, is to be free from threats, anxiety or danger. Security is thus a mental state of a person, whether a political leader or an ordinary citizen, who feels safe from harm by others. The security of the state therefore means that the state (its leaders and citizens) believes itself safe from the fear of being threatened by any other state or international organization.

B. Cyber Security

The number of online users has grown for many reasons, such as the spread of portable devices and cheaper service charges, so cyber security matters in order to prevent harm from the online world to users and their assets (data). Cyber security means the protective process that enables organizations to reduce all forms of risk and damage that may affect them physically and electronically. Cyber security is a way to maintain the confidentiality, integrity and availability of information, application security, and the security of the computer networks used for storing, accessing, processing and distributing information, as well as to maintain internet security and information technology security and to prevent crime arising from attack, subversion, espionage and accidents. The term cyber security is often used together with the term information security. Although the meanings of cyber security and information security overlap, there are small differences between the two concepts. One description is that cyber security is related to traditional information security but protects not only information resources but also other assets, including people. The human factor in cyber security corresponds to the role of humans in the cyber security process and has additional dimensions, for example humans as the targets of cyber attacks, or as participants in attacks without knowing it. These dimensions have ethical implications for society, such as protecting vulnerable groups and children, which is also a social responsibility.

C. National Cyber Security Policy

Thailand's National Cyber Security Policy Framework is divided into eight strategies: 1) integrated management of national cyber security; 2) building capacity to deal with cyber security emergencies; 3) protecting the country's critical information infrastructure; 4) public-private cooperation to maintain cyber security; 5) creating awareness and knowledge of cyber security; 6) developing regulations and laws to maintain cyber security; 7) research and development for cyber security; and 8) international cooperation to strengthen cyber security.

III. METHODOLOGY

A. Population and Sample

The population of this research consisted of the instructors and personnel of Siam Technology College. The sample consisted of 35 information technology officers of the College.

B. Research Instrument

The research instrument was a questionnaire. 35 copies were distributed to the 35 sample members and all were returned, a response rate of 100%.

C. Data Analysis

This was a quantitative study. Questionnaire data were analysed with descriptive statistics, namely the mean and the standard deviation (S.D.).

IV. RESEARCH RESULTS

A. The Levels of Readiness of Cyber Security

The level of cyber security readiness was assessed in seven aspects, as shown in Table I.

TABLE I. THE LEVELS OF READINESS OF CYBER SECURITY

Aspect                                                  Mean   Readiness level
1. Cyber security strategy                              4.19   Very ready
2. Personnel                                            2.91   Moderately ready
3. Coordination center for cyber security               3.96   Very ready
4. Cyber crime prevention                               3.99   Very ready
5. Personnel development for cyber security             4.13   Very ready
6. Budgetary support for basic and applied research     3.88   Very ready
7. Collaboration with other agencies                    4.09   Very ready

The results for each of the seven aspects in Table I are as follows.

1. Cyber security strategy: readiness is at the very ready level (mean = 4.19). The organization has defined a security policy and strategy, has announced them so that personnel are aware of the cyber security strategy, and has assigned a person responsible for the matter.

2. Personnel: readiness of personnel security is at the moderately ready level (mean = 2.91). The College's staff rated at a moderate level the organization's criteria for personnel selection, employment, hand-over of work, inspection of property and revocation of rights, its training, and its efforts to raise personnel awareness of security.

3. Coordination center for cyber security: readiness is at the very ready level (mean = 3.96). The organization has a coordination center that responds to notifications of cyber threat emergencies, coordinates the exchange of information and software with other agencies, and controls the information sent through e-mail, SMS and other channels.

4. Cyber crime prevention: readiness is at the very ready level (mean = 3.99). The organization has strict information protection policies, information systems that protect information from unauthorized access or inappropriate use, personnel who detect and deal with threats, notifications that make users aware of the impact of threats, and access restrictions based on its information protection policies.

5. Personnel development for cyber security: readiness is at the very ready level (mean = 4.13). The organization develops its personnel through off-site training and field study in cyber security so that they understand their own roles, duties and responsibilities, and it raises awareness, educates and reminds all staff about cyber security.

6. Budgetary support for basic and applied research: readiness is at the very ready level (mean = 3.88). The organization supports basic and applied research on cyber security and provides budgets for publishing research articles and for organizing cyber security seminars.

7. Collaboration with other agencies: readiness is at the very ready level (mean = 4.09). The organization is ready to collaborate with external institutions on security, has established security centers to exchange information with other agencies, and has assigned a person to coordinate and be responsible for cyber security.

B. Risk Evaluation Model of Cyber Security for Siam Technology College

The risk evaluation model for Siam Technology College (Fig. 1) consists of the following steps.

Fig. 1. The Risk Evaluation Model of Cyber Security for Siam Technology College.

1. Context establishment: job titles, tasks, workflow, workplace, tools, personnel, the criteria for risk evaluation, the criteria for impact, the criteria for risk acceptance, and so on.

2. Risk analysis: the process of identifying risks, analysing them, and selecting guidelines or control measures to prevent or minimize them so that the organization's objectives are met. The analysis covers information assets, networks, software, hardware, information, and internal and external threats.

3. Risk reduction plan: managing or treating the risks by planning risk management step by step to minimize them.

4. Report and evaluation: completing the report and evaluation so that the organization does not drift from its defined objectives, and maintaining, reviewing and re-evaluating the risks continuously.

These steps were drawn as a diagram that defines the risk evaluation process clearly.

V. CONCLUSIONS

The study and analysis of cyber security risk and readiness at Siam Technology College found that the overall level of cyber security readiness of the College is very ready.
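The readiness scoring of Section IV.A (one mean and S.D. per aspect, mapped to a readiness level) and the four-step risk evaluation model of Section IV.B, as an added worked example in Python. This is the editor's illustration, not the authors' information system: the Likert thresholds, the 1 to 5 likelihood and impact scales, the risk bands, the acceptance criterion of 6, and the sample responses and risk register are all assumptions constructed for the example. With the paper's own means, readiness_level(4.19) gives "very ready" and readiness_level(2.91) gives "moderately ready".

```python
# Added worked example (editor's illustration, not the authors' system): the two
# scoring steps the paper describes, readiness by questionnaire mean and S.D., and
# the four-step risk evaluation (context, analysis, reduction plan, report).
# All thresholds, scales and sample data below are assumptions, not from the paper.
from statistics import mean, stdev

# Assumed interpretation of a 5-point Likert mean: (lower bound, label), highest first.
READINESS_LEVELS = [
    (4.51, "readiest"),
    (3.51, "very ready"),
    (2.51, "moderately ready"),
    (1.51, "slightly ready"),
    (1.00, "not ready"),
]


def readiness_level(m):
    """Map a mean score to a readiness label (assumed thresholds)."""
    for lower, label in READINESS_LEVELS:
        if m >= lower:
            return label
    return "not ready"


def score_readiness(responses):
    """responses: {aspect: [one 1-5 score per respondent]} -> {aspect: {mean, sd, level}}.
    Mirrors Table I: one mean and S.D. per readiness aspect."""
    result = {}
    for aspect, scores in responses.items():
        m = mean(scores)
        result[aspect] = {
            "mean": round(m, 2),
            "sd": round(stdev(scores), 2) if len(scores) > 1 else 0.0,
            "level": readiness_level(m),
        }
    return result


# Step 1, context establishment: the evaluation criteria are fixed before any analysis.
LIKELIHOOD_SCALE = range(1, 6)   # 1 = rare ... 5 = almost certain (assumed)
IMPACT_SCALE = range(1, 6)       # 1 = negligible ... 5 = severe (assumed)
RISK_ACCEPTANCE = 6              # assumed: a score of 6 or less is accepted as-is


def risk_level(score):
    """Assumed banding of a likelihood x impact score (1-25)."""
    if score >= 15:
        return "high"
    if score >= 7:
        return "moderate"
    return "low"


def analyse_risks(register):
    """Step 2, risk analysis: score each asset/threat pair in the register.
    Values outside the agreed scales are rejected rather than silently scored."""
    analysed = []
    for entry in register:
        if entry["likelihood"] not in LIKELIHOOD_SCALE or entry["impact"] not in IMPACT_SCALE:
            raise ValueError(f"score out of scale for {entry['asset']!r}")
        score = entry["likelihood"] * entry["impact"]
        analysed.append({**entry, "score": score, "level": risk_level(score)})
    return analysed


def treatment_plan(analysed, acceptance=RISK_ACCEPTANCE):
    """Step 3, risk reduction plan: risks above the acceptance criterion, worst first.
    A score exactly at the criterion is accepted and left out of the plan."""
    to_treat = [r for r in analysed if r["score"] > acceptance]
    return sorted(to_treat, key=lambda r: r["score"], reverse=True)


def risk_report(analysed):
    """Step 4, report and evaluation: an overall figure to review on each re-run."""
    overall = mean(r["score"] for r in analysed)
    return {
        "overall_mean": round(overall, 2),
        "overall_level": risk_level(overall),
        "count_by_level": {lvl: sum(r["level"] == lvl for r in analysed)
                           for lvl in ("high", "moderate", "low")},
    }


# Constructed sample data (five respondents, four register entries), not survey data.
SAMPLE_RESPONSES = {
    "Cyber security strategy": [4, 4, 5, 4, 4],
    "Personnel": [3, 2, 3, 4, 3],
}
SAMPLE_REGISTER = [
    {"asset": "student records database", "threat": "unauthorised access",
     "likelihood": 3, "impact": 5, "control": "role-based access and audit logging"},
    {"asset": "e-learning web server", "threat": "defacement",
     "likelihood": 2, "impact": 3, "control": "patching and file-integrity monitoring"},
    {"asset": "staff laptops", "threat": "malware via e-mail",
     "likelihood": 4, "impact": 3, "control": "mail filtering and endpoint protection"},
    {"asset": "campus Wi-Fi", "threat": "eavesdropping",
     "likelihood": 2, "impact": 2, "control": "WPA2-Enterprise"},
]

if __name__ == "__main__":
    for aspect, row in score_readiness(SAMPLE_RESPONSES).items():
        print(f"{aspect}: mean {row['mean']} S.D. {row['sd']} -> {row['level']}")
    analysed = analyse_risks(SAMPLE_REGISTER)
    for r in treatment_plan(analysed):
        print(f"treat {r['asset']} ({r['score']}, {r['level']}): {r['control']}")
    print(risk_report(analysed))
```

The plan deliberately treats a score equal to the acceptance criterion as accepted, so the e-learning server entry (score 6) appears in the report but is not scheduled for treatment. Whether equality is accepted or treated is exactly the kind of criterion that step 1 has to settle before step 2 runs, otherwise two evaluators produce different plans from the same register.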

The risk and readiness evaluation model of cyber security for Siam Technology College was then applied; by mean and standard deviation, the overall level of risk in the College's operations was found to be at the low risk level.

VI. SUGGESTIONS

International standards should be taken into account in this research: there are several security standards and risk management standards that can be applied, consistent with the vision, mission and strategy of the organization.