
Dynamic Risk Management in Information Security : A socio-technical approach to mitigate cyber threats in the financial sector


Academic year: 2021



Dynamic Risk Management in Information Security

A socio-technical approach to mitigate cyber threats in the financial sector

Author: Johan Lundberg

(860817)

Semester: VT20

Thesis, Master of Science, 30 credits
Subject: Informatics

Örebro University School of Business
Supervisor: Ella Kolkowska


Abstract

In the last decade, a new wave of socio-technical cyber threats has emerged that is targeting both the technical and social vulnerabilities of organizations and requires fast and efficient threat mitigations. Yet, it is still common that financial organizations rely on yearly reviewed risk management methodologies that are slow and static to mitigate the ever-changing cyber threats. The purpose of this research is to explore the field of Dynamic Risk Management in Information Security from a socio-technical perspective in order to mitigate both types of threats faster and dynamically to better suit the connected world we live in today. In this study, the Design Science Research methodology was utilized to create a Dynamic Information Security Risk Management model based on functionality requirements collected through interviews with professionals in the financial sector and structured literature studies. Finally, the constructed dynamic model was then evaluated in terms of its functionality and usability. The results of the evaluation showed that the finalized dynamic risk management model has great potential to mitigate both social and technical cyber threats in a dynamic fashion.

Keywords: Dynamic Information Security Risk Management Model, DISRMM, Dynamic Risk Management, Adaptive Risk Management, Socio-Technical, Sociotechnical, Social Triggers, Technical Triggers, Information Security, Usability, SEO, Search Engine Optimization, SEAR-Evasion, SEAR Evasion Approach, Dynamic, Risk Management, Socio-technical Threats, Risk Management Finance, Technical Risk Management Finance, Social Risk Management Finance, Socio-technical Model, Design Science Research.


Acknowledgments

As I am writing the last sentences of my thesis, I look back and reminisce over all the late nights of studies over the past years leading up to this moment. How much I have learned by unconventionally deciding to attend university at an age close to thirty, and shortly after realizing it was one of the best decisions I ever made. Learning about Information Security, IT-security, and Socio-Technical aspects on an advanced level has been everything I hoped for and more. On another note, I also realized how frustrating research can be, and at the same time how sweet the sudden realization and relief is after a breakthrough hits at four in the morning, proving that the quote I once heard on my favorite television show Scrubs, “Nothing in this world that’s worth having comes easy” continues to hold up even to this day.

First and foremost, I want to thank my parents, my father Glenn and my mother Pia, who always supported me with their guidance and love throughout the adventures in my life. I thank my siblings for their support when their brother suddenly decided to move halfway across the country to pursue his dreams in another city, and my relatives and my girlfriend for all your love and support. A special mention to my beloved grandmothers: Mormor Greta (1923-2013) and Farmor Dagny (1931-2017), I made it! ☺

I dedicate this master thesis to the research in dynamic risk management as gratitude to the education I have been given over the years at both Linnaeus University (2015-2018) and Örebro University (2018-2020). I especially want to express my gratitude towards my research supervisor, Ella Kolkowska, at Örebro University for her kindness, for always being available, and for providing great feedback that helped me grow as a researcher. I want to thank examiner Shang Gao at Örebro University for providing me with valuable insights to reach my greatest potential in thesis writing.

I would also like to thank the staff at Örebro University School of Business for believing in me and providing highly educational lectures during my time in Örebro. I want to thank my classmates from Örebro University for their excellent teamwork during our studies in the new Information Security Management master’s program. Moreover, I want to show my gratitude to Kommuninvest for their professional ideas and feedback that made this thesis possible, for helping me achieve one of my greatest accomplishments up to this day.

Finally, I want to thank all the other people not mentioned here who have supported me directly or indirectly throughout the years. Thank you so much!

Johan Lundberg


ABSTRACT ... 2

ACKNOWLEDGMENTS ... 3

1. INTRODUCTION ... 7

2. RELATED RESEARCH ... 9

2.1 RISK MANAGEMENT IN INFORMATION SECURITY ... 9

2.2 DYNAMIC INFORMATION SECURITY RISK MANAGEMENT ... 10

2.3 EXISTING APPROACHES FOR DYNAMIC RISK MANAGEMENT ... 11

3. RESEARCH METHOD ... 13

3.1 CASE SETTINGS ... 13

3.2 DESIGN SCIENCE RESEARCH ... 14

3.3 HOW DESIGN SCIENCE RESEARCH WAS USED IN THE STUDY ... 15

3.4 THE FIVE PHASES OF THE DESIGN SCIENCE RESEARCH ... 15

PHASE 1A.AWARENESS OF PROBLEM /PROBLEM IDENTIFICATION... 15

PHASE 2A:SUGGESTION ... 16

PHASE 3A:DEVELOPMENT ... 18

PHASE 4A:EVALUATION ... 19

PHASE 5A:CONCLUSION ... 20

3.5 DATA COLLECTION ... 20

3.5.1 LITERATURE REVIEW ... 20

3.5.3 INTERVIEWS ... 23

4. RESULTS ... 26

PHASE 1B:AWARENESS OF PROBLEM ... 26

PHASE 2B:SUGGESTION ... 27

PHASE 3B:DEVELOPMENT ... 28

4.1 THE DYNAMIC INFORMATION SECURITY RISK MANAGEMENT MODEL ... 29

4.2 WALKTHROUGH OF THE DYNAMIC INFORMATION SECURITY RISK MANAGEMENT PROCESS STEPS ... 32

4.2.1 STEP A–DYNAMICALLY TRIGGERED ALARM ... 32

4.2.2 STEP B–THE RISK ANALYSIS ... 32

4.2.3 STEP C–THE RISK EVALUATION ... 33

4.2.4 STEP D–COMMUNICATING WITH TEAM LEADERS ... 34

4.2.5 STEP E–COMMUNICATING WITH TEAMS ... 34

4.2.6 STEP F–TEAM LEADERS FEEDBACK (EVALUATION OF WORK PROCESS) ... 35

4.2.7 STEP G–UPDATING THE ROUTINES ... 35

4.2.8 STEP H–UPDATING THE SYSTEM ... 35

PHASE 4B:EVALUATION ... 38

PHASE 5B:CONCLUSION ... 45


5.1.THEORETICAL CONTRIBUTIONS ... 46

5.2.PRACTICAL IMPLICATIONS ... 47

6. LIMITATIONS ... 49

7. CONCLUSION ... 50

7.1 FUTURE RESEARCH ... 50

REFERENCES ... 51

APPENDICES ... 56

APPENDIX 1: “EVALUATION POLL” ... 56


List of Definitions & Acronyms

Name – Meaning

AR – Action Research.

Black hat – A cracker/hacker with bad intentions.

CIO – Chief Information Officer.

CISO – Chief Information Security Officer.

DDoS – Distributed Denial of Service Attack.

DISRMM – Dynamic Information Security Risk Management Model.

DRMM – Dynamic Risk Management Model.

DSR – Design Science Research.

HIPAA – Health Insurance Portability and Accountability Act.

IS – Information Security.

ISO – International Organization for Standardization.

ISRM – Information Security Risk Management.

NIST – National Institute of Standards and Technology.


1. Introduction

An increasing number of enterprises around the world are starting to see the benefits of digitalization (Barrett et al, 2015). But with great opportunities comes a great threat: at the same time as companies embrace digitalization, they also expose themselves to becoming targets of emerging cyber attacks (Gerber & Sons, 2015; FBI, 2016; Schirrmacher et al, 2018). Cyber attacks can be defined as “an attempt to damage, disrupt, or gain unauthorized access to a computer, computer system, or electronic communications network.” (Dictionary, 2020a). The main reason behind these cyber attacks is thought to be intelligence gathering performed by hackers trying to steal sensitive information from organizations. This goal motivates 96% of all identified hacker groups who perform the targeted attacks, with the financial services industry facing the highest cost of cybercrime (Symantec, 2019).

In 2019, Boston Consulting Group (2019), one of the world's largest strategy consulting firms, reported that cyber attacks have been targeting the financial sector 300 times more than other companies over the last years. This shows that there is an urgent need to protect financial organizations from impending cyber attacks targeting sensitive financial data. Kommuninvest, a financial organization in Sweden that was used as the case setting in this study, also reinforces the need for continuous risk management to mitigate such cyber attacks in a fast and efficient way. A common way to mitigate the damage of cyber attacks is to rely on Information Security Risk Management (ISRM). ISRM is simply defined as the art of protecting and retaining the Confidentiality, Integrity, and Availability of information (International Organization for Standardization, 2018a; 2018b; Whitman & Mattord, 2014; Dhillon, 2018). Yet attacks are still increasing, targeting organizations and digital services (Schirrmacher et al, 2018). The development of attacks proves that the currently existing models to mitigate information security risks are not sufficient to battle the growing threats of cybercriminals.

At the time of writing the current ways of risk management are built on a static foundation occurring on a pre-set time frame, normally once or twice a year (Information Systems Audit and Control Association, 2010; Bergström E, 2020). Risk management is rooted in calculations of the possibility of risk and potential damage (International Organization for Standardization, 2018b). The term “risk” refers to the “effect of uncertainty on objectives” (International Organization for Standardization, 2009) which has the potential for unauthorized use, disruption, modification, or destruction of information. However, while the data which is used to calculate possible risks and their priority was relevant in the past to battle threats in a less connected world, it is problematic in today's world when most devices nowadays are connected to the internet and the reality around us is changing faster than ever before (Raghavendra, 2018 & Afonasova et al, 2019).

It is suggested by researchers in the field that “Information security risk management process should be started to be seen more as an emerging process, where each activity interplays dynamically in response to new requirements and organizational and social challenges.” (Lundgren & Bergström, 2019a). Solving the social challenges alone, however, is insufficient to battle the complex characteristics of cyber threats today. This is reinforced by Dhillon (2018), who states that the social and the technical aspects are tightly bound and interconnected in information security, and by Mujinga et al (2017), who raise the importance of having a “holistic view of information security that addresses a combination of technical and social problems” to manage cyber threats. In this study, the term “technical” describes technological threats to a system without regard for user behavior, and the term “social” describes human threats to a system with user behavior properties in consideration (Ferreira et al, 2014; Mujinga et al, 2017).

In order to make information security risk management less static and thus more dynamic, while keeping the holistic view of both social and technical perspectives in mind, this study aims to develop a Dynamic Risk Management model (DRMM) with a set of guidelines for dynamic identification and mitigation of information security risks in the financial sector. In the context of this research, the term “dynamic” refers to continuous adjustment to new changes (Lundgren & Bergström, 2019b), whereas “static” refers to a fixed or stationary condition (Dictionary, 2020b). The model will be created using Design Science Research (Hevner, 2004; Vaishnavi & Kuechler, 2004) and, although it is intended for the financial sector, it should also be easily adjusted to fit any organization that wants to regularly evaluate risks to provide relevant priorities and determine its actions of defense.

The existing research on dynamic risk management is lacking as the currently published papers focus exclusively on either the technical aspects or the social aspects to prevent cyber threats. Among these papers we can find the work of Gonzalez et al (2018), Labassi et al (2015), Bahl (2007), and Lundgren (2020) which are further discussed under Chapter 2 – Related Research. This shows that there is a research gap in the field of dynamic risk management within the field of information security from a combined social and technical approach to mitigate cyber threats. Altogether, these findings have led to the research question of this study:

“How to develop a dynamic Information Security Risk Management model for the financial sector, that takes into consideration the social and technical aspects?”. Answering this research question will fill in the research gap on dynamic risk management in information security, and could teach us more on how to protect our information better, as cyber attacks in the last decade have continued to be more sophisticated, going from targeting mostly technical flaws to an increased focus on social threats as well (C.S. Institute, 2010).


2. Related Research

This chapter describes the related research and theories that this paper builds on in relation to the research question. Core concepts are explained to aid understanding.

2.1 Risk management in Information Security

According to the International Organization for Standardization (2009), a risk is defined simply as the “effect of uncertainty on objectives”. Risk Management is described as the “Coordinated activities to direct and control an organization with regard to risk”. The ‘Risk Management Process’, in turn, is defined as the “Systematic application of management policies, procedures, and practices to the activities of communicating, consulting, establishing the context and identifying, analyzing, evaluating, treating, monitoring and reviewing risk.” (International Organization for Standardization, 2009).

In other words, Information Security Risk Management (ISRM) is the process of managing all types of risks concerning the usage of data in a digital environment. Handling risks that could potentially jeopardize the three major steppingstones of information security, Confidentiality, Integrity and Availability, is an important part of this process (National Institute of Standards and Technology, 2017). The ultimate goal is to manage and mitigate risks to eventually harmonize all the identified risks with the organizational risk level. To achieve this goal, the International Organization for Standardization (ISO) created the ISO/IEC 27005:2018 Information Security Risk Management (ISRM) standard as a part of the ISO 27000 series. The ISO standard provides guidance, involving advice on risk assessment, risk treatment, risk acceptance, risk reporting, risk monitoring, and risk review to achieve information asset protection (International Organization for Standardization, 2018b).

Information security risk management (ISRM) consists of three essential components (Dhillon, 2018) that my model aims to address: 1. Risk Assessment, 2. Risk Mitigation, and 3. Risk Evaluation. The ISRM processes are described as follows:

● Risk Assessment

The ‘risk assessment’ is the process where the organization or individual identifies a risk and evaluates it to determine the potential impact the risk might cause if not being handled. The risk assessment is important to recommend risk-reducing strategies.

● Risk Mitigation

The ‘risk mitigation’ process is the next step after ‘Risk Assessment’, where mitigation revolves around prioritizing, implementing, and maintaining an adequate risk level in the organization.


● Risk Evaluation

Finally, the ‘risk evaluation’ is an ongoing process that oversees the entire risk management effort to conclude whether or not the current risk management is successful, or whether it requires any improvements to perform better.

However, it is important to keep in mind that Information Security Risk Management alone cannot solve all security challenges an organization may face. For risk management to have optimal performance it needs to be implemented in the work process from the very start and become a part of the daily work (Dhillon, 2018). Failure to do so could lead to a constant security threat with a lot of expensive backtracking and fixes to follow.

2.2 Dynamic Information Security Risk Management

A Dynamic Information Security Risk Management Model (DISRM) should be able to monitor and mitigate threats from both the social and the technical aspect. When monitoring current social-aspect threats in the cybersecurity landscape that could potentially cause damage to the organization, the model should be able to provide proper countermeasures with the help of cybersecurity expertise and update the risk management routines accordingly. The model should also be able to monitor current technical-aspect threats that could potentially cause harm to the information assets in the organization, with regard to breaching the Confidentiality, Integrity, and Availability of the data (Dhillon, 2018), and mitigate those threats automatically.

Another important goal of the DISRM is to re-prioritize the organization to protect sensitive information from getting compromised with as little effect on the organizational everyday work processes as possible. The dynamic information security risk management approach should act, when implemented successfully, as an efficient information security mitigation technique and achieve its full potential from a combined socio-technical approach to ensure the best possible protection of information assets (Dhillon, 2018).

Altogether this could be comprised into a definition of dynamic information security risk management as follows: “Dynamic Information Security Risk Management is the coordinated activities to identify and mitigate socio-technical threats to information security in a continuous and adaptable manner.”
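To make the static/dynamic contrast concrete, here is an added Python sketch (not the thesis' DISRMM and not Kommuninvest's tooling) of a toy risk register in which social and technical triggers re-score and re-prioritize risks between scheduled reviews, routing technical triggers to automatic mitigation and social triggers to expertise and routine updates as described above; the risk names, signal names and scores are constructed.

```python
"""Toy socio-technical risk register: static yearly review vs. dynamic re-prioritization."""
from __future__ import annotations

from copy import deepcopy
from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    aspect: str        # "social" or "technical" threat aspect
    likelihood: int    # 1 (rare) .. 5 (almost certain)
    impact: int        # 1 (negligible) .. 5 (severe)

    @property
    def score(self) -> int:
        # Possibility of the risk times potential damage, as in the cited ISO view.
        return self.likelihood * self.impact


@dataclass
class Trigger:
    """An observed change in the threat landscape (constructed; hypothetical signal names)."""
    aspect: str            # which aspect raised the alarm
    signal: str            # e.g. a vulnerability feed entry or a phishing-report spike
    risk_name: str         # register entry it affects
    likelihood_delta: int  # how much it moves the likelihood estimate


def baseline_register() -> list[Risk]:
    # Constructed register as left by the last scheduled review.
    return [
        Risk("Unpatched internet-facing service", "technical", 2, 5),
        Risk("Spear phishing against finance staff", "social", 2, 4),
        Risk("DDoS against customer portal", "technical", 3, 3),
        Risk("Insider misuse of customer data", "social", 1, 5),
    ]


# Constructed triggers arriving between two yearly reviews.
SAMPLE_TRIGGERS = [
    Trigger("technical", "critical vulnerability published for exposed service",
            "Unpatched internet-facing service", +3),
    Trigger("social", "spike in user-reported phishing e-mails",
            "Spear phishing against finance staff", +2),
]


def prioritize(register: list[Risk]) -> list[str]:
    """Risk names ordered from highest to lowest score."""
    return [r.name for r in sorted(register, key=lambda r: r.score, reverse=True)]


def static_review(register: list[Risk], triggers: list[Trigger]) -> tuple[list[str], list[str]]:
    """Static model: priorities stay fixed until the next scheduled review, so triggers are ignored."""
    return prioritize(register), []


def dynamic_review(register: list[Risk], triggers: list[Trigger]) -> tuple[list[str], list[str]]:
    """Dynamic model: each trigger re-scores its risk immediately and routes a response.

    Technical triggers are answered automatically; social triggers go to security
    expertise and a routine update, mirroring the split described in section 2.2.
    """
    register = deepcopy(register)  # never mutate the reviewed baseline in place
    actions: list[str] = []
    for t in triggers:
        risk = next(r for r in register if r.name == t.risk_name)
        risk.likelihood = max(1, min(5, risk.likelihood + t.likelihood_delta))
        if t.aspect == "technical":
            actions.append(f"auto-mitigate: {t.risk_name} [{t.signal}]")
        else:
            actions.append(f"escalate to expertise, update routines: {t.risk_name} [{t.signal}]")
    return prioritize(register), actions


if __name__ == "__main__":
    reg = baseline_register()
    print("static :", static_review(reg, SAMPLE_TRIGGERS)[0])
    order, actions = dynamic_review(reg, SAMPLE_TRIGGERS)
    print("dynamic:", order)
    for a in actions:
        print("  ->", a)
```

With the constructed inputs the static review keeps the phishing risk in third place, while the dynamic review moves it to second and the exposed service to a score of 25.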

The general research about Dynamic Risk Management in the financial sector has been rather limited up to this day. The published papers that have touched on general dynamic or adaptive risk management currently show a heavy focus on the technical aspects of preventing cyber attacks, such as ‘Dynamic risk management response system to handle cyber threats’ by Gonzalez et al (2018) and ‘Quantitative Risk Management: a Survey of Adaptive Approaches to Risk Management for Information and Communication Systems’ by Labassi et al (2015), but very few besides Martin Lundgren's (2020) “Making the Dead Alive: Dynamic Routines in Risk Management” have focused on Dynamic Information Security Risk Management.


Other solutions, models, and theories to handle dynamic risk management include Microsoft's patented solutions for dynamic risk management and identification of threats. ‘Dynamic Risk Management’ (Bahl, 2007) was created by Pradeep Bahl back in 2007. Since then the paper has received many updated revisions after the original publication. The article looks at dynamic risk management in operating systems from a technical standpoint, by using monitoring and automatic responses based on how hardcoded values are being exceeded. This risk management model does not, however, take into consideration the social aspects of Information Security such as insider threats caused by employee behavior.

There are also general suggestions on how to improve organizational information security risk management (Beebe & Rao, 2010) and a dynamic risk management paper on automatic access control frameworks to mitigate insider threats (Baracaldo & Joshi, 2013). The latter described yet another technical solution on how to identify and mitigate insider threats to restrict their access.

This means that there is progress in the field of technical dynamic risk management to some extent. The technical area has been explored and some solutions have been tried, but the social aspects in dynamic risk management have very little research up to the current date, which is only touched upon by Lundgren (2020) who focuses on dynamic routines in risk management. The only area that is researched even less is the combination of both social and technical (socio-technical) aspects of information security in the field of dynamic risk management, where no prior published scientific research on the topic could be found.

Since the chain is no stronger than its weakest link, and one cannot be guaranteed without the other, it is of great importance to address both the technical and social aspects when working with information security, as has been highlighted by many researchers in the scientific field of informatics, such as Dhillon (2018) and Lundgren (2020).

2.3 Existing approaches for Dynamic Risk Management

Based on existing research, there are currently several models for dynamic risk management which are presented below:

Table 1. Existing Models

Name of the model | Author | Approach

Dynamic Risk Management Response System | G. Gonzalez et al (2018) | Technical – Detection, generating a mitigation strategy of technical character to aid the system administrator in the decision-making process.

Dynamic Risk Management | Bahl (2017) / Microsoft | Technical – Dynamic risk management in operating systems, from a technical standpoint, by using monitoring and automatic responses based on how hardcoded values are being exceeded.

Adaptive risk management and access control framework | Baracaldo & Joshi (2013) | Technical – “Adapts to suspicious changes in users’ behavior by removing privileges when users’ trust falls below a certain threshold”

Dynamic Routines in Risk Management | Martin Lundgren (2020) | Social – User feedback on routines, making the static routines in risk management more dynamic.

These findings indicate that most of the models in dynamic risk management are technical, which is contradictory to the current trends in cybersecurity, which are mostly of a social nature. Cybercriminals have for many years been using mainly social engineering, such as spear phishing, as their primary infection vector, with a 65% usage rate and 96% of the groups driven by malicious intent to perform their intelligence gathering (Symantec, 2019). Attacks like these compromise already authorized users and are therefore harder to detect than a traditional hacking attack that forcefully gains access and alerts the intrusion detection systems. This leaves preventive social measures as the remaining way to keep sensitive organizational data from being stolen. Besides lacking the obvious social aspect of Information Security and being heavily technically focused, the current risk management models in information systems are, as Labassi et al (2015) conclude, not simple enough for decision-makers to interpret. Furthermore, there is no easy-to-understand, simple core framework with high usability in risk management to be used daily.


3. Research Method

This section describes how I used Design Science Research to conduct the study. The method was chosen based on the characteristics of the case, including company involvement. The chapter is structured as follows. The first section (3.1) describes the case setting in which the study was conducted. The second section (3.2), Design Science Research (DSR), explains why the method is suitable for the study when creating a Dynamic Risk Management Model. The third section (3.3) describes how DSR was utilized in the study. The fourth section (3.4) explains how the DSR cycles were executed. Finally, the fifth and final section (3.5) describes the evaluation criteria used to evaluate the process and results.

3.1 Case settings

During the study a financial organization, Kommuninvest was used as an input during Design Science Research iterations to make sure that the Dynamic Risk Management model would be usable in a real setting beyond the conceptual design. Kommuninvest is a Swedish local government funding agency established in 1986. The agency offers financial solutions to municipalities and regions located in Sweden. There are currently 278 Swedish municipalities and 12 regions signed up as members and owners of Kommuninvest, reaching from Umeå in the north, to Växjö in the south (Kommuninvest, 2020a;2020d). The agency currently has 60 employees and their headquarters are located in the center of the city Örebro. As of 2019, Kommuninvest surpassed lending over 400 billion Swedish crowns to its members to finance different projects around the country (Kommuninvest, 2020c). Kommuninvest has earned the highest possible credit score with a AAA rating validated by Moody’s Credit Opinion in February 2020 & Standard & Poor's Research Update in December 2019 (Kommuninvest, 2020b).

Although this study is focused on Kommuninvest, a company specialized in the financial sector, the goal of this study is to create a flexible information security risk management model that can be easily modified to suit different needs. In this way, the model could adapt to a wide range of different sectors that work with sensitive data, such as the healthcare industry, the school sector, the military, and research facilities across the globe to improve their risk management’s speed and efficiency.


3.2 Design Science Research

Figure 1. Design Science Research (Vaishnavi & Kuechler, 2004)

Design Science Research (Hevner, 2004, Gregor & Jones, 2007, Vaishnavi & Kuechler, 2004) is a research method consisting of both a process of activities and an output product called the artefact. ‘The term artefact is used to describe something that is artificial, or constructed by humans, as opposed to something that occurs naturally’ (Gregor & Jones, 2007). These artefacts can be constructions of technical, social, or socio-technical characteristics, such as Decision support tools, methods for evaluation, and governance strategies (Gregor & Hevner, 2013). The goal of my thesis is to utilize the design science research approach to construct an artefact that can aid continuous threat detection & risk evaluation to mitigate threats of cybercrime in the financial sector.

The selection to use the Design Science Research (Hevner, 2004, Gregor & Jones, 2007, Vaishnavi & Kuechler, 2004) methodology to create the artifact was made because it allows the model to be built from both empirical data gathered from a real organization in the financial sector as well as theoretical data from current research. In comparison to Action Research (Avison, Baskerville, & Myers, 2001, McKay & Marshall, 2001), whose purpose mainly is to understand a reality in organizational contexts, the purpose of Design Science Research is to solve a problem by creating and evaluating a whole new solution. Furthermore, another key difference that led to the choice of Design Science Research in favor of Action Research is how the conclusion step is performed in each methodology. The conclusion phase in the Action Research process is based on specifying learning and identifying general findings, whereas Design Science Research is focusing more on theoretical and practical implications and future research proposals which is more relevant when developing a completely new artifact such as a dynamic risk management model.

There are several different approaches to conducting Design Science Research. This study follows the Design Science Research methodology by Vaishnavi & Kuechler (2004), meaning that the process is divided into 5 phases: Awareness of Problem, Suggestion, Development, Evaluation, and Conclusion. In comparison, Peffer et al's (2008) Design Science Research approach consists of six steps: Problem Identification and Motivation, Define the objectives for a solution, Design and development, Demonstration, Evaluation, and Communication. Peffer et al's (2008) Design Science Research approach was not feasible to implement in the context of this study because of its fourth phase, “Demonstration”, which requires a practical simulation of the artifact, which is not possible in this case. After consulting the different methodologies for Design Science Research, it became evident that the most suitable methodology to use in this study was Vaishnavi & Kuechler (2004).

3.3 How Design Science Research was used in the study

The artefact which is about to be created using the Design Science Research methodology by Vaishnavi & Kuechler, (2004) is a dynamic risk management model that is aimed to address the flaws with current static risk management methods being used today. The Dynamic Risk Management model is built on an artificial foundation, hence being an artificial phenomenon (Gregor & Jones, 2007). Additionally, Design Science Research methodology both creates and evaluates artefacts that are focused on solving identified organizational problems (Hevner et al, 2004), of which cyber threats targeting the financial organization clearly is, according to multiple sources focusing on security research the last decade (Viera & Seghal,2018; CIA,2016; Gerber & Sons,2015; Symantec, 2019).

In order to design a reliable artifact, two iterations of the Design Science Research methodology were made, as follows. First, criteria were collected from the financial organization and a tentative design was created. During the evaluation phase this tentative design was deemed insufficient by the financial organization, which led to a second iteration that resulted in a sufficiently designed artifact.

Next, the following subsection, 3.4 The five phases of Design Science Research, presents how each phase of the Design Science Research was conducted.

3.4 The five phases of the Design Science Research

In the following phases of DSR, each phase number is accompanied by an “a” when referring to the methodology of what has been done in the phase, and accompanied by a “b” in “Chapter 4 – Results” when referring to the outcome of each respective phase, in order to easily distinguish them from each other.

Phase 1a. Awareness of Problem / Problem Identification

The “Awareness of Problem” phase aims to understand and identify the problem which is going to be investigated. This awareness may come from multiple sources such as new developments within the industry or problems found within related material to the field of study (Vaishnavi & Kuechler, 2004). The output of this phase could either be a formal or informal proposal for a new research effort.

The problem awareness began when the financial organization (Kommuninvest) reached out and described that there was a need for a continuous risk management process to mitigate both internal and external cyber threats targeting the information- and IT-security within the financial sector. If not addressed properly, these threats could potentially cause a great deal of economic damage to the financial sector. This was further reinforced by Boston Consulting Group (2019), one of the world's largest strategy consulting firms, which reported that cyber attacks have been targeting the financial sector 300 times more than other companies over the last years.

In order to better understand the problem, an analysis was performed and motivated in relation to existing literature in the context of risk management. Afterward, interviews were conducted with representatives from the financial organization using the interview guidelines for semi-structured interviews presented by Oates (2006) and Bryman (2011). The interviews together with the literature reviews are explained thoroughly in Chapter 3.5 – Data Collection.

Using the new data gathered from the interviews, we continued the literature study and found that there was indeed a clear research gap within the Dynamic Risk Management field of Information Security in the financial sector. Furthermore, the interviews and literature study contributed to the construction of a comprehensive list of the requirements that needed to be fulfilled in order to solve the identified problem. This means that the final evaluation criteria are based on the requirements from the financial organization together with the requirements found in related literature.

Finally, this phase was used as a way to gather more understanding of the field of dynamic risk management within the financial sector (Patel & Davidson, 2003), and thus it was possible to construct a research proposal that could both solve the identified problem for the financial sector as well as fill the existing research gap in dynamic risk management.

Phase 2a: Suggestion

The “Suggestion” phase is aimed at creating a tentative design based on either an existing or new artefact (Vaishnavi & Kuechler, 2004).

Based on the requirements collected from the interviews and the literature during Phase 1 “Awareness of Problem” it became evident that both the social aspects and the technical aspects needed to be covered by the model to ensure the best possible information security to the financial sector. To create a tentative design of the model, a visual representation of common threats related to the social and technical aspects of information security was sketched. This was done to provide an overview of how both of the aspects should be covered by the final model later presented in Chapter 4 - Results.


Figure 2. Including aspects of the design of the Dynamic Risk Management Model (DRMM) solution

The white “Social Aspects” tower presents some of the general social aspect threats targeting most organizations, including those in the financial sector, threatening the confidentiality, integrity, and availability of information assets, based on Dhillon (2018) and the Verizon (2019) Insider Threat Report.

The black “Technical Aspects” tower presents some of the general technical aspect threats targeting most organizations, including those in the financial sector, affecting the confidentiality, integrity, and availability of information assets, based on Dhillon (2018) and the Symantec (2019) Internet Security Threat Report.

The gray “The Dynamic Risk Management Model” tower in the middle is the Dynamic Risk Management Model, supporting dynamic threat detection (Threat Detection), mitigating the social threats (Social Aspect Threat Mitigation) and the technical threats (Technical Aspect Threat Mitigation) by embracing an adaptive solution that can also be improved after each mitigated threat.

Finding appropriate standards to base the model on was done by analyzing the established European ISO standards to get an overview of the selection of available standards on Information Security, Risk management in Information Security, and the Financial Sector that could be implemented in the tentative design of the model.

Finally, the technical mitigation part of the dynamic risk management model was partly inspired by the existing “Adaptive risk management and access control framework” by Baracaldo & Joshi (2013), which dynamically adapts to suspicious user behavior and changes users’ privileges automatically. The social aspect threat mitigations, on the other hand, rely on a collaboration with a 3rd party consisting of cyber security specialists whose main focus is social threats and whose responsibility is to report the found threats to the financial organization.


Phase 3a: Development

The “Development” phase is used to further develop the tentative design, focusing mainly on the state of practice, where the novelty lies primarily within the design (Vaishnavi & Kuechler, 2004). The novelty contributed to this research is to develop a Dynamic Information Security Risk Management Model. It is important to note that several types of risk management models already exist (International Organization for Standardization, 2018b; Shedden et al., 2010; Visintine, 2003; Whitman and Mattord, 2014) but none of them are dynamic, therefore, the contribution lies in developing a dynamic model rather than another static model. What makes the model dynamic is the fact that it supports mitigation of socio-technical threats on a continuous basis as opposed to traditional risk management that occurs once or twice a year, and even up to once every third year (Information Systems Audit and Control Association, 2010; Bergström E, 2020).

First, when designing the artifact (The Dynamic Information Security Risk Management model), several sources were used as graphical inspiration for the model, among these Dhillon (2018), Vaishnavi & Kuechler (2004), Lundgren (2020), ISO 27001 (International Organization for Standardization, 2018a), and ISO 27005 (International Organization for Standardization, 2018b), which enabled me to illustrate the model in a fashion that was both comprehensible and scientifically accepted. Similar to how Hevner (2010) argues that the design science research approach of Peffers et al. (2008) helps researchers present their artifact with reference to a commonly accepted and understood framework rather than justifying the research paradigm each time, I also used commonly accepted design choices and frameworks in order to make my model as legitimate as possible.

Furthermore, it was necessary to ensure that the design was in harmony with the requirements that were previously identified during the repeated literature studies, and the interviews performed with representatives of the financial organization Kommuninvest. The design also follows the ISO 27005 Risk Management standard (International Organization for Standardization, 2018b) in order to not contradict the established standards in the information security risk management field, but also to ensure its compatibility with future research.

The model consists of different components. Each component is described using definitions inspired by ISO 27001 (International Organization for Standardization, 2018a), ISO 27005 (International Organization for Standardization, 2018b), NIST (National Institute of Standards and Technology, 2017), Swedish Institute for Standards (2015), the recommendations of Myndigheten för samhällsskydd och beredskap (2020), as well as ISO 20022 Financial services (International Organization for Standardization, 2013). The purpose of this is for the reader to have enough background to understand how the model works. The components are then presented in a step-by-step process walkthrough describing the intended use of the model to dynamically mitigate threats before they become severe risks to the financial sector.

In order to develop a fast and efficient dynamic model, the triggers that would activate the model had to be divided into social aspect triggers and technical aspect triggers. The social and technical aspects are strongly intertwined but at the same time, they both have unique characteristics and thus need to be mitigated differently (Dhillon, 2018).


For this reason, a decision was taken after consulting information security experts within the financial sector to assign a 3rd party cyber security firm the responsibility to do continuous detection of social aspect threats since these are of human nature and can simply not be fully transformed into technical aspect threats and then become automated. However, the technical aspect threats can be detected automatically by the organization itself by using sophisticated threat detection tools.

Overall, the model was designed with simplicity and usability (Nielsen 1993; 1994) in mind to ease the evaluation of the model after implementation in the financial sector. Moreover, the complexity in the model lies in utilizing the findings from repeated literature studies on several different standards in order to create a model suitable to the financial audience but at the same time being futureproof and adaptable to other sectors because of its dynamic nature.

Phase 4a: Evaluation

The evaluation phase is used to evaluate the constructed artefact based on the criteria given in Phase 1, expressed in the proposal. Any deviations must be noted and explained (Vaishnavi & Kuechler, 2004). Results about the model in this phase and any other additional information must be brought together and fed into another iteration of Phase 2 “Suggestion” if necessary.

The evaluation of the artifact, The Dynamic Information Security Risk Management model went through two iterations. In the 1st iteration, the first design was presented to an expert in the financial sector during an online meeting. At the time the model was identical to the initial tentative design. The presentation was made to ensure that the overall design would fill the requirements of a dynamic model in the financial industry. This iteration provided valuable feedback on the strengths of the model in its current form as well as what could be added into the 2nd iteration.

The 2nd iteration of the evaluation phase was performed online during a Microsoft Teams meeting due to the Covid-19 pandemic. It was held together with two representatives from the financial organization (Kommuninvest), who had received, 3 days before the meeting, the new improved Dynamic Risk Management Model together with the description of the model components, the walkthrough of the process steps, and an evaluation poll.

The poll was made in Google forms and sent to the CIO and CISO of the financial organization to evaluate the artifact, and the questions revolved around whether or not the requirements identified in Phase 1 “Awareness of problem” were met, in regards to the dynamic information security risk management model design. The reason for the poll was to assess whether the model was usable in the context of a financial organization. Google forms were chosen as a platform due to its competitive price point (it was free) compared to traditional postal polls (Splitvision Research, 2018). Furthermore, this platform was also chosen because of its ease-of-use for participants to answer the poll as well as its easy-to-interpret visual overview of the poll answers for researchers. The poll contained twelve questions and can be read in its entirety in section Appendix 1 “Evaluation Poll”.


The evaluation of usability – User Feedback poll

Despite the time constraints of the thesis, which meant that the model could not be implemented in the financial organization before the evaluation, an additional evaluation poll was created to measure the usability of the process among its users (Usability – User Feedback) once the model has been implemented in the organizational setting. The term “usability” refers to the “extent to which a system, product or service can be used by specified users to achieve specified goals with effectiveness, efficiency and satisfaction in a specified context of use” (International Organization for Standardization, 2018c). The poll is built as a modified version of the poll by Lundberg et al. (2018) to measure usability among a targeted group. The reason this poll was chosen for the user feedback is that it is based on both the Technology Acceptance Model (Davis, 1989; Davis, Bagozzi, & Warshaw) and Nielsen’s (1993; 1994) concept of usability, which enables the poll to be used on a regular basis to capture and validate the performance and usability of the work process, while also following Nielsen’s (1994) key element suggestion of continuous feedback to improve the design, hence making the model dynamic. The poll can be found in section Appendix 2 “Usability - User Feedback”.

Phase 5a: Conclusion

The concluding phase is used to put an end to my research cycle and conclude my research with a clear description of its knowledge contribution (Vaishnavi & Kuechler, 2004).

This is the final phase of the Design Science Research (DSR). I started my method by analyzing the research problem’s different dimensions during DSR Phase 1a “Awareness of Problem” and then created a research proposal which then became the foundation for the tentative design in DSR Phase 2a “Suggestion”. Next, in Phase 3a “Development” I further refined the tentative design with regards to additional feedback from the financial organization as well as consulting the literature requirements again to ensure that the final artifact would meet all necessary criteria. The artifact was then evaluated in Phase 4a “Evaluation” by professionals from the financial sector to validate that all requirements were met and assess its practical usage in the financial sector.

3.5 Data Collection

The data collection methods that were used throughout the study are literature reviews and semi-structured interviews, which will be presented in the following subchapters.

3.5.1 Literature review

To understand the area of Dynamic Risk Management within the field of information security management, a literature review was conducted. The purpose of the literature review was to understand different aspects of the identified problem and see if there existed any previous dynamic risk management models for information security. The review was aimed to illustrate the research field by describing the past research conducted, the current research, as well as the trends in the dynamic risk management field (Bryman, 2011).


The approach in the literature review was to conduct a structured literature review to discover information about the field of dynamic risk management. In order to have a structured approach in the literature review Oates (2006) was used as a baseline, which includes seven activities: “Searching”, “Obtaining”, “Assessing”, “Reading”, “Critically Evaluating”, “Recording”, and “Writing a critical review”.

Figure 3. Structured Literature Review, Seven Activities (Oates, 2006)

The first step “Searching” in the structured literature review was performed by using search keywords together with the snowball selection method to find relevant literature about dynamic and adaptable risk management, using primarily Örebro University’s library database Primo. The snowball selection method means that the author looks at the references of the articles in order to cite them or follow up the sources and find more material relevant to the study (Oates, 2006). After finding relevant keywords using the snowball selection method, the literature study proceeded by delving deeper into the research topic, using mainly Google Scholar and ResearchGate because of their popularity and because they offered the possibility to search across a large selection of published papers from different sources. The sources in which the papers were found included: IEEE Xplore, MIS Quarterly, Journal of Strategic Information Systems, Journal of AIS, and Computers & Security. These sources were selected because the most relevant scientific papers were presented when using the keywords listed in the next paragraph. The web search engines that were used to expand the search further were: Google, DuckDuckGo, Bing, and Yahoo. The inclusion criteria used to make a selection among all the search results included, but were not limited to: scientific papers, books, ISO standards, and articles within the field of cyber security and the finance sector, mainly produced within the last decade.

The following search terms were used: “Information Security Management”, “Dynamic Risk Management”, “Dynamic Risk Management Information Security”, “Dynamic Risk Management Literature Review”, ”Information Security Risk Management ISO”, “Information Security ISO”, “Dynamic Information Security Risk Management”, “Adaptive Risk Management”, “DSR”, “Design Science Research”, “Social Threats”, “Technical Threats” and “Finance ISO Series”, “Dynamic Finance Model”, “Finance Risk Management Standard”.

The goal of using these search terms was to find scientific papers, but in some cases, this was not possible since the research field is so narrow. This meant that the search had to be expanded by looking at sources outside of academia, for example using public threat reports published by well-established cyber security firms in order to obtain statistical data about cyber threats.

A decision was made to use different search engines in order to go beyond the search engines’ algorithms, which typically return search results tailored to the user. Search engine results are of two types: “organic search”, which is returned by the search engine's algorithms, and “sponsored search”, which is advertisements (Zhang & Cabage, 2017). Relying on just one search engine such as Google could lead to missed opportunities in the data obtaining process once the search engine's algorithms come into play. The influence of search engine algorithms is generally great for most web searches, since they return tailored search results that are relevant to the casual user, based among other things on previous search history and page rankings.

The problem, however, is that the algorithms responsible for filtering the search results and data are not flawless and could inadvertently filter out the search results relevant to this study about dynamic risk management. Another issue when relying on just one search engine is that some website administrators have been using legitimate Search Engine Optimization (SEO) techniques or illegitimate “black hat” techniques, such as “double posting” of web content, in order to manipulate the search algorithms of the current search engine into displaying their content as most relevant to the user (Aswani et al., 2018), which in the worst case can affect the entire outcome of this research study. This issue was addressed by keeping the Search Engine Algorithms Results (SEAR) in mind and using different search engines to trigger different outcomes in the search results. In the context of this study, this effort to gather unbiased search results is defined as the SEAR-evasion Approach.

The second step “Obtaining” was performed by collecting the research found in the previous step, either by downloading or bookmarking the papers, books, and websites that were deemed useful to the study. Some documents needed to be requested directly from the author, for example the doctoral thesis “Making the dead alive” by Lundgren (2020), who was contacted through both e-mail and phone calls since his research paper contained valuable insights into dynamic risk management and had not been published at the time of writing. Besides Lundgren's (2020) dynamic framework model, four technically oriented dynamic risk management models were identified, but no general or specialized socio-technical dynamic risk management models could be found.

In the third step “Assessing” the obtained articles were assessed according to Oates's (2006) recommendations by verifying the authors' credibility, checking whether they had published before, and checking their publishing dates. Especially for journal articles, it is important to check how long the journal the paper is published in has been operating in the field. These were the main checks performed.

In the fourth step “Reading” the obtained papers were read according to the recommendations of Oates (2006). Abstracts were skimmed through, as well as introductions and conclusions of the papers, and then organized based on their focus and relevance. This step was relevant to have easy accessibility during the writing process as it is of importance to often consult the literature during the writing of this thesis.


In the fifth step “Critically Evaluating” the articles obtained were critically evaluated according to recommendations by Oates (2006) to make sure that they were relevant to the topic the research was addressing. This way it was possible to remove papers that were not relevant to the study or the ones who contained critical omissions.

In the sixth step “Recording” the sources of the obtained papers were recorded according to the recommendations of Oates (2006). The sources that were later to be used in the thesis were carefully noted. The details of these sources, including author names, titles, year of publication, and website if relevant, can be found in the “References” section at the end of this paper.

The seventh step “Writing a critical review” by Oates (2006) could not be implemented fully but it was possible to create “a matrix that maps which papers cover which different concepts” (Oates, 2006), in this case, the papers covering different types of Dynamic Risk Management models.

3.5.3 Interviews

To better understand the problem and to collect requirements for the solution from a financial organization, an interview was conducted with the CISO of Kommuninvest and the CIO of Kommuninvest as these people worked with information security at that financial organization. Due to the time restraints the CISO and CIO had, a decision was made to perform the interviews with them together at the same time rather than separately. Having a dialogue with both of them at the same time enabled full insight into the way a financial organization works with sensitive information assets.

The decision to use a semi-structured interview approach was made. This means that the author has a list of themes to be covered and questions to ask, yet depending on the flow of the conversation there might be additional questions (Oates, 2006). It was decided that this would be the best approach considering the nature of this dynamic area to have the interview a bit more open and at the same time following a set theme. Because I am not familiar with the area it would be difficult to formulate structured questions, and there would be a high chance that I miss important aspects.

Approaching the interview with semi-structured interviews instead of a structured one helped the organization to provide answers to the interview questions as well as having the chance to add issues they thought were relevant to keep into consideration. Considering that all fieldwork such as data collection is context-dependent (Walsham, 1995) it is of great importance to enable the organization to add relevant issues, otherwise, the final artefact based on the study might not be useful to the financial sector.

In total, one semi-structured interview was conducted at the Kommuninvest office together with both the CISO and the CIO about the research problem and what requirements would be necessary to solve it. The initial plan was to perform several other interviews on site, but due to the Covid-19 pandemic the rest of the interviews were held online through Microsoft Teams, adding up to more than 5 additional meetings in total regarding the problems the financial sector experienced. The 6 questions prepared for the interviews were the following:

Table 2. The questions.

No. | Interview Questions - Dynamic Risk Management Model (DRMM)
Q1 | What type of model/process is currently missing?
Q2 | What main features would a good DRMM have?
Q3 | How does the organization currently identify external/internal threats?
Q4 | How often are the organization's cyber threat mitigation tasks re-prioritized?
Q5 | Does current 3rd party collaboration enrich the security?
Q6 | What measures are used to review the security of 3rd party?

The purpose of each question from ‘Table 2. The questions’ is explained below.

Q1 – This question was necessary to understand if the solution to the static ways of working would be a written text documentation process or a more graphically oriented Dynamic Risk Management model.

Q2 – Asking about the main features to be presented in the Dynamic Risk Management Model was necessary to identify a realistic solution connected to the real world's needs, not only theory based on literature. I needed to understand what type of issues the model would have to solve, including the expectations about its usability.

Q3 – This question was necessary to know which approach the solution was going to take. Depending on the way of threat detection, the model outcome could be quite different, considering good information security can only be fully realized once technology and humans work together (Dhillon, 2018).

Q4 – This question is to understand how static the risk management process is at the moment and to gather more information about what the bottleneck in the flow of decisions is. By looking at how often the financial organization re-prioritizes their work it is possible to get insights into how futureproof the artifact needs to be.

Q5 – The question about 3rd party collaboration is necessary to see whether or not there is a possibility to involve a 3rd party in the Dynamic Risk Management Model solution.

Q6 – The final question is whether or not the organization reviews the security of their collaborating partners, considering a lot of high-profile companies have been breached through 3rd party intrusion attacks, such as Uber and Target (Plachkinova & Maurer, 2018).

The answers from the six questions helped to clarify the requirements needed to build a satisfying dynamic information security risk management model usable in the financial sector.


Ethical Considerations

The topic of Dynamic Risk Management within Information Security is not free of friction. Therefore, while performing my data collection at the financial organization, it was necessary to make sure that questions only covered what was needed to be able to conduct the study and to not cause any discomfort for the parties involved.

In order to make sure the research was conducted ethically, the four fundamental principles of the European Code of Conduct for Research Integrity (All European Academies, 2019) were followed.

Reliability – Safeguarding the quality of the research, which is reflected in the design, methods, and use of resources I made during the thesis and especially at evaluation.

Honesty – Developing the artefact, implementing and scrutinizing the published research, and reporting and informing others about the research in an open, fair, complete, and objective way.

Respect – For research participants, society, cultural heritage, and the environment by having online meetings with a clear agenda focusing on the model.

Accountability – for the researcher, from idea to publication, for education and supervision.

Considering that the case-setting involved a financial organization, special considerations were taken during Phase 1a “Awareness of Problem” when performing the semi-structured interviews to protect the data that was shared. It is the researcher’s responsibility that the shared data won’t get leaked or misunderstood.


4. Results

In the following phases of DSR, each phase number is accompanied by a “b” when referring to the outcome of each respective phase.

Phase 1b: Awareness of Problem

The understanding of the problem based on the literature review is presented in the Introduction and related research sections, where it is shown that the problem is experienced by both the financial industry in general and Kommuninvest. Furthermore, the problem is not fully covered in any existing research within the information security field.

As previously mentioned, the goal of the model is to primarily target the financial sector, but it should also be able to adapt to a wide range of other sectors that work with sensitive data, such as the healthcare industry, the school sector, the military, and research facilities across the globe to improve their risk management’s speed and efficiency.

During the semi-structured interviews with Kommuninvest, 7 requirements were identified. In addition, 2 requirements were identified during the literature reviews, adding up to a total of 9 requirements the model should follow to be both functional and useful. The requirements were sorted into a table, “Table 3. Requirements to Dynamic Risk Management Model”, and categorized by requirement type. The type of requirement could be of Social nature, Technical nature, or a combination of both.

Table 3. Requirements to Dynamic Risk Management Model

Req No. | Identified Requirement | Type
Req 01. | Continuous threat and risk detection & assessment | Social
Req 02. | Identification - of affected components | Social
Req 03. | Fast priorities - to avert threats | Social
Req 04. | Identify threats - External and internal in the organization | Social / Technical
Req 05. | Identify malicious events - External and internal in the organization | Social / Technical
Req 06. | Fast response – Short ways from identification to a decision of action | Social
Req 07. | Response system which alerts CISO and IT-Security in case of anomalies | Technical
Req 08. | User-friendly design | Social
Req 09. | Futureproof design – Adaptable to different sectors | Social / Technical

The purpose of each requirement from ‘Table 3. Requirements to Dynamic Risk Management Model’ is explained below.

Req 01 – The model needs to have continuous reliable risk detection and a possibility to address

Req 02 – If a breach happens, it is of great importance that there is a competent solution in place that makes it possible to identify which components are affected. These could be both social and technical components.

Req 03 – Once a threat is detected the organization must be able to re-organize fast to mitigate the threat, not wait until the next meeting.

Req 04 & Req 05 – Identify malicious events – These events can happen both by being infected by a computer virus (Technical) or by a staff member accidentally clicking on an infected link (Social). These types of situations must be identified and mitigated.

Req 06 – Fast response – When a threat is detected, a decision on action must be able to be taken rather fast. This requires the organization to be adaptable to the new situation (Social).

Req 07 – It is not humanly possible to guard systems manually around the clock, which means that there has to be an automatic control in place that detects any anomalies and reports to IT-Security and the CISO for maximum threat response efficiency.

Req 08 – A user-friendly design is important in order to assure high usability for the end-user (Nielsen 1993; 1994), making the model easy to understand and use when mitigating threats.

Req 09 – The design needs to be futureproof in order to ensure that it can be continuously improved (Dhillon, 2018; Nielsen 1993; 1994) as requirements in the financial sector may change with time.

Phase 2b: Suggestion

The tentative design that I have created based on the requirements collected in earlier phases is presented below.

The Tentative Design


Initially, the DRMM model and its process consisted of 3 core blocks and 2 sub-teams: the 3rd party, the Organizational Response Team, and the “Team Lead”, together with two sub-teams.

• The first block of the tentative design sketch “3rd party external, Domestic detection of

risks & threats” acts as the input-variables to the model. The 3rd party cybersecurity partner

organization is specialized in information security threats. They scan the surroundings to detect any suspicious activity that could become a risk to the organization and reports the weekly threat report to the next block, the “Organizational Response Team”.

• The second block of the tentative design sketch “Organizational Response Team (CISO & IT-Security, internal coverage)” consists of CISO and IT-Security, they receive the weekly threat report from the 3rd party and evaluate which assets that might be affected in case of threat realization. After evaluation of the risk is done, a mitigation strategy is built with the expertise of CISO and IT-Security and presented to the third block, “Meeting Teamlead”.

• The third block of the tentative design sketch “Meeting Team lead (map affected components & make a decision)”. The “Team lead” consists of the leaders of each team in the organization. The affected team is receiving the mitigating actions from the “Organizational Response Team” and distribute the information to the entire team at the very next meeting. In urgent situations, a critical meeting can be called upon by the team lead.

• The fourth and fifth blocks of the tentative design sketch, “Sub-Team 1” & “Sub-Team 2”, consist of all the members of each sub-team. A team can consist of anywhere from 1 to 1000 people; the mitigation strategy is the same regardless of size. The members receive the information from the team lead and start to implement the mitigating actions.

The graphical tentative model sketch of DRMM above was created as a visual presentation that could be shown to Kommuninvest to evaluate whether it covered all relevant requirements. A graphical model was used instead of plain text since it helps the organization gain a holistic view of the current approach, an appropriate way to gather feedback according to Dhillon (2018).

Phase 3b: Development

During the development phase, the list of requirements previously established during Phase 1a “Awareness of Problem” was used together with the feedback received from the financial organization Kommuninvest. The artifact created is presented in Chapter 4.1 - The Dynamic Information Security Risk Management Model.


4.1 The Dynamic Information Security Risk Management Model

The Dynamic Information Security Risk Management Model is described in this chapter, beginning with a description of the components the model consists of. Next, a step-by-step guide explains how the model's process is intended to be used, together with general guidelines. Finally, two fictitious scenarios are presented to illustrate the process, one with a social aspect threat and the other with a technical aspect threat, each triggering the model before being mitigated by it.

Figure 5. Dynamic Information Security Risk Management Model

The final design of the Dynamic Information Security Risk Management Model's process consists of three phases: first the Dynamic Identification of Threat, second the Risk Analysis & Evaluation phase, and third the Risk Treatment phase. Each phase has its own blocks and actions.

The Dynamic Identification of Threat phase has one block consisting of two types of threat triggers, the Social Aspect Trigger and the Technical Aspect Trigger.

The Risk Analysis & Evaluation phase consists of four blocks: the Team Leaders, who manage all teams in the organization; the Organizational Response Team, which consists of the Chief Information Security Officer (CISO) and the IT-Security staff; and the Risk Analysis and Risk Evaluation blocks, which are both controlled by actions from the Organizational Response Team.

The Risk Treatment phase consists of three blocks: Teams, controlled by the Team Leaders; Routines, controlled by actions from the CISO; and System, controlled by actions from IT-Security.

Each arrow describes an action and is marked with a letter from A to H to illustrate each action between the blocks in the different phases. Each block and action is portrayed in Chapter 4.2 - Walkthrough of The Dynamic Information Security Risk Management Process Steps. The entire model consists of 8 blocks and 8 action lines, one for each action between the blocks.

Description of the Dynamic Identification of Threat phase components:

The dynamic threat components cover different aspects of the social and technical spheres. They can be either proactive, meaning that the threat is identified before it has been realized, or reactive, meaning that they respond to a threat that has already been realized. The division into four elements (two aspects, each with a proactive and a reactive form) supports focused mitigation actions, prioritization and speed.

The Technical Aspect Triggers consist of two elements:

• Proactive Technology consists of a technological detection system that discovers anomalies in the form of suspicious behavior in the system and sends a warning to the “Organizational Response Team” that there is a risk of a potential cyber threat. The term “proactive” is used because the threat has not been realized yet; an anomaly is a warning, not a confirmed attack.

• Reactive Technology consists of the intrusion detection system, which sends an alarm to the “Organizational Response Team” when an actual attack is detected in progress, hence the term “reactive”.

The Social Aspect Triggers include two elements:

• Proactive Social consists of the collaboration with a cybersecurity partner, which can be an internal or external (3rd party) organization. The cybersecurity partner is specialized in the detection of possible information security threats. They scan the surroundings to detect any suspicious activity that could become a risk to the organization and report the findings to the next block, the “Organizational Response Team”. The term “proactive” is used because the threat has the potential to be realized but has not happened yet.

• Reactive Social consists of reports of a social threat that is already happening, hence the term “reactive”. For example, someone from staff alarms the CISO
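As an added illustration (not part of the thesis or of the evaluated DISRMM artifact), the following Python script shows how the four trigger types could be normalised into one prioritised queue for the Organizational Response Team. A failed-login counter stands in for the proactive technology (anomaly detection), a signature-alert parser for the reactive technology (IDS), a partner indicator list for the proactive social trigger, and a staff report for the reactive social trigger. The log lines, alert format, indicators, the threshold of three failed logins, and the owner and escalation rules (IT-Security for technical, CISO for social; critical meeting only for reactive triggers) are all constructed assumptions for this example, not data or rules taken from the thesis.

```python
"""Added illustration of the Dynamic Identification of Threat phase:
four trigger sources, two aspects (technical/social) by two modes
(proactive/reactive), normalised into one prioritised queue for the
Organizational Response Team. Every input below is a constructed sample."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample inputs (assumed formats, not real organisational data).
AUTH_LOG = [
    "2020-05-04T09:01:02 sshd: Failed password for admin from 198.51.100.7",
    "2020-05-04T09:01:05 sshd: Failed password for admin from 198.51.100.7",
    "2020-05-04T09:01:09 sshd: Failed password for root from 198.51.100.7",
    "2020-05-04T09:01:12 sshd: Failed password for admin from 198.51.100.7",
    "2020-05-04T09:02:00 sshd: Accepted password for alice from 192.0.2.10",
    "2020-05-04T09:02:30 sshd: Failed password for alice from 192.0.2.10",
]
IDS_ALERTS = [
    "ALERT sid=2001 msg='SQL injection attempt in HTTP URI' src=203.0.113.9 dst=10.0.0.5",
]
PARTNER_REPORT = [  # assumed shape of a cybersecurity partner's indicator feed
    {"indicator": "kommuninvest-login.example", "type": "lookalike domain", "confidence": "high"},
]
STAFF_REPORTS = [  # assumed shape of a staff report to the CISO
    {"reporter": "finance clerk", "text": "email from 'the CEO' demanding an urgent payment"},
]


@dataclass(frozen=True)
class Trigger:
    aspect: str  # "technical" or "social"
    mode: str    # "proactive" (not yet realised) or "reactive" (attack under way)
    source: str
    detail: str


FAILED_RE = re.compile(r"Failed password for \S+ from (\d+\.\d+\.\d+\.\d+)")
ALERT_RE = re.compile(r"sid=(\d+) msg='([^']+)' src=(\S+)")


def proactive_technical(log_lines, threshold=3):
    """Proactive Technology: an anomaly detector. Repeated failed logins from one
    source are suspicious behaviour, a warning rather than a confirmed attack."""
    fails = Counter()
    for line in log_lines:
        m = FAILED_RE.search(line)
        if m:
            fails[m.group(1)] += 1
    return [Trigger("technical", "proactive", "anomaly-detector",
                    f"{n} failed logins from {ip}")
            for ip, n in fails.items() if n >= threshold]


def reactive_technical(alert_lines):
    """Reactive Technology: an IDS alarm. A matched signature means an attack is
    actually happening, so it is an alarm rather than a warning."""
    triggers = []
    for line in alert_lines:
        m = ALERT_RE.search(line)
        if m:
            triggers.append(Trigger("technical", "reactive", "ids",
                                    f"sid {m.group(1)}: {m.group(2)} from {m.group(3)}"))
    return triggers


def proactive_social(entries):
    """Proactive Social: indicators from the cybersecurity partner that could
    become a risk but have not been used against the organisation yet."""
    return [Trigger("social", "proactive", "cyber-partner",
                    f"{e['type']} {e['indicator']} ({e['confidence']} confidence)")
            for e in entries]


def reactive_social(reports):
    """Reactive Social: a staff member reporting a social attack in progress."""
    return [Trigger("social", "reactive", "staff", f"{r['reporter']}: {r['text']}")
            for r in reports]


def owner(trigger):
    """Assumed Risk Treatment owner: IT-Security acts on systems (technical),
    the CISO acts on routines (social)."""
    return "IT-Security" if trigger.aspect == "technical" else "CISO"


def escalation(trigger):
    """Assumed rule: a realised threat justifies the critical meeting the model
    allows a team lead to call; a proactive one waits for the next team meeting."""
    return "critical meeting" if trigger.mode == "reactive" else "next team meeting"


def build_queue(auth_log, ids_alerts, partner_report, staff_reports):
    """Merge all four trigger types and order them: reactive before proactive,
    and within the same mode technical before social."""
    triggers = (proactive_technical(auth_log) + reactive_technical(ids_alerts)
                + proactive_social(partner_report) + reactive_social(staff_reports))
    return sorted(triggers, key=lambda t: (t.mode != "reactive", t.aspect != "technical"))


if __name__ == "__main__":
    for t in build_queue(AUTH_LOG, IDS_ALERTS, PARTNER_REPORT, STAFF_REPORTS):
        print(f"[{t.mode}/{t.aspect}] owner={owner(t)} {escalation(t)}: {t.source}: {t.detail}")
```

The point of the ordering is the one the text makes about priority and speed: a realised threat (IDS alarm, staff report of an ongoing fraud attempt) reaches the Organizational Response Team ahead of a warning, and each trigger already carries the block in the Risk Treatment phase that will own it.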
