Article

Towards data-driven decision support for organizational IT security audits

  • Michael Brunner, Christian Sillaber, Lukas Demetz, Markus Manhart and Ruth Breu

Published/Copyright: 28 July 2018

Abstract

As the IT landscape of organizations increasingly has to comply with various laws and regulations, organizations manage a plethora of security-related data and must verify the adequacy and effectiveness of their security controls through internal and external audits. Existing Governance, Risk and Compliance (GRC) approaches either provide little support for auditors, or are tailored to the needs of auditors and do not fully support the management activities required of the auditee. To address this gap and move towards a holistic solution, a data-driven approach is proposed. Following the design science research paradigm, a data-driven approach for audit data management and analytics was developed that addresses organizational needs as well as the requirements of audit data analytics. We contribute workflow support and associated data models that support auditing and security decision-making processes. The evaluation shows the viability of the proposed IT artifact and its potential to reduce the cost and complexity of security management processes and IT security audits. By developing a model and associated decision support workflows for the entire IT security audit lifecycle, we present a solution for both the auditee and the auditor. This is useful to developers of GRC tools, vendors, auditors and organizational decision makers.


About the authors

Michael Brunner

Michael Brunner holds an MSc in Computer Science from the University of Innsbruck, Austria. He is currently working as a research assistant at the University of Innsbruck, where he works on his PhD focusing on risk-driven workflows in information security and information security risk management. In addition, he investigates the unification of security and safety aspects for cyber-physical systems in the automotive domain as part of an international research project.

Christian Sillaber

Christian Sillaber is a postdoctoral researcher at the University of Innsbruck. He holds a PhD in computer science and a law degree from the University of Innsbruck, Austria. Current research projects focus on compliance and governance in decentralized cryptocurrencies, privacy management and enforcement in systems at scale, and the role of technology in regulatory compliance. He is a member of multiple working groups on blockchain standardization and privacy and an executive committee member of the GI working group on legal informatics.

Lukas Demetz

Lukas Demetz is a lecturer at the University of Applied Sciences FH Kufstein Tirol for “Web Business & Technology” and “Web Communication & Information Systems”. He holds a PhD in Information Systems and an MSc in Computer Science, both from the University of Innsbruck. Before that, Lukas worked as a research assistant at the Department of Information Systems, Production and Logistics Management at the University of Innsbruck. His research focuses on information security and cloud computing.

Markus Manhart

Markus Manhart holds a PhD in Information Systems from the University of Innsbruck, Austria. He worked as a scientific project assistant at the Information Systems Unit of the University of Innsbruck, School of Management, from 2010 until 2016 and was involved in the EU FP7 research projects “PoSecCo” and “Learning Layers”. His primary research focus was on knowledge protection in business networks. He currently works as Salesforce Consultant at Apracor GmbH in Innsbruck.

Ruth Breu

Ruth Breu is head of the Institute of Computer Science of the University of Innsbruck, Austria, and leads the Quality Engineering research group. Her research interests include software engineering, information security, enterprise architecture management, requirements engineering, and model engineering. She received a habilitation (postdoctoral qualification) in computer science from Technische Universität München.


Received: 2018-01-04
Revised: 2018-05-24
Accepted: 2018-05-28
Published Online: 2018-07-28
Published in Print: 2018-08-28

© 2018 Walter de Gruyter GmbH, Berlin/Boston

Downloaded on 23.10.2025 from https://www.degruyterbrill.com/document/doi/10.1515/itit-2018-0002/html