Identifying Security Risk Modules in Information Systems
InSITE 2016 • 2016 • pp. 041-051
We develop a two-stage model for identifying IT system modules with high security risks. In the first phase, we identify the subsystems that pose the highest risk and require further investigation. In the next phase, we identify the high-security-risk modules using a more detailed approach. The output of this model helps managers decide how to invest efficiently in improving the security of their IT system. We describe an application of this model to an IT system in an academic institution in Israel. In the first phase, three of ten subsystems are found to be very risky. In the next phase, we highlight the critical modules within those subsystems. The results of our application in the academic institution indicate that security breaches for the purpose of cheating are a greater threat than other types of security issues.
Information security, risk management, academic institutions, composite risk factor, information technology systems