Introduction
The spread of the internet and the evolution of computing paradigms such as cloud computing expose organizations to cyber security issues. This is due to new vulnerabilities and potential threats that suddenly penetrate the system and disrupt its functions (Abercrombie et al., 2009). Thus, organizations devote a significant part of their financial resources to buying advanced security controls and implementing security mechanisms in order to avoid security problems and preserve the security properties of integrity, availability and confidentiality. According to recent estimates from a Gartner survey, spending on information security services and products is expected to grow from 86.4 billion in 2017 to 98 billion in 2018 (Gartner, 2019). According to the EY Global Information Security Survey (GISS), more than three-quarters (87%) of organizations do not yet have a sufficient budget to provide the levels of cyber security and resilience they want (Kessel, 2019). Hence, implementing expensive security products is not the right solution to curb the rise in attacks and protect the enterprise. Security management and international security standards such as the ISO 27000 series should be applied in enterprises to assess security risks and reduce business investments (Humphreys, 2008). In the security field, these two requirements help security decision makers to better understand security concepts and their relationships, as well as security risk assessment models and their benefits.
The National Institute of Standards and Technology (NIST) defines risk management as “the process of identifying risk, assessing risk, and reducing risk to an acceptable level” (Stoneburner et al., 2002). This process makes it possible to analyze security threats and mitigate the security losses of information systems. In fact, security risk assessment, as a major part of an Information Security Management System (ISMS) (Shameli-Sendi et al., 2016), estimates the risk caused by security issues in order to evaluate the security of organizational information systems (Meriah & Rabai, 2018). The risk concept represents the security harm, damage, injury or loss that is provoked by external or internal vulnerabilities (Garzia & Lambardi, 2018). According to Jouini et al. (2018), risk assessment models focus on identifying potential threats and vulnerabilities, analyze inherent business risks, and provide measures, processes and controls to decrease the impact of these risks on business operations. These assessments help managers to develop mitigation plans, balance the economic and operational costs of security countermeasures, and protect the assets and systems that support their organizations’ mission (Fenz & Neubauer, 2009).
Managing security risks properly represents one of the relevant challenges in every organization. The major problem is the lack of complete information about the security issues, as well as about the controls required to address them (Straub, 1998; Meriah & Rabai, 2019). In this context, security management standards such as the ISO 27000 series are introduced as guidelines that provide security policies, rules and controls, enabling organizations to assess business security and improve the security management process in information systems (Humphreys, 2008). According to Fenz et al. (2016), these standards are widely incorporated in enterprises to identify potential threats, adopt the appropriate controls and ensure security compliance in general.
As examples of international security standards: