探讨保障上下文在系统安全保障评估中的作用:一个概念模型

IF 1.6 Q3 COMPUTER SCIENCE, INFORMATION SYSTEMS Information and Computer Security Pub Date : 2023-10-03 DOI:10.1108/ics-06-2023-0101

Shao-Fang Wen, Basel Katt

{"title":"探讨保障上下文在系统安全保障评估中的作用:一个概念模型","authors":"Shao-Fang Wen, Basel Katt","doi":"10.1108/ics-06-2023-0101","DOIUrl":null,"url":null,"abstract":"Purpose Security assurance evaluation (SAE) is a well-established approach for assessing the effectiveness of security measures in systems. However, one aspect that is often overlooked in these evaluations is the assurance context in which they are conducted. This paper aims to explore the role of assurance context in system SAEs and proposes a conceptual model to integrate the assurance context into the evaluation process. Design/methodology/approach The conceptual model highlights the interrelationships between the various elements of the assurance context, including system boundaries, stakeholders, security concerns, regulatory compliance and assurance assumptions and regulatory compliance. Findings By introducing the proposed conceptual model, this research provides a framework for incorporating the assurance context into SAEs and offers insights into how it can influence the evaluation outcomes. Originality/value By delving into the concept of assurance context, this research seeks to shed light on how it influences the scope, methodologies and outcomes of assurance evaluations, ultimately enabling organizations to strengthen their system security postures and mitigate risks effectively.","PeriodicalId":45298,"journal":{"name":"Information and Computer Security","volume":"34 1","pages":"0"},"PeriodicalIF":1.6000,"publicationDate":"2023-10-03","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":"{\"title\":\"Exploring the role of assurance context in system security assurance evaluation: a conceptual model\",\"authors\":\"Shao-Fang Wen, Basel Katt\",\"doi\":\"10.1108/ics-06-2023-0101\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"Purpose Security assurance evaluation (SAE) is a well-established approach for assessing the effectiveness of security measures in systems. However, one aspect that is often overlooked in these evaluations is the assurance context in which they are conducted. This paper aims to explore the role of assurance context in system SAEs and proposes a conceptual model to integrate the assurance context into the evaluation process. Design/methodology/approach The conceptual model highlights the interrelationships between the various elements of the assurance context, including system boundaries, stakeholders, security concerns, regulatory compliance and assurance assumptions and regulatory compliance. Findings By introducing the proposed conceptual model, this research provides a framework for incorporating the assurance context into SAEs and offers insights into how it can influence the evaluation outcomes. Originality/value By delving into the concept of assurance context, this research seeks to shed light on how it influences the scope, methodologies and outcomes of assurance evaluations, ultimately enabling organizations to strengthen their system security postures and mitigate risks effectively.\",\"PeriodicalId\":45298,\"journal\":{\"name\":\"Information and Computer Security\",\"volume\":\"34 1\",\"pages\":\"0\"},\"PeriodicalIF\":1.6000,\"publicationDate\":\"2023-10-03\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"0\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"Information and Computer Security\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1108/ics-06-2023-0101\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"Q3\",\"JCRName\":\"COMPUTER SCIENCE, INFORMATION SYSTEMS\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"Information and Computer Security","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1108/ics-06-2023-0101","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q3","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}

引用次数: 0

摘要

目的安全保证评估(SAE)是一种公认的评估系统安全措施有效性的方法。然而，在这些评估中经常被忽略的一个方面是执行评估的保证上下文。本文旨在探讨保证上下文在系统sae中的作用，并提出了一个将保证上下文集成到评估过程中的概念模型。设计/方法/方法概念模型强调保证上下文的各种元素之间的相互关系，包括系统边界、涉众、安全问题、法规遵从性和保证假设以及法规遵从性。通过引入所提出的概念模型，本研究提供了一个将保证上下文纳入sae的框架，并提供了如何影响评估结果的见解。独创性/价值通过深入研究保证上下文的概念，本研究试图阐明它如何影响保证评估的范围、方法和结果，最终使组织能够加强其系统安全状态并有效地减轻风险。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

查看原文

微信好友朋友圈 QQ好友复制链接

本刊更多论文

Exploring the role of assurance context in system security assurance evaluation: a conceptual model

Purpose Security assurance evaluation (SAE) is a well-established approach for assessing the effectiveness of security measures in systems. However, one aspect that is often overlooked in these evaluations is the assurance context in which they are conducted. This paper aims to explore the role of assurance context in system SAEs and proposes a conceptual model to integrate the assurance context into the evaluation process. Design/methodology/approach The conceptual model highlights the interrelationships between the various elements of the assurance context, including system boundaries, stakeholders, security concerns, regulatory compliance and assurance assumptions and regulatory compliance. Findings By introducing the proposed conceptual model, this research provides a framework for incorporating the assurance context into SAEs and offers insights into how it can influence the evaluation outcomes. Originality/value By delving into the concept of assurance context, this research seeks to shed light on how it influences the scope, methodologies and outcomes of assurance evaluations, ultimately enabling organizations to strengthen their system security postures and mitigate risks effectively.

求助全文

通过发布文献求助，成功后即可免费获取论文全文。去求助

来源期刊

Information and Computer Security COMPUTER SCIENCE, INFORMATION SYSTEMS-

CiteScore

4.60

自引率

7.10%

发文量

期刊介绍： Information and Computer Security (ICS) contributes to the advance of knowledge directly related to the theory and practice of the management and security of information and information systems. It publishes research and case study papers relating to new technologies, methodological developments, empirical studies and practical applications. The journal welcomes papers addressing research and case studies in relation to many aspects of information and computer security. Topics of interest include, but are not limited to, the following: Information security management, standards and policies Security governance and compliance Risk assessment and modelling Security awareness, education and culture User perceptions and understanding of security Misuse and abuse of computer systems User-facing security technologies Internet security and privacy The journal is particularly interested in receiving submissions that consider the business and organisational aspects of security, and welcomes papers from both human and technical perspective on the topic. However, please note we do not look to solicit papers relating to the underlying mechanisms and functions of security methods such as cryptography (although relevant applications of the technology may be considered).