Συνεργατική πολυκριτηριακή διαχείριση ασφάλειας πληροφοριακών συστημάτων

Ντούσκας, Θεόδωρος Ν.

Doctoral Thesis

Author

Ντούσκας, Θεόδωρος Ν.

Date

2013-03-26

Abstract

Information Security Management is an important governance and administration procedure aiming at the protection of an organization from internal and external risks that could negatively affect the achievement of its operational objectives. Current Information and Communication Systems (ICS) are characterized by growing complexity, distribution, interference and dependency with other ICS and by the plethora of the hosted electronic services. They are called to serve simultaneously several users (internal users, partners and customers), having to face the fierce competition, the economic crisis, and a growing number of different types of spatial and temporal attacks. On the other hand, small and medium sized enterprises (SMEs), where the impacts of the economic crisis are more visible, not having the financial resources and the necessary expertise to become harmonized with security standards, become the weak links for the domestic and the global economy. The existing risk management methodologies and tools are not capable to meet the needs of today's reality. It is essential to enhance the risk management methodologies in order to meet the security needs of today's ICS, implemented in automated, collaborative tools, making them an important asset for their governance. Realizing these weaknesses and needs, this Ph.D. thesis proposes to view the problem of analyzing and managing risk as a multicriteria decision making problem involving many users (managers, administrators, members of the security team and end users) who are asked to solve the following complex decision problems: categorise the importance for the organisation (impact level) of its ICS assets, i.e., physical infrastructure (data centres, computer rooms and buildings), networks, servers, software, services and ICS participants, prioritise the ICS threats (potential causes of unwanted incidents which may result in harm to ICS, prioritise vulnerabilities (weaknesses of an ICS asset(s) that may be exploited by a threat(s), estimate the threat and vulnerability levels, and select the appropriate countermeasures. Each of the above decision problems involves multiple criteria and objectives of conflicting nature including security (integrity, availability and confidentiality), business, cost, technological and legal with respect to all the ICS participants' experiences and preferences. Specifically, by combining multi-criteria group decision-making methodologies a collaborative, multi-criteria risk management methodology (STORM-RM) is proposed, which aims to gather knowledge (which is dispersed among organization users), reducing the time-consuming questionnaires and interviews and saving resources.