Abstract
As organizations increasingly operate, compete, and cooperate in a global context, business processes are also becoming global to propagate the benefits from coordination and standardization across geographical boundaries. In this context, security has gained significance due to increased threats, as well as legislation and compliance issues. This article presents a framework for assessing the security of Internet technology components that support a globally distributed workplace. Four distinct information flow and design architectures are identified based on location sensitivities and placements of the infrastructure components. Using a combination of scenarios, architectures, and technologies, the article presents the framework of a development tool for information security officers to evaluate the security posture of an information system. To aid managers in better understanding their options to improve security of the system, we also propose a three-dimensional representation, based on the framework, for embedding solution alternatives. To demonstrate its use in a real-world context, the article also applies the framework to assess a globally distributed workforce application at a northeast financial institution.
Security analysis of Internet technology components enabling globally distributed workplaces—a framework