Master's Thesis, 2020
86 pages, Grade: 1.0
1 Introduction
2 Theoretical Foundations
2.1 Enterprise Architecture Management
2.2 IT Security
2.3 Information Security Risk Management
2.4 Common Vulnerability Scoring System
2.5 Intersection of Risk Management and Enterprise Architecture
3 Research Design
3.1 Design Science Research
3.2 Literature Review
3.3 Case Study
3.4 Expert Interview
3.5 Unified Modeling Language
3.6 Artifact Evaluation
3.7 Summary of the Research Design
4 Requirements Analysis
4.1 Regulatory Environment in Germany
4.2 Derivations from Literature
4.3 Requirements from Expert Interviews
5 Conception of the ERA Framework
5.1 ERA Process
5.2 ERA Model
5.3 Use Case Scenarios
6 Case Study: Dashboard Artifact for TestBank Inc.
6.1 Development of the Dashboard Artifact
6.2 First Iteration of the Evaluation
6.3 Second Iteration of the Evaluation
7 Conclusion
7.1 Summary of the Results
7.2 Limitations
7.3 Future Research
The objective of this thesis is to develop an assessment framework that enables an automated, comprehensive view of existing IT security risks within the enterprise architecture, thereby reducing the complexity of traditional, silo-based risk management approaches.
5.2.6 Aggregate values to ERA scores on each layer (2b)
Finally, the risk values are aggregated at the respective levels to so-called ERA scores in order to obtain a comprehensive view of the risks within the enterprise.
To determine the ERA score for assets at the technology level, each technology is assigned the maximum CVSS base score among its existing vulnerabilities. In addition, the total number of vulnerabilities that threaten each technology is displayed. The formula for the calculation of the ERA score on the technology level is:
∀ Technology x ∈ Model: E(x) = max( ∀ v ∈ V(x): C(v) )
(with E(x) = ERA score of technology x; C(v) = CVSS base score of vulnerability v; V(x) = vulnerabilities of technology x)
To compute the ERA scores for assets at the application and process level, the ERA score of each asset y on which an asset x depends is multiplied by the impact score of y on x. The maximum of these products forms the interim ERA score of the asset x. The formula for the calculation of the interim ERA score on the application or process level is:
∀ Asset x ∈ Model: E’(x) = max( ∀ y ∈ Y ∧ d(x,y) == true: E(y) * IS(x,y) )
(with E’(x) = interim ERA score of asset x; IS(x,y) = impact score from y on x; d(x,y) = x is dependent on y; Y = list of all applications and processes)
To determine the ERA score for assets at the application or process level, the interim ERA score of the asset x is multiplied by a multiplier for protection needs. This multiplier is 1.0 for standard protection needs, 1.25 for high protection needs and 1.5 for very high protection needs. The ERA score must not exceed 10. The formula for the calculation of the ERA score on the application or process level is:
∀ Asset x ∈ Model: E(x) = min( E’(x) * M(x), 10 )
(with E(x) = ERA score of asset x; E’(x) = interim ERA score of asset x; M(x) = multiplier for protection requirements)
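The three aggregation steps above, implemented on a constructed sample model as an added example (this is not code from the thesis or its dashboard prototype). The model data, the asset names and the impact-score range [0, 1] are assumptions; so is letting applications depend directly on technologies, which the text requires for scores to propagate upwards from the technology layer.

```python
# Added example, not code from the thesis: the ERA score aggregation of
# section 5.2.6 run on a constructed sample model. Assumptions: IS(x, y) lies in
# [0, 1]; applications and processes may also depend on technologies; the
# dependency graph is acyclic (a cycle is reported instead of recursing forever).

MULTIPLIER = {"standard": 1.0, "high": 1.25, "very high": 1.5}  # M(x)

# Constructed sample data: each technology lists the CVSS base scores C(v) of its
# vulnerabilities V(x); each higher-layer asset has a protection need and the
# impact score IS(x, y) of every asset y it depends on.
TECHNOLOGIES = {
    "tech_os": [7.5, 9.8],
    "tech_db": [5.3],
    "tech_web": [],  # no known vulnerabilities
}
ASSETS = {
    "app_core": ("high", {"tech_os": 0.7, "tech_db": 0.8}),
    "app_portal": ("standard", {"tech_web": 1.0, "app_core": 0.6}),
    "proc_payment": ("very high", {"app_core": 1.0, "app_portal": 0.5}),
}

def technology_score(name, technologies=TECHNOLOGIES):
    """E(x) on technology level: max CVSS base score, 0.0 without vulnerabilities."""
    return max(technologies[name], default=0.0)

def vulnerability_count(name, technologies=TECHNOLOGIES):
    """Number of vulnerabilities displayed next to the technology's ERA score."""
    return len(technologies[name])

def era_score(name, technologies=TECHNOLOGIES, assets=ASSETS, _path=()):
    """E(x) for an asset on any layer; recursion walks the dependency graph down."""
    if name in _path:
        raise ValueError("dependency cycle: " + " -> ".join(_path + (name,)))
    if name in technologies:
        return technology_score(name, technologies)
    need, deps = assets[name]
    # E'(x) = max over all y with d(x, y) of E(y) * IS(x, y)
    interim = max(
        (era_score(y, technologies, assets, _path + (name,)) * impact
         for y, impact in deps.items()),
        default=0.0,
    )
    return min(interim * MULTIPLIER[need], 10.0)  # E(x) = min(E'(x) * M(x), 10)

def all_scores(technologies=TECHNOLOGIES, assets=ASSETS):
    """ERA score for every asset on every layer, as a dashboard would show it."""
    return {n: era_score(n, technologies, assets)
            for n in list(technologies) + list(assets)}
```

With the sample data, `all_scores()` yields 8.575 for app_core (6.86 interim times the 1.25 multiplier), 5.145 for app_portal, and the capped value 10.0 for proc_payment, whose interim score of 8.575 times 1.5 would otherwise exceed the maximum.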
1 Introduction: Discusses the motivation for integrating enterprise architecture and risk management to mitigate complex IT security threats, stating the research objective and thesis structure.
2 Theoretical Foundations: Provides an overview of enterprise architecture management, IT security, information security risk management, and the CVSS industry standard.
3 Research Design: Introduces the Design Science Research (DSR) paradigm as the foundation for the thesis, outlining methods like literature review, case studies, and expert interviews.
4 Requirements Analysis: Identifies legal requirements in Germany and gathers functional and non-functional requirements for the proposed artifact through expert input.
5 Conception of the ERA Framework: Details the proposed ERA framework, including its process model (top-down modeling and bottom-up assessment) and its calculation model.
6 Case Study: Dashboard Artifact for TestBank Inc.: Describes the prototypical implementation of the ERA framework in a banking environment, including system design and two iterations of evaluation.
7 Conclusion: Summarizes the thesis findings, discusses limitations regarding the framework's scope, and suggests directions for future research.
Enterprise Architecture Management, IT Security, Risk Management, Risk Assessment, ERA Framework, Dashboard Prototype, Design Science Research, CVSS, Cybersecurity, Enterprise Architecture, Information Security, Vulnerability Assessment, IT Risk, Case Study, Banking Sector
The research focuses on overcoming the limitations of silo-based IT risk management by integrating it with enterprise architecture management (EAM) to achieve a comprehensive, automated view of organizational IT security risks.
The work covers enterprise architecture management, IT security frameworks, information security risk assessment, and the design and implementation of dashboard-based software artifacts.
The primary goal is to develop an automated assessment framework (the ERA framework) that enables stakeholders to identify, monitor, and assess IT security risks across different layers of an enterprise architecture.
The thesis utilizes the Design Science Research (DSR) paradigm, employing iterative development and evaluation through literature reviews, expert interviews, and a real-world case study.
The main body details the theoretical background, the requirements gathering process, the specific design of the ERA framework, and the technical development of a dashboard prototype validated through two evaluation cycles.
Key terms include Enterprise Architecture Management, IT security risk assessment, ERA framework, DSR, dashboard development, vulnerability analysis, and EAM-based risk integration.
The framework uses an automated, bottom-up aggregation logic based on CVSS scores of technologies, multiplied by dependency impact scores and adjusted by organizational protection requirement multipliers.
The prototype demonstrates the practical utility and feasibility of the ERA framework, providing a visual tool for stakeholders to analyze interdependencies and risk scores within their IT landscape.