ارائه الگویی برای مدیریت مخاطرات امنیت اطلاعات در راستای یکپارچه‌سازی با مدل‌های فرآیند کسب‌وکار در بانک‌ها و مؤسسات اعتباری

نوع مقاله : مقاله پژوهشی

نویسندگان

1 دانشجوی دکتری، گروه مدیریت فناوری اطلاعات، دانشکده مدیریت، واحد همدان، دانشگاه آزاد اسلامی، همدان، ایران

2 استادیار،گروه مدیریت فناوری، دانشکده مدیریت و اقتصاد، واحد علوم و تحقیقات، دانشگاه آزاد اسلامی، تهران، ایران

3 دانشجوی دکتری، گروه مدیریت فناوری اطلاعات، دانشکده مدیریت، واحد بین‌المللی کیش، دانشگاه آزاد اسلامی، کیش، ایران

چکیده

فرآیند های کسب ‌وکار سنگ بنای بانک‌ها و مؤسسات مالی در نظر گرفته می‌شوند، اما به طور فزاینده ای در کانون توجه حملات قرار می گیرند. در جهت کاهش حملات سایبری به خصوص حملاتی که دربرگیرنده فرایندهای حیاتی کسب‌ وکار هستند، باید در طراحی فرآیند های کسب ‌وکار، مخاطرات امنیت اطلاعات در نظر گرفته شود. در این مقاله، الگویMARISMA-BP (MARISMA برای کسب‌وکار) پیشنهاد شده که یک الگوی برای ارزیابی و مدیریت مخاطرات امنیت اطلاعات برای مدل‌های فرآیند کسب‌وکار است. برای نشان دادن قابلیت کاربرد الگوی پیشنهادی، الگوی MARISMA-BP برای یک سناریوی فرآیند کسب‌ و کار در بانک اعمال شده است. براساس یافته‌های الگوی MARISMA-BP، تلاقی این مراحل و استراتژی‌ های مدیریت مخاطرات امنیت اطلاعات با فرآیند های کسب‌وکار در بانک‌ها و مؤسسات مالی، به ارتقاء امنیت اطلاعات و کاهش مخاطرات کمک می ‌کند و در نهایت به افزایش اعتماد مشتریان و سایر ذی ‌نفعان درونی و بیرونی و پایداری کسب‌وکار منجر می ‌شود.

کلیدواژه‌ها

مراجع

      -        Pérez-Álvarez JM, Maté A, Gómez-López MT, Trujillo J. Tactical businessprocess-decision support based on KPIs monitoring and validation. Comput Ind 2018;102:23–39. http://dx.doi.org/10.1016/j.compind.2018.08.001.
-    Micro T. Business process compromise (BPC). Tech. Rep., California, USA: Trend Micro Forward-Looking Threat Research (FTR) Team; 2017, Accessed: 2023-25-07.
-    Lord Remorin RF, Matsukawa B. Tracking trends in business email compromise (BEC) schemes. Tech. Rep., California, USA: Trend Micro Forward-Looking Threat Research (FTR) Team; 2018, Accessed: 2023-25-07.
-    Ross R, Pillitteri V, Graubart R, Bodeau D, McQuaid R. Developing cyber resilient systems: a systems security engineering approach. Tech. Rep., Maryland, USA: National Institute of Standards and Technology; 2019, http://dx.doi.org/10. 6028/NIST.SP.800-160v2r1.
-    NIST Special Publication 800-37. Risk management framework for information systems and organizations: A system life cycle approach for security and privacy. Tech. Rep., Gaithersburg, MD: National Institute of Standards and Technology; 2018, http://dx.doi.org/10.6028/NIST.SP.800-37r2.
-    Bakhtina M, Matulevičius R, Seeba M. Tool-supported method for privacy analysis of a business process model. J Inf Secur Appl 2023;76:103525. http: //dx.doi.org/10.1016/j.jisa.2023.103525, URL https://www.sciencedirect.com/ science/article/pii/S2214212623001096.
-    Shameli-Sendi A. An efficient security data-driven approach for implementing risk assessment. J Inf Secur Appl 2020;54:102593. http://dx.doi.org/10.1016/j.jisa.2020.102593, URL https://www.sciencedirect.com/science/article/pii/S2214212620307614.
-    Turskis Z, Goranin N, Nurusheva A, Boranbayev S. Information security risk assessment in critical infrastructure: A hybrid MCDM approach. Informatica (Ljubl) 2019;30(1):187 211. http://dx.doi.org/10.15388/Informatica.2019.203.
-    Sun H, Xie X. Threat evaluation method of warships formation air defense based on AR(p)-DITOPSIS. J Syst Eng Electron 2019;30(2):297. http://dx.doi.org/10. 21629/JSEE.2019.02.09.
-    Suriadi S, Weiss B, Winkelmann A, ter Hofstede A, Adams M, Conforti R, Fidge C, Rosa ML, Ouyang C, Pika A, Rosemann M, Wynn M. Current research in risk-aware business process management - overview, comparison, and gap analysis. Communications of the Association for Information Systems 2014;34:933–84. http://dx.doi.org/10.17705/1CAIS.03452, URL http://eprints. qut.edu.au/50606/.
-    Varela-Vaca AJ, Parody L, Gasca RM, Gomez-Lopez MT. Automatic verification and diagnosis of security risk assessments in business process models. IEEE Access 2019;7:26448–65. http://dx.doi.org/10.1109/ACCESS.2019.2901408.
-    Griffor E, Wollman D, Greer C. Framework for cyber-physical systems: Volume 1, overview. Tech. Rep., Gaithersburg, MD: National Institute of Standards andTechnology; 2017, http://dx.doi.org/10.6028/NIST.SP.1500-201.
-    Wulff A, Wunck C. Integration of business process management and big data technologies. In: International conference on industrial engineering and operations management. 2016, p. 8–10. http://dx.doi.org/10.46254/AN06. 20160061.
-    Janiesch C, Koschmider A, Mecella M, Weber B, Burattin A, Di Ciccio C, et al. The internet of things meets business process management: A manifesto. IEEE Syst Man Cybern Mag 2020;6(4):34–44. http://dx.doi.org/10.1109/MSMC.2020.3003135.
-    Bazan P, Estevez E. Industry 4.0 and business process management: state of the art and new challenges. Bus Process Manag J 2021;28(1):62–80. http: //dx.doi.org/10.1108/bpmj-04-2020-0163.
-    Pan L, Tomlinson A. A systematic review of information security risk assessment. Int J Saf Secur Eng 2016;6(2):270–81. http://dx.doi.org/10.2495/SAFE-V6-N2- 270-281.
-    Marcinkowski B, Kuciapski M. A business process modeling notation extension for risk handling. In: Cortesi A, Chaki N, Saeed K, Wierzchoń S, editors. Computer information systems and industrial management. Berlin, Heidelberg: Springer Berlin Heidelberg; 2012, p. 374–81. http://dx.doi.org/10.1007/978-3-642-33260-9_32.
-    Abioye TE, Arogundade OT, Misra S, Adesemowo K, Damasevicius R. Cloud-based business process security risk management: A systematic review, taxonomy, and future directions. Computers 2021;10(12). http://dx.doi.org/10.3390/ computers10120160.
-    Aleksandrov MN, Vasiliev VA, Aleksandrova SV. Implementation of the riskbased approach methodology in information security management systems. In: 2021 international conference on quality management, transport and information security, information technologies (IT QM IS). 2021, p. 137–9. http://dx.doi.org/ 10.1109/ITQMIS53292.2021.9642767.
-    Alshawabkeh M, Li X, Sullabi M. New information security risk management framework as an integral part of project life cycle. In: Proceedings of the 2019 5th international conference on humanities and social science research (ICHSSR 2019). Paris, France: Atlantis Press; 2019, p. 133–9. http://dx.doi.org/10.2991/ ichssr-19.2019.24.
-    Javaid MI, Iqbal MMW. A comprehensive people, process and technology (PPT) application model for information systems (IS) risk management in small/medium enterprises (SME). In: 2017 international conference on communication technologies (ComTech). 2017, p. 78–90. http://dx.doi.org/10.1109/ COMTECH.2017.8065754.
-    Alhawari S, Karadsheh L, Nehari Talet A, Mansour E. Knowledge-Based Risk Management framework for Information Technology project. Int J Inf Manage 2012;32(1):50–65. http://dx.doi.org/10.1016/j.ijinfomgt.2011.07.002.
-    Zambon E, Etalle S, Wieringa RJ, Hartel P. Model-based qualitative risk assessment for availability of IT infrastructures. Softw Syst Model 2011;10(4):553–80. http://dx.doi.org/10.1007/s10270-010-0166-8.
-    Argyropoulos N, Mouratidis H, Fish A. Enhancing secure business process design with security process patterns. Softw Syst Model 2020;19(3):555–77. http://dx. doi.org/10.1007/S10270-019-00743-Y/FIGURES/16, URL https://link.springer.com/article/10.1007/s10270-019-00743-y.
-    Adebukola, A. A., Navya, A. N., Jordan, F. J., Jenifer, N. J., & Begley, R. D. (2020). Cyber security as a threat to health care. Journal of Technology and Systems, 4(1), 32-64.
-    Samuel O,D, Adedolapo Omotosho, Odunayo Josephine Akindote, Abimbola Oluwatoyin Adegbite4, & Sarah Kuzankah Ewuga ,CYBERSECURITY RISK ASSESSMENT IN BANKING: METHODOLOGIES AND BEST PRACTICES, Computer Science & IT Research Journal, Volume 4, Issue 3, December 2023 ,DOI: 10.51594/csitrj.v659
-    Rosado DG, Moreno J, Sánchez LE, Santos-Olmo A, Serrano MA, Fernández- Medina E. MARISMA-BiDa pattern: Integrated risk analysis for big data. Comput Secur 2021;102:102155. http://dx.doi.org/10.1016/j.cose.2020.102155.
-    Rosado DG, Santos-Olmo A, Sánchez LE, Serrano MA, Blanco C, Mouratidis H, et al. Managing cybersecurity risks of cyber-physical systems: The MARISMA-CPS pattern. Comput Ind 2022;142:103715. http://dx.doi.org/10.1016/j.compind. 2022.103715.
-    E. Indriasari, H. Prabowo, F. Gaol, and B. Purwandari, "Digital Banking: Challenges, Emerging Technology Trends, and Future Research Agenda," Int. J. E Bus. Res., vol. 18, pp. 1-20, 2022, doi: 10.4018/ijebr.309398.
-    B. Balkan, "Impacts of Digitalization on Banks and Banking," in Digital Transformation in Industry, pp. 33-50, 2021, doi: 10.1007/978-981-33-6811-8_3.
-    M. Tashtamirov, "Financial Innovation and Digital Technology in the Banking System: An Institutional Perspective," SHS Web of Conferences, 2023, doi: 10.1051/shsconf/202317202004.
-    L. Wewege, J. Lee, and M. Thomsett, "Disruptions and Digital Banking Trends," Journal of Applied Finance and Banking, vol. 10, pp. 1-2, 2020.
-    R. Sebti, "BANKING IN THE DIGITAL AGE: ISSUES AND CHALLENGES," RIMAK International Journal of Humanities and Social Sciences, 2022, doi: 10.47832/2717-8293.18.12.
-    S.B Nuthalapati, “AI-Enhanced Detection and Mitigation of Cybersecurity Threats in Digital Banking”, 2023, Doi: 10.53555/kuey.v29i1.6908.
-    S.O. Dawodu, A.Omotosho, O. J. Akindote ,A.O.Adegbite, S.K.Ewuga, “Current Research in Risk-aware Business Process Management―Overview, Comparison, and Gap Analysis”, Volume 4, Issue 3, P.220-243, December 2023,DOI: 10.51594/csitrj.v659
-    Magerit. Magerit_v3: Methodology for information systems risk analysis and management. Tech. Rep., Ministry of Public Administration; 2012, URL https://administracionelectronica.gob.es/pae_Home/pae_Documentacion/pae_Metodolog/pae_Magerit.html.
-    Caralli RA, Stevens JF, Young LR, Wilson WR. Introducing octave allegro: Improving the information security risk assessment process. Tech. Rep., Pittsburgh PA, USA: Carnegie-Mellon Univ Pittsburgh PA Software Engineering Inst; 2007,http://dx.doi.org/10.1184/R1/6574790.v1.
-    Klipper S. ISO/IEC 27005. In: Information security risk management: risikomanagement mit ISO/IEC 27001, 27005 und 31010. Wiesbaden: Vieweg+Teubner; 2022, p. 63–97. http://dx.doi.org/10.1007/978-3-8348-9870-8_3.
-    ISO/IEC 21827:2008. Information technology — Security techniques — Systems Security Engineering — Capability Maturity Model® (SSE-CMM®). Tech. Rep., International Organization for Standardization & International Electrotechnical Commission; 2008, https://www.iso.org/standard/44716.html.
-    De Haes S, Van Grembergen W, Joshi A, Huygh T. COBIT as a framework for enterprise governance of IT. In: Enterprise governance of information technology:achieving alignment and value in digital organizations. Cham: Springer International Publishing; 2020, p. 125–62. http://dx.doi.org/10.1007/978-3-030-25918-1_5.
-    Ross M, Jara AJ, Cosenza A. Baseline security recommendations for IoT in the context of critical information infrastructures. Tech. Rep., (November). European Union Agency For Network And Information Security; 2017, http://dx.doi.org/10.2824/03228.
-    NIST Special Publication 800-37. Risk management framework for information systems and organizations: A system life cycle approach for security and privacy. Tech. Rep., Gaithersburg, MD: National Institute of Standards and Technology;2018, http://dx.doi.org/10.6028/NIST.SP.800-37r2.
-    ISO/IEC 27002:2022. Information security, cybersecurity and privacy protection — Information security controls. Tech. Rep., https://www.iso.org/standard/75652.html: International Organization for Standardization & International Electrotechnical Commission; 2022.
-    ISO/IEC 27002:2022 - "Information security, CyberSecurity and Privacy Protection- Information Security Control”, https://www.iso.org/standard/75652.html.
-    NIST Special Publication 800-53rev5. Security and privacy controls for information systems and organizations. Tech. Rep., National Institute of Standards and Technology; 2020, http://dx.doi.org/10.6028/NIST.SP.800-53r5.
-    Goettelmann E, Dahman K, Gateau B, Dubois E, Godart C. A security risk assessment model for business process deployment in the cloud. In: 2014 IEEE international conference on services computing. 2014, p. 307–14. http://dx.doi. org/10.1109/SCC.2014.48.
-    Hariyanti E, Djunaidy A, Siahaan DO. A conceptual model for information security risk considering business process perspective. In: 2018 4th international conference on science and technology. ICST, 2018, p. 1–6. http://dx.doi.org/10.1109/ICSTC.2018.8528678.
-    Santos-Olmo A, Sánchez L, Rosado D, Fernández-Medina E, Piattini M. Applying the action-research method to develop a methodology to reduce the installation and maintenance times of information security management systems. Future Internet 2016;8(3):36. http://dx.doi.org/10.3390/fi8030036, URL http://www.mdpi.com/1999-5903/8/3/36.
-    ISO/IEC TR 15443-1:2012. Information technology – Security techniques – Aframework for IT security assurance – Part 1: Overview and framework. 2012,URL https://www.iso.org/standard/59138.html.
-    Vilarinho S, Mira da Silva M. Risk management model in ITIL. In: Cruz-Cunha MM, Varajão Ja, Trigo A, editors. Sociotechnical enterprise information systems design and integration. Hershey, PA, USA: IGI Global; 2013, p. 207–14.http://dx.doi.org/10.4018/978-1-4666-3664-4.ch013.
-    Cebula J, Popeck M, Young L. A taxonomy of operational cyber security risks version 2. Tech. Rep. CMU/SEI-2014-TN-006, Pittsburgh, PA: Software Engineering Institute, Carnegie Mellon University; 2014, http://dx.doi.org/10. 1184/R1/6571784.v1.
-    Marinos L. ENISA threat taxonomy: A tool for structuring threat information. Initial report. Tech. Rep., (January):European Union Agency For Network And Information Security; 2016, p. 1–24, URL https://www.enisa.europa.eu/topics/threat-risk-management/threats-andtrends/ enisa-threat-landscape/threat-taxonomy/view.
-    Marinos L, Lourenço M. ENISA threat landscape report 2018: 15 top cyberthreats and trends. European Union Agency for Network and Information Security (ENISA); 2019, URL https://www.enisa.europa.eu/publications/enisathreat-landscape-report-2018/at_download/fullReport.
-    Barnum MS. Common attack pattern enumeration and classification (CAPEC) schema. Tech. Rep., Dulles, VA: Department of Homeland Security; 2008, URL https://capec.mitre.org/documents/documentation/CAPEC_Schema_Description_v1.3.pdf.
-    Hacks S, Lagerström R, Ritter D. Towards automated attack simulations of BPMN-based processes. In: 2021 IEEE 25th international enterprise distributed object computing conference. EDOC, 2021, p. 182–91. http://dx.doi.org/10. 1109/EDOC52215.2021.00029.
-    Cherdantseva Y, Hilton J. A reference model of information assurance amp; security. In: 2013 international conference on availability, reliability and security. 2013, p. 546–55. http://dx.doi.org/10.1109/ARES.2013.72.
-    Salnitri M, Dalpiaz F, Giorgini P. Designing secure business processes with SecBPMN. Softw Syst Model 2017;16(3):737–57. http://dx.doi.org/10.1007/ s10270-015-0499-4.
-    Chinosi M, Trombetta A. BPMN: An introduction to the standard. Comput Stand Interfaces 2012;34(1):124–34. http://dx.doi.org/10.1016/j.csi.2011.06.002.
-    Aagesen G, Krogstie J. BPMN 2.0 for modeling business processes. In: vom Brocke J, Rosemann M, editors. Handbook on business process management 1: introduction, methods, and information systems. Berlin, Heidelberg: Springer Berlin Heidelberg; 2015, p. 219–50. http://dx.doi.org/10.1007/978-3-642-45100-3_10.
-    Zarour K, Benmerzoug D, Guermouche N, Drira K. A systematic literature review on BPMN extensions. Bus Process Manag J 2019;26(6):1473–503. http://dx.doi.org/10.1108/BPMJ-01-2019-0040.
-    Salnitri M, Dalpiaz F, Giorgini P. Designing secure business processes with SecBPMN. Softw Syst Model 2017;16(3):737–57. http://dx.doi.org/10.1007/s10270-015-0499-4.
-    Antunes P, Mourão H. Resilient Business Process Management: Framework and services. Expert Syst Appl 2011;38(2):1241–54. http://dx.doi.org/ 10.1016/j.eswa.2010.05.017, URL https://linkinghub.elsevier.com/retrieve/pii/S0957417410004288.
-    Zahoransky RM, Koslowski T, Accorsi R. Toward resilience assessment in business process architectures. In: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), 8696 LNCS, Springer Verlag; 2014, p. 360–70. http://dx.doi.org/10.1007/978-3- 319-10557-4_39/COVER, URL https://link.springer.com/chapter/10.1007/978- 3-319-10557-4_39
مطالعات مدیریت بحران
دوره 17، شماره 1
فصلنامه بهار
خرداد 1404
صفحه 123-171

فایل ها

سابقه مقاله

  • تاریخ دریافت: 12 دی 1403
  • تاریخ بازنگری: 15 اردیبهشت 1404
  • تاریخ پذیرش: 29 اردیبهشت 1404

هم رسانی

ارجاع به این مقاله

آمار