A new comprehensive framework for enterprise information security risk management


Abstract

With the widespread use of e-transactions in enterprises, information security risk management (ISRM) is becoming essential for establishing a safe environment for their activities. This paper presents a comprehensive ISRM framework that enables the effective establishment of the target safe environment. The framework has two structural dimensions and two procedural dimensions. The structural dimensions are the ISRM “scope” and the ISRM “assessment criteria”, while the procedural dimensions are the ISRM “process” and the ISRM “assessment tools”. The framework uses the comprehensive STOPE (strategy, technology, organization, people, and environment) view for the ISRM scope, while its assessment criteria are left open to various standards. For the procedural dimensions, the framework uses the widely known six-sigma DMAIC (define, measure, analyze, improve, and control) cycle for the ISRM process, and it considers the use of various assessment tools. It is hoped that the framework will be widely used in the future as an open reference for ISRM.

Citation (APA)

Saleh, M. S., & Alfantookh, A. (2011). A new comprehensive framework for enterprise information security risk management. Applied Computing and Informatics, 9(2), 107–118. https://doi.org/10.1016/j.aci.2011.05.002
