Information security risk assessment using survival analysis technique for the Malaysian public sector data centers
The increase in information security threats and the resulting demand for more robust online services necessitates that the Malaysian Government takes relevant measures to better protect its Critical National Information and Communications Technology Infrastructure (CNII) to ensure business and serv...
Saved in:
| Main Author: | |
|---|---|
| Format: | Thesis |
| Language: | English |
| Published: |
2021
|
| Subjects: | |
| Online Access: | http://eprints.utm.my/106998/1/Inthrani%20ShammugamPFTIR2021.pdf http://eprints.utm.my/106998/ http://dms.library.utm.my:8080/vital/access/manager/Repository/vital:156360?site_name=GlobalView&query=Information+security+risk+assessment+using+survival+analysis+technique+for+the+Malaysian+public+sector+data+centers&queryType=vitalDismax |
| Tags: |
Add Tag
No Tags, Be the first to tag this record!
|
| Summary: | The increase in information security threats and the resulting demand for more robust online services necessitates that the Malaysian Government takes relevant measures to better protect its Critical National Information and Communications Technology Infrastructure (CNII) to ensure business and services continuity. Thus, the Malaysian Public Sector needs to adopt a suitable risk assessment methodology to effectively protect the critical Information and Communication Technology (ICT) assets, primarily housed in data centers. However, selecting a suitable risk assessment methodology out of the plethora currently available is a challenge as the majority only provide very high level guidelines and most use the qualitative approach, which gives inaccurate results, needs repetitive efforts, is tedious, and time consuming. This research aims to develop a comprehensive method, covering all critical ICT assets systematically with standard detailed guidelines of risk assessment approach to identify, analyse as well as evaluate the risks associated with data centers. The proposed risk assessment approach will use the survival analysis technique, which is proven to be a reliable and effective method in predicting potential hazards of covariates accurately, for the subjects under observation and in compliance with the international standards ISO27005: Information Security Risk Management and ISO27001: Information Security Management System Requirements. The study employed the exploratory sequential mixed methods design methodology for the overall data collection, where qualitative and quantitative data were collected in Phase 1 and Phase 2 respectively. In Phase 2, the study took advantage of the medical research design approach and adopted the retrospective cohort study to collect historical data related to data center security incidents over two years, in a selected organization, and applied the survival analysis technique to analyse the collected data using the Cox Proportional Hazard model and the Counting Process layout format as well as the R statistical method, which led to the identification of 20 information security threats. The survival analysis technique was tested for its reliability using data sets of different sizes and was validated as the results had negligible disparity. These results were also consistent with two previous studies in two different environments, a health care system in a traditional environment and a cloud computing environment with a similarity in identifying information security threats of 91% and 69% respectively. The proposed risk assessment approach using the survival analysis technique was applied in a prominent organization and successfully identified the potential threats, their risk levels and significances, which helped them to prioritise the risks as well as focus on the important mitigation plans and optimise the resources. Thus, this study is expected to significantly contribute in identifying and mitigating risks associated with data centers, and safeguarding the government’s critical ICT assets effectively. In addition, the study has successfully identified the potential information security threats often encountered by the Malaysian Public Sector data centers. This will help the ICT security officers to implement suitable control measures to prevent any untoward incident or minimise the adverse impact to ensure a safe and secured environment to conduct business and service delivery in their organizations. The study also enhances the risk assessment body of knowledge with a thoroughly researched, developed and tested risk assessment methodology to assess and predict potential information security risks for the data center environment. |
|---|