The Classification of Information Assets and Risk Assessment: An Exploratory Study using the Case of C-Bank

Patrick S. Chen (Department of Information Management, Tatung University, Taipei, Taiwan), David C. Yen (School of Economics and Business, SUNY at Oneonta, Oneonta, NY, USA) and Shu-Chiung Lin (Department of Information Management, Tatung University, Taipei, Taiwan)
Copyright: © 2015 |Pages: 29
DOI: 10.4018/JGIM.2015100102

Abstract

Many information systems incidents result from inadequate protection of information assets. Asset classification and risk assessment procedures help to identify the risks associated with information systems and so support better security control. In the banking industry, prior research is rather scarce because of the need to maintain confidentiality. The purpose of this study is to develop an approach for classifying the information assets of financial institutions and assessing their corresponding risks. The Delphi method was adopted, and questionnaires based on the guidelines of the well-recognized ISO/IEC 27001 standard were developed. A total of 99 information assets subject to security breaches were chosen for risk assessment, and a panel of seven experts was invited to complete the questionnaires. A model for calculating a risk index on an exponential scale of 9 grades is then proposed. The results reveal that three types of information assets exposed to a high level of risk warrant special protection. The experts also make security enhancement suggestions for the assets with a risk grade ? 6. By enriching the research literature on the risk assessment of information assets in the banking industry, the results of this study provide a valuable reference for both academia and security practitioners.
1. Introduction

In today's information age, information technology (IT) security is becoming increasingly important, since most activities that formerly took place in the workplace have moved to cyberspace (Coles and Hodgkinson, 2008). Most companies in general, and financial institutions in particular, have deployed various information technologies and applications to carry out their operations and have adopted comprehensive security measures to protect their systems (Chen, Kataria, and Krishna, 2011). Weak protection of information assets can lead to serious problems such as financial loss, suspended operations, and declining trust, and consequently leaves the organization exposed to high risk. For this reason, information asset security is an important topic that deserves special attention.

In recent years we have seen numerous information security incidents, many of which involved attempts to acquire banking information for illegal profit and hence led to increased business risk and lost revenue (Salmela, 2008). For example, in 2008 Heartland Payment Systems in the USA was hit by a data security breach in which malware disclosed credit card data, and 94 million credit card accounts were affected (Acohido, 2009). The TJX security breach is another compelling case that supports the need for information systems asset classification and risk assessment (Haggerty, 2008). The attackers gained access to in-store kiosks, used USB drives to load software onto those terminals, and turned them into remote terminals connected to TJX's intranet. This case raises a serious issue: the lack of physical security for on-site IT assets.

As information security incidents keep pouring in, information system risk assessment has become a topic of research interest (Budgen, 1992; Chen, Kataria, and Krishna, 2011; Keil, Cule, Lyytinen, and Schmidt, 1998; Yang, Shieh, and Tzeng, 2011; Chen, Lin, Li, and Shi, 2008). Classification of information assets may be regarded as the first step toward successful risk control. According to Special Publication 800-53 of the National Institute of Standards and Technology (NIST), risk management may begin with the categorization of information systems. However, the classification of information assets in the financial industry is seldom addressed in the current research literature. To bridge this gap, this study develops a methodology for classifying information assets and modeling their associated risks in the financial industry, based on well-defined security standards in this field.

To analyze information security risks, both quantitative and qualitative methods should be developed (Karabacak and Sogukpinar, 2005). This study performs an in-depth investigation to classify various information assets and to assess the risks associated with them. Useful measures that can be adopted to improve security control over high-risk assets are suggested in order to avoid the recurrence of incidents. Further, the Delphi method is employed to collect and analyze data for the case of a representative mid-sized domestic bank, C-Bank (an acronym used for confidentiality), with total deposits of about US$100 billion. To frame the discussion, the computing environment of C-Bank is introduced in Figure 1, which shows that the only entry point to the bank's intranet is via a T3 connection.

Figure 1. Computing environment of C-Bank

The contribution of this study includes, but is not limited to, the following three items.
