IT Security Risk Management Model for Handling IT-Related Security Incidents: The Need for a New Escalation Approach

Gunnar Wahlgren (Stockholm University, Sweden) and Stewart James Kowalski (Norwegian University of Science and Technology, Norway)
Copyright: © 2018 | Pages: 23
DOI: 10.4018/978-1-5225-5583-4.ch005

Abstract

Managing IT-related security incidents is an important issue facing many organizations in Sweden and around the world. To deal with this growing problem, the authors have used a design science approach to develop an artifact to measure different organizations' capabilities and maturity to handle IT-related security incidents. In this chapter, an escalation maturity model (artifact) is presented, which has been tested on several different Swedish organizations. The participating organizations come from both the private and public sectors, and all organizations handle critical infrastructure, which can be damaged if an IT-related security incident occurs. Organizations had the opportunity to evaluate the actual model itself and also to test the model by calculating the organization's escalation capability using a query package for self-assessment.

Chapter Preview

In this work, the term IT security risk is used to distinguish it from other business risks such as investment risk, credit risk, market risk, and environmental risk. The National Institute of Standards and Technology (NIST) (2002) has proposed the following definition of risk: “Risk is a function of the likelihood of a given threat-source’s exercising a particular potential vulnerability and the resulting impact of that adverse event on the organization” (p. 8). Given this definition, IT security risks are then defined as adverse events affecting the IT systems of an organization.

All organizations today have some kind of information system (IS) based on information technology (IT). Organizations are exposed to different threats from both inside and outside. These threats can be avoided with the help of countermeasures of different kinds. However, it is difficult to justify spending effort on countermeasures for an IT system that has little business impact for the organization. To assist organizations in finding the right mix of countermeasures, several IT security risk management methods and tools have been developed.
