Abstract
Information security risk management (ISRM) is a business principle that is becoming
more important for organisations because of external factors such as governmental
regulation. Since due diligence in ISRM is now required by law, organisations have to
ensure that risk information is adequately communicated to the appropriate parties.
Organisations can have numerous managerial levels, each of which has specific
functions related to ISRM. The approaches of each level differ and this makes a
cohesive ISRM approach throughout the organisation a daunting task.
The task is compounded by the specific risk management requirements imposed on
strategic and tactical level management. Tactical level management has to meet these
requirements by instituting processes that can deliver what is required, and those
processes in turn are executed by operational level management. However, the
approaches available at each managerial level differ in terminology, concepts and
scope, which makes it impossible to communicate and consolidate information from the
lower organisational levels to top level management.
This dissertation addresses the ISRM communication challenge through a
systematic and structured solution. ISRM and related concepts are defined to
provide a solid foundation for ISRM communication. The need for and institutions
that impose risk management requirements are evaluated. These requirements
are used to guide the solution for ISRM communication.
At strategic level, governmental requirements from various countries are evaluated
and used as the goals of the communication processes. Different approaches at
tactical and operational level are then evaluated to determine whether they can meet
the strategic level requirements; most of the evaluated approaches were found not to
meet them.
The Bornman Framework for ISRM Methodology Evaluation (BFME) is presented. It allows
organisations to evaluate ISRM methodologies at operational level against the
requirements of strategic management, and it takes into account the extent to which
an ISRM methodology can be adapted to organisational requirements. Purpose-developed
scales allow a qualitative comparison between different methodologies.
The BFME forms the basis of the Bornman Framework for ISRM Information Communication
(BFIC). The BFIC communicates the status of each ISRM component and can be applied to
any ISRM methodology once that methodology has been evaluated with the BFME.
The Bornman Risk Console (BRC) provides a practical implementation of the BFIC. The
prototype builds on the approach of an existing ISRM methodology and provides
decision-enabling risk information to top level management.
Implementing the BRC and following the processes of the BFME and BFIC reconciles the
differing approaches at each managerial level across different organisational
structures. Together, the two frameworks and the prototype provide a holistic
communication framework that can be implemented in any organisation.
Prof. L. Labuschagne