Document Type : Research Paper

Authors

1 Assistant Professor, Department of Industrial Management, Faculty of Economics, Management and Administrative Sciences, Semnan University, Semnan, Iran. (shafiei@semnan.ac.ir)

2 MA, Department of Industrial Management, Faculty of Economics, Management and Administrative Sciences, Semnan University, Semnan, Iran.

3 Ph.D. Student, Department of Industrial Management, Faculty of Economics, Management and Administrative Sciences, Semnan University, Semnan, Iran.

Abstract

The study conducted with aim of ranking each aspect of information security risk management. At the first stage, the dimensions and characteristics of each have been identified based on the research literature and expert opinions. In order to rank the factors under study using a hybrid approach using FEMA and Gray theory, 50 questionnaires collected among IT, soft ware, and network experts that choosed based on researchers’ judgement and accessible one. According to the results, the security of communications was ranked first. Infrastructure of hard ware and network, human factors, security management, access to information and systems and the development of secure information systems were ranked second to sixth, respectively.Therefore, it is recommended that organizations set up an independent security department within the organization. Also, providing a list of all the information assets of the organization and specifying control and strategic goals in the area of information security in the organization can be useful for organizations. Moreover, if the organization has several branches and need internet connection, preferably communications are available as VPN. In addition, if organizations have web automation for outside usage, the site should be licensed with SSL and https protocol.

Keywords

آرام، م. (1388).  بررسی و سنجش مؤلفه‌های مؤثر بر مدیریت امنیت اطلاعات در فناوری اطلاعات شرکت گاز پارس جنوبی. پایان­نامه کارشناسی­ارشد: دانشگاه شهید بهشتی.
الهی، ش. طاهری، م؛ و حسن­زاده، ع. (1387). ارائه چارچوبی برای عوامل انسانی مرتبط در امنیت سیستم­های اطلاعاتی. پژوهش­های مدیریت در ایران، 61، 1-22.
پورمند، ع. (1385). استانداردی برای مدیریت امنیت اطلاعات. ماهنامه تدبیر،  175.
حریری، ن؛ و نظری، ز. (1391). امنیت اطلاعات در کتابخانه­های دیجیتال ایران. کتابداری و اطلاع­رسانی، 16(2)، 90-61.
حبیبی، ا. (1397). تحلیل خاکستری و تئوری خاکستری. فصلنامه بازاریابی پارس مدیر، 4(12)، 24-41.
حقیقی، ن. (1379). روش­های تجزیه تحلیل عوامل شکست و آثار آن (FMEA). نشر ساپکو. دوره 22، شماره 81، 169-127.
زنده‌دل نوبری، ب. ارائه مدلی جهت رتبه­بندی سازمان­ها بر مبنای اندازه­گیری و شناسایی میزان بلوغ امنیت اطلاعات در آن‌ها. پایان­نامه کارشناسی ارشد دانشگاه آزاد اسلامی واحد علوم تحقیقات 1389.
سادوسکای، ج. (1384). راهنمای امنیت فناوری اطلاعات. ترجمه میردامادی، شجاعی و صمدی. تهران: دبیرخانه شورای عالی اطلاع­رسانی.
طاهری، م. (1386).  ارائه چهارچوبی برای نقش عوامل انسانی در امنیت سیستم­های اطلاعاتی. پایان­نامه کارشناسی ارشد: دانشگاه تربیت مدرس.
محمودزاده، الف؛ و رجبی، م. (1385). مدیریت امنیت در سیستم­های اطلاعاتی. فصلنامه علوم مدیریت ایران، 1(4)، 78-112.
مهدی، م. و وکیلی، ن. (1397). الگوی امکان‌سنجی و استقرار اثربخش سیستم مدیریت امنیت اطلاعات بر مبنای روش فراترکیب. مطالعات مدیریت کسب‌وکار هوشمند، 7 (26)، 71-99.
Alberts, C. J., & Dorofee, A. (2002). Managing information security risks: the OCTAVE approach. Addison-Wesley Longman Publishing Co., Inc.
Da Veiga, A., & Martins, N. (2015). Improving the information security culture through monitoring and implementation actions illustrated through a case study. Computers & Security, 49, 162-176.
Feng, N., & Li, M. (2011). An information systems security risk assessment model under uncertain environment. Applied Soft Computing, 11(7), 4332-4340.
Feng, N., Wang, H. J., & Li, M. (2014). A security risk analysis model for information systems: Causal relationships of risk factors and vulnerability propagation analysis. Information sciences, 256, 57-73.
Flores, W. R., & Ekstedt, M. (2016). Shaping intention to resist social engineering through transformational leadership, information security culture and awareness. Computers & security, 59, 26-44.
Guo, K. H. (2013). Security-related behavior in using information systems in the workplace: A review and synthesis. Computers & Security, 32, 242-251.
Gusmão, A. P. H., e Silva, L. C., Silva, M. M., Poleto, T., & Costa, A. P. C. S. (2016). Information security risk analysis model using fuzzy decision theory. International Journal of Information Management, 36(1), 25-34.
Kuzma, J. (2010). European digital libraries: Web security vulnerabilities. Library Hi Tech, 28(3), 402-413.
Li, G. D., Yamaguchi, D., & Nagai, M. (2007). A grey-based decision-making approach to the supplier selection problem. Mathematical and computer modelling, 46(3-4), 573-581.
Mahabi, V. (2010). Information Security Awareness: System Administrators and End-User Perspectives at Florida State University. A Dissertation submitted to the School of Library and Information studies, Florida State University; 2010.
Metalidou, E., Marinagi, C., Trivellas, P., Eberhagen, N., Skourlas, C., & Giannakopoulos, G. (2014). The human factor of information security: Unintentional damage perspective. Procedia-Social and Behavioral Sciences, 147, 424-428.
Nazareth, D. L., & Choi, J. (2015). A system dynamics model for information security management. Information & Management, 52(1), 123-134.
Öğütçü, G., Testik, Ö. & Chouseinoglou, O. (2016). Analysis of personal information security behavior and awareness. Computers & Security, 56, 83-93.
Said A.R., Abdullah H., Uli J., & Mohamed Z.A. (2014). Relationship between organizational characteristics and information security knowledge management implementation. Procedia-Social and Behavioral Sciences, 123: 433-43.
Shamala, P., Ahmad, R., & Yusoff, M. (2013). A conceptual framework of info structure for information security risk assessment (ISRA). Journal of Information Security and Applications, 18(1), 45-52.
Shameli-Sendi, A., Aghababaei-Barzegar, R., & Cheriet, M. (2016). Taxonomy of information security risk assessment (ISRA). Computers & Security, 57, 14-30.
Shaw, R. S., Chen, C. C., Harris, A. L., & Huang, H. J. (2009). The impact of information richness on information security awareness training effectiveness. Computers & Education, 52(1), 92-100.
Silva, M. M., de Gusmão, A. P. H., Poleto, T., e Silva, L. C., & Costa, A. P. C. S. (2014). A multidimensional approach to information security risk management using FMEA and fuzzy theory. International Journal of Information Management, 34(6), 733-740.
Vicente, E., Mateos, A., & Jiménez-Martín, A. (2014). Risk analysis in information systems: a fuzzification of the MAGERIT methodology. Knowledge-Based Systems, 66, 1-12.
Webb, J., Ahmad, A., Maynard, S. B., & Shanks, G. (2014). A situation awareness model for information security risk management. Computers & security, 44, 1-15.
 
 
آ