Information security failures identified and measured – ISO/IEC 27001:2013 controls ranked based on GDPR penalty case analysis

M. Suorsa, P. Helo
Information Security Journal: A Global Perspective, journal article, published 2023-10-18.
DOI: 10.1080/19393555.2023.2270984 (https://doi.org/10.1080/19393555.2023.2270984)
Citations: 0

Abstract

This paper identifies the failures and impacts of information security, as well as the most effective controls to mitigate information security risks in organizations. Root cause analysis was conducted on all year 2020 GDPR penalty cases (n = 81) based on misconduct as defined in GDPR article 32: “security of processing.” ISO/IEC 27001 controls were used as failure identifiers in the analysis. As a result, this study presents both the most frequent and most expensive information security failures and correspondingly ranks and presents the correlation of the controls observed in the analysis. From a theoretical perspective, our study contributes by bridging the gap between regulation and information security, introduces a statistical method to analyze the GDPR penalty cases, and provides previously unreported findings about information security failures and their respective solutions. From a practical perspective, the results of our study are useful for organizations which aspire to manage information security more effectively in order to prevent the most typical and expensive information security failures. Organizations, as well as auditors implementing and assuring ISO 27001, may use our results as a guideline whereby controls should be applied and verified first in sequential order based on their impact and interdependence.