Progress in Guttman scaling of IT security objectives

Authors: Mock, Ralf Günter; Kollmann, Eva; Ballhaus, Corin; Aeschlimann, Philipp
Language: English
Year of publication: 2010
Subject:
Abstract: Business constraints usually lead to heuristic and biased approaches to risk analysis, e.g. checklists, at IT-driven corporations. As a corporation's management will not accept complex or extensive mathematical approaches, the only way forward is to improve the questioning within the risk analysis framework. The paper follows the idea of Guttman scaling as presented at ESREL 2009: an FMEA structures the risk analysis approach, whereas the Code of Practice (ISO/IEC 27002) gives a limited set of recommendations with regard to Information Security (IS) management. Finally, Guttman scaling of questions about the fulfilment of recommendations results in a ranked list of staggered IS management measures, i.e. total fulfilment of an IS objective is expected to result in a low frequency of IS management failures. The paper presents the improvements and developments of Guttman scaling of IT security objectives. Progress has been made in re-wording and completing the list of Guttman questions with regard to ISO/IEC 27002. Special care was taken to enquire about only a single attribute per question. The statistical analysis of the final matrix of measures with regard to the Code's objectives uses hierarchical clustering methods, and the results are shown as dendrograms. The set of Guttman questions is further simplified in order to meet the business context. Experts at the computing centre of the University of Technology Zurich (HSZ-T) test the reworked methodology in a case study. Pros and cons are discussed.
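The abstract describes Guttman scaling of single-attribute fulfilment questions into a ranked, cumulative list of measures. The following is an added worked example of that scalogram analysis; it is not code from the paper, and the four questions, the six "business units" and their yes/no answers are constructed here purely to illustrate the method. It orders the questions by how often they are fulfilled, counts the cells of each respondent's answer pattern that deviate from the ideal cumulative pattern, and derives the coefficient of reproducibility (CR) and the coefficient of scalability (CS), the two conventional checks of whether a question set really forms a Guttman scale.

```python
from typing import Dict, List, Tuple

# Constructed example (not from the paper): four single-attribute yes/no
# Guttman questions about one hypothetical ISO/IEC 27002 objective, answered by
# six hypothetical business units. 1 = recommendation fulfilled, 0 = not fulfilled.
QUESTIONS: List[str] = [
    "Q1: Is an information security policy document approved by management?",
    "Q2: Is the policy communicated to all employees?",
    "Q3: Is the policy reviewed at planned intervals?",
    "Q4: Are review outcomes and resulting changes recorded?",
]

RESPONSES: Dict[str, List[int]] = {
    "unit_A": [1, 1, 1, 1],
    "unit_B": [1, 1, 1, 0],
    "unit_C": [1, 1, 0, 0],
    "unit_D": [1, 0, 0, 0],
    "unit_E": [1, 0, 1, 0],  # non-cumulative pattern: reviews without communication
    "unit_F": [0, 0, 0, 0],
}


def fulfilment_counts(responses: Dict[str, List[int]]) -> List[int]:
    """Number of respondents that fulfil each question (column sums)."""
    n_items = len(next(iter(responses.values())))
    return [sum(r[i] for r in responses.values()) for i in range(n_items)]


def item_order(responses: Dict[str, List[int]]) -> List[int]:
    """Guttman item order: most frequently fulfilled ("easiest") question first.
    Ties keep the original question order."""
    counts = fulfilment_counts(responses)
    return sorted(range(len(counts)), key=lambda i: (-counts[i], i))


def ranked_measures(responses: Dict[str, List[int]],
                    questions: List[str]) -> List[Tuple[str, int]]:
    """The staggered list of measures: questions ranked from most to least fulfilled."""
    counts = fulfilment_counts(responses)
    return [(questions[i], counts[i]) for i in item_order(responses)]


def guttman_errors(responses: Dict[str, List[int]],
                   order: List[int]) -> Tuple[int, Dict[str, int]]:
    """Count cells that deviate from the ideal cumulative pattern.
    In a perfect scale a respondent with k fulfilled items fulfils exactly the
    k easiest items; every cell differing from that pattern counts as an error."""
    total = 0
    per_respondent: Dict[str, int] = {}
    for name, answers in responses.items():
        ordered = [answers[i] for i in order]
        k = sum(ordered)
        ideal = [1] * k + [0] * (len(ordered) - k)
        errors = sum(1 for got, exp in zip(ordered, ideal) if got != exp)
        per_respondent[name] = errors
        total += errors
    return total, per_respondent


def coefficient_of_reproducibility(responses: Dict[str, List[int]]) -> float:
    """CR = 1 - errors / cells. Guttman's conventional acceptance threshold is 0.90."""
    order = item_order(responses)
    errors, _ = guttman_errors(responses, order)
    return 1.0 - errors / (len(responses) * len(order))


def minimal_marginal_reproducibility(responses: Dict[str, List[int]]) -> float:
    """MMR: the reproducibility obtainable from the item marginals alone, i.e.
    by predicting every cell with the majority answer to its question."""
    n = len(responses)
    counts = fulfilment_counts(responses)
    return sum(max(c, n - c) for c in counts) / (n * len(counts))


def coefficient_of_scalability(responses: Dict[str, List[int]]) -> float:
    """CS = (CR - MMR) / (1 - MMR); values of roughly 0.60 or more are conventionally
    taken to indicate a genuinely cumulative (scalable) set of questions."""
    cr = coefficient_of_reproducibility(responses)
    mmr = minimal_marginal_reproducibility(responses)
    return (cr - mmr) / (1.0 - mmr)


if __name__ == "__main__":
    for question, count in ranked_measures(RESPONSES, QUESTIONS):
        print(f"{count}/{len(RESPONSES)}  {question}")
    _, deviations = guttman_errors(RESPONSES, item_order(RESPONSES))
    print("deviating respondents:", {k: v for k, v in deviations.items() if v})
    print(f"CR = {coefficient_of_reproducibility(RESPONSES):.3f}")
    print(f"CS = {coefficient_of_scalability(RESPONSES):.3f}")
```

With the constructed answers only unit_E breaks the cumulative order (it reviews a policy it never communicated), which is exactly the kind of deviation the re-wording to a single attribute per question is meant to surface: a question that bundles two attributes would mask it. The per-respondent error count is also what a practitioner would inspect before trusting the ranked list as a staggered set of measures.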
Database: OpenAIRE