Article code: 467107
Journal code: 697906
Publication year: 2011
English article: 12-page PDF
Full-text version: Free download
English title of the ISI article
A new comprehensive framework for enterprise information security risk management
Related topics
Engineering and Basic Sciences; Computer Engineering; Computer Science (General)
English abstract

With the widespread use of e-transactions in enterprises, information security risk management (ISRM) is becoming essential for establishing a safe environment for their activities. This paper is concerned with presenting a comprehensive ISRM framework that enables the effective establishment of the target safe environment. The framework has two structural dimensions and two procedural dimensions. The structural dimensions include ISRM “scope” and ISRM “assessment criteria”, while the procedural dimensions include ISRM “process” and ISRM “assessment tools”. The framework uses the comprehensive STOPE (strategy, technology, organization, people, and environment) view for the ISRM scope, while its assessment criteria are considered to be open to various standards. For the procedural dimensions, the framework uses the widely known six-sigma DMAIC (define, measure, analyze, improve, and control) cycle for the ISRM process, and it considers the use of various assessment tools. It is hoped that the framework would be widely used in the future as an open reference for ISRM.


► We present a conceptual information security risk management framework that could integrate the key risk management methods.
► The structural dimensions of the framework include: “scope” and “assessment criteria” that support its depth and breadth.
► The procedural dimensions of the framework include: “process” and “assessment tools” that are used to enhance its functionality.
► The framework uses the STOPE (strategy, technology, organization and environment) view for its scope dimension.
► It also depends on the six-sigma DMAIC (define, measure, analyze, improve and control) model for its process dimension.

Publisher
Database: Elsevier - ScienceDirect
Journal: Applied Computing and Informatics - Volume 9, Issue 2, July 2011, Pages 107–118