Designing a Security Sensitive Self-assessment Framework

Maria Pibilota Murumaa
The development of the Estonian Information Security Standard (E-ITS) has created the need to evaluate an organisation's information security state. However, collecting data about an organisation's security measures must itself be handled securely. This thesis aims to design a security-sensitive Self-Assessment Framework (SAF) for collecting answers to F4SLE (Framework for Security Level Evaluation).
To propose the SAF design, a comparison of similar tools, a requirement analysis, and three design iterations were performed. The final design includes a web-based user interface for collecting aggregated results and server-based administrative functionality for benchmark calculations and visualisation. In addition, a limited version of the SAF was implemented to conduct a pilot in Estonia and the Czech Republic.
The SAF validation consists of two parts. Firstly, a threat analysis is conducted to evaluate the framework's security posture and identify additional requirements. Secondly, the pilot participants are asked to assess the framework in order to validate the design decisions.
The proposed security-sensitive SAF design can be generalised to other 4-level self-assessment tools. The framework is suitable for conducting threat audits or for validating newly developed risk assessment frameworks.

Funded by the European Union under Grant Agreement No. 101087529. Views and opinions expressed are however those of the author(s) only and do not necessarily reflect those of the European Union or European Research Executive Agency. Neither the European Union nor the granting authority can be held responsible for them.
Graduation Thesis type: Master - Cyber Security
Mari Seeba, Tarmo Oja