Abstract
Performing a risk analysis has long been considered a necessary security practice for organisations; however, surveys indicate that Small and Medium Enterprises (SMEs) do not tend to undertake one. Some of the main reasons behind this have been found to be the lack of funds, expertise and awareness within such organisations. This paper describes a methodology that aims to address these issues and to be appropriate for the needs of such SMEs. Instead of lengthy questionnaires, it uses a protection-profiles and threat-trees approach to perform the assessment, and incorporates other elements such as financial considerations and the creation of a security policy.
© 2005 International Federation for Information Processing
About this paper
Cite this paper
Dimopoulos, V., Furnell, S. (2005). A Protection Profiles Approach to Risk Analysis for Small and Medium Enterprises. In: Dowland, P., Furnell, S., Thuraisingham, B., Wang, X.S. (eds) Security Management, Integrity, and Internal Control in Information Systems. IICIS 2004. IFIP International Federation for Information Processing, vol 193. Springer, Boston, MA. https://doi.org/10.1007/0-387-31167-X_17
DOI: https://doi.org/10.1007/0-387-31167-X_17
Publisher Name: Springer, Boston, MA
Print ISBN: 978-0-387-29826-9
Online ISBN: 978-0-387-31167-8
eBook Packages: Computer Science (R0)