Enterprise Engineering in Business Information Security

  • Yuri Bobbert
  • Hans MulderEmail author
Conference paper
Part of the Lecture Notes in Business Information Processing book series (LNBIP, volume 334)


Implementing and maintaining Business Information Security (BIS) is cumbersome. Frameworks and models are used to implement BIS, but these are perceived as complex and hard to maintain. Most companies still use spreadsheets to design, direct and monitor their information security improvement plans. Regulators too use spreadsheets for supervision. This paper reflects on ten years of Design Science Research (DSR) on BIS and describes the design and engineering of an artefact which can emancipate boards from silo-based spreadsheet management and improve their visibility, control and assurance via an integrated dash-boarding and reporting tool. Three cases are presented to illustrate the way the artefact, of which the realisation is called the Securimeter, works. The paper concludes with an in-depth comparison study acknowledging 91% of the core BIS requirements being present in the artefact.


  1. 1.
    Ponemone: Cost of Data Breach Study: Global Analysis, Ponemon Institute LLC, United States (2016)Google Scholar
  2. 2.
    Ponemon Institute: Business Case for Data Protection, Ponemon Institute LLC (2009)Google Scholar
  3. 3.
    Cashell, B., Jackson, W., Jickling, M., Webel, B.: The Economic Impact of Cyber-Attacks, Congressional Research Service, The Library of Congress, United States (2004)Google Scholar
  4. 4.
    ITGI: Information Risks: Who’s Business are they?, United States: IT Governance Institute (2005)Google Scholar
  5. 5.
    Alberts, C.J., Dorofee, A.: OCTAVE Method Implementation Guide version 2.0, Carnegie Mellon University Software Engineering Institute, Pittsburgh, Pennsylvania, (2001)Google Scholar
  6. 6.
    Stonenburner, G., Goguen, A., Feringa, A.: NIST Special publications 800-27 Risk Management Guide for Information Technology Systems, National Institute of Standards and Technology, Gaithersburg (2002)Google Scholar
  7. 7.
    ISF, IRAM: Information Risk Assessment Methodology 2, Information Security Forum (2016).
  8. 8.
    Hubbard, D.: The Failure of Risk Management. Wiley, Hoboken (2009)Google Scholar
  9. 9.
    ENISA: Principles and Inventories for Risk Management/Risk Assessment methods and tools, Brussel: European Network and information Security Agency (ENISA) (2006)Google Scholar
  10. 10.
    Yaokumah, W., Brown, S.: An empirical examination of the relationship between information security/business strategic alignment and information security governance. J. Bus. Syst., Governance Ethics 2(9), 50–65 (2014)Google Scholar
  11. 11.
    Zitting, D.: Are You Still Auditing in Excel?. Sarbanes Oxley Compliance Journal (2015).
  12. 12.
    Flores, W., Antonsen, E., Ekstedt, M.: Information security knowledge sharing in organizations: Investigating the effect of behavioral information security governance and national culture. Comput. Secur. 2014–43, 90–110 (2014)CrossRefGoogle Scholar
  13. 13.
    Van Niekerk, J., Von Solms, R.: Information security culture; A management perspective. Comput. Secur. 29, 476–486 (2010)CrossRefGoogle Scholar
  14. 14.
    Seale, C.: Researching Society and Culture, 2nd edn. Sage Publications, Thousand Oaks (2004). ISBN 978-0-7619-4197-2Google Scholar
  15. 15.
    Bobbert, Y.: Use of DEMO as a methodology for business and security alignment. Platform for Information Security, pp. 22–26 (2009).
  16. 16.
    ISO/IEC27001:2013, ISO/IEC 27001:2013: Information technology – Security techniques – Information security management systems – Requirements, ISO/IEC, Geneva (2013)Google Scholar
  17. 17.
    Cherdantseva, Y., Hilton, J.: A reference model of information assurance & security. In: IEEE proceedings of ARES, vol. SecOnt workshop, Regensburg, Germany (2013)Google Scholar
  18. 18.
    GOV.UK: The Security Policy Framework (SPF), Statement of Assurance questionnaire in Excel - Gov.ukGoogle Scholar
  19. 19.
    Halkyn, ISO27001 Self Assessment Checklist hits record downloads, 19 February 2015Google Scholar
  20. 20.
    von Solms, S., von Solms, R.: Information Security Governance. Springer, New York (2009). ISBN 978-0-387-79983-4CrossRefGoogle Scholar
  21. 21.
    ITGI: COBIT Mapping: Mapping of CMMI for Development V1.2 With COBIT. IT Governance Institute, United States of America (2007). ISBN 1-933284-80-3Google Scholar
  22. 22.
    Koning, E.: Assessment Framework for DNB Information Security Examination, De Nederlandsche Bank, Amsterdam (2014)Google Scholar
  23. 23.
    Volchkov, A.: How to measure security rom a governance perspective. ISACA J. 5, 44–51 (2013)Google Scholar
  24. 24.
    Papazafeiropoulou, A.: Understanding governance, risk and compliance information systems the experts view. Inf. Syst. Front. 18, 1251–1263 (2016)CrossRefGoogle Scholar
  25. 25.
    Deloitte: Spreadsheet Management, Not what you figured (2009)Google Scholar
  26. 26.
    Bobbert, Y.: Defining a research method for engineering a Business Information Security artefact. In: Proceedings of the Enterprise Engineering Working Conference (EEWC) Forum, Antwerp (2017)Google Scholar
  27. 27.
    Bobbert, Y.: Porters’ elements for a business information security strategy. ISACA J. 1, 1–4 (2015)Google Scholar
  28. 28.
    Dietz, J.: Enterprise Ontology. Springer, Heidelberg (2006). Scholar
  29. 29.
    MBZK: Baseline Informatiebeveiliging Rijksdienst 2017, Den haag: Ministerie van Binnenlandse Zaken en Koninkrijksrelaties (2017)Google Scholar
  30. 30.
    Bobbert, Y., Mulder, J.: Governance practices and critical success factors suitable for business information security. In: International Conference on Computational Intelligence and Communication Networks, India (2015)Google Scholar
  31. 31.
    Wieringa, R.: Design Science Methodology for Information Systems and Software Engineering. Springer, Heidelberg (2014). Scholar
  32. 32.
    Bobbert, Y., Mulder, J.: Group support systems research in the field of business information security; a practitioners view. In: 46th Hawaii International Conference on System Science, Hawaii US (2013)Google Scholar
  33. 33.
    De Vreede, G., Briggs, R.O., Van Duin, R., Enserink, B.: Athletics in electronic brainstorming; asynchronous electronic brainstorming in very large groups. In: Proceedings of the 33rd Hawaii International Conference on System Sciences (2000)Google Scholar
  34. 34.
    Recker, J.: Scientific Research in Information Systems. Springer, Australia (2013). Scholar
  35. 35.
    Asch, S.: Effects of group pressure upon the modification and distortion of judgment. In: Guetzkow, H. (ed.) Groups, Leadership and Men, Carnegie Press, Pittsburgh (1951)Google Scholar
  36. 36.
    den Hengst, M., Adkins, M., Keeken, S., Lim, A.: Which facilitation functions are most challenging: a global survey of facilitators, Delft University of Technology, Delft (2005)Google Scholar
  37. 37.
    Vreede, G., Boonstra, J., Niederman, F.: What is effective GSS facilitation? A qualitative inquiry into participants’ perceptions. In: Proceedings of the 35th Hawaii International Conference on System Sciences, Delft University of Technology, Netherlands (2002)Google Scholar
  38. 38.
    Vreede, G., Vogel, D., Kolfschoten, G., Wien, J.: Fifteen years of GSS in the field: a comparison across time and national boundaries. In: Proceedings of the 36th Hawaii International Conference on System Sciences, HICSS 2003 (2003)Google Scholar
  39. 39.
    Kolfschoten, G., Mulder, J., Proper, H.: De fata morgana van Group Support Systemen. Informatie 4(5), 10–14 (2016)Google Scholar
  40. 40.
    Argyris, C.: Double-loop learning, teaching, and research. Acad. Manag. 1(2), 206–218 (2002)MathSciNetGoogle Scholar
  41. 41.
    Bobbert, Y., Mulder, J.: A research journey into maturing the business information security of mid market organizations. Int. J. IT/Bus. Align. Gov. 1(4), 18–39 (2010)CrossRefGoogle Scholar
  42. 42.
    Mari, G.: Cyber Security; Facts or Fiction, Antwerp Management School, 14 November 2016.

Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  1. 1.Radboud UniversityNijmegenNetherlands
  2. 2.University of AntwerpAntwerpBelgium
  3. 3.Antwerp Management SchoolAntwerpBelgium

Personalised recommendations