Keywords: Enterprise Information systems; information security; risN .... state organizations and private companies have attempts to provide compliance with TS.
Available online at www.sciencedirect.com
ScienceDirect Procedia Computer Science 100 (2016) 979 – 986
&RQIHUHQFH�RQ�(17(5SULVH�,QIRUPDWLRQ�6\VWHPV���,QWHUQDWLRQDO�&RQIHUHQFH�RQ�3URMHFW� 0$1DJHPHQW���&RQIHUHQFH�RQ�+HDOWK�DQG�6RFLDO�&DUH�,QIRUPDWLRQ�6\VWHPV�DQG�7HFKQRORJLHV�� &(17(5,6���3URM0$1���+&LVW�������2FWREHU�����������
(QWHUSULVH�LQIRUPDWLRQ�V\VWHPV�ZLWKLQ�WKH�FRQWH[W�RI�LQIRUPDWLRQ� VHFXULW\��D�ULVN�DVVHVVPHQW�IRU�D�KHDOWK�RUJDQL]DWLRQ�LQ�7XUNH\� ùDKLND�(UR÷OXD��7ROJD�dDNPDND � a
Hacettepe University, Department of Information Management, Ankara 06800, Turkey
$EVWUDFW� (QWHUSULVH�LQIRUPDWLRQ�V\VWHPV�LPSOHPHQWHG�LQ�WKH�RUJDQL]DWLRQV�DUH�FULWLFDO�DVVHWV�WR�SURYLGH�FRPSHWLWLYH�DGYDQWDJH�LQ�FKDQJLQJ� VHFWRUDO� FRQGLWLRQV� DQG� FRQWLQXLW\� RI� EXVLQHVV� SURFHVVHV� DQG� PDQDJHPHQW� RI� HQWHUSULVH� UHVRXUFHV�� ,Q� WKLV� UHJDUG�� LQIRUPDWLRQ� VHFXULW\�DSSURDFKHV�DQG�DVVHVVPHQW�WHFKQLTXHV�DUH�XVHG�WR�H[DPLQH�WKH�PDWXULW\�OHYHO�RI�HQWHUSULVH�DQG�GHWHUPLQH�WKH�ULVNV�DQG� SRWHQWLDO�VROXWLRQV�IRU�HQWHUSULVH�LQIRUPDWLRQ�V\VWHPV��7KLV�VWXG\�DLPV�WR�PHDVXUH�LQIRUPDWLRQ�V\VWHPV�LQ�WHUPV�RI�LQIRUPDWLRQ� VHFXULW\�DQG�ULVNV��2Q�WKH�RWKHU�KDQG��LW�LV�DOVR�DLPHG�WR�GHVFULEH�WKH�SRWHQWLDO�HIIHFWV�RI�DVVHVVPHQW�WHFKQLTXHV�DQG�WRROV�IRU�VWDWH� RUJDQL]DWLRQV�WR�PDQDJH�WKHLU�FULWLFDO�DVVHWV��,Q�RUGHU�WR�DFKLHYH�WKHVH�DLPV��LQIRUPDWLRQ�V\VWHPV�RI�RQH�RI�WKH�ODUJH�VFDOH�KHDOWK� VHFWRU�RUJDQL]DWLRQV�LQ�7XUNH\�ZHUH�DVVHVVHG�YLD�DQ�LQWHUQDWLRQDO�DVVHVVPHQW�WRRO�WKDW�LV�DGDSWHG�WR�7XUNLVK�FRQGLWLRQV�LQ�VRPH� SDUWV�OLNH�OHJDO�UHJXODWLRQV��7KH�UHVXOWV�REWDLQHG�WKURXJK�DVVHVVPHQW�WRRO�SURYLGH�WKH�FXUUHQW�PDWXULW\�OHYHO�RI�WKH�RUJDQL]DWLRQ� DQG�UHPDUN�WKH�SRLQWV�WKDW�VKRXOG�EH�LPSURYHG�IRU�WKH�VHFXULW\�RI�LQIRUPDWLRQ�V\VWHPV�DQG�WKH�FULWLFDO�FRPSRQHQWV�VXFK�DV�ULVNV�� SURFHVVHV��SHRSOH��,7�UHOLDQFH�DQG�WHFKQRORJ\�� � ������7KH�$XWKRUV��3XEOLVKHG�E\�(OVHYLHU�%�9�� © 2016 The Authors. Published by Elsevier B.V. This is an open access article under the CC BY-NC-ND license (http://creativecommons.org/licenses/by-nc-nd/4.0/). 3HHU�UHYLHZ�XQGHU�UHVSRQVLELOLW\�RI�6FL.$���$VVRFLDWLRQ�IRU�3URPRWLRQ�DQG�'LVVHPLQDWLRQ�RI�6FLHQWLILF�.QRZOHGJH�� Peer-review under responsibility of the organizing committee of CENTERIS 2016 Keywords:�(QWHUSULVH�,QIRUPDWLRQ�V\VWHPV��LQIRUPDWLRQ�VHFXULW\��ULVN�DVVHVVPHQW�
�
�
�&RUUHVSRQGLQJ�DXWKRU��7HO����������������������ID[��������������������� E-mail address:�WFDNPDN#KDFHWWHSH�HGX�WU�
1877-0509 © 2016 The Authors. Published by Elsevier B.V. This is an open access article under the CC BY-NC-ND license (http://creativecommons.org/licenses/by-nc-nd/4.0/). Peer-review under responsibility of the organizing committee of CENTERIS 2016 doi:10.1016/j.procs.2016.09.262
Şahika Eroğlu and Tolga Çakmak / Procedia Computer Science 100 (2016) 979 – 986
980
���,QWURGXFWLRQ� ,QIRUPDWLRQ� V\VWHPV�� DV� RQH� RI� WKH� NH\� EXVLQHVV� IXQFWLRQV� IRU� HQWHUSULVHV�� VXSSRUW� EXVLQHVV� SURFHVVHV� ZLWK� WHFKQRORJLFDO�VROXWLRQV�SURYLGLQJ�FRVW�DQG�WLPH�HIILFLHQF\��7KH\�DUH�DOVR�XVHG�E\�HQWHUSULVHV�WR�SURYLGH�FRPSHWLWLYH� DGYDQWDJH��WR�LPSOHPHQW�LQQRYDWLRQV�DQG��WR�FRQWURO�ZRUN�IORZ�PRVWO\�YLD�HOHFWURQLF�HQYLURQPHQW��$V�D�UHVXOW�RI�WKH� LQFUHDVLQJ�XVH�RI�HOHFWURQLF�HQYLURQPHQW�LQ�EXVLQHVV�SURFHVVHV��LW�LV�SRVVLEOH�WR�VD\�WKDW�WKHUH�DUH�VRPH�SRWHQWLDO�ULVNV� LQ�GDLO\�EXVLQHVV�UHODWHG�WUDQVDFWLRQV�DV�LW�LV�LQ�SK\VLFDO�DSSURDFKHV��,Q�RUGHU�WR�SURYLGH�VHFXULW\�RI�FULWLFDO�DVVHWV�� HQWHUSULVHV� DVVHVV� WKHLU� LQIRUPDWLRQ� V\VWHPV� ZLWK� VRPH� WHFKQLTXHV� DQG� WRROV�� 7KHVH� DVVHVVPHQWV� DOVR� VXSSRUW� GHWHFWLRQV�RI�SRWHQWLDO�ULVNV�DQG�PHDVXUHV�WR�FUHDWH�VROXWLRQV��$FFRUGLQJ�WR�LQIRUPDWLRQ�VHFXULW\�DVVHVVPHQWV��WRGD\�� HQWHUSULVHV� LPSURYH� WKHLU� VHUYLFH� TXDOLW\�� LQFUHDVH� WKHLU� YDOXHV�� DQG� HIILFLHQWO\� PDQDJH� EXVLQHVV� SURFHVVHV�� 2Q� WKH� RWKHU� KDQG�� LQIRUPDWLRQ� VHFXULW\� FRQWDLQV� UHPDUNDEOH� FRPSRQHQWV� WKDW� VKRXOG� EH� HIILFLHQWO\� DVVHVVHG� IRU� DOO� HQWHUSULVHV�� ,QIRUPDWLRQ� VHFXULW\� DVVHVVPHQWV� DQG� GHWHFWLRQ� RI� ULVNV� DUH� VLJQLILFDQW� IDFWRUV� IRU� SUHVHUYDWLRQ� RI� LQIRUPDWLRQ�DVVHWV��LQWHJUDWHG�HQWHUSULVH�PDQDJHPHQW��DQG�VXVWDLQDELOLW\�RI�LQIRUPDWLRQ�V\VWHPV��$V�D�UHIOHFWLRQ�RI� V\VWHP� TXDOLW\�� WKH� PDQDJHPHQW� RI� HQWHUSULVH� LQIRUPDWLRQ� VHFXULW\� VKRXOG� EH� FDUULHG� RXW� FDUHIXOO\� >�@�� 6WXGLHV� LQGLFDWH�WKDW�LQIRUPDWLRQ�V\VWHPV�DV�RQH�RI�WKH�FULWLFDO�DVVHWV�RI�HQWHUSULVHV�DQG�WKH\�DVVHVVHG�LQ�WHUPV�RI�VHFXULW\�DQG� ULVN� IDFWRUV�� $GGLWLRQDOO\�� WKH� FXUUHQW� OHYHOV� RI� WKHP� DQG� WKHLU� FRPSRQHQWV� VKRXOG� EH� DQDO\]HG� E\� VHQLRU� GHFLVLRQ� PDNHUV�>�@�� � 7KLV� VWXG\� HYDOXDWHV� ULVNV� DQG� VHFXULW\� DSSOLFDWLRQV� RI� D� ODUJH� VFDOH� VWDWH� RUJDQL]DWLRQ� LQ� 7XUNH\� VHUYLQJ� LQ� WKH� KHDOWK�VHFWRU�E\�DQ�LQWHUQDWLRQDO�DVVHVVPHQW�WRRO�DOVR�XVHG�LQ�GLIIHUHQW�ILHOGV��L�H��HGXFDWLRQ�DQG�GHIHQVH�VHFWRUV ��$V� D�FDVH�VWXG\��WKH�FXUUHQW�OHYHO�RI�,7�UHOLDQFH��SHRSOH��SURFHVVHV��ULVN�PDQDJHPHQW�DSSOLFDWLRQV�DQG�WHFKQRORJ\�XVHG� IRU�EXVLQHVV�SURFHVVHV�RI�WKH�KHDOWK�RUJDQL]DWLRQ�LQ�7XUNH\�DUH�PHDVXUHG�LQ�WKH�HQG�RI�WKH�VWXG\�� ���,QIRUPDWLRQ�6HFXULW\�$SSURDFKHV�LQ�(QWHUSULVH�,QIRUPDWLRQ�6\VWHPV� 0DQ\� RUJDQL]DWLRQV� IURP� GLIIHUHQW� VHFWRUV� XVH� LQIRUPDWLRQ� WHFKQRORJLHV� ZKLOH� SHUIRUPLQJ� WKHLU� EXVLQHVV� SURFHVVHV��,QIRUPDWLRQ�V\VWHPV��IURP�GHFLVLRQ�VXSSRUW�PHFKDQLVPV�WR�GRFXPHQW�PDQDJHPHQW�V\VWHPV��SOD\�D�YLWDO� UROH�IRU�PDQDJHPHQW�RI�ZRUN�IORZ�DPRQJ�WKH�XQLWV�RI�RUJDQL]DWLRQ��'XH�WR�FRUUHVSRQGLQJO\�FKDQJLQJ�RUJDQL]DWLRQDO� QHHGV�DQG�DWWHPSWV�WR�SURYLGH�FRPSHWLWLYH�DGYDQWDJH��RUJDQL]DWLRQV�ZHUH�WULJJHUHG�WR�XVH�RI�HQWHUSULVH�LQIRUPDWLRQ� V\VWHPV�� 3ODFHG� LQ� D� FULWLFDO� SDWK� RI� RUJDQL]DWLRQDO� VWUXFWXUH�� LQIRUPDWLRQ� V\VWHPV� KDYH� UHTXLUHG� HIIHFWLYH� VHFXULW\� PDQDJHPHQW�LVVXHV�LQFOXGLQJ�ULVN�DQDO\VLV�DQG�DVVHVVPHQWV��,Q�WKH�OLJKW�RI�WKLV�LQIRUPDWLRQ��LQIRUPDWLRQ�VHFXULW\��LV� GHILQHG� DV� ³WKH� SURWHFWLRQ� � RI� � WKH� � FRQILGHQWLDOLW\�� � LQWHJULW\� � DQG� � DYDLODELOLW\� � RI� � LQIRUPDWLRQ� � DQG� � LWV� � FULWLFDO�� HOHPHQWV���LQFOXGLQJ��WKH�VRIWZDUH��DQG��KDUGZDUH��WKDW��XVH���VWRUH���SURFHVV��DQG��WUDQVPLW��WKDW�LQIRUPDWLRQ��WKURXJK�� WKH� � DSSOLFDWLRQ� RI� � SROLF\�� WHFKQRORJ\�� HGXFDWLRQ� DQG� DZDUHQHVV� >�@´� DQG� LW� LV� VHHQ� DV� D� FXUUHQW� UHVHDUFK� DUHD� IRU� RUJDQL]DWLRQV�IRU�WKRVH�HYDOXDWH�LQIRUPDWLRQ�V\VWHPV�LQ�D�FHQWUDO�SRVLWLRQ�IRU�EXVLQHVV�SURFHVVHV��� ,Q�OLQH�ZLWK�WKH�GHYHORSPHQWV�UHODWHG�WR�LQIRUPDWLRQ�VKDULQJ�RSSRUWXQLWLHV��LW�LV�SRVVLEOH�WR�LQIHU�WKDW�WKHUH�LV�DQ� LQFUHDVH� LQ� F\EHUFULPH� UDWHV�� 7KLV� LV� DOVR� UHYHDOV� IDFWRUV� WKDW� WKUHDW� EXVLQHVV� SURFHVVHV� DQG� SHUVRQDO� LQIRUPDWLRQ� VHFXULW\� >�@�� ,Q� WKLV� UHJDUG� VDIHW\� LVVXHV� IRU� HQWHUSULVH� LQIRUPDWLRQ� V\VWHPV� DQG� RWKHU� FULWLFDO� DVVHWV� EHFRPH� HYHQ� PRUH� LPSRUWDQW� IRU� DOPRVW� HYHU\� VHFWRU� RI� EXVLQHVV� OLIH� >�@�� 'XH� WR� WKH� GHYHORSPHQW� RI� WHFKQRORJLFDO� WRROV� DQG� RSSRUWXQLWLHV�DQG�UDLVH�RI�FRPSOH[�VWUXFWXUHV��DQG�JURZLQJ�WKUHDWV��LQIRUPDWLRQ�VHFXULW\�DSSURDFKHV�KDYH�HPHUJHG� IRU� HQWHUSULVH� LQIRUPDWLRQ� V\VWHPV�� ,W� LV� VHHQ� WKDW� WKHUH� DUH� PDQ\� VWXGLHV� FDUULHG� RXW� LQ� WKH� OLWHUDWXUH� UHODWHG� WR� SURWHFWLRQ�DQG�VHFXULW\�RI�LQIRUPDWLRQ�DVVHWV�DQG�FRPSOH[LW\�RI�LQIRUPDWLRQ�V\VWHPV�� 6LJQLILFDQWO\��LQ�VWXGLHV�FRQGXFWHG�RQ�WKH�VDIHW\�RI�WKH�HQWHUSULVH�LQIRUPDWLRQ�V\VWHPV��LW�LV�UHSRUWHG�WKDW�WKH�UROH� RI�ULVN�DVVHVVPHQWV�DQG�WKH�VFRSH�RI�WKHVH�DVVHVVPHQW�VKRXOG�EH�XQGHUVWRRG�E\�WKH�,7�VHFWRU�DQG�WKHVH�DVVHVVPHQWV� VKRXOG�FRYHU�DOO�DVSHFWV�RI�WKH�,7�JRYHUQDQFH�LQFOXGLQJ�KDUGZDUH�DQG�VRIWZDUH��HPSOR\HH�DZDUHQHVV�WUDLQLQJV��DQG� EXVLQHVV�SURFHVVHV�>�@�� :H� FDQ� SRVVLEO\� VD\� WKDW� RUJDQL]DWLRQV� LQFUHDVLQJO\� EHFRPH� PRUH� GHSHQGHQW� RQ� WHFKQRORJLFDO� LQIRUPDWLRQ� V\VWHPV�� $FFRUGLQJO\�� WKH\� VKRXOG� EH� PRUH� VHQVLWLYH� IRU� WKH� ULVNV� DQG� WKH\� VKRXOG� XVH� DVVHVVPHQW� WHFKQLTXHV� DQG� PHWKRGV�WR�GHWHFW�ULVNV�DQG�GHFUHDVH�WKHLU�YXOQHUDELOLW\�IRU�FULWLFDO�LQIRUPDWLRQ�DVVHWV�RZQHG�E\�WKH�RUJDQL]DWLRQ��,W V� FOHDU� WKDW� YXOQHUDELOLWLHV� RU� HUURUV� RQ� LQIRUPDWLRQ� V\VWHPV� OHDGV� WR� VHULRXV� EXVLQHVV� FULVLV� DQG� ORVV� RI� UHSXWDWLRQ�� 7KHUHIRUH��WKH�LQIRUPDWLRQ�VHFXULW\�PDQDJHPHQW�SROLFLHV�DQG�VWUDWHJLHV�IRU�RUJDQL]DWLRQDO�LQIRUPDWLRQ�DVVHWV�EHFRPH�
Şahika Eroğlu and Tolga Çakmak / Procedia Computer Science 100 (2016) 979 – 986
FUXFLDO��,QIRUPDWLRQ�VHFXULW\�SROLF\�LV�WKH�VHW�RI�UXOHV��VWDQGDUGV��SUDFWLFHV��DQG�SURFHGXUHV�WKDW�DQ�RUJDQL]DWLRQ�FDQ� HPSOR\�WR�PDLQWDLQ�D�VHFXUH�,7�V\VWHP�>�@��$V�GHVFULEHG�LQ�WKH�OLWHUDWXUH�WKHVH�SROLFLHV�FRQVWLWXWH�DQ�LPSRUWDQW�SDUW� RI�LQIRUPDWLRQ�VHFXULW\�V\VWHPV�IRU�VXVWDLQDELOLW\�DQG�SURWHFWLRQ�RI�RUJDQL]DWLRQDO�LQIRUPDWLRQ�DVVHWV���2UJDQL]DWLRQV� KDYH�PDQ\�UHDVRQV�IRU�WDNLQJ�IDUVLJKWHG�LQIRUPDWLRQ�VHFXULW\�PHDVXUHV��,Q�WKLV�FRQWH[W�LW�LV�VWDWHG�WKDW�WKHUH�LV�D�QHHG� IRU�OHJDO�DQG�UHJXODWRU\�VWXGLHV�WR�SURWHFW�VHQVLWLYH�RU�SHUVRQDO�GDWD�DQG�WR�PRWLYDWH�RUJDQL]DWLRQV�IRU�HYDOXDWLRQ�WKHLU� FULWLFDO� LQIRUPDWLRQ� DVVHWV�� $FFRUGLQJ� WR� -RKDQVVRQ�� (NVWHGW� DQG� -RKQVRQ� >�@�� WKHUH� DUH� YDULRXV� ULVN� DVVHVVPHQWV� FRQGXFWHG�LQ�,7�VHFXULW\�DQG�WKHVH�DVVHVVPHQWV�KDYH�GLIIHUHQW�ULJRU��VFRSH�DQG�PHWKRGV�EXW�DOO�RI�WKHP�FUHDWHG�IRU� WKH�VDPH�DLP�� 7KDW�LV�WR�LGHQWLILFDWLRQ�RI�ULVNV�DQG�GHFUHDVH�WKHLU�YXOQHUDELOLW\�WR�DFFHSWDEOH�OHYHO�IRU�LQIRUPDWLRQ� DVVHWV�>�@�� ,W�LV�VWDWHG�WKDW�V\VWHPV�IRU�LQIRUPDWLRQ�DVVHWV�RI�RUJDQL]DWLRQV�VKRXOG�EH�FRQILJXUHG�LQ�WHUPV�RI�IRXU�GLPHQVLRQV�� 7KHVH� DUH� WHFKQLFDO� �KDUGZDUH� DQG� VRIWZDUH �� SK\VLFDO� �PHGLD�� EXLOGLQJ�� HTXLSPHQW�� HWF� �� RUJDQL]DWLRQDO� �,7� DOLJQPHQW�� VWUXFWXUH�� FRUSRUDWH� JRYHUQDQFH�� OHJDO�� HWF� � DQG� PDQDJHULDO� �SROLFLHV�� SURFHGXUHV�� HWF� � DVSHFWV� >�@�� $GGLWLRQDOO\�� LW� LV� NQRZQ� WKDW� WR� SURYLGH� LQIRUPDWLRQ� VHFXULW\� PDQDJHPHQW�� ZKLFK� GHILQHV� HVWDEOLVKPHQW� RI� WKH� QHFHVVDU\�FRQWURO�HQYLURQPHQW�IRU�VXSSRUWLQJ�LQIRUPDWLRQ�LQWHJULW\��VHFXULW\�DQG�DYDLODELOLW\��� ,W� LV� VHHQ� WKDW� GLIIHUHQW� PHWKRGV� DQG� VWDQGDUGV� >�@� ZHUH� GHYHORSHG� LQ� WKH� ILHOG� RI� LQIRUPDWLRQ� VHFXULW\� DQG� ULVN� DVVHVVPHQW��,Q�WKLV�FRQWH[W��VXFK�LQWHUQDWLRQDOO\�DFFHSWHG�VWDQGDUGV�UXOHV�,62��������,62��������&2%,7��3&,��62;� DQG�%$6(/�,,�PDNH�ULVN�PDQDJHPHQW�DV�PDQGDWRU\�SURFHVV�IRU�RUJDQL]DWLRQV�� ,W� LV� DOVR� VHHQ� WKDW� VWDWH� RUJDQL]DWLRQV� DQG� SULYDWH� FRPSDQLHV� KDYH� DWWHPSWV� WR� SURYLGH� FRPSOLDQFH� ZLWK� 76� ,62�,(&�������,QIRUPDWLRQ�6HFXULW\�VWDQGDUG�LQ�UHFHQW�\HDUV�ZLWK�WKH�DLP�RI�LPSOHPHQWLQJ�DQ�HIILFLHQW�,QIRUPDWLRQ� 6HFXULW\� 0DQDJHPHQW� 6\VWHP�� 76� ,62�,(&� ������ DV� D� FHUWLILFDWLRQ� IRU� RUJDQL]DWLRQ� ZLWK� LWV� VDIH� LQIRUPDWLRQ� HQYLURQPHQW� HQVXUHV� WKH� LPSOHPHQWDWLRQ� RI� LQIRUPDWLRQ� VHFXULW\� PDQDJHPHQW� V\VWHP�� DQG� JXDUDQWHH� WKDW� LWV� XVH�� PRQLWRULQJ�� DVVHVVPHQWV�� PDLQWHQDQFH� DQG� GHYHORSPHQW� E\� WKH� RUJDQL]DWLRQ� LQ� D� VWDQGDUGL]HG� VWUXFWXUH�� 7KH� PRVW� LPSRUWDQW�VWHS�WR�PHHW�VXFK�UHTXLUHPHQWV�LV�ULVN�DVVHVVPHQWV��+RZHYHU��WKHUH�LV�QRW�DQ\�UHFRPPHQGDWLRQ�DERXW�ULVN� DVVHVVPHQWV�WHFKQLTXHV�LQ�76�,62�,(&��������LW�LV�VHHQ�DV�D�PDQGDWRU\�DSSOLFDWLRQ�LQ�WKH�VWDQGDUG�>�@��2QH�RI�WKH� PRVW� LPSRUWDQW� FRPSRQHQWV� RI� LQIRUPDWLRQ� VHFXULW\� VWXGLHV� LV� ULVN� DVVHVVPHQWV�� ,W� LV� DOVR� FRQILUPHG� WKDW� WKH� ULVN� PDQDJHPHQW� ZLWK� WKH� FUHDWLRQ� RI� DQ� LQIRUPDWLRQ� VHFXULW\� SROLF\� LV� WKH� ILUVW� VWHS� RI� WKH� PDQDJHPHQW� SURFHVVHV� IRU� LQIRUPDWLRQ� VHFXULW\� SURJUDP� >��@�� 'HILQHG� DV� WKH� VHW� RI� SURFHVVHV� WR� PLQLPL]H� H[LVWLQJ� ULVNV�� ULVN� PDQDJHPHQW� LQYROYHV�ULVN�DQDO\VLV��ULVN�DVVHVVPHQWV�DQG�PHDVXUHPHQWV�DQG�HYDOXDWLRQ�RI�WKUHDWV�DQG�FRQWUROV�>��@�,Q�WKH�OLJKW�RI� WKLV� LQIRUPDWLRQ�� LW� LV� SRVVLEOH� WR� VD\� WKDW� LGHQWLILFDWLRQ� RI� ULVNV� IRU� WKH� LQIRUPDWLRQ� V\VWHPV� WKDW� VXSSRUW� WR� PDQDJHPHQW� RI� HQWHUSULVH� LQIRUPDWLRQ� DVVHWV� DQG� GHFUHDVH� RI� WKHLU� YXOQHUDELOLW\� WR� DQ� DFFHSWDEOH� OHYHO� FRQVLVW� WKH� IXQGDPHQWDOV� RI� LQIRUPDWLRQ� VHFXULW\� DSSURDFKHV�� 7KH� SRWHQWLDO� ULVNV� DQG� DFWLRQV� FDQ� DOVR� EH� GHWHUPLQHG� YLD� ULVN� DVVHVVPHQWV�DQG�WKH\�FDQ�EH�DQDO\]HG�DQG�GHFLVLRQV�FDQ�EH�PDGH�DFFRUGLQJ�WR�VXFK�UHVXOWV��� 5LVN�DVVHVVPHQWV�DUH�DOVR�GHVFULEHG�LQ�PDQ\�VWXGLHV�DQG�JXLGHV�SXEOLVKHG�E\�DXWKRULW\�RUJDQL]DWLRQV��$V�RQH�RI� WKHVH� JXLGHOLQHV�� *XLGHOLQH� IRU� 5LVN� 0DQDJHPHQW� IRU� ,QIRUPDWLRQ� 6HFXULW\� SXEOLVKHG� E\� 1,67� GHILQHV� ULVN� DVVHVVPHQW� XQGHU� WKH� QLQH� VWHSV�� 7KHVH� DUH� V\VWHP� FKDUDFWHUL]DWLRQ�� LGHQWLILFDWLRQ� RI� WKUHDWV� DQG� EXJV�� FRQWURO� DQDO\VLV�� DQDO\VLV� RI� WKH� WKUHDWV� OLNHO\� WR� RFFXU�� LPSDFW� DQDO\VLV�� FDOFXODWLRQ� RI� ULVNV�� FRQWURO� UHFRPPHQGDWLRQV�� GRFXPHQWDWLRQ� RI� UHVXOWV� >��@�� 2Q� WKH� RWKHU� KDQG�� DQRWKHU� VWXG\� GHVFULEHV� HQWHUSULVH� VHFXULW\� ULVN� DVVHVVPHQW� LQFOXGHV�FRVW�MXVWLILFDWLRQ��SURGXFWLYLW\��EUHDNLQJ�EDUULHUV��VHOI�DQDO\VLV�DQG�FRPPXQLFDWLRQ�FRPSRQHQWV�>�@��,Q�WKH� FRQWH[W� RI� WKH� VWXGLHV�� LW� LV� SRVVLEOH� WR� VD\� WKDW� ULVN� DVVHVVPHQW� ZKLFK� LV� FRQGXFWHG� ZLWK� WKH� DLP� RI� SURYLGLQJ� LQIRUPDWLRQ� VHFXULW\� RI� HQWHUSULVH� V\VWHPV� DUH� QRW� RQO\� VLJQLILFDQW� IRU� WKH� V\VWHP� GHVLJQ� EXW� DOVR� LPSRUWDQW� IRU� RUJDQL]DWLRQDO�VHFXULW\��LGHQWLW\�DQG�FXOWXUH��� 5LVN�PDQDJHPHQW�SROLFLHV�DQG�UHODWHG�GRFXPHQWV�KDYH�D�YLWDO�UROH�IRU�GHWHUPLQLQJ��DQDO\]LQJ�DQG�IROORZLQJ�ULVNV� LQ� RUJDQL]DWLRQV�� ,Q� WKLV� UHJDUG�� FUHDWLQJ� DZDUHQHVV� DQG� SROLFLHV� UHODWHG� WR� LQIRUPDWLRQ� VHFXULW\� DSSOLFDWLRQV� IRU� FULWLFDO� DVVHWV� RI� RUJDQL]DWLRQV� DUH� VHHQ� LPSRUWDQW� DSSURDFKHV� IRU� RUJDQL]DWLRQV�� 0RUHRYHU�� ,7� ULVN� ILHOGV� DUH� DOVR� GHVFULEHG� LQ� WKH� VWXGLHV�� $FFRUGLQJ� WR� RQH� RI� WKHVH� VWXGLHV�� ,7� ULVN� ILHOGV� LQYROYH� PDQDJHPHQW� DQG� VWUDWHJ\� ULVNV�� VNLOOV�DQG�WHFKQRORJLFDO�GHYHORSPHQW�ULVNV��DUFKLWHFWXUDO�ULVNV�EXVLQHVV�FRQWLQXLW\�ULVNV��FRPSOLDQFH�ULVNV��UHVRXUFH� ULVNV�� VXSSRUW� PHFKDQLVP� ULVNV�� WKLUG� SDUW\� UHODWLRQV�� SURMHFW� GHYHORSPHQW� ULVNV�� FKDQJH� UHDOL]DWLRQ� ULVNV� WUXVW� DQG� FXVWRPHU�UHODWLRQV��LQIRUPDWLRQ�ULVNV��LQIUDVWUXFWXUH�ULVNV�DQG�RQOLQH�DQG�ZHE�DVVHWV�>��@�� � ,QIRUPDWLRQ� VHFXULW\� DVVHVVPHQWV� ZLWK� ULVN� DVVHVVPHQWV� DUH� JHQHUDOO\� FRQGXFWHG� WR� GHVFULEH� H[LVWLQJ� VHFXULW\� DUFKLWHFWXUH�DQG�LWV�UHFHQW�VWDWXV��7KH�DLP�RI�VXFK�VWXGLHV�DUH�GHILQHG�DV�HYDOXDWLRQ�RI�WKUHDWV�DQG�ULVNV�DJDLQVW�WKH� LQIRUPDWLRQ� V\VWHPV� DQG� UHODWHG� DVVHWV�� $VVHVVPHQWV� FHUWLI\� DOO� LPSOHPHQWHG� DSSOLFDWLRQV� DQG� DFFHSWDEOH� OHYHOV� RI�
981
Şahika Eroğlu and Tolga Çakmak / Procedia Computer Science 100 (2016) 979 – 986
982
RUJDQL]DWLRQV�>��@��5DPDFKDQGUDQ�VWDWHV�WKDW�FXUUHQW�VWDWXV�RI�RUJDQL]DWLRQV�FDQ�EH�GHWHUPLQHG�E\�DVVHVVPHQWV�WKDW� FRYHU� DOO� OHYHOV� RI� VHFXULW\� DUFKLWHFWXUHV� LQFOXGLQJ� GDWD�� DSSOLFDWLRQ� DQG� LQIUDVWUXFWXUH� DUFKLWHFWXUHV�� 6LPLODUO\�� DQRWKHU� VWXG\� UHIOHFWV� WKDW� VHFXULW\� DVVHVVPHQWV� FRQVLVWV� RI� EXVLQHVV� LPSDFW� DQDO\VLV�� WKUHDWV� DQG� YXOQHUDELOLW\� LGHQWLILFDWLRQ�DQG�SROLF\�FRQWHQW�DQDO\VLV�>������@�� 5LVN�PDQDJHPHQW�DSSOLFDWLRQV�DUH�VWDWHG�DV�RQH�RI�WKH�NH\�IXQFWLRQV�RI�,7�JRYHUQDQFH�DQG�WKHLU�PDLQ�IXQFWLRQ� GHILQHG� DV� SURYLGLQJ� D� VDIH� HQYLURQPHQW� IRU� EXVLQHVV� SURFHVVHV�� ,W� LV� DOVR� H[SODLQHG� WKDW� ULVN� PDQDJHPHQW� DSSOLFDWLRQV� DQG� DVVHVVPHQWV� DUH� LPSRUWDQW� WRROV� IRU� ZHOO�GHVLJQHG� V\VWHPV� DQG� WKH\� KDYH� HIIHFWV� RQ� WKH� LPSOHPHQWDWLRQ�RI�VXVWDLQDEOH�DQG�VDIH�HQYLURQPHQWV�IRU�EXVLQHVV�SURFHVVHV�DV�ZHOO�>��@���� ���0HWKRGRORJ\� 7KLV� VWXG\� DLPV� WR� HYDOXDWH� LQIRUPDWLRQ� UHODWHG� IXQFWLRQV�� V\VWHPV�� DQG� VHFXULW\� DQG� SULYDF\� LVVXHV� RI� D� KHDOWK� RUJDQL]DWLRQ�ZKLFK�LV�RQH�RI�WKH�ODUJH�VFDOH�RUJDQL]DWLRQV�LQ�7XUNH\��%DVHG�RQ�WKH�LQIRUPDWLRQ�VHFXULW\�DVVHVVPHQW� GHILQLWLRQ� RI� 8�6�� 'HSDUWPHQW� RI� &RPPHUFH�� 1DWLRQDO� 6WDQGDUGV� DQG� 7HFKQRORJ\� �1,67 �� SURFHVVHV�� SROLFLHV�� HQWLWLHV��ULVN�PDQDJHPHQW�DQG�SHRSOH�ZHUH�DQDO\]HG�LQ�WKH�VWXG\��,Q�WKLV�UHJDUG��UHVHDUFK�TXHVWLRQV�RI�WKH�VWXG\�DV� IROORZV�� x�:KDW�LV�WKH�LQIRUPDWLRQ�VHFXULW\�OHYHO�RI�WKH�KHDOWK�RUJDQL]DWLRQ�LQ�WHUPV�RI�LWV�FULWLFDO�DVVHWV�LQ�EXVLQHVV� SURFHVVHV"� x�:KLFK� DVSHFWV� RI� ULVN� DVVHVVPHQW� DQG� LQIRUPDWLRQ� VHFXULW\� DSSOLFDWLRQV� DUH� UHTXLUHG� WR� LPSURYH� LQ� WKH� KHDOWK�RUJDQL]DWLRQ"�� �,Q�WKH�OLJKW�RI�UHVHDUFK�TXHVWLRQV��,QIRUPDWLRQ�6HFXULW\�$VVHVVPHQW�7RRO�IRU�6WDWH�$JHQFLHV�ZDV�HPSOR\HG�DV�D� UHVHDUFK� LQVWUXPHQW� DQG� GDWD� FROOHFWLRQ� WRRO� LQ� WKH� VWXG\�� 7KLV� WRRO� XVHG� DQG� DGRSWHG� LQ� PDQ\� ILHOGV� VXFK� DV� HGXFDWLRQ��GHIHQVH�LQGXVWU\�DQG�RWKHU�VWDWH�RUJDQL]DWLRQV�FRQVLVWV�RI�ILYH�/LNHUW�VFDOH�TXHVWLRQV��HDFK�TXHVWLRQ�KDV� RSWLRQV�IURP���WR�� �IRU�HDFK�VHFWLRQ�ZLWK�DQ�H[SODQDWLRQ�DUHD�DERXW�WKH�UHVSRQVHV��2SWLRQV�JLYHQ�LQ�WKH�DVVHVVPHQW� WRRO� IRU� HDFK� TXHVWLRQ� ZHUH� FRQVWUXFWHG� WR� GHVFULEH� FXUUHQW� VLWXDWLRQ� RI� WKH� DQDO\]HG� RUJDQL]DWLRQ�� 7KHVH� RSWLRQV� JHQHUDOO\� DUH� ³QRW� LPSOHPHQWHG´�� ³SODQQLQJ� VWDJHV´�� ³SDUWLDOO\� LPSOHPHQWHG´�� ³FORVH� WR� FRPSOHWLRQ´� DQG� ³FRPSOHWHG´��%H\RQG�WKH�GHVFULEHG�GDWD�FROOHFWLRQ�WHFKQLTXHV��LQWHUYLHZLQJ�DQG�REVHUYDWLRQ�WHFKQLTXHV�ZHUH�XVHG� WR�REWDLQ�GHHSHU�UHVXOWV�LQ�WKH�VWXG\��$FFRUGLQJ�WR�SURYLGHG�REMHFWLYHV�RI�WKH�VWXG\��DSSOLFDWLRQV�ZHUH�PHDVXUHG�DQG� TXDOLWDWLYH�DQG�TXDQWLWDWLYH�GDWD�ZHUH�JDWKHUHG�E\�WKH�DVVHVVPHQW�WRRO�DV�D�UHVXOW�RI�WKH�LQWHUYLHZV�ZLWK�H[SHUWV�ZKR� DUH� UHVSRQVLEOH� IRU� LQIRUPDWLRQ� VHFXULW\� DQG� LQIRUPDWLRQ� V\VWHPV� RI� WKH� KHDOWK� RUJDQL]DWLRQ�� )LQGLQJV� WKDW� ZHUH� UHSRUWHG�DFFRUGLQJ�WR�WLWOHV�JLYHQ�LQ�WKH�DVVHVVPHQW�WRRO��UHYHDOHG�WKH�PDWXULW\�OHYHO�RI�KHDOWK�RUJDQL]DWLRQ�� ���)LQGLQJV� )LQGLQJV� REWDLQHG� IURP� WKH� ,QIRUPDWLRQ� 6HFXULW\� $VVHVVPHQW� 7RRO� IRU� 6WDWH� $JHQFLHV� DUH� SUHVHQWHG� LQ� WKLV� VHFWLRQ�� 7KH� VHFWLRQ� WLWOHV�� VXFK� DV� RUJDQL]DWLRQDO� UHOLDQFH� RQ� ,7�� ULVN� PDQDJHPHQW�� SURFHVVHV�� SHRSOH� DQG� WHFKQRORJ\��ZHUH�XVHG�WR�UHSRUW�ILQGLQJV�DQG�WKH\�ZHUH�FDWHJRUL]HG�DFFRUGLQJ�WR�WKHVH�WLWOHV��0RUHRYHU��VWDWHPHQWV� JLYHQ�LQ�WKH�DVVHVVPHQW�WRRO�ZHUH�FODVVLILHG�E\�WKHLU�FRPPRQ�DWWULEXWHV�DQG�FRQWHQW�LQ�VRPH�FDVHV��,Q�WKH�HQG�RI�WKLV� VHFWLRQ��DOO�FDWHJRULHV�ZHUH�HYDOXDWHG�DFFRUGLQJ�WR�VFRULQJ�WRRO�RI�WKH�UHVHDUFK�LQVWUXPHQW�� 4.1. Organizational Reliance on IT ,Q� WKH� ILUVW� VHFWLRQ� RI� WKH� DVVHVVPHQW� WRRO�� RUJDQL]DWLRQDO� UHOLDQFH� RI� WKH� KHDOWK� RUJDQL]DWLRQ� ZDV� PHDVXUHG�� $FFRUGLQJ�WR�ILQGLQJV��WKH�EXGJHW�RI�WKH�RUJDQL]DWLRQ�LV�LQ�PHGLXP�OHYHO�E\������ELOOLRQ�WR����PLOOLRQ��$GGLWLRQDOO\�� WKH�KHDOWK�RUJDQL]DWLRQ�LV�DPRQJ�WKH�ODUJH�VFDOH�RUJDQL]DWLRQV�LQ�7XUNH\�ZLWK�LWV�PRUH�WKDQ����WKRXVDQG�)7(�� )LQGLQJV�LQGLFDWH�WKDW�WKH�,7�UHOLDQFH�RI�KHDOWK�RUJDQL]DWLRQ�LV�LQ�YHU\�KLJK�OHYHO�LQ�WHUPV�RI�SURYLGLQJ�VHUYLFHV�� YDOXH�RI�WKH�LQIRUPDWLRQ�VWRUHG�LQ�HOHFWURQLF�HQYLURQPHQWV��HIIHFWV�RI�V\VWHP�GRZQWLPH�RQ�RSHUDWLRQV��RUJDQL]DWLRQDO� FKDQJH�DQG�LGHQWLW\��UHODWLRQV�ZLWK�WKLUG�SDUWLHV��QHZ�RSHUDWLRQDO�SURFHVVHV��VHQVLWLYLW\�IRU�LQIRUPDWLRQ�VHFXULW\�DQG� SULYDF\�LVVXHV�DQG�SROLWLFDO�VHQVLWLYLWLHV��+RZHYHU��,7�UHOLDQFH�RI�WKH�RUJDQL]DWLRQ�LV�GHVFULEHG�DV�KLJK�DERXW�OHYHO�RI� UHJXODWLRQV�RQ�LQIRUPDWLRQ�VHFXULW\�DQG�SULYDF\��DQG�GHSHQGHQF\�RQ�PXOWL�VLGHG�RSHUDWLRQV�E\�H[SHUWV���
Şahika Eroğlu and Tolga Çakmak / Procedia Computer Science 100 (2016) 979 – 986
4.2. Risk Management 5LVN�PDQDJHPHQW�FRPSRQHQW�RI�WKH�DVVHVVPHQW�WRRO�SURYLGHV�QLQH�TXHVWLRQV�WR�GHVFULEH�LQIRUPDWLRQ�VHFXULW\�DQG� SULYDF\� LVVXHV� RI� WKH� KHDOWK� RUJDQL]DWLRQ�� 7KHVH� TXHVWLRQV� DUH� FODVVLILHG� XQGHU� WKH� WKUHH� JURXSV� LQ� RUGHU� WR� REWDLQ� GHHSHU� UHVXOWV�� 7KHVH� JURXSV� DUH� LQIRUPDWLRQ� VHFXULW\� DQG� SULYDF\� VWUDWHJ\�� LGHQWLILFDWLRQ� RI� ULVNV�� DQG� PRQLWRULQJ� ULVNV�DQG�OHJDO�IUDPHZRUN�� )LQGLQJV� LQ� WKLV� VHFWLRQ� ILUVWO\� UHIOHFW� WKDW� WKH� FXUUHQW� VLWXDWLRQ� RI� WKH� KHDOWK� RUJDQL]DWLRQ� DERXW� KDYLQJ� D� GRFXPHQWHG�LQIRUPDWLRQ�VHFXULW\�DQG�SULYDF\�SROLF\�DQG�WKH�H[SHUWV�ZKR�UHVSRQGHG�RXU�VWXG\�PDUNHG�WKLV�TXHVWLRQ� DV� FORVH� WR� FRPSLODWLRQ�� )XUWKHUPRUH�� WKH� FRQWHQW� RI� WKH� LQIRUPDWLRQ� VHFXULW\� DQG� SULYDF\� SROLF\� LV� DOVR� DQDO\VHG� ZLWK�DQRWKHU�/LNHUW�VFDOH�TXHVWLRQ��,Q�WKLV�UHJDUG��WKLV�SROLF\�SDUWLDOO\�FRQWDLQV�VWDWHPHQWV�UHODWHG�WR�PHDVXULQJ�ULVNV� HIIHFWLYHO\�DQG�PDQDJH�WKHP�LQ�DQ�DFFHSWDEOH�OHYHO��6LPLODUO\��LW�LV�VHHQ�WKDW�WKH�SROLF\�LV�LQ�LQVXIILFLHQW�OHYHO�DERXW� SODQV�UHODWHG�WR�ULVN�PHDVXUHPHQW�� 7KH�VWURQJHVW�SRLQW�RI�WKH�KHDOWK�RUJDQL]DWLRQ�LQ�WKLV�VHFWLRQ�RI�UHVHDUFK�LQVWUXPHQW�LV�UHODWHG�WR�ULVN�LGHQWLILFDWLRQ� LVVXHV�� $QDO\VLV� VKRZ� WKDW� WKH� KHDOWK� RUJDQL]DWLRQ� KDV� FRQGXFWHG� ULVN� DVVHVVPHQW� VWXG\� LQ� RUGHU� WR� GHVFULEH� ULVNV� DERXW�VHQVLWLYH�DVVHWV�ZLWKLQ�WZR�\HDUV��,W�LV�DOVR�XQGHUVWRRG�LQ�WKH�ILQGLQJV�WKDW�FULWLFDO�DVVHWV�DQG�UHODWHG�IXQFWLRQV�� DQG�YXOQHUDELOLWLHV�DQG�WKUHDGV�ZHUH�FRPSOHWHO\�GHVFULEHG�LQ�WKH�RUJDQL]DWLRQ��3OXV��WKH�FRVW�DQDO\VLV�ZHUH�FDUULHG� RXW�DERXW�WKH�ORVV�RI�FULWLFDO�DVVHWV�� 7KH�ODVW�SDUW�RI�WKLV�VHFWLRQ�LV�DERXW�WKH�ILQGLQJV�UHODWHG�WR�PRQLWRULQJ�ULVNV�DQG�OHJDO�IUDPHZRUN��$FFRUGLQJ�WR� DQDO\VLV��OHJDO�IUDPHZRUN�UHODWHG�WR�LQIRUPDWLRQ�VHFXULW\�LVVXHV�ZDV�FRPSOHWHO\�IROORZHG�E\�WKH�KHDOWK�RUJDQL]DWLRQ�� 2Q� WKH� RWKHU� KDQG�� XSGDWHV� DQG� UHQRYDWLRQV� RI� LQIRUPDWLRQ� VHFXULW\� SROLF\� ZHUH� SDUWLDOO\� FDUULHG� RXW� LQ� WKH� RUJDQL]DWLRQ��,W�ZRXOG�QRW�EH�ZURQJ�WR�VD\�WKDW�WKLV�LV�DQ�LQVXIILFLHQF\�VXFK�D�ODUJH�VFDOH�KHDOWK�VHFWRU�RUJDQL]DWLRQ�� 4.3. People 7KH�WKLUG�FRPSRQHQW�RI�WKH�DVVHVVPHQW�WRROV�LV�UHODWHG�WR�SHRSOH�ZKR�ZRUN�DV�)7(�LQ�WKH�KHDOWK�RUJDQL]DWLRQ��,Q� WKLV�UHJDUG��WKH�DQDO\VLV�LQYROYH�WKH�ILQGLQJV�EDVHG�RQ�WKH�VWDWHPHQWV�DERXW�TXDOLILFDWLRQV��UROHV�DQG�UHVSRQVLELOLWLHV�� WUDLQLQJV��DQG�SROLFLHV�DQG�ZRUNIORZ��7KH�UHVXOWV�REWDLQHG�IURP�WKH�DQDO\VLV�DERXW�WKLV�SDUW�RI�WKH�DVVHVVPHQW�WRRO� DUH�GLVSOD\HG�DW�)LJXUH���� $QDO\VLV� LQGLFDWH� WKDW� TXDOLILFDWLRQV� RI� SHRSOH� DUH� LQ� PHGLXP� OHYHOV�� ,Q� WKLV� SRLQW�� LW� FDQ� EH� GHVFULEHG� DV� DQ� RSSRUWXQLW\�WKDW�WKHUH�DUH�LQIRUPDWLRQ�VHFXULW\�H[SHUWV�DQG�VWDII�LQ�WKH�RUJDQL]DWLRQ��,Q�FRQWUDVW��ORZ�TXDOLILFDWLRQV�RI� HPSOR\HHV� DQG� ODFN� RI� DXWKRULW\� LQ� WKHVH� ILHOGV� DUH� GHVFULEHG� DV� UHPDUNDEOH� ILQGLQJV� IRU� WKH� VWXG\�� 2Q� WKH� RWKHU� KDQG��WKH�RUJDQL]DWLRQ�KDV�PRVW�RI�WKH�UHVRXUFHV�WKDW�FRPSO\�ZLWK�LQIRUPDWLRQ�VHFXULW\�DQG�SULYDF\�VWDQGDUGV�DQG� UHJXODWLRQV�� )LQGLQJV�VKRZ�WKDW�DOPRVW�DOO�UHVSRQVLELOLWLHV�FRPSOHWHO\�FDUULHG�RXW�E\�WKH�RUJDQL]DWLRQ��,W�LV�DOVR�VHHQ�WKDW�RQO\� EXVLQHVV�FRQWLQXLW\�DQG�GLVDVWHU�UHFRYHU\�SODQV�DUH�LQ�SODQQLQJ�VWDJHV�LQ�WKH�RUJDQL]DWLRQ�� � � � � � � � � � � � � � )LJ�����7KH�UROH�RI�SHRSOH�LQ�WHUPV�RI�,QIRUPDWLRQ�6HFXULW\�DSSURDFKHV�LQ�KHDOWK�RUJDQL]DWLRQ�
983
984
Şahika Eroğlu and Tolga Çakmak / Procedia Computer Science 100 (2016) 979 – 986
� $V�LV�GLVSOD\HG�LQ�)LJXUH����WUDLQLQJV�UHODWHG�WR�LQIRUPDWLRQ�VHFXULW\�DQG�SULYDF\�VKRXOG�EH�GHYHORSHG��$FFRUGLQJ� WR� H[SHUWV�� LQIRUPDWLRQ� VHFXULW\� DQG� SULYDF\� WUDLQLQJV� DUH� SDUWLDOO\� LQ� VXVWDLQDEOH� VWUXFWXUH�� +RZHYHU�� LW� FDQ� EH� GHVFULEHG�DV�D�VLJQLILFDQW�VWHS�WKDW�LQIRUPDWLRQ�VHFXULW\�DQG�SULYDF\�WUDLQLQJV�DUH�PRVWO\�SURYLGHG�LQ�WKH�RUJDQL]DWLRQ� 7KH�ZHDNHVW�SRLQW�RI�WKH�RUJDQL]DWLRQ�LQ�WKLV�VHFWLRQ�LV�UHODWHG�WR�SROLFLHV�DQG�EXVLQHVV�SURFHVVHV��)LQGLQJV�UHIOHFW� WKDW� LQIRUPDWLRQ� VHFXULW\� XQLWV� PRVWO\� DUH� LQ� FROODERUDWLRQ� ZLWK� RWKHU� XQLWV� RI� WKH� RUJDQL]DWLRQ�� 1HYHUWKHOHVV�� LQIRUPDWLRQ�VHFXULW\�XQLWV�PRVWO\�GHOLYHU�UHSRUWV�WR�VHQLRU�PDQDJHPHQW�XQLWV��,W�LV�DOVR�HYDOXDWHG�DV�D�GLVDGYDQWDJHG� VLWXDWLRQ�WKDW�EXVLQHVV�XQLWV�DQG�VHQLRU�PDQDJHPHQW�SROLFLHV�DUH�LQ�SODQQLQJ�VWDJHV�LQ�WKH�RUJDQL]DWLRQ�� 4.4. Processes ,QIRUPDWLRQ� VHFXULW\� SURFHVVHV� ZHUH� SURYLGHG� XQGHU� ILYH� WLWOHV� E\� WKH� DVVHVVPHQW� WRRO�� 7KHVH� DUH� VHFXULW\� WHFKQRORJ\� VWUDWHJ\��SROLF\� GHYHORSPHQW� DQG� HQIRUFHPHQW�� LQIRUPDWLRQ� VHFXULW\� DQG�SURFHGXUHV�� SK\VLFDO� VHFXULW\�� DQG� VHFXULW\� SURJUDP� DGPLQLVWUDWLRQ�� 7KH� PHDQ� YDOXHV� IRU� HDFK� WLWOH� REWDLQHG� IURP� WKH� KHDOWK� RUJDQL]DWLRQ� DUH� GLVSOD\HG�LQ�)LJXUH���� � � � � � � � � � � � � � � � � )LJ�����5HVXOWV�UHODWHG�WR�LQIRUPDWLRQ�VHFXULW\�SURFHVVHV�LQ�KHDOWK�RUJDQL]DWLRQ�
)LJXUH���LOOXVWUDWHV�WKDW�WKH�ORZHVW�PHDQ�YDOXH�DPRQJ�WKH�LQIRUPDWLRQ�VHFXULW\�SURFHVV�FRPSRQHQWV�LV�UHODWHG�WR� LQIRUPDWLRQ� VHFXULW\� SROLF\� DQG� SURFHGXUHV�� $FFRUGLQJ� WR� ILQGLQJV�� VRPH� WRSLFV� DUH� LQ� SODQQLQJ� VWDJH� IRU� WKH� LQIRUPDWLRQ� SROLF\� GRFXPHQW�� 7KHVH� WRSLFV� DUH� GDWD� WUDQVPLVVLRQ�� LQWHURSHUDELOLW\�� ORJ� UHSRUWV� DQG� UHVSRQVHV�� SK\VLFDO� VHFXULW\� DQG� FRQWUROV�� VHFXULW\� UHSRUWV�� LQYHVWLJDWLRQV� RQ� VHFXULW\� LQIULQJHPHQWV�� 2Q� WKH� RWKHU� KDQG�� UHVSRQVLELOLWLHV�RI�HPSOR\HHV��XVH�RI�FRPSXWHU��HPDLO��LQWHUQHW�DQG�LQWHUQHW�SROLFLHV�DUH�SDUWLDOO\�LPSOHPHQWHG�LQ�WKH� LQIRUPDWLRQ� SROLF\� GRFXPHQW� RI� WKH� RUJDQL]DWLRQ�� 2WKHUZLVH�� DFFHVVLELOLW\� RI� SHUVRQDO� GDWD�� DFFHVV� PDQDJHPHQWV�� GDWD�FODVVLILFDWLRQ��VWRUDJH�DQG�GLVSRVLWLRQ�LVVXHV�DUH�PRVWO\�GHVFULEHG�LQ�WKH�LQIRUPDWLRQ�VHFXULW\�SROLF\�GRFXPHQW�� 6HFXULW\�SURJUDP�DGPLQLVWUDWLRQ�LVVXHV�DUH�DOVR�LOOXVWUDWHG�DV�ORZHU�OHYHOV�LQ�)LJXUH����,Q�WKLV�FRQWH[W��WKH�KHDOWK� RUJDQL]DWLRQ� LV� LQ� SODQQLQJ� VWDJHV� DERXW� WKH� UHQRYDWLRQ� RI� LQIRUPDWLRQ� VHFXULW\� DQG� SULYDF\� SURJUDP� IRU� DOO� XQLWV�� 6LPLODUO\�� XVDJH� RI� LQIRUPDWLRQ� VHFXULW\� SURJUDP� E\� HYHU\� XQLW� LQGHSHQGHQWO\� RU� SHULRGLFDOO\� LV� SDUWLDOO\� LPSOHPHQWHG� LQ� WKH� RUJDQL]DWLRQ�� )XUWKHUPRUH�� WKH� KHDOWK� RUJDQL]DWLRQ� LV� FORVH� WR� FRPSOHWH� SURFHVVHV� VXFK� DV� LQYHQWRU\�RI�SK\VLFDO�DQG�ORJLFDO�QHWZRUN�DVVHWV��FRQILJXUDWLRQ�PDQDJHPHQW��UHSRUWLQJ�VHFXULW\�SHUIRUPDQFH�YDOXHV�� 3URFHVVHV�DQG�SROLFLHV�DERXW�LQIRUPDWLRQ�VHFXULW\�DQG�SULYDF\�LVVXHV�DUH�FRPSOHWHO\�WHVWHG�E\�WKH�RUJDQL]DWLRQ�� )LQGLQJV� UHYHDO� WKDW� SURFHVVHV� DERXW� XSGDWHV� LQ� VHFXULW\� DUFKLWHFWXUH� DQG� FRPSOLDQFH� ZLWK� QHZ� XSGDWHV� DUH� FRPSOHWHO\�FDUULHG�RXW�E\�WKH�RUJDQL]DWLRQ��0DQDJHPHQW�RI�LQIRUPDWLRQ�VHFXULW\�VWUDWHJ\��VHFXULW\�SURFHVVHV�UHODWHG� WR�QHZ�V\VWHPV��WLPH� PDQDJHPHQW��UHYLHZ�DQG�FODVVLILFDWLRQ�SURFHVVHV�DQG�GRFXPHQWHG�FRQILJXUDWLRQ�VHWWLQJV�DUH�
Şahika Eroğlu and Tolga Çakmak / Procedia Computer Science 100 (2016) 979 – 986
985
PRVWO\� FRPSOHWHG� LQ� WKH� RUJDQL]DWLRQ�� 2Q� WKH� RWKHU� KDQG�� SDWFK� PDQDJHPHQW� LV� SDUWLDOO\� LPSOHPHQWHG� E\� WKH� RUJDQL]DWLRQ�� 7KH�KHDOWK�RUJDQL]DWLRQ�LV�LQ�KLJK�OHYHOV�DERXW�SK\VLFDO�VHFXULW\��SROLF\�GHYHORSPHQW�DQG�HQIRUFHPHQW�LVVXHV��,Q� WKLV� FRQWH[W�� SURFHGXUHV� UHODWHG� WR� VKDULQJ� VHQVLWLYH� LQIRUPDWLRQ� DVVHWV� ZLWKLQ� WKH� VFRSH� RI� SK\VLFDO� VHFXULW\� DUH� SDUWLDOO\�LPSOHPHQWHG��,W�FDQ�DOVR�EH�GHVFULEHG�DV�D�GHILFLHQF\�IRU�WKH�RUJDQL]DWLRQ�WKDW�H[FHSWLRQDO�FRQGLWLRQV�DUH� SDUWLDOO\�VWDWHG�LQ�WKH�SROLF\�GRFXPHQWV��)XUWKHUPRUH��ILQDQFLDO�DQDO\VLV�IRU�SROLF\�XSGDWHV��ULVN�LGHQWLILFDWLRQ�DQG� SULYDF\�LVVXHV�DUH�DOPRVW�FRPSOHWHG�LQ�WKH�RUJDQL]DWLRQ�� 4.5. Technology 7KH�ODVW�VHFWLRQ�RI�WKH�DVVHVVPHQW�WRRO�LV�DERXW�WHFKQRORJ\�DSSOLFDWLRQV�RI�WKH�KHDOWK�RUJDQL]DWLRQ��,Q�WKLV�FRQWH[W�� LW� LV� VHHQ� WKDW� WKH� RUJDQL]DWLRQ� PRVWO\� FRYHUV� WHFKQRORJ\� UHTXLUHPHQWV�� )LQGLQJV� VKRZ� WKDW� IROORZLQJ� LVVXHV� DUH� FRPSOHWHG�LQ�WKH�RUJDQL]DWLRQ�� x� 6SHFLILF�SURWHFWLRQ�IRU�GRPDLQ�QDPHV�DQG�UHODWHG�VHUYHUV��VXFK�DV�'16��'+&3 � x� 6SHFLILF�SURWHFWLRQ�IRU�UHPRWH�DFFHVV�VHUYLFHV�DQG�XVHUV�� x� 3URWHFWLRQ�RI�ZHE�EDVHG�VHUYHUV�DQG�ILUHZDOO�OD\HUV� x� &RQWURO�OD\HUV�EHWZHHQ�HQG�WLHUV� x� 3HULRGLF�VFDQQLQJ�RI�QHWZRUNV��V\VWHPV�DQG�SURFHVVHV�IRU�WKUHDGV�DQG�LQWHJULW\�RI�LPSOHPHQWDWLRQ� x� 5HDO�WLPH�PRQLWRULQJ�DQWLYLUXVHV�DQG�PDOZDUHV�DQG�DEQRUPDO�EHKDYLRUV�� x� /RJ�UHFRUGV�RI�KDUGZDUH�FRQILJXUDWLRQ�FKDQJHV�DQG�VRIWZDUH�FRQILJXUDWLRQ�DQG�DXWKHQWLFDWLRQ�SURFHVVHV� /DVW�EXW�QRW�OHDVW��SURWHFWLRQ�RI�SDVVZRUGV�DQG�PDQDJHPHQW��,'�YDOLGDWLRQ�VWUXFWXUHV��DFFHVV�PDQDJHPHQW��DFWLRQ� UHSRUWV�LVVXHV�DUH�FORVH�WR�FRPSLODWLRQ�LQ�WKH�KHDOWK�RUJDQL]DWLRQ��$GGLWLRQDOO\��LW�LV�VHHQ�WKDW�VHVVLRQ�PDQDJHPHQW�� DQWLYLUXV�PDQDJHPHQW��XSGDWHV�DQG�SDWFKHV�IRU�RSHUDWLQJ�V\VWHPV�VKRXOG�EH�LPSURYHG�LQ�WKH�OLJKW�RI�ILQGLQJV�� 4.6. General Overview ,Q�DGGLWLRQ�WR�VSHFLILF�ILQGLQJV�GHWDLOHG�SUHYLRXV�VHFWLRQV�RI�WKH�VWXG\��WKH�KHDOWK�RUJDQL]DWLRQ�DQDO\]HG�LQ�WHUPV� RI�JHQHUDO�RYHUYLHZ��,Q�WKLV�UHJDUG��WKH�JHQHUDO�RYHUYLHZ�RI�FRPSRQHQWV�LV�VXPPDUL]HG�LQ�)LJXUH���� $FFRUGLQJ� WR� ILQGLQJV� SUHVHQWHG� LQ� )LJXUH� ��� ,7� UHOLDQFH� RI� WKH� KHDOWK� RUJDQL]DWLRQ� LV� KLJKHU� WKDQ� RWKHU� FRPSRQHQWV��3OXV��ULVN�PDQDJHPHQW�DQG�WHFKQRORJ\�DSSOLFDWLRQV��������YH������ �DUH�RWKHU�KLJK�OHYHO�FRPSRQHQWV� RI� WKH�RUJDQL]DWLRQ��3URFHVVHV� DQG� SHRSOH� ������� DQG� ������ �DUH� WKH�ORZHVW� FRPSRQHQWV�RI� WKH�RUJDQL]DWLRQ� LQ� WHUPV�RI�LQIRUPDWLRQ�VHFXULW\�DQG�SULYDF\�DVVHVVPHQW�� � � � � � � � � � � )LJ�����*HQHUDO�RYHUYLHZ�RI�LQIRUPDWLRQ�VHFXULW\�FRPSRQHQWV��
$V�D�UHVXOW�RI�WKH�SRLQWV�REWDLQHG�IURP�WKH�DVVHVVPHQW�WRRO��WKH�VFRUH�RI�WKH�KHDOWK�RUJDQL]DWLRQ�ZDV�FDOFXODWHG�DV� ����SRLQWV��$FFRUGLQJ�WR�DVVHVVPHQW�WRRO��WKH�KHDOWK�RUJDQL]DWLRQ�LV�LQ�JRRG�OHYHO�DQG�LWV�,7�UHOLDQFH�LV�LQ�YHU\�KLJK� OHYHO��
Şahika Eroğlu and Tolga Çakmak / Procedia Computer Science 100 (2016) 979 – 986
986
���&RQFOXVLRQ� 7KUHDWV�WKDW�DUH�PDLQO\�EDVHG�RQ�WKH�EXJV�LQ�LQIRUPDWLRQ�V\VWHPV�QHJDWLYHO\�DIIHFW�EXVLQHVV�SURFHVVHV�DQG�DOVR� RUJDQL]DWLRQDO�LGHQWLW\� DQG� FXOWXUH�� 7KH\� FDQ� DOVR� FDXVH� WR� ORVV�RI�RUJDQL]DWLRQDO� YDOXHV� DQG� WKHLU� VHUYLFH� TXDOLW\�� 2UJDQL]DWLRQV� XVH� ULVN� DVVHVVPHQW� WHFKQLTXHV� LQ� RUGHU� WR� LGHQWLI\� H[LVWLQJ� DQG� SRWHQWLDO� ULVNV�� GHFUHDVH� WKHLU� YXOQHUDELOLWLHV� DQG� SURYLGLQJ� VHFXUH� HQYLURQPHQWV� IRU� LQIRUPDWLRQ� DVVHWV�� 5HVXOWV� REWDLQHG� IURP� ULVN� DVVHVVPHQWV� HQOLJKWHQ�WKH�FXUUHQW�PDWXULW\�OHYHOV�RI�RUJDQL]DWLRQV�DQG�WKH\�DOVR�VXSSRUW�WKH�GHFLVLRQ�PDNLQJ�SURFHVVHV�WR�PDQDJH� ULVNV�LQ�DQ�DFFHSWDEOH�OHYHO�IRU�XQLWV��5LVN�DVVHVVPHQWV�FDQ�DOVR�EH�VWDWHG�DV�D�JXLGH�IRU�LQFUHDVLQJ�SURGXFWLYLW\�DQG� VXVWDLQDELOLW\� RI� LQIRUPDWLRQ� V\VWHPV�� $V� D� UHVXOW� RI� WKH� ULVN� DVVHVVPHQW� VWXG\� FRQGXFWHG� LQ� 7XUNLVK� KHDOWK� RUJDQL]DWLRQ�IROORZLQJ�UHVXOWV�ZHUH�REWDLQHG�LQ�WKH�VWXG\��� x� 7KH�KHDOWK�RUJDQL]DWLRQ�LV�ORFDWHG�LQ�ODUJH�VFDOH�VWDWH�DJHQFLHV�DQG�LWV�RUJDQL]DWLRQDO�UHOLDQFH�RQ�,7�LV�LQ� YHU\� KLJK� OHYHO�� ,Q� WKLV� FRQWH[W� LW� LV� VHHQ� WKDW� LPSRUWDQW� SDUW� RI� EXVLQHVV� SURFHVVHV� LV� FDUULHG� RXW� YLD� HOHFWURQLF�HQYLURQPHQW�� x� +LJK�GHSHQGHQFH�RI�WKH�RUJDQL]DWLRQ�RQ�WHFKQRORJ\�DOVR�UHTXLUHV�KDYLQJ�WKH�RSSRUWXQLWLHV�UHODWHG�WR�XVDJH� RI�KLJK�WHFKQRORJ\��,Q�WKLV�FRQWH[W�WKH�WHFKQRORJLF�FDSDELOLW\�RI�WKH�RUJDQL]DWLRQ�LV�LQ�KLJKHVW�OHYHOV�DPRQJ� WKH�RWKHU�FRPSRQHQWV�� x� ,W�LV�XQGHUVWRRG�WKDW�WKH�IDFWRUV�ZKLFK�WKH�RUJDQL]DWLRQ�LV�LQ�ZHDN�OHYHOV�DUH�UHODWHG�WR�SHRSOH�ZKR�LV�XVHG� WKH� V\VWHPV�� $W� WKLV� SRLQW� WKH� RUJDQL]DWLRQ� VLJQLILFDQWO\� QHHGV� WR� DSSOLFDWLRQV�DQG� WUDLQLQJV� VXSSRUWLQJ� WR� LPSURYH�VWDII�FRPSHWHQFLHV� x� ,Q�WHUPV�RI�SURFHGXUHV��LW V�XQGHUVWRRG�WKDW�WKH�RUJDQL]DWLRQ�QHHGV�WR�LPSURYH�LWV�LQIRUPDWLRQ�VHFXULW\� SROLF\�LQ�WKH�VHQVH�RI�FRQWHQW��)URP�WKLV�SRLQW�RI�YLHZ�RUJDQL]DWLRQDO�SROLF\�GRFXPHQW�VKRXOG�EH�GHYHORSHG� E\�FRYHULQJ�WHFKQLFDO�VSHFLILFDWLRQV�DQG�H[FHSWLRQDO�FRQGLWLRQV�� /DVWO\��LQ�DGGLWLRQ�WR�DERYH�PHQWLRQHG�FRQGLWLRQV��WKH�KHDOWK�RUJDQL]DWLRQ�LV�LQ�³*RRG´�OHYHO�DFFRUGLQJ�WR�VFRULQJ� VHFWLRQ� RI� WKH� DVVHVVPHQW� WRRO�� ,W� LV� DOVR� VHHQ� LQ� WKH� UHVXOWV� WKDW� WKH� RUJDQL]DWLRQ� LV� LQ� VWURQJ� OHYHOV� LQ� WHUPV� RI� LQIUDVWUXFWXUH� DQG� WHFKQLFDO� DWWULEXWHV� RI� LQIRUPDWLRQ� V\VWHPV�� +RZHYHU�� FRPSRQHQWV� UHODWHG� WR� PDQDJHPHQW� RI� LQIRUPDWLRQ�V\VWHPV��VXFK�DV�SHRSOH��SROLFLHV�DQG�SURFHGXUHV�VKRXOG�EH�LPSURYHG�E\�QHZ�UHJXODWLRQV�DQG�GHFLVLRQV� WR�LQFUHDVH�HIILFLHQF\�RI�EXVLQHVV�SURFHVVHV��� 5HIHUHQFHV� ���-RKDQVVRQ�(��(NVWHGW�0��-RKQVRQ�3��$VVHVVPHQW�RI�HQWHUSULVH�LQIRUPDWLRQ�VHFXULW\���7KH�LPSRUWDQFH�RI�LQIRUPDWLRQ�VHDUFK�FRVW��Proceedings of the Annual Hawaii International Conference on System Sciences��������������� ���(NVWHGW�0��-RKQVRQ�3��/LQGVWURࡇP�$��*DPPHOJDࡈUG�0��-RKDQVVRQ�(��3OD]DROD�/��6LOYD�(��/LOLHVNRࡇOG�-���&RQVLVWHQW�HQWHUSULVH�VRIWZDUH�V\VWHP� DUFKLWHFWXUH�IRU�WKH�&,2��$�XWLOLW\�FRVW�DSSURDFK��Proceedings of the 37th annual Hawaii International Conference on System Sciences (HICSS)� ������ ��� .KRR� %�� +DUULV� 3�� +DUWPDQ� 6�� ,QIRUPDWLRQ� VHFXULW\� JRYHUQDQFH� RI� HQWHUSULVH� LQIRUPDWLRQ� V\VWHPV�� DQ� DSSURDFK� WR� OHJLVODWLYH� FRPSOLDQW�� International Journal of Management & Information Systems ����������� ���+HQNR÷OX�7��
