Current proposals for combining action research and design science start with a concrete problem in an organization, then apply an artifact to improve the problem, and finally reflect on lessons learned. The aim of these combinations is to reduce the tension between relevance and rigor. This paper proposes another way of using action research in design…
Today, companies are required to be in control of their IT assets, and to provide proof of this in the form of independent IT audit reports. However, many companies have outsourced various parts of their IT systems to other companies, which potentially threatens the control they have of their IT assets. To provide proof of being in control of outsourced IT…
Information systems require awareness of risks and a good understanding of vulnerabilities and their exploitations. In this paper, we propose a novel approach for the systematic assessment and analysis of confidentiality risks caused by disclosure of operational and functional information. The approach is model-driven integrating information assets and the…
Security evaluation according to ISO 15408 (Common Criteria) is a resource and time demanding activity, as well as being costly. For this reason, only few companies take their products through a Common Criteria evaluation. To support security evaluation, the European Telecommunications Standards Institute (ETSI) has developed a threat, vulnerability, risk…
Companies are under pressure to be in control of their assets but at the same time they must operate as efficiently as possible. This means that they aim to implement "good-enough security" but need to be able to justify their security investment plans. Currently companies achieve this by means of checklist-based security assessments, but these methods are…
Confidentiality is a critical aspect in today's Risk Assessment (RA) practices for many industrial organizations. Assessing confidentiality risks is challenging and the result of a confidentiality RA is still largely based on the subjective opinion of the risk assessor(s). The presence of cross-organization cooperations (e.g. outsourcing) makes a…