Generative Control Theory for Information Security
Increasing information security losses, coupled with more closely regulated security risk disclosure, are raising the importance of information security standards for identifying control gaps and for implementing appropriate and effective information security controls. Despite the growing importanc...
| Main Authors: | , |
|---|---|
| Format: | Journal Article |
| Published: |
The Information Institute
2014
|
| Online Access: | http://www.jissec.org/Contents/V10/N1/jissec-v10n1-raymond-p41-ci/?searchterm=Generative Control Theory for Information Security http://www.jissec.org/Contents/V10/N1/jissec-v10n1-raymond-p41-ci/?searchterm=Generative Control Theory for Information Security http://hdl.handle.net/20.500.11937/11009 |
| id |
curtin-20.500.11937-11009 |
|---|---|
| recordtype |
eprints |
| spelling |
curtin-20.500.11937-110092017-01-30T11:22:16Z Generative Control Theory for Information Security Raymond, B. Baskerville, Richard Increasing information security losses, coupled with more closely regulated security risk disclosure, are raising the importance of information security standards for identifying control gaps and for implementing appropriate and effective information security controls. Despite the growing importance and variety of information security standards, and the large amount of resources involved in their adoption, there remains a lack of theoretical development in this area. The objective of this paper is to develop a better understanding of information security controls defined in standards, by analyzing and comparing their control sets. Our analysis of control sets in two prominent information security standards led to the discovery of a new class of controls - generative controls – which was not previously recognized in the information security literature, and also to the proposition of a new classification scheme with simple metrics for analyzing control sets in standards. This discovery serves as a building block for the proposition of a new theory called ‘generative control theory’ (GCT) for information security. This theory, together with its underlying concepts, explain how the presence of generative controls defined in standards allows them to be applicable to a large number of widely differing organizations, and thereby assures the implementation of appropriate and effective information security controls in those organizations. It also explains the implications of the presence of generative controls in standards for practitioners, researchers and compliance auditors. For example, generative controls present a higher risk of creative compliance. Finally, this study provides recommendations regarding the design, implementation and audit of controls as defined in standards. 2014 Journal Article http://hdl.handle.net/20.500.11937/11009 http://www.jissec.org/Contents/V10/N1/jissec-v10n1-raymond-p41-ci/?searchterm=Generative Control Theory for Information Security http://www.jissec.org/ The Information Institute restricted |
| repository_type |
Digital Repository |
| institution_category |
Local University |
| institution |
Curtin University Malaysia |
| building |
Curtin Institutional Repository |
| collection |
Online Access |
| description |
Increasing information security losses, coupled with more closely regulated security risk disclosure, are raising the importance of information security standards for identifying control gaps and for implementing appropriate and effective information security controls. Despite the growing importance and variety of information security standards, and the large amount of resources involved in their adoption, there remains a lack of theoretical development in this area. The objective of this paper is to develop a better understanding of information security controls defined in standards, by analyzing and comparing their control sets. Our analysis of control sets in two prominent information security standards led to the discovery of a new class of controls - generative controls – which was not previously recognized in the information security literature, and also to the proposition of a new classification scheme with simple metrics for analyzing control sets in standards. This discovery serves as a building block for the proposition of a new theory called ‘generative control theory’ (GCT) for information security. This theory, together with its underlying concepts, explain how the presence of generative controls defined in standards allows them to be applicable to a large number of widely differing organizations, and thereby assures the implementation of appropriate and effective information security controls in those organizations. It also explains the implications of the presence of generative controls in standards for practitioners, researchers and compliance auditors. For example, generative controls present a higher risk of creative compliance. Finally, this study provides recommendations regarding the design, implementation and audit of controls as defined in standards. |
| format |
Journal Article |
| author |
Raymond, B. Baskerville, Richard |
| spellingShingle |
Raymond, B. Baskerville, Richard Generative Control Theory for Information Security |
| author_facet |
Raymond, B. Baskerville, Richard |
| author_sort |
Raymond, B. |
| title |
Generative Control Theory for Information Security |
| title_short |
Generative Control Theory for Information Security |
| title_full |
Generative Control Theory for Information Security |
| title_fullStr |
Generative Control Theory for Information Security |
| title_full_unstemmed |
Generative Control Theory for Information Security |
| title_sort |
generative control theory for information security |
| publisher |
The Information Institute |
| publishDate |
2014 |
| url |
http://www.jissec.org/Contents/V10/N1/jissec-v10n1-raymond-p41-ci/?searchterm=Generative Control Theory for Information Security http://www.jissec.org/Contents/V10/N1/jissec-v10n1-raymond-p41-ci/?searchterm=Generative Control Theory for Information Security http://hdl.handle.net/20.500.11937/11009 |
| first_indexed |
2018-09-06T18:48:17Z |
| last_indexed |
2018-09-06T18:48:17Z |
| _version_ |
1610885048805883904 |