Security Risk Management Framework for ISO/IEC 27050 Standard

aut.embargo: No
aut.thirdpc.contains: No
dc.contributor.advisor: Cusack, Brian
dc.contributor.advisor: Litchfield, Alan
dc.contributor.author: Albahbooh, Nabeel
dc.date.accessioned: 2023-11-05T21:42:15Z
dc.date.available: 2023-11-05T21:42:15Z
dc.date.issued: 2023
dc.description.abstract:

The purpose of the research is to add value for users of the recently released international standards and guidelines for Electronic Discovery (eDiscovery) by providing them with a security risk evaluation framework. At present, the eDiscovery guidelines ignore security risks and consist largely of technical assistance for eDiscovery. Using these guidelines without a security risk evaluation framework puts both the users and the information at risk of disclosure and damage. The intention is to design an effective security risk evaluation framework and then test it through scenarios and expert feedback. The Design Science Research Methodology (DSRM) is selected and adapted to guide this study and to systematically shape and improve the framework artefact. The research is primarily theoretical and seeks to design a risk mitigation solution for eDiscovery investigators. The DSRM is enhanced by adopting sub-methods to fill gaps in the overarching methodology for systematically modelling and quantifying the risks in eDiscovery practices as described in the ISO/IEC 27050 standard. The research follows three iterations: the theoretical design of an artefact, its testing, and its quality improvement. The research benefits legal businesses and government departments where the adoption of eDiscovery standards and guidelines is mandatory. The current ISO/IEC 27050 standard does not include any security risk framework. This research aims to fill that gap by designing a novel framework and guidelines for use. The added value of the proposed framework model is a shift from a requirements-based standard control approach towards an action-oriented and referenced approach. The proposed framework will be used to evaluate the ability of organisations to meet the objectives of security risk management when using the ISO/IEC 27050 standard.

The proposed security risk framework discussed in this research will enhance organisations' capability to manage a secure eDiscovery process. Selecting a fit-for-purpose framework is a challenge for most organisations. This research suggests the use of Artefact 3 as a practical guideline. Organisations might choose an integrated framework by mapping specific controls between two or more frameworks (e.g., combining ISO/IEC 27050 with other security standards) to meet their compliance requirements and business needs. However, eDiscovery has specific security requirements that are not adequately defined in more general standards and guidelines. ISO/IEC currently offers 46 related security standards, and the volume of information may be excessive when the goal is ready, active policies and procedures that assure safe eDiscovery practices. This research introduces Artefact 3 as a proposed solution to this problem. The research derives the following questions from the literature to guide the artefact development and to fill a research gap.

Research Question: What framework aligns the current ISO/IEC 27050 standard with the ISO security risk evaluation framework in a cost-effective way?

• SQ1: What are the main limitations and weaknesses of the current ISO/IEC 27050 standard in the context of risk management processes?
• SQ2: What design components improve the risk identification capabilities of the current ISO/IEC 27050 standard?
• SQ3: What steps are necessary to integrate the new artefact with the current ISO/IEC 27050 standard?

Feedback from experts on the proposed framework indicates that approximately two-thirds find its components clear and relevant, while the majority consider it useful for their workplace. Approximately 80% believe it aligns with international security risk management standards and will enhance risk management. However, 20% express concerns regarding both clarity and usability. Additionally, less than half of the feedback suggests the need for improvements, while 75% recommend specific adjustments to the artefact components. In general, the added value of the proposed framework model was evaluated through industry-specific usability testing. Expert feedback on Artefact 2 provided valuable insights into its perceived value during practical application. This feedback was then analysed in detail, and the necessary modifications were incorporated into Artefact 2 to better align with these insights. Artefact 3 now awaits pilot testing in various real-world contexts, with a focus on assessing its broader practical utility. The thesis is structured in a standard format with seven chapters, a references list, and appendices.
dc.identifier.uri: http://hdl.handle.net/10292/16866
dc.language.iso: en
dc.publisher: Auckland University of Technology
dc.rights.accessrights: OpenAccess
dc.title: Security Risk Management Framework for ISO/IEC 27050 Standard
thesis.degree.grantor: Auckland University of Technology
thesis.degree.name: Doctor of Philosophy

Files

Original bundle

Name: AlbahboohN.pdf
Size: 11.23 MB
Format: Adobe Portable Document Format
Description: Thesis

License bundle

Name: license.txt
Size: 895 B
Format: Item-specific license agreed upon to submission