Generic security templates for information system security arguments: mapping security arguments within healthcare systems

He, Ying (2014) Generic security templates for information system security arguments: mapping security arguments within healthcare systems. PhD thesis, University of Glasgow.

Full text available as:
Download (6MB) | Preview
Printed Thesis Information:


Industry reports indicate that the number of security incidents happened in healthcare organisation is increasing. Lessons learned (i.e. the causes of a security incident and the recommendations intended to avoid any recurrence) from those security incidents should ideally inform information security management systems (ISMS). The sharing of the lessons learned is an essential activity in the “follow-up” phase of security incident response lifecycle, which has long been addressed but not given enough attention in academic and industry.

This dissertation proposes a novel approach, the Generic Security Template (GST), aiming to feed back the lessons learned from real world security incidents to the ISMS. It adapts graphical Goal Structuring Notations (GSN), to present the lessons learned in a structured manner through mapping them to the security requirements of the ISMS. The suitability of the GST has been confirmed by demonstrating that instances of the GST can be produced from real world security incidents of different countries based on in-depth analysis of case studies.

The usability of the GST has been evaluated using a series of empirical studies. The GST is empirically evaluated in terms of its given effectiveness in assisting the communication of the lessons learned from security incidents as compared to the traditional text based approach alone. The results show that the GST can help to improve the accuracy and reduce the mental efforts in assisting the identification of the lessons learned from security incidents and the results are statistically significant. The GST is further evaluated to determine whether users can apply the GST to structure insights derived from a specific security incident. The results show that students with a computer science background can create an instance of the GST.

The acceptability of the GST is assessed in a healthcare organisation. Strengths and weaknesses are identified and the GST has been adjusted to fit into organisational needs. The GST is then further tested to examine its capability to feed back the security lessons to the ISMS. The results show that, by using the GST, lessons identified from security incidents from one healthcare organisation in a specific country can be transferred to another and can indeed inform the improvements of the ISMS.

In summary, the GST provides a unified way to feed back the lessons learned to the ISMS. It fosters an environment where different stakeholders can speak the same language while exchanging the lessons learned from the security incidents around the world.

Item Type: Thesis (PhD)
Qualification Level: Doctoral
Keywords: The Generic Security Template, security incident, healthcare, goal structuring notations, information security management system
Subjects: H Social Sciences > HD Industries. Land use. Labor > HD61 Risk Management
Q Science > QA Mathematics > QA76 Computer software
Z Bibliography. Library Science. Information Resources > ZA Information resources > ZA4050 Electronic information resources
Colleges/Schools: College of Science and Engineering > School of Computing Science
Supervisor's Name: Johnson, Professor Chris and Renaud, Doctor Karen
Date of Award: 2014
Depositing User: Miss Ying He
Unique ID: glathesis:2014-5773
Copyright: Copyright of this thesis is held by the author.
Date Deposited: 20 Nov 2014 13:59
Last Modified: 20 Nov 2014 14:08

Actions (login required)

View Item View Item


Downloads per month over past year