An Effective Design of Model for Information Security Requirement Assessment

Information security is a major domain of analysis for enhancing the security of business organizations that hold sensitive data. These days, attackers are advancing themselves by applying highly advanced technological solutions such as artificially intelligent malicious codes, advanced phishing methods and many others to acquire sensitive and critical data from businesses. This paper presents a novel model framework to analyze the requirements of information security for a more robust information system and its assets in organizations. The framework of this model is designed in such a fashion that both new and legacy organizations can adopt it to define the security requirements that will ensure confidentiality, integrity and availability of information systems and their components, including sensitive business and private data that is critical to the organization. Two different model frameworks are proposed here. The first provides specifications of the security requirements and the second provides for the audit of access logs to capture any unethical practices and violations by internal users. The proposed model for security requirements provides the roadmap to analyze and build proper security requirements to secure business-sensitive data. The stepwise processes needed to analyze and define security requirements are the key factors of this security model, as they help in clear definitions of security frameworks and infrastructure for an organization. The Audit Model provides the framework for defining information auditing requirements, thus enabling the capture of unethical and unauthorized access to the information system components of the organization.

Keywords—Information security; network security; web security; confidentiality; integrity; availability; communication technology; information system; internet security; security framework


I. INTRODUCTION
Recent developments and advancements in information technology have shifted various systems onto the online platform. This new paradigm of processes and activities on the information and communication technology platform enables stakeholders to execute the required applications over the Internet so that the required services can be obtained digitally without necessitating any physical movement to the service provider. Therefore, information security becomes one of the potent concerns of service providers and users. Protection of vital information such as business-related sensitive data, users' personal data, users' transaction data etc. is vital. In recent times, cybercriminals have become highly sophisticated with new-generation hacking methods and tools, making security and protection of vital information a significant challenge to business entities and users. Information security provides safeguards to systems which are typically used to process, store, and communicate data. There are various sources of information, and these include the operating environment, management, databases, network infrastructure and the Internet. Securing all these artifacts associated with information technology and systems is highly challenging, both directly and indirectly, as they are heterogeneous in nature and in their functions. While some studies show that cryptography can provide security to information and its related agents which are used to process, store, and transmit data, it may not be so. This is because the existing cryptographic algorithms may fail to secure the vital information once the decryption key is discovered [1]. Further, by using message analysis, the attackers can analyze the key and therefore decipher the messages that are encrypted. The numerous attacks on various cryptographic systems and their results have demonstrated that these algorithms have been breached by the attackers.
Information security has both technical and non-technical perspectives to it. Purely technical security measures are inadequate for securing information. Therefore, non-technical measures, such as social security measures should also be in place to enhance the overall security effectiveness, so that the information and information system assets can be completely secured. It is simple to design a social tool that can effectively launch a social engineering attack and secure vital information such as access identities and passwords from victims. This indicates that a purely technical security framework is not adequate for securing vital information [2] [3].
Today, what we need is an adaptive security framework for securing information systems and assets. Adaptive security is considered to fall under active security measures that could secure the loopholes and vulnerabilities of the information systems and assets. The level of information security required is heavily dependent on the functional profile of the organization and the equipment and hardware used in the processing of sensitive information. Risk analysis and vulnerability analysis are the primary processes through which security requirements are analyzed. This helps to identify, manage, and create countermeasures for securing critical information, information system assets and the components vulnerable to security threats. Adequate protection of data is very critical if the information system is to generate trust among the stakeholders. A security breach may cause huge financial, trust and image losses [4]. This research article proposes the use of an Analytical Framework for Security Effectiveness that can be applied to critical business data associated with information systems.

www.ijacsa.thesai.org

II. EFFECTIVE SECURITY FRAMEWORK
The analysis of various risks and vulnerabilities is performed on the information system to model the gaps in the security and privacy of sensitive and critical data. Any effective security framework should have the three basic components proposed in Fig. 1. Securing vital information against misuse must be the main consideration. As shown in Fig. 1, four different aspects are mandatory for effective information security, where each one is related to the others to provide security to information [5] [6].

[Fig. 1 (figure not reproduced in this text; only the caption fragment "Effectiveness of" survives)]
For an individual information system firm or organization, the security policy must be very clear in concept and deployment [7]. A clear-cut security policy governs not only third parties in practice but also direct deployment with respect to the information system assets. Deterrence always invokes the regulatory and legal aspects so that internal users do not go beyond the defined scope or violate the system to disclose sensitive information. This must be in place among the users of the firm to assure robust security of the information system assets and critical information. User awareness of the different categories of threats associated with social engineering attacks is mandatory, and a regular process must be in place to make users aware of the latest trends and procedures of such attacks. Audit establishes the violation parameters and depth along with the identity of the violator, so a regular audit must be executed using the right tools and technology to determine the violators and, if necessary, to take legal action. These four base frameworks provide effective information security to an information system.

III. INTERNET AND SECURITY
Almost all online web applications require Internet services to be made available to the users. The Internet is open to all, as it is a public network by nature. Due to this fact, the risks to confidentiality, integrity and availability of information are very high, with hackers constantly trying to acquire sensitive information to gain potential benefits by disclosing and abusing it.

A. Security Analysis Framework
Security analysis is one of the most important processes to scope out the security requirements. Four parameters are considered to analyze the security of Internet-based systems. The analysis parameters are detailed in Table I. These four security domains are mutually associated with the Internet world, and the analysis of security is performed with respect to the dependency factor of the corresponding security breaches. The profiles of the information systems firms and organizations which deal with business processes on Internet-based applications are detailed in Table II.

B. Analysis Functional Flow
Analysis is the first critical process for advancing the security of the information system and its Internet-based applications, protecting them from adversaries and security breaches. The functional flow of the analysis is presented in Fig. 2.

IV. COUNTER MEASURE AND SECURITY ENFORCEMENT
Countermeasures are steps taken to secure the information system and data by preventing unauthorized access and disclosure, maintaining integrity and providing availability [8] [9]. In accordance with Fig. 2, the countermeasures required to secure the information system and its assets (specifically the Internet-based applications and their data) from security breaches are identified in Table III. In Table III, the defined equation-based countermeasure requirement specification is assessed as per the corresponding security domain. In Table IV, the security domains and the countermeasure tools and techniques are presented to enforce the security controls.
According to Table IV, for each security domain there are countermeasure tools and techniques that secure the information system and its assets; security from the network side can also be considered [10]. Advanced tools and technologies can also be employed to enhance the security of sensitive and vital data.

V. SECURITY AUDIT FRAMEWORK
A parameterized security audit is important to assess all events that are being recorded in database logs and user account logs [11] [12] [13]. The parameters are defined with respect to priority. The audit parameters are derived by the following pseudocode.

    Input: Security Parameter i = 1 to n
        Priority = p
        Scope = s
        Interval = g
        Audit Process = a
        If p = high   then scope = i x 5, g = 7  and a = Manual
        If p = medium then scope = i x 3, g = 30 and a = Automated
        If p = low    then scope = i x 1, g = 90 and a = Automated

The priority parameters derived from this pseudocode, together with the tentative benchmark for auditing the logs related to the information system and its assets, are presented in Table V.
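The following Python program is an added worked example, not code from the paper. It implements the priority rules of the pseudocode above exactly as stated (scope = i x 5 / i x 3 / i x 1, interval 7 / 30 / 90 days, manual or automated process), and then uses the derived interval of one parameter to review a set of access-log lines, flagging denied attempts and accesses that a user was not authorised for. This second part is the kind of log audit the Audit Model in the abstract describes; the log format, the parameter names, the authorisation table and every log line are constructed for this example and are not from the paper.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta

# Priority -> (scope multiplier, audit interval in days, audit process),
# taken directly from the paper's pseudocode in Section V.
PRIORITY_RULES = {
    "high": (5, 7, "manual"),
    "medium": (3, 30, "automated"),
    "low": (1, 90, "automated"),
}


@dataclass(frozen=True)
class AuditParameters:
    name: str           # label for the security parameter (assumed; the paper uses only an index)
    index: int          # i in the pseudocode, 1..n
    priority: str       # p
    scope: int          # s = i x multiplier
    interval_days: int  # g
    process: str        # a


def derive_audit_parameters(index: int, priority: str, name: str = "") -> AuditParameters:
    """Apply the paper's priority rules to one security parameter."""
    if index < 1:
        raise ValueError("parameter index i must be >= 1")
    try:
        multiplier, interval, process = PRIORITY_RULES[priority.lower()]
    except KeyError:
        raise ValueError(f"unknown priority {priority!r}; expected high/medium/low") from None
    return AuditParameters(name or f"param{index}", index, priority.lower(),
                           index * multiplier, interval, process)


def derive_audit_plan(parameters: list[tuple[str, str]]) -> list[AuditParameters]:
    """Derive audit parameters for an ordered list of (name, priority); i is the 1-based position."""
    return [derive_audit_parameters(i, prio, name)
            for i, (name, prio) in enumerate(parameters, start=1)]


@dataclass(frozen=True)
class Finding:
    timestamp: datetime
    user: str
    resource: str
    reason: str


def audit_access_log(log_lines: list[str], authorised: dict[str, set[str]],
                     params: AuditParameters, now: datetime) -> list[Finding]:
    """Review log lines inside the audit interval of `params` and flag violations.

    Constructed log line format: "<ISO timestamp> <user> <resource> <ALLOWED|DENIED>".
    Flags every DENIED attempt, and every ALLOWED access to a resource the user is not
    authorised for (an access-control gap only an audit against the policy would catch).
    """
    window_start = now - timedelta(days=params.interval_days)
    findings: list[Finding] = []
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        ts_text, user, resource, result = line.split()
        ts = datetime.fromisoformat(ts_text)
        if ts < window_start:
            continue  # older than this audit cycle; covered by an earlier audit
        permitted = authorised.get(user, set())
        if result == "DENIED":
            findings.append(Finding(ts, user, resource, "denied access attempt"))
        elif resource not in permitted:
            findings.append(Finding(ts, user, resource, "allowed access outside authorisation"))
    return findings


# Constructed sample data for the example; none of it comes from the paper.
SAMPLE_LOG = """
2024-03-01T09:00:00 alice payroll_db ALLOWED
2024-03-05T10:30:00 bob payroll_db ALLOWED
2024-03-06T11:00:00 alice crm DENIED
2024-01-15T08:00:00 bob payroll_db ALLOWED
""".splitlines()

AUTHORISED = {"alice": {"payroll_db"}, "bob": {"crm"}}
NOW = datetime(2024, 3, 7, 0, 0, 0)


def run_example() -> tuple[list[AuditParameters], list[Finding]]:
    """Derive a three-parameter audit plan and audit the sample log with the high-priority one."""
    plan = derive_audit_plan([("database access", "high"),
                              ("user accounts", "medium"),
                              ("web logs", "low")])
    findings = audit_access_log(SAMPLE_LOG, AUTHORISED, plan[0], NOW)
    return plan, findings


if __name__ == "__main__":
    plan, findings = run_example()
    for p in plan:
        print(p)
    for f in findings:
        print(f)
```

With the high-priority parameter (7-day interval) the January event falls outside the window and only the two March violations are reported; switching to the low-priority parameter (90-day interval) pulls the January access back into scope, which is the practical effect of the priority-driven interval in the pseudocode.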

VI. CONCLUSION
Proposing a framework for information security is an extremely complex process. In this research, we have attempted to propose a model framework that would help analyze the security framework for a given information system and its assets, thus enabling recommendations related to information security tools and technologies that would help in securing critical and vital data. The model framework includes two different models: one provides the specifications of security, such as information security requirements, tools, and technologies to apply security, and the other provides the security audit to capture any deviation from ethical practices by users through access logs. The proposed models are effective in specifying the requirements and selecting the security technologies, tools and techniques that can be deployed, and also in enhancing the security features of critical systems and sensitive data. The mathematical procedures ascertain the verification and assurance of the correct parameters being adopted while analyzing the security requirements across the different security domains to secure the system and its critical assets.

VII. FUTURE SCOPE
The proposed Effective Design Model for Security Requirement Analysis and auditing information systems of