Revista Facultad de Ingeniería Universidad de Antioquia

Print ISSN 0120-6230; online ISSN 2357-53280

Rev. Fac. Ing. Univ. Antioquia, no. 89, Medellín, Oct./Dec. 2018

https://doi.org/10.17533/udea.redin.n89a11 

Original article

MePRiSIA: risk prevention methodology for academic information systems

MePRiSIA: metodología de prevención de riesgos para sistemas de información académica

Isabel Cristina Satizábal-Echavarría (1) *

Nancy María Acevedo-Quintana (2)

(1) LACSER (Laboratory for Advanced Computational Science and Engineering Research), Universidad Antonio Nariño. Avenida Bolívar #49 Norte-30. C. P. 630004. Armenia, Colombia.

(2) LOGOS, Universidad de Pamplona. Km 1 vía a Bucaramanga. C. P. 543050. Pamplona, Colombia.


ABSTRACT

Information of academic systems can be stolen, modified or erased by attackers, causing losses to institutions. Applying a risk prevention methodology at educational institutions would help to avoid academic information misuse by users or attackers. MePRiSIA was designed as a risk prevention methodology to be simple and easy to understand while including the human factor in each step. This methodology has four steps to be considered in the process: setting the context, risk identification, risk analysis, and risk prevention. After being applied to the academic information system of Universidad de Pamplona (Colombia) called ACADEMUSOFT, MePRiSIA was evaluated by experts. In conclusion, after applying MePRiSIA to ACADEMUSOFT, the human factor was part of its most important assets and involved in the very high-level risks identified. According to the experts, implementation of MePRiSIA is hard when institution directors do not provide staff and financial resources for this purpose.

Keywords: Educational information systems; information management; information systems evaluation; methodology; risk assessment

ABSTRACT (Spanish version)

The information in academic systems can be stolen, modified or erased by attackers and cause large losses to institutions. Since prevention is better than cure, educational institutions should apply a risk prevention methodology to keep academic information systems from being misused by users or attackers. For this reason MePRiSIA was designed, a simple and easy-to-understand risk prevention methodology which, unlike the existing ones, includes the human factor in each step. MePRiSIA consists of four steps: setting the context, risk identification, risk analysis and risk prevention. MePRiSIA was applied to the academic information system of Universidad de Pamplona (Colombia), called ACADEMUSOFT, and was evaluated by experts. After applying MePRiSIA to ACADEMUSOFT, it can be concluded that the human factor is part of its most important assets and is among the highest-level risks identified. According to the experts, implementing MePRiSIA is difficult when the institution's directors do not provide the staff or the financial resources for this purpose.

Keywords: Educational information system; information management; information system evaluation; methodology; risk assessment

1. Introduction

Currently, educational institutions use information systems to manage academic information such as subjects, grades, schedules, classrooms, etc. However, due to the increasing number of network threats, this information can be stolen, modified or erased by attackers, causing major losses to institutions; for example, Universidad de Pamplona has faced multiple lawsuits over possible trafficking of grades [1]. Possible causes of this incident are corrupt staff, unauthorized people manipulating the academic information system, users with privileges that do not correspond to their role in the system, and improper use of the system by users who lack knowledge of information security. Thus, people are considered the weakest link in the security chain, but it is necessary to instruct them in better information management practices for the sake of their organizations [2]. In [3], Yilmaz and Yalman made a comparative analysis of the security infrastructure of six universities in Turkey. They found that, in the primary defense stage, the main security faults are in remote access (50% severely lacking, 33.3% needs improvement), intrusion detection systems (33.3% severely lacking, 50% needs improvement) and wireless (16.7% severely lacking, 83.3% needs improvement); in the authentication stage, the main security faults are password policies for user accounts (100% severely lacking), password policies for remote users (100% severely lacking), administrative users (100% needs improvement) and remote access users (50% severely lacking); and in the administration and monitoring stage, the main security faults are secure build (50% severely lacking, 16.7% needs improvement), physical security (50% needs improvement) and event report & response (50% needs improvement).
They also found that the main security faults concerning people are policies & procedures (66.7% severely lacking, 16.7% needs improvement) and training & awareness (33.3% severely lacking, 33.3% needs improvement). For this reason, we decided to design a methodology for academic information systems.

Educational institutions should apply a risk prevention methodology to avoid the misuse of academic information by users or attackers. The methodologies found in the literature are too complex to understand and carry out, and they focus more on technology than on the human factor.

For this reason, a new methodology called MePRiSIA was designed; it is easy to understand while including the human factor in each step. In addition, this methodology is oriented to academic information systems, so it considers the assets of this kind of system and their vulnerabilities.

The rest of the paper is organized as follows: in section 2, the methodology used to design and evaluate MePRiSIA is described; in section 3, risk prevention and the defense in depth model are defined; in section 4, the steps of MePRiSIA are described; in section 5, the results of the evaluation of MePRiSIA and its application to ACADEMUSOFT are presented; and conclusions are given in section 6.

2. Methodology

To design the Risk Prevention Methodology for Academic Information Systems (MePRiSIA, Metodología de Prevención de Riesgos para Sistemas de Información Académica), the following steps were carried out:

  • Analysis of risk management and prevention methodologies: A qualitative approach was used to analyze nine risk management and prevention methodologies found in the literature: OCTAVE [4], CORAS [5], Risk Management Methodology according to Australian Standard [6], NTC-ISO/IEC 27005: Risk Management in Information Security [7], CRAMM [8], MAGERIT [9], Risk Management Guide for Information Technology Systems [10], Methodology for the Diagnosis, Prevention and Control of Corruption in Public Safety Programs according to IDB [11] and Guide to Malware Incident Prevention and Handling [12]. These methodologies were compared to establish similarities and differences among them in [13].

  • Definition of MePRiSIA (goals and steps): From the previous comparison, four steps present in most of the studied methodologies were identified, together with the distinctive characteristics that MePRiSIA should have. On that basis, the purpose and goals of MePRiSIA, as well as its target audience and steps, were established.

  • Specification of MePRiSIA steps: By reviewing how the studied methodologies carry out the steps established for MePRiSIA, the most important aspects of each step and the simplest way to obtain the expected results were determined. Taking the book ‘Diseño de un Sistema de Gestión de Seguridad de la Información, Óptica ISO 27001:2005’ [14] as a reference, the fields of the tables were established, taking into account the requirements of this kind of system. Thus, the first 3 steps of MePRiSIA were defined.

  • To specify step 4 of MePRiSIA, the vulnerabilities identified in the assets of step 1 were combined with the 4 elements of the Guide to Malware Incident Prevention and Handling [12], the layers of the Defense in Depth model [15], the controls of NTC-ISO/IEC 27001 [16] and the authors' own knowledge of security measures.

  • Evaluation of MePRiSIA: An evaluation form was prepared, and a group of experts was in charge of evaluating and grading the steps of MePRiSIA (from 1 (very low) to 5 (very high)). They determined whether each step is easy to understand, includes the human factor and is easy to implement. They also had a field to write observations about each step. Then, the results were analyzed through a matrix that includes the average value per indicator, the standard deviation, the weighting per indicator and the degree of compliance with the goal. The three experts that evaluated MePRiSIA were: Jordi Forné (Ph.D. in Telecommunications Engineering, full professor at the Universitat Politécnica de Catalunya (Spain) and expert in computer security), Rafael Páez (Ph.D. in Telematics Engineering, assistant professor at the Pontificia Universidad Javeriana (Colombia) and expert in computer security) and Rodrigo Alvear (M.Sc. in Management of Computer Projects and technological support coordinator of ACADEMUSOFT).

  • Application of MePRiSIA: MePRiSIA was applied to ACADEMUSOFT, through a mixed approach. ACADEMUSOFT is an EAS (Enterprise Application Solution) for Higher Education Institutes, created by the Universidad de Pamplona (Colombia), which allows the management of the academic processes (subjects, grades, schedules, classrooms, personal data of teachers and students, etc.) [17]. This platform is used by several universities in Colombia.

  • To carry out the first 3 steps of MePRiSIA, the information was obtained from the CIADTI staff (Center for Applied Research and Development of Information Technologies) of Universidad de Pamplona, the VII Latin American Survey on Information Security [18] and surveys of students and teachers to determine whether they were handling the academic information properly. To calculate the sample size of students and teachers of the seven faculties of the university, Equation (1) [19] and the information provided by the Planning Office were used. The teachers' survey contained 13 multiple-choice questions and the students' survey contained 11 multiple-choice questions.

Where:

n = Sample size

N = Population size

Z = Confidence level (1.96)

p = Probability of occurrence (0.5)

q = Probability of non-occurrence (q=1-p=0.5)

E = Estimation error (0.05)

CIADTI staff also gave access to their test platform so that the users' privilege tree could be explored.

To carry out step 4 of MePRiSIA, the tables established were used, together with knowledge of the defense in depth model and of countermeasures.

3. Background

3.1 Risk prevention

Risk prevention is a continuous process which involves: analyzing current risks in an information system; planning and implementing short and long term activities to avoid or reduce risks that were identified; assessing the effectiveness of such activities and updating them according to changes in the internal and external environment of the institution [20].

3.2 Defense in depth model

To protect organizations against different internal and external threats, one countermeasure is not enough; a set of them is needed to cover the weaknesses and protect the network from possible attacks. The defense in depth model helps with this purpose and includes seven layers [15]:

  • Layer 1 - Policies and procedures: It is perhaps the most neglected layer, but also the most important, since it provides guidance to implement the other defenses. The organization must define its most important assets and the level of security they must have. These policies must be signed by the senior manager and must be known by all the employees and network users.

  • Layer 2 - Physical security: Since an attacker could damage or steal network devices, it is necessary to establish physical security measures, such as staff access control, alarm systems, video surveillance, window bars, etc.

  • Layer 3 - Perimeter defense: The network perimeter is composed of those points of the internal network, managed by the organization, which are in contact with external networks. Firewalls, virtual private networks and border routers configured to filter unwanted traffic are commonly used to defend the perimeter.

  • Layer 4 - Network defense: Even with the countermeasures installed in the other layers, an attacker could gain access to the internal network. To protect the network, it is necessary to use intrusion prevention and detection systems, network segmentation, IPSec and/or SSL (Secure Sockets Layer) to encrypt data, protection of wireless networks, etc.

  • Layer 5 - Equipment defense: Since an attacker can access computers on the network, these should be protected, especially the servers. Equipment protection consists of three main tasks: applying security patches, disabling unnecessary services and keeping the antivirus active and updated.

  • Layer 6 - Application defense: If an attacker gains access to the computer, the applications should be protected. In this case, access to them can be controlled through authentication and authorization mechanisms, and an application firewall can be installed to control the information they send to and receive from the network.

  • Layer 7 - Data defense: If the attacker crosses all the previous defenses, it is necessary that the data stored on the computer be protected through encryption and integrity mechanisms.

In addition, each of these layers involves the three elements of defense in depth: people, technologies and operations. There must be a balance among these elements so that implemented countermeasures are effective.

4. MePRiSIA design

MePRiSIA is a methodology designed for the Information Technology (IT) staff of educational institutions. This methodology provides a basis for developing an effective risk prevention program and contains practical guidance to identify, assess and prevent the risks encountered in an academic information system. MePRiSIA is structured in 4 steps (see Figure 1) that include the human factor. The complete description of MePRiSIA is in [20].

Figure 1 Steps of MePRiSIA 

Although the main vulnerabilities of the assets in an academic information system were identified to give some guidance to the IT staff (tables of step 4), other vulnerabilities can arise from the risk analysis due to the environment of each system.

4.1 Step 1: setting the context

The goal of this step is to identify the assets of the system, their security requirements and the scope of the risk analysis. To do this, the evaluator must answer the following questions:

1. What are the assets of the academic information system? To answer this question, the evaluator must identify the processes carried out by the system, such as the visualization of students’ academic information (subjects, schedules and grades), the updating of students’ grades by teachers, etc. Then, the evaluator must identify the assets involved in each process. The assets commonly found in an academic information system are:

Information: Assets used to store and manage user information. Within this category are:

Hardware: Includes the devices of the institution and also those of the users. For example:

  • Servers of the system.

  • Devices used by users to access the system (mobile phones, PCs, laptops, etc.).

Software: Includes the applications used to make use of the system. For example:

  • Authentication application

  • Database of academic information

  • Web browser or application used by users to access the system

Network: Includes the communication channel and network devices (switches, routers, etc.). For example:

  • Client/server channel

  • Border router

Staff: Includes the different users of the system. For example:

  • Students

  • Teachers

  • Administrative staff

  • IT staff

Place: Includes the places where computers and devices are located. For example:

  • Data center

  • Place where users access the system (internet cafe, home, university).

Organization: Includes assets that are responsibility of the institution. For example:

  • Image and reputation of the institution.

  • Policies of the system

2. What is the role of each asset? The functions that each asset has within the system are determined according to the processes identified in the previous item.

3. Which people are responsible for the security and management of the assets? The person responsible for each asset is determined according to the function manuals.

4. What is the confidential information of the system, and what should its level of privacy be? First, the evaluator identifies the personal information that is stored in the system, such as students' grades, financial information, etc. Then, he/she must determine what degree of confidentiality this information should have (low (public information), medium (internal use information), high (confidential information)). Finally, the evaluator must identify the assets that store or transport this information.

5. What security laws can be applied to the system at the national and regional level? Awareness of government regulations on the management of databases and personal information can be a valuable guideline for managing the system information adequately.

6. What institutional security policies are applicable to the system assets? The evaluator must identify which institutional security policies refer to the assets of the system.

7. What expectations do the different users have about the operation and security of the system, and if those expectations are not met, what negative consequences would this bring to the good name and reputation of the institution? To learn the expectations of the users and the consequences of failing to meet them, the evaluator can carry out surveys or interviews with a representative sample of each type of user.

In addition, the scope of the risk analysis activities must be defined. According to the budget and the available time, IT staff can decide to focus only on the information and staff assets, or include all the assets. Since people are the weakest link of the security chain [2], staff assets must be included in the analysis.

4.2 Step 2: risk identification

The goal of this step is to determine the vulnerabilities of the assets and identify the threats that can exploit them by following these steps:

1. Assets valuation: The evaluator must determine the impact that a loss of confidentiality, integrity and availability of each asset can cause on the system and the institution. Regarding staff asset valuation, Ramos Lara [21] states that “the operational indicators of human resources are: knowledge, skills, and attitudes”. Therefore, for these assets, the evaluator must determine the impact on the system when people do not have the knowledge, skills and attitudes needed to handle it. A widely used scale to value assets and determine their impact is the following semi-quantitative Likert scale:

1: Very Low

2: Low

3: Medium

4: High

5: Very High

To determine the impact on each asset, the evaluator must think about the consequences at a functional, economic, legal and administrative level that the loss or lack of these features (confidentiality, integrity, availability, knowledge, skills and attitudes) would bring to the system and the institution, and the time it would take to recover from those losses. Thus, according to the severity of these consequences, the evaluator will give a level in the established scale.

Table 1 shows the assets valuation table and Table 2 shows the staff assets valuation table. In both tables, the evaluator must give each feature a value from the previous scale and put the average of the three values in the total column. Next, the assets must be ordered from highest to lowest total value and given a priority (lower priority numbers for greater total values). If two or more assets have the same value, the evaluator must decide which of them is more important for the system. Thus, the result of this evaluation is a prioritized list of the assets. When prioritizing, the evaluator must include both the staff assets and the other assets in the same numbering.

Table 1 Assets Valuation Table 

Source: Based on ‘Diseño de un Sistema de Gestión de Seguridad de la Información, Óptica ISO 27001:2005’ [14]

Table 2 Staff Assets Valuation Table 

2. Identification of threats: A threat is an event that can cause damage to assets. Threats can have a natural or human origin, can be accidental or deliberate, and some can affect more than one asset. To determine the threats affecting each asset, the evaluator must ask the person responsible for the asset which incidents have affected its availability or proper functioning during the last year.

3. Identification of vulnerabilities: A vulnerability is a weakness of an asset. To determine these weaknesses, the evaluator can review the tables shown in step 4 and look for vulnerabilities that can be exploited by the threats identified previously. It is also important to look in the literature for the most common vulnerabilities of each asset, to determine what privileges the different users have and whether they are misusing them, and how the assets can be damaged.

Table 3 shows the vulnerabilities of each asset and the threats that can exploit them.

Table 3 Identification of Vulnerabilities and Threats 

4.3 Step 3: risk analysis

The goal of this step is to establish the level of risk of each threat, determine the countermeasures already implemented and obtain a prioritized list of risks. A risk has two factors: its impact and its probability of occurrence. To determine the impact of a risk, the evaluator must take into account criteria such as the economic impact, the recovery time after the incident, the activities or processes of the institution affected by the risk and the damage to the image of the institution. According to the severity of these criteria, the evaluator can determine the value of the impact on the following Likert scale:

1: Very Low

2: Low

3: Medium

4: High

5: Very High

To determine the probability of occurrence, the evaluator must ask the people responsible for the assets about the frequency of each security incident, and must also take into account current statistics from recognized sources in the security area and the frequency of possible attacks that have not yet affected the assets. In this case, it is advisable to use a quasi-exponential Likert scale, in which a risk is considered very high when the attack occurs at least 50% of the time:

0 - 4.99%: 1 (Very Low)

5 - 14.99%: 2 (Low)

15 - 29.99%: 3 (Medium)

30 - 49.99%: 4 (High)

50 - 100%: 5 (Very High)

Table 4 shows the fields that the evaluator must fill in, using the threats identified in Table 3. In addition, the evaluator must calculate the inherent risk by multiplying the impact of the risk (IR) by the probability of occurrence (PO) (see Equation (2)).

Table 4 Inherent Risk Valuation Table 

Source: Based on ‘Diseño de un Sistema de Gestión de Seguridad de la Información, Óptica ISO 27001:2005’ [14]

Then, it is necessary to determine the countermeasures implemented in the system to mitigate each threat. Table 5 shows the fields that must be filled in, using the threats identified in Table 3. In the third column, the evaluator must describe the countermeasure, and in the fourth column the effectiveness of the countermeasure (EC) must be determined according to the following scale:

0: No countermeasure implemented

1: The countermeasure has not stopped the threat

2: The countermeasure has stopped the threat a few times

3: The countermeasure has stopped the threat several times

4: The countermeasure has stopped the threat most of the time

5: The countermeasure has stopped the threat completely

After that, the evaluator can calculate the residual risk, using Equation (3):

Table 5 Residual Risk Valuation Table 

Next, the risks are prioritized by ordering the residual risk values from largest to smallest and giving lower priority numbers to greater risk values. If two or more threats have the same risk value, the evaluator must assign the priority according to the importance of the asset determined in Tables 1 and 2 (priority column).

Finally, the evaluator must determine the risk level, with the scale:

1 to 4: Very Low

5 to 9: Low

10 to 14: Medium

15 to 19: High

20 to 25: Very High
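As an added worked example (not code from the paper), the following Python script carries out the calculations of steps 2 and 3 on a constructed set of assets and threats: it averages the three grades of Tables 1 and 2 and prioritizes the assets with an evaluator-chosen tie-break, maps incident frequencies to the quasi-exponential probability scale, computes the inherent risk of Equation (2) (IR x PO), classifies it with the risk level scale, and prioritizes the risks, breaking ties by asset priority. The asset names, grades and frequencies are constructed; since Equation (3) is not reproduced on the page, the residual risk is not computed.

```python
from dataclasses import dataclass

LIKERT = {1: "Very Low", 2: "Low", 3: "Medium", 4: "High", 5: "Very High"}


@dataclass
class Asset:
    """One row of Table 1 (confidentiality, integrity, availability) or
    Table 2 (knowledge, skills, attitudes), each feature graded 1..5."""
    name: str
    values: tuple
    priority: int = 0  # assigned by prioritize_assets (1 = most important)

    @property
    def total(self) -> float:
        """Total column: the average of the three feature grades."""
        if len(self.values) != 3 or any(v not in LIKERT for v in self.values):
            raise ValueError(f"{self.name}: expected three grades in 1..5")
        return sum(self.values) / 3


def prioritize_assets(assets, tie_break=()):
    """Step 2: order assets by total (highest first) and number them.
    Equal totals are decided by the evaluator: 'tie_break' lists asset
    names in the order the evaluator considers most important."""
    def key(asset):
        rank = tie_break.index(asset.name) if asset.name in tie_break else len(tie_break)
        return (-asset.total, rank)

    ranked = sorted(assets, key=key)
    for number, asset in enumerate(ranked, start=1):
        asset.priority = number
    return ranked


def probability_level(percent: float) -> int:
    """Step 3: map how often a threat materialises (% of the time) to the
    quasi-exponential scale; 50 % or more is already Very High."""
    if not 0 <= percent <= 100:
        raise ValueError("percent must be in 0..100")
    for upper, level in ((5, 1), (15, 2), (30, 3), (50, 4)):
        if percent < upper:
            return level
    return 5


def inherent_risk(ir: int, po: int) -> int:
    """Equation (2): impact of the risk (IR) times probability of occurrence (PO)."""
    if ir not in LIKERT or po not in LIKERT:
        raise ValueError("IR and PO must be Likert grades 1..5")
    return ir * po


def risk_level(value: int) -> str:
    """Risk level scale of step 3 for a value in 1..25."""
    if not 1 <= value <= 25:
        raise ValueError("risk value must be in 1..25")
    for upper, name in ((4, "Very Low"), (9, "Low"), (14, "Medium"), (19, "High")):
        if value <= upper:
            return name
    return "Very High"


def prioritize_risks(risks, assets):
    """risks: (asset name, threat, IR, PO). A higher risk value gets a lower
    priority number; equal values fall back on the asset priority of step 2."""
    priority_of = {asset.name: asset.priority for asset in assets}
    rows = []
    for asset_name, threat, ir, po in risks:
        value = inherent_risk(ir, po)
        rows.append({"asset": asset_name, "threat": threat,
                     "risk": value, "level": risk_level(value)})
    rows.sort(key=lambda row: (-row["risk"], priority_of[row["asset"]]))
    for number, row in enumerate(rows, start=1):
        row["priority"] = number
    return rows


# Constructed sample input (not from the paper): four assets of an academic
# information system, graded C/I/A or knowledge/skills/attitudes, and one
# threat per asset with the observed frequency of the incident.
SAMPLE_ASSETS = [
    Asset("Students", (3, 3, 4)),
    Asset("IT staff", (5, 4, 4)),
    Asset("Servers of the system", (4, 5, 5)),
    Asset("Database of academic information", (5, 5, 4)),
]
SAMPLE_RISKS = [
    ("Database of academic information", "Unauthorized modification of grades",
     5, probability_level(12.0)),
    ("Servers of the system", "Hardware failure", 3, probability_level(20.0)),
    ("IT staff", "Privileges not matching the role", 4, probability_level(25.0)),
    ("Students", "Lack of security knowledge", 2, probability_level(60.0)),
]


def sample_report():
    """Run steps 2 and 3 on the constructed data; the evaluator resolves the
    tie between the database and the servers in favour of the database."""
    ranked = prioritize_assets(SAMPLE_ASSETS,
                               tie_break=("Database of academic information",))
    return prioritize_risks(SAMPLE_RISKS, ranked)


if __name__ == "__main__":
    for row in sample_report():
        print(row)
```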

4.4 Step 4: risk prevention

The goal of this step is to determine countermeasures that avoid or mitigate risks.

The evaluator must consult Table 3 to determine which vulnerability corresponds to each threat evaluated in Table 5 and look up each vulnerability in the tables of this section, in order to define the short- and long-term controls to be planned and implemented.

According to [10], the elements to be considered when proposing risk prevention strategies are policies, awareness, mitigation of vulnerabilities and mitigation of threats. For that reason, this step is divided into those parts.

Policies

The following activities can be done to prevent risks arising from the lack of policies:

  • Definition of security policies: These policies define the guidelines to ensure the security of the system assets.

  • Product: Security Policies of the Academic Information System.

  • Main actors: IT Staff, Institution Directors

  • Short-term controls: See Table 6

Table 6 Definition of Security Policies: Short-Term Controls 

*ISMS: Information Security Management System

Table 7 Definition of Security Policies: Long-Term Controls 

*ISMS: Information Security Management System

Awareness

The activities that can be carried out to prevent the risks caused by lack of awareness are:

  • Definition of awareness programs: A different program must be defined for each user group, since the degree of depth and specialization of each program will change depending on the role and privileges of these users.

  • Product: Awareness Programs for Students, Teachers, Administrative Staff and IT Staff.

  • Main actors: Institution Directors, People in Charge of Awareness, Students, Teachers, Administrative Staff and IT Staff

  • Short-term controls: See Table 8

Table 8 Definition of Awareness Programs: Short-Term Controls 

Table 9 Definition of Awareness Programs: Long-Term Controls 

  • Dissemination of security policies: Ensure that different user groups know the security policies, their responsibilities and the sanctions that would be applied in case of non-compliance.

  • Product: Strategies for Disseminating Security Policies to Students, Teachers, Administrative Staff and IT Staff.

  • Main actors: Institution Directors, Policy Makers, Students, Teachers, Administrative Staff and IT Staff.

  • Short-term controls: See Table 10

Table 10 Dissemination of Security Policies: Short-Term Controls 

Table 11 Dissemination of Security Policies: Long-Term Controls 

Mitigation of vulnerabilities and threats

This section takes into account the layers of Defense in Depth Model [15]. The activities that can be carried out to prevent the risks posed by vulnerabilities and threats are:

  • Coordination of security of the system: Ensure that all activities for managing the security of the assets and the documentation of the ISMS are carried out according to established security policies.

  • Product: ISMS documentation, Security Incident Reports, ISMS Procedures and Action Plans, Audit Reports.

  • Main actors: IT Staff, Institution Directors, Audit Team

  • Short-term controls: See Table 12

Table 12 Coordination of Security of the Academic Information System: Short-Term Controls 

Long-term controls: See Table 13

Table 13 Coordination of Security of the Academic Information System: Long-Term Controls 

  • Physical security: Seeks to protect the places where the assets are located.

  • Product: Physical Security Measures

  • Main actors: IT staff, Maintenance and Cleaning Staff, Teachers, Students, Administrative Staff.

  • Short-term controls: See Table 14

Table 14 Physical Security: Short-Term Controls 

Long-term controls: See Table 15

Table 15 Physical Security: Long-Term Controls 

  • Perimeter defense: Seeks to protect the network perimeter

  • Product: Perimeter Security Measures

  • Main actors: IT Staff

  • Short-term controls: See Table 16

Table 16 Perimeter Defense: Short-Term Controls 

Long-term controls: See Table 17

Table 17 Perimeter Defense: Long-Term Controls 

  • Network defense: Seeks to protect information while it travels on the network

  • Product: Network Security Measures

  • Main actors: IT Staff

  • Short-term controls: See Table 18

Table 18 Network Defense: Short-Term Controls 

Long-term controls: See Table 19

Table 19 Network Defense: Long-Term Controls 

  • Equipment defense: Seeks to protect equipment of the system

  • Product: Equipment Security Measures

  • Main actors: IT Staff, Teachers, Students, Administrative Staff

  • Short-term controls: See Table 20.

Table 20 Equipment Defense: Short-Term Controls 

Long-term controls: See Table 21

Table 21 Equipment Defense: Long-Term Controls 

  • Application defense: Seeks to protect applications related to the system

  • Product: Application Security Measures

  • Main actors: IT Staff, Teachers, Students, Administrative Staff

  • Short-term controls: See Table 22

Table 22 Application Defense: Short-Term Controls 

Long-term controls: See Table 23

Table 23 Application Defense: Long-Term Controls 

  • Data defense: Seeks to protect data stored on computers related to the system

  • Product: Data Security Measures

  • Main actors: IT Staff, Teachers, Students, Administrative Staff

  • Short-term controls: See Table 24

Table 24 Data Defense: Short-Term Controls 

Table 25 Data Defense: Long-Term Controls 

5. Results and discussion

5.1 Evaluation of MePRiSIA

After MePRiSIA was designed, three experts were in charge of assessing the methodology. Table 26 shows the matrix with the results of the evaluation. This matrix includes the grade given to each indicator by each expert, the average of the grades of each indicator, the standard deviation, the weighting of each indicator according to its importance, the reached value (reached value = (average x weighting)/5) and the degree of compliance (degree of compliance = (reached value x 100)/weighting). The scale used for the degree of compliance was:

0% - 69.99%: Low

70% - 89.99%: Medium

90% - 100%: High

Table 26 Matrix of Evaluation 

According to Table 26, the degree of compliance was higher for steps 1 and 3 than for steps 2 and 4. In addition, in step 1, the degree of compliance of the indicator “easy to implement” is 80% (standard deviation: 1.73), because expert 1 gives a grade of 2, since institutions do not allocate resources for risk prevention.

In step 2, the degree of compliance of indicator “easy to understand” is 80% (standard deviation: 1) because expert 2 gives a grade of 3, since it is unclear how staff assets should be assessed. Also, the degree of compliance of indicator “easy to implement” is 80% (standard deviation: 1) because expert 1 gives a grade of 3, since institutions must have a group of experts to carry out this step.

In step 3, the degree of compliance of the indicator “easy to implement” is 80% (standard deviation: 1), because expert 1 gives a grade of 3, since institutions must have experts in risk management to carry out this step. Finally, in step 4, the degree of compliance of the indicator “easy to implement” is 73.33% (standard deviation: 1.53), because expert 1 gives a grade of 2, due to the little investment in security and the lack of commitment of the institution directors with this issue.

To address the low grade of the indicator “easy to understand” in step 2, this step of the methodology was explained in more detail in [20]. Regarding the comments of expert 1 on the indicator “easy to implement” in steps 1 and 4, it is true that institutions must allocate resources for risk prevention and that directors must be aware of the importance of this issue. Regarding the comments of expert 1 on the indicator “easy to implement” in steps 2 and 3, although IT staff must have some knowledge of risk management and security to apply MePRiSIA, what matters most is knowledge of the assets and their vulnerabilities. IT staff should therefore document the security incidents of the system as they happen, although this is one of the most neglected aspects.

5.2 Application of MePRiSIA

MePRiSIA was applied to ACADEMUSOFT, the academic information system of Universidad de Pamplona (Colombia).

In step 1, 8 processes and the assets involved in each of them were identified. Table 27 shows the 15 useful assets indicated by MePRiSIA, their functions, and the person responsible for each asset.

Table 27 Step 1: Assets, Functions, Responsible 

In addition, the personal data of teachers and students, and the academic information itself, must have a high level of privacy. Law 1581 of 2012 [22] must be taken into account because it regulates the use of users' personal data. Finally, the risk analysis was scoped to the 15 assets involved in the processes.

In step 2, the Likert scale was used, as proposed by MePRiSIA. Knowledge of the system and its context was used to fill in Table 1 and Table 2. Table 28 and Table 29 show examples of the values given and their justification; the average of the three values was then calculated to obtain the total, and the priority of each asset was determined from it. Table 27 shows the priority of each asset in its last column; 2 of the 5 most important assets are part of the staff.

Table 28 Step 2: Assets Valuation 

Table 29 Step 2: Staff Assets Valuation 

By filling in Table 3, 80 vulnerabilities and threats were found across all the assets. Table 30 shows how this was done, using the vulnerabilities listed in the tables of step 4, knowledge of the assets, the threats that can exploit those vulnerabilities, and information on vulnerabilities and threats found in the literature.

Table 30 Step 2. Vulnerabilities and Threats 

In step 3, the proposed Likert scale was used to grade the impact of each risk, taking into account the damage that the threat can cause to ACADEMUSOFT and the institution. Afterwards, CIADTI staff were asked to give the probability of occurrence of each threat, according to the quasi-exponential Likert scale of step 3. When the CIADTI staff did not give a specific value, the results of the VII Latin American Survey on Information Security [18] were used instead. To identify threats involving students and teachers, the results of the surveys carried out in the institution were valuable. The inherent risk was then obtained by multiplying the impact of the risk by the probability of occurrence (see Table 31).

Table 31 Step 3: Inherent Risk Valuation 

The residual risk and the priority of each threat were then determined, using the priority of each asset (see Table 27) to break ties. Finally, the risk level was established according to the scale defined for this purpose in step 3. Table 32 shows an example of the results obtained.

Table 32 Residual Risk Valuation 
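As an added illustration of steps 2 and 3 as described above (this is example code, not code from the paper or from ACADEMUSOFT), the block below computes asset totals as the average of three Likert values, ranks the assets, computes inherent risk as impact x probability and a residual risk, and orders the threats by residual risk with asset priority as the tiebreaker. The probability weights of the quasi-exponential scale, the residual-risk formula (inherent risk reduced by the effectiveness of controls already in place), the risk-level thresholds, the names of the three valuation dimensions and the sample assets and threats are all assumptions or constructed data; the paper's own tables are not reproduced here.

```python
from dataclasses import dataclass
from statistics import mean
from typing import Dict, List

# Assumed scales. MePRiSIA grades impact on a 1-5 Likert scale and probability on a
# "quasi-exponential" Likert scale; these concrete weights and thresholds are illustrative.
PROBABILITY_WEIGHT = {1: 0.05, 2: 0.10, 3: 0.25, 4: 0.50, 5: 1.00}
RISK_LEVELS = [(4.0, "Very high"), (2.5, "High"), (1.0, "Medium"), (0.0, "Low")]


@dataclass
class Asset:
    name: str
    # Three Likert (1-5) valuations whose average is the asset total (step 2).
    # Labelling them confidentiality/integrity/availability is an assumption.
    confidentiality: int
    integrity: int
    availability: int

    @property
    def total(self) -> float:
        return mean([self.confidentiality, self.integrity, self.availability])


@dataclass
class Threat:
    asset: str
    vulnerability: str
    threat: str
    impact: int                 # Likert 1-5
    probability: int            # Likert 1-5 on the quasi-exponential scale
    control_effectiveness: float = 0.0  # fraction of inherent risk removed by controls in place (assumption)


def asset_priorities(assets: List[Asset]) -> Dict[str, int]:
    """Rank assets by total; 1 is the most important asset."""
    ordered = sorted(assets, key=lambda a: a.total, reverse=True)
    return {a.name: rank for rank, a in enumerate(ordered, start=1)}


def inherent_risk(t: Threat) -> float:
    return t.impact * PROBABILITY_WEIGHT[t.probability]


def residual_risk(t: Threat) -> float:
    return inherent_risk(t) * (1.0 - t.control_effectiveness)


def risk_level(risk: float) -> str:
    for threshold, label in RISK_LEVELS:
        if risk >= threshold:
            return label
    return "Low"


def prioritize(assets: List[Asset], threats: List[Threat]) -> List[Threat]:
    """Highest residual risk first; ties broken by the priority of the affected asset."""
    prio = asset_priorities(assets)
    return sorted(threats, key=lambda t: (-residual_risk(t), prio[t.asset]))


def risk_register(assets: List[Asset], threats: List[Threat]) -> List[dict]:
    """Build the prioritized list of risks with their inherent and residual values."""
    return [{"rank": i, "asset": t.asset, "threat": t.threat,
             "inherent": inherent_risk(t), "residual": residual_risk(t),
             "level": risk_level(residual_risk(t))}
            for i, t in enumerate(prioritize(assets, threats), start=1)]


# Constructed sample data (not the paper's 15 assets or 80 vulnerabilities).
ASSETS = [Asset("Academic database", 5, 5, 5), Asset("Teachers", 5, 4, 4), Asset("CIADTI staff", 4, 4, 4)]
THREATS = [
    Threat("Teachers", "Weak passwords shared with others", "Unauthorized access to a teacher's account", 5, 5),
    Threat("Teachers", "Unawareness of security policies", "Mishandling of personal data", 5, 3),
    Threat("CIADTI staff", "No formal procedure to remove users or review access rights", "Access by former users", 5, 4),
    Threat("Academic database", "No security policies for ACADEMUSOFT", "Inconsistent protection of personal data", 4, 3),
    Threat("Academic database", "Backups not tested", "Loss of academic records", 5, 4, control_effectiveness=0.5),
]

if __name__ == "__main__":
    for row in risk_register(ASSETS, THREATS):
        print(f"{row['rank']}. {row['asset']:18s} {row['threat']:45s} "
              f"inherent={row['inherent']:.2f} residual={row['residual']:.2f} {row['level']}")
```

In the sample, "Loss of academic records" and "Mishandling of personal data" end with the same residual risk (1.25); the database threat is listed first because the academic database has the higher asset priority, which is the tiebreak rule described above.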

Thus, seven very high-level risks were identified, due to: unawareness of the security policies of ACADEMUSOFT and lack of security training and awareness among teachers, CIADTI staff and students; lack of confidentiality and complexity of teachers' passwords; lack of a formal procedure to remove users from the system and to review access rights periodically; lack of information security provisions in employee contracts; and lack of security policies for ACADEMUSOFT. Therefore, it is important to create and disseminate complete security policies, and to provide users with awareness and training on system security.

Since CIADTI staff did not provide all the information about ACADEMUSOFT that was needed, some assumptions were made about the possible vulnerabilities and threats of the assets and about their value. It is recommended that the IT staff of each institution carry out this methodology themselves, because they hold all the information needed for it, and at least one of them must have knowledge of information and network security.

In step 4, short-term and long-term controls were determined according to the tables of step 4. When a vulnerability did not match those of the tables, the most similar vulnerabilities were taken as examples to establish the controls, using common sense and security knowledge. Table 33 shows an example of the results obtained.

Table 33 Step 4: Short-Term and Long-Term Controls 

Finally, CIADTI staff pointed out the difficulty of implementing the controls suggested by the methodology when the institution does not allocate staff and financial resources for this purpose, which highlights the importance of making institution directors aware of the necessity of these security measures.

6. Conclusions

MePRiSIA is a risk prevention methodology for academic information systems that has four steps: setting the context, risk identification, risk analysis, and risk prevention. In setting the context, the evaluator identifies the assets of the system by process, determines the security requirements of each asset and of the information, and establishes the scope of the risk analysis. In risk identification, the evaluator establishes the priority of the assets and determines the vulnerabilities of each asset and the threats that can exploit them. In risk analysis, the evaluator calculates the inherent and residual risks, determines the countermeasures already implemented and obtains a prioritized list of risks. Finally, in risk prevention, the evaluator determines the countermeasures that avoid or mitigate the identified risks.

MePRiSIA was designed to be simple and focused on the human factor. In step 1, the human factor is part of the assets of the system, taking into account staff responsibilities and expectations. In step 2, the human factor is included in the asset valuation, by evaluating the knowledge, skills and attitudes of staff; this kind of evaluation was not present in other methodologies. In addition, in the identification of vulnerabilities and threats, the staff assets are included, analysing the privileges of the different users in the system to determine whether they can be the cause of a security incident. In step 3, the vulnerabilities and threats of the staff assets are part of the analysis. Finally, in step 4, the human factor is taken into account mainly in the policies, the awareness programs and the audits.

According to the experts who evaluated MePRiSIA, although it is easy to understand and includes the human factor in each step, it is hard to implement when evaluators lack knowledge of information security and institution directors do not provide staff and financial resources for this purpose.

After MePRiSIA was applied to ACADEMUSOFT, the conclusion was that the human factor is part of its most important assets and is involved in the very high-level risks identified; therefore it is very important that users know how to use the systems correctly and which information they must protect.

Finally, although MePRiSIA was designed for academic information systems, this methodology can be extended to other types of systems, since the identified assets and the controls can be applied to any system.

7. Acknowledgments

This work was supported by Universidad de Pamplona (Colombia) under Convocatoria Interna de Mujeres Investigadoras 2014 [number PR130-00-21 (GA 190-CM-I-2014-2.1.2.2.1)].

References

[1] Sistema Informativo de Canal 1. (2013, Oct. 20). Investigan venta de notas y títulos profesionales en universidad de pamplona. Accessed Jun. 12, 2014. [Online]. Available: https://goo.gl/cmuvYR

[2] J. E. L. Rueda. (2013, Sep.). El ser humano: Factor clave en la seguridad de la información. [Online]. Available: http://apuntesdeinvestigacion.bucaramanga.upbbga.edu.co/

[3] R. Yilmaz and Y. Yalman, “A comparative analysis of university information systems within the scope of the information security risks,” TEM Journal, vol. 5, no. 2, pp. 180-191, 2016.

[4] R. A. Caralli, J. F. Stevens, L. R. Young, and W. R. Wilson, “Introducing OCTAVE Allegro: Improving the information security risk assessment process,” Software Engineering Institute, Carnegie Mellon University, Pittsburgh, PA, Tech. Rep. CMU/SEI-2007-TR-012, May 2007.

[5] The CORAS Model-based Method for Security Risk Analysis, SINTEF, Oslo, 2006.

[6] Estándar Australiano, Administración de Riesgos, AS/NZS 4360:1999, 1999.

[7] Icontec NTC-ISO/IEC 27005: Tecnología de la Información. Técnicas de Seguridad. Gestión del Riesgo en la Seguridad de la Información, ICONTEC, Bogotá, Colombia, 2009.

[8] M. M. Qasem, “Information technology risk assessment methodologies: Current status and future directions,” International Journal of Scientific & Engineering Research, vol. 4, no. 12, pp. 966-972, Dec. 2013.

[9] Magerit version 1.0: Risk Analysis and Management Methodology for Information Systems, 1st ed., Ministerio de Administraciones Públicas, Madrid, España, 1997.

[10] National Institute of Standards and Technology, Risk Management Guide for Information Technology Systems, National Institute of Standards and Technology, Gaithersburg, 2002.

[11] M. García. (2010). Metodología para el diagnóstico, prevención y control de la corrupción en programas de seguridad ciudadana. [Online]. Available: https://goo.gl/PF1oMo

[12] P. M. Mell, K. Kent, and J. Nusbaum, “Guide to malware incident prevention and handling,” National Institute of Standards and Technology (NIST), Gaithersburg, Maryland, Tech. Rep. 800-83, Nov. 2005.

[13] N. Acevedo and C. Satizábal, “Risk management and prevention methodologies: a comparison,” Sistemas & Telemática, vol. 14, no. 36, pp. 39-58, 2016.

[14] A. G. Alexander, Diseño de un Sistema de Gestión de Seguridad de Información: Óptica ISO 27001:2005, 1st ed. Bogotá, Colombia: Alfaomega, 2007.

[15] G. Alvarez and P. P. Pérez, Seguridad Informática para Empresas y Particulares. Madrid, España: McGraw-Hill Interamericana, 2004.

[16] Icontec Norma Técnica NTC-ISO/IEC Colombiana 27001. Tecnología de la Información. Técnicas de Seguridad. Sistemas de Gestión de la Seguridad de la información (SGSI). Requisitos, ICONTEC, Bogotá, Colombia, 2006.

[17] CIADTI. (2017). Academusoft. Accessed Aug. 25, 2017. [Online]. Available: https://goo.gl/yPS97Z

[18] J. J. Cano and G. M. Saucedo, “VII encuesta latinoamericana de seguridad de la información,” ACIS, Bogotá, Colombia, Tech. Rep., Jun. 2015.

[19] M. Badii, A. Guillen, E. Cerna, and J. Valenzuela, “Nociones introductorias de muestreo estadístico,” International Journal of Good Conscience, vol. 6, no. 1, pp. 89-105, Jun. 2011.

[20] N. M. A. Quintana, “Metodología para la prevención de riesgos en el manejo de la información personal almacenada en el sistema de información académica de la universidad de pamplona,” 2015, unpublished.

[21] C. de Colombia. (2012, Oct. 17). Ley estatutaria 1581 de 2012. [Online]. Available: http://www.alcaldiabogota.gov.co/sisjur/normas/Norma1.jsp?i=49981

[22] K. J. R. Lara, “Sistema de índices para la valoración de los activos intangibles,” Contribuciones a la Economía, no. 2014-04, Jul. 2014.

Received: February 08, 2018; Accepted: November 15, 2018

* Corresponding author: Isabel Cristina Satizábal Echavarría e-mail: cristsati@hotmail.com

This is an open-access article distributed under the terms of the Creative Commons Attribution License.