Purpose - In any information security risk assessment, vulnerabilities are usually identified by
information-gathering techniques. However, vulnerability identification errors - wrongly identified or
unidentified vulnerabilities - can occur as uncertain data are used. Furthermore, businesses’ security needs
are not considered sufficiently. Hence, security functions may not protect business assets sufficiently and
cost-effectively.
Design/methodology/approach - This paper aims to resolve vulnerability errors by analysing the
security requirements of information assets in business process models. Business process models have
been selected for use, because there is a close relationship between business process objectives and risks.
Security functions are evaluated in terms of the information flow of business processes regarding their
security requirements. The claim that vulnerability errors can be resolved was validated by comparing the
results of a current risk assessment approach with the proposed approach. The comparison was conducted
both at three entities of an insurance company and through a controlled experiment within a survey
among security professionals.
Findings - Vulnerability identification errors can be resolved by explicitly evaluating security
requirements in the course of business; this is not considered in current assessment methods.
Research limitations/implications - Security requirements should be explicitly evaluated in risk
assessments considering the business context. Results of any evaluation of security requirements could be
used to indicate the security of information. The approach was only tested in the insurance domain and
therefore results may not be applicable to other business sectors.
Originality/value - It is shown that vulnerability identification errors occur in practice. With the explicit
evaluation of security requirements, identification errors can be resolved. Risk assessment methods should
consider the explicit evaluation of security requirements.