Cardiff University | Prifysgol Caerdydd ORCA
Online Research @ Cardiff 

Effective communication of information security risk

Al Harthi, Aseela Nasser 2019. Effective communication of information security risk. PhD Thesis, Cardiff University.
Item availability restricted.


Abstract

Cloud computing enables location-independent access to data and plays a significant role in a “linked-up” healthcare environment. Cloud computing can improve the availability of patient medical records, but the right processes need to be in place to realise the benefits of cloud-enabled services. Potential benefits include rapid provisioning and interconnectivity of electronic resources to enhance data availability, and big data analytics that help analyse patient data to provide the right intervention to the right patient at the right time by linking collaboration and communication among healthcare institutions in different locations. Assunção et al. (2015) provided a vision that cloud computing would become the fifth utility, which will offer essential computing services for daily use. Despite the known benefits of cloud computing, the Ministry of Health (MoH) in Oman is hesitant to adopt cloud computing in patient services in healthcare because of perceived risks. There is therefore a need to understand the perception of different types of risks in adopting cloud computing in healthcare in Oman, such as security, management, technical, legal, privacy and other types of risks. To this end, a preliminary interview was conducted with stakeholders and two sets of questionnaires were issued to the public and healthcare professionals in order to understand their perception of the risks in adopting cloud computing as a service in healthcare. The findings identified data security, confidentiality, integrity and availability as primary concerns. Therefore, an effective methodology is required to manage those concerns. This research focuses on information security risk management within the healthcare industry. It introduces a methodology, Managing Security Risk-Business Process Modelling (MSR-BPM), as an approach to manage the identified risks.
The MSR-BPM approach is built on ISO 27005 processes to help organisations prioritise, manage and treat the identified risks. The primary purpose is to enhance the communication of information security risk in healthcare processes, which can be improved by combining risk registers and business process modelling. A risk register documents the assessment of risk with appropriate countermeasures. BPM visualises the risks, activities, roles, security goals and countermeasures in the process models to promote a shared understanding of risks to decision makers and stakeholders. Finally, the MSR-BPM approach was evaluated through a scenario covering stages in the Integrated Care Pathway for breast cancer. This scenario was chosen because it has been used by previous researchers within the School of Computer Science and Informatics at Cardiff University. An evaluation that covered the set of ISO 27005 processes was produced to create a survey for experts in risk management, business process modelling and healthcare. The experts agreed that combining risk registers with business process modelling improved the communication of information security risk in healthcare processes when compared to using risk registers only.

Item Type: Thesis (PhD)
Date Type: Completion
Status: Unpublished
Schools: Computer Science & Informatics
Date of First Compliant Deposit: 18 October 2019
Last Modified: 23 Jul 2020 02:14
URI: http://orca.cf.ac.uk/id/eprint/126153
