
International Journal of Accounting Information Systems 20 (2016) 38–64


Estimation of deficiency risk and prioritization of information security controls: A data-centric approach☆

Firoozeh Rahimian a, Akhilesh Bajaj b,⁎, Wray Bradley b,c

a Cyber Security Institute, Department of Computer Science, USA
b School of Accounting & Management Information Systems, USA
c The University of Tulsa, 800 S. Tucker Drive, Tulsa, OK 74104, USA

Article history: Received 7 May 2015; Received in revised form 18 January 2016; Accepted 18 January 2016; Available online xxxx

Keywords: Security audit; Security controls; User security specifications; Collaborative security specification; Information security audit; Design science research

Abstract

Risk of unauthorized disclosure or modification of corporate data can have an impact in different ways, including affecting operations, the public image and/or the firm's legal/compliance exposure. While management views risk along these dimensions, the information technology function (ITF) typically views risk from an IT infrastructure compromise viewpoint, and this drives the establishment of IT security controls. It is oftentimes difficult for the internal audit function (IAF) to assess control deficiency risk (CDR) in the area of information security, as well as to estimate the importance of each in-place security control. Using a design science approach, we propose the Operational, Public image, Legal (OPL) model and method to classify the security criticality of the organization's data along three dimensions. Through an empirical study, we demonstrate how the OPL method allows for a quantitative estimation of the importance of in-place security controls as well as the CDR of missing controls. This information provides guidance on strategies for testing in-place controls during audit, as well as for determining which controls may need to be incrementally added.

© 2016 Elsevier Inc. All rights reserved.

1. Introduction

Over the last several years, there has been considerable interest in improving the ability of the internal audit function (IAF) to
estimate information security risk (Steinbart et al., 2012; Steinbart et al., 2013). Information security controls are usually formu-
lated and managed by the IT function (ITF) and the IAF has been shown in past works to sometimes lack knowledge of how to
evaluate the adequacy of in-place information security controls (Henderson et al., 2013). Because of this lack of technical IT
knowledge on the part of the IAF “… we lack evidence regarding how well the risk identification and assessment tools used by
the IAF match the organization's current and planned level of risk and IT usage” (Weidenmier and Ramamoorti, 2006).
There is a divergence in the viewpoints of the IAF and the ITF regarding information security (Brown and Nasuti, 2005). Often,
the ITF's focus is on information security at the infrastructure level (ITGI, 2012). This viewpoint is encouraged by recent high-
profile reports of intrusions and data losses (boston.com, 2014; Ponemon Institute LLC, 2014). Examples of this infrastructural
level focus include overall network security, control of user privileges on operating systems, user password policies and the phys-
ical security of the servers.

☆ The authors would like to thank the editor in chief, the anonymous associate editor and two anonymous referees, whose insightful comments greatly improved the
quality of this work.
⁎ Corresponding author.
E-mail addresses: firoozeh-rahimian@utulsa.edu (F. Rahimian), akhilesh-bajaj@utulsa.edu (A. Bajaj), wray-bradley@utulsa.edu (W. Bradley).

http://dx.doi.org/10.1016/j.accinf.2016.01.004
1467-0895/© 2016 Elsevier Inc. All rights reserved.

At the same time, the external audit function is focused on information security risks as they materially affect financial data.
This notion of materiality, usually practiced by external auditors, is primarily quantitative (Julisch et al., 2011). There has been in-
creasing pressure to augment this conceptualization by incorporating a qualitative and/or business process driven approach (U.S.
Congress, Sarbanes–Oxley, 2002 (SOX)). Chandra and Calderon (2009) propose the notion of process-based materiality, where
“every [emphasis added] activity associated with a critical business process should be classified as critical” (p. 223). They further
state that Control Deficiency Risk (CDR) is “the likelihood that an organization will experience losses in the presence of loose,
non-existent or ineffective controls” (p. 220). As businesses operate with increasing information intensity, their approach implies
that the CDR could potentially be high for seemingly un-critical data. Their model serves as a decision aid for managers to allocate
scarce resources to protect key activities. In this work, we apply this notion of process-based materiality to information security,
by explicitly identifying levels of criticality of data tables along the operational, public image and legal dimensions.
The IAF typically uses a checklist approach to test information security controls at the application, system and infrastructure
levels, with the check-off often being performed by ITF personnel. The problem is that IT security controls and tests have been
put in place by the ITF, who focus on risk to the firm at the IT infrastructure level, while the IAF's perception of risk to the
firm is data-focused and multi-dimensional (Debreceny, 2011; Wallace et al., 2011). The result is that it becomes difficult for
IAF to assess if the IT security controls in place are sufficient for assuaging risk to the firm's data.
One potential solution to the problem described above is to create a model that provides the ITF and IAF a data-driven, multi-
dimensional view of information security risk. Such a model can then be used to map to a framework of IT security controls that
are suited to each dimension of the risk. This would ensure that the ITF view is in conformance with the rest of the firm, as rec-
ommended in COBIT1 (ITGI, 2012). From an IAF perspective, this would also lead to a better estimation of the CDR of information
security controls, since the list of controls and tests can be checked along different dimensions of risk.
In this work, we use a design science approach to develop the Operations-Public image-Legal (OPL) model and method that
starts with end user and manager driven identification of risks posed by the compromise of corporate data tables along all
three dimensions and ends with a quantitative estimation of the importance of existing information security controls, as well
as the control deficiency risk (CDR) due to missing security controls.
The contributions of this work include the following. First, we provide a multi-dimensional perspective that draws on collab-
oration between different stakeholders, to specify the risk posed by the compromise of confidentiality or integrity of data of vary-
ing sensitivities. Second, our approach incorporates a formal mapping between the different risk or sensitivity levels of data, and
the levels of confidentiality and integrity protection that are needed for the organization under consideration. Third, we propose a
formal mapping between the protection levels required by the data of different sensitivities, and the values of each in-place and
missing information security control. This allows for a quantitative estimation of the importance of each in-place control as well
as the risk posed by missing controls, i.e. the CDR.
The rest of the paper is organized as follows. In Section 2, we present background research in both accounting and information
system areas. Section 3 contains the development of the OPL model and method. In Section 4, we evaluate and validate the OPL
method via multiple methodologies, with an accompanying discussion in Section 5. We conclude with limitations and opportuni-
ties for future research in Section 6.

2. Background

2.1. Internal audit function perspective

The IAF occupies a central role in corporate governance since it serves as an information gatherer and reporter for external
auditors, executive management and the board of directors (Gramling et al., 2004). Its primary responsibilities include risk assess-
ment, control assurance, and compliance assessment. The Institute of Internal Auditors now requires IAF to understand how IT is
being used in the organization, along with associated risks. However, while extensive research exists on the role of public or ex-
ternal auditors, limited research exists concerning the role of IAF and its interplay with the ITF (Weidenmier and Ramamoorti,
2006; Dhillon and Torkzadeh, 2006). While there are many categories of risk, our work focuses specifically on information security
risk assessment, which clearly requires collaboration between the IAF and ITF.
The IAF typically analyzes variability in performance of business processes and integrates this with its a priori knowledge of
drivers of business risk. This is the core of well known risk assessment frameworks such as the strategic-systems approach
(SSA) or business risk assessment (BRA) (Kochelova-Kozloski et al., 2013; Schultz et al., 2010). Key low-level processes that
drive financial performance and impact quantitative materiality are identified, along with appropriate metrics. Since these low-
level processes are monitored by operational management, the metrics offer less opportunity for manipulation by senior manage-
ment (Bell et al., 2005). Aberrations in metric values can highlight greater risk areas to the IAF. The OPL model and method we
propose here is similar to SSA, in that SSA requires metrics for business processes that affect financial performance, while the OPL
provides the metrics for data criticality from a security standpoint.
Julisch et al. (2011) recognize that, because of limited resources, auditors often have to make simplifying assumptions regard-
ing IT controls. They indicate that overlooking key IT controls can lead to material errors in the audit, and propose 13 IT control
patterns as a checklist for auditors. Their goal is to guide the allocation of scarce resources to perform the audit more effectively

1 Control Objectives for Information and Related Technology.

and efficiently. The IT control patterns proposed are not at the data level, rather they include items such as allowing only a single
access to each business application, exactly-once messaging semantics for moving data across the firm's network, logging all ac-
cesses to data, and the provision of least amount of privileges to each role to be able to accomplish its tasks in a system. Our work
extends this approach by explicitly linking information security controls to data confidentiality and integrity risk, providing quan-
titative estimates of the importance of each in-place and missing control.

2.2. Information technology function perspective

2.2.1. Need for multi-stakeholder teams in information security

After the Sarbanes–Oxley Act of 2002 “IT is playing a pivotal role in corporate governance and SOX compliance” (Weidenmier
and Ramamoorti, 2006). The need to involve stakeholders including business end users, senior managers and legal personnel
when estimating business risks is recognized in Damianides (2004) and Brown and Nasuti (2005), who propose governance
frameworks to allow IT personnel to better align with SOX requirements. The OPL model we propose provides a structured ap-
proach to accomplish this by explicitly requiring that estimations of risks be developed from the data table level and then mapped
to information security controls, using multi-functional stakeholder teams at each stage.
Several standards have been proposed for IT security and compliance. These include the Enterprise Risk management (ERM),
ISO27K, Infrastructure Library (ITIL), and Control Objectives for Information and Related Technology (COBIT). They require the as-
sessment of risk by the ITF to be aligned with the organization's general perception of risk. However, the how of assessing risk is
not specified and often left to each individual firm.
A list of critical security controls is published on (sans.org, 2016), where the need for the identification of the effects of infor-
mation asset compromise on the organization's business or mission is recognized. The importance of multi-functional teams made
up of ITF and IAF personnel is underscored in (Henderson et al., 2013; Helpert and Lazarine, 2009; Chaney and Kim, 2007). They
indicate that this approach leads to a better identification of risks, since it considers business processes, manual and IT-based con-
trols simultaneously. However, past research points out that the IAF has expertise in generally accepted accounting principles/
standards (GAAP/GAAS) and compliance standards such as SOX (Merhout and Buchman, 2007). At the same time, the ITF focuses
on the technical aspects of the systems, along with organizational compliance with IT standards such as COBIT or ISO 27002 (ISO,
2013; ITGI, 2012). The need for IAF to understand IT vulnerabilities and how they can impact business processes and data is rec-
ognized in several works (Henderson et al., 2013; Bellino and Hunt, 2007). Steinbart et al. (2012, 2013) find that ITF's perceptions
of the technical expertise of IAF and the extent to which security is reviewed in the internal audit, both positively affect ITF's view
of the quality of the relationship. An integral feature of the OPL method is a structured collaboration between ITF, IAF, manage-
ment, and end users. This collaboration incorporates views from the different stakeholders regarding information security and
the controls that enforce it.

2.2.2. Protection of corporate data

The C–I–A (confidentiality–integrity–availability) triad is a well known information security protection principle for organiza-
tional data (Greene, 2006). Confidentiality is the prevention of unauthorized disclosure or data reads. Integrity is the prevention of
unauthorized modification or data writes. Finally, availability is the prevention of unauthorized withholding of data or resources. Ac-
cording to Dhillon and Backhouse (2000), availability is less controversial. This may be because it needs to be assured at the in-
frastructure level, without regard to the individual data. The C–I–A principle highlights the three dimensions of data protection.
However, it is important to note that protection comes at a cost, and there is a need to provide varying levels of protection for
data of varying sensitivities.
From the standpoint of the ITF, Salmela (2008) defines information protection in terms of authenticity, confidentiality, integ-
rity and availability of the firm's data. They describe several methods to tie information security risks to financial exposure. These
include lost profits analysis and information asset value analysis. Smith (2004) looks at changes in sales patterns after an IT event in
the firm, and attempts to measure lost profits. Attribution of lost profits to any one IT security breach is difficult, and “long term
losses resulting from negative media exposure and customer inconvenience are usually impossible to quantify” (Salmela, 2008,
188).
OPL extends this earlier work by offering a framework to formally link confidentiality and integrity protection levels to differ-
ing risk/sensitivity levels of corporate data.

2.2.3. Risk specification of corporate data

Palmer et al. (2001) classify IT assets according to their criticality to the organization along a continuum ranging from restrict-
ed access to public access. The values for each asset are allocated based on competitive losses or legal ramifications if the infor-
mation is compromised (Smith, 2004).
There is widespread recognition that corporate risk is increasingly being tied to the data that the corporation possesses and
utilizes (Redman, 1998; Wang and Strong, 1996; Calder and Watkins, 2005; Page and Spira, 2003 (Turnbull report)). Typical in-
formation security risk specification for data is one dimensional with values ranging from “unclassified” to “highly confidential”2
(Pfleeger and Pfleeger, 2006; Etges and McNeil, 2006). Another popular and single dimensional method of risk specification is a

2 While risk specifications in the literature tend to be single dimensional, the protections needed by data are often considered along several dimensions including confidentiality, integrity and availability.

quantification of data compromise in terms of dollar loss (Birch and McEvoy, 1992; Courtney, 1977). In Gordon and Loeb (2001),
the risk posed by information is modeled using its financial value if it fell into the hands of a competitor, with three levels (top,
middle and bottom) suggested. There is recognition in Bodin et al. (2008) that firms need to look beyond annual loss expectancy
when specifying risk, and also consider the expectation of severe loss and the standard deviation of the loss. However, as pointed
out in Saari (1987), quantitative approaches to risk specification tend to be unreliable because of lack of industry-wide statistics,
i.e., risk analysis needs to be done in the context of the single organization itself.
Multiple stakeholders such as legal personnel, senior management and end users of corporate data evaluate risk due to data
compromise from different perspectives, such as the legal exposure, the public image deterioration and the loss of operational
ability and competitiveness. It may be difficult to incorporate all these perspectives into a single overall dimension that measures
the sensitivity of the data.
Our approach to risk or sensitivity specification is based on a multi-dimensional view of data-level security with a parsimonious
number of levels that permit easy security classification of all corporate data. Next, we present the OPL model that explicitly dif-
ferentiates between three dimensions of data security using three levels for each dimension.

3. The operational–public image–legal (OPL) risk specification model and method

The Committee of the Sponsoring Organizations of the Treadway Commission (COSO) describes a framework for Enterprise
Risk Management (ERM). This framework focuses on four important categories of risk: strategic, operations, reporting and com-
pliance (Curtis and Carey, 2012). In a 2015 report on information security, COSO recommended that corporations should have “A
program of ongoing and separate evaluations to assess the design and operating effectiveness of controls that are intended to re-
duce potential cyber exposures” (Galligan & Rau, 2015, p. 17). The OPL model can be used as an important component of such a
program. For the OPL model, we use the risk categories of the COSO ERM framework and add the categories of public image or
reputational risk, and litigation risk.
The first and most common dimension of higher-level risk in information security is competitive or operational risk, where the
corporation may lose operational revenue or market share (Gilad, 2003; Sarasvathy et al., 1998). The ‘O’ (operational) component
of the OPL model combines the COSO ERM categories of strategic and operational risk as they relate to information security. An
example of risk along this dimension is the compromise of proprietary manufacturing information that could cause a loss of com-
petitive advantage.
The ‘L’ (legal) component of the OPL model combines the COSO ERM categories of reporting and compliance risk and adds lit-
igation risk, as these risks relate to information security. This component includes the overall risk where the firm may face neg-
ative consequences from regulatory bodies or lawsuits (Walsh and Pyrich, 1994). For example, compromise of healthcare
information related to employees, if held by the firm, may lead to serious compliance and litigation costs.
We add a specific area of risk that is not fully developed in the COSO ERM model. This risk area is the ‘P’ (public image) com-
ponent of the OPL model, which includes reputation risk. Reputation risk previously focused on corporate social risk reporting and
managing the public reputation of the firm (Bebbington et al., 2008; Friedman and Miles, 2001; Cravens et al., 2003). However, a
2014 Deloitte survey on reputational risk found that the emerging area for public image risk no longer focuses on social reporting,
rather the “… biggest reputational issue will come from customer relationship management” (Deloitte, 2014, p. 7). Adding to
this, Raymond (2013) indicates that not only are customers becoming more aware of information security risks, they are moving
toward “… a model that holds the business accountable at each stage of the process.” The ‘P’ (public image) component of the
OPL model includes risks involving social reporting, customer relationship management, and public accountability, as they relate
to information security.
Validation that the three OPL dimensions are complete was accomplished in two steps. First, we proposed the dimensions
based on earlier work discussed above, and our own analysis of the multiple stakeholders in a corporation that are responsible
for data, including frontline end users, senior managers and legal personnel. Second, we empirically evaluated the completeness
of these dimensions by explicitly asking senior managers in a variety of industries, as part of the studies described later.
Overall, we adopted a design science approach to the development and testing of the OPL model and method. Design science
research differs from explanatory or theoretical research in that it involves the creation and evaluation of an artifact with the end
result of solving a problem, as opposed to formulating or testing an explanatory or predictive theory. In explanatory research the
phenomena already exist, whereas in design science, the phenomenon is often artificially created by means of an artifact (Hevner
et al., 2004; Holmstrom et al., 2009; Simon, 1969). There are seven guidelines for rigorous design science research, as described in
Hevner et al. (2004), which are reproduced in Fig. 1, below.
All of these guidelines are applied in this work. As per guideline 1, the artifact we create and evaluate in this work is the OPL
model and accompanying method. From guideline 2, the problem we address is the inclusion of different perspectives of dimen-
sions in the information security risk specification of organizational data, a mapping from different risk levels to relevant protec-
tion levels, and finally the contribution of controls to protection levels. Several studies described below led to a rigorous
evaluation of the OPL model and method, as per guideline 3. Guidelines 4 and 5 point to rigor in the development of the artifact.
This is demonstrated later in this section where we formally define the OPL model and method. Guideline 6 requires that the ar-
tifact be realistic and conform to the constraints of the environment. The implementation of the OPL model and method described
later in this work, illustrates how OPL can be used in realistic environments. Guideline 7 is supported by this document as a com-
munication to academic and practitioner audiences in both the accounting and information systems areas.
Next, we define the OPL risk specification model.

Fig. 1. Guidelines for rigorous design science research. Reproduced from Hevner et al. (2004).

3.1. Definition of the OPL risk specification model

The OPL model defines risk specification from multiple viewpoints at the data table level. It considers three dimensions:
operational, public image, and legal. For data tables that are high along the operational dimension, compromise of the information
degrades the internal functions and operational capability of the organization. Any impact along this dimension is felt at the tac-
tical and strategic levels of the organization. For tables that are high on the public image dimension, a security compromise will
likely lead to a significant break in public trust and reputation, causing a negative financial impact. For data tables that are high
along the legal dimension, a security compromise will lead to a lack of compliance with regulations and industry standards.
This may lead to litigation, shut-downs or fines.
The three dimensions above are independent of each other. It is straightforward to conceptualize examples of corporate data
where the risk level is high only along one dimension and not the others. For example, tables containing part drawings and
manufacturing processes of standard parts may represent high levels of operational risk, if compromised, but low levels of public
image and legal risks. A table containing the salaries of managers may pose a high level of public image risk if the salaries are
inordinately disproportional to the norm, but low levels of operational and legal risk. Finally, a table containing employee social
security numbers, names and addresses may lead to substantive legal risks if the information is compromised and identities are
stolen, but poses low levels of operational and public image risk. We note that while these dimensions are independent, it is pos-
sible that data that is perceived as being risky along one dimension may be considered sensitive along other dimensions as well.
For each of the three data table security dimensions, we propose three potential levels of impact: low, medium and high. We
define low impact as a marginal or negligible effect on the organization if the data is compromised. Medium represents moderate impact to the organization if
the security is compromised. There may be short-term effects and moderate penalties associated with the medium level of risk. A
high impact implies a substantial impact to the organization upon compromise of the data table's security. The organization may
be unable to function operationally, or the public image may be degraded for the long term. There may be substantial long term
legal or compliance issues if the data is compromised.
Next, we present a set-theoretic representation of the OPL model.
We define the following three sets:

$$
\begin{aligned}
O &= \{(O,L),\ (O,M),\ (O,H)\} \\
P &= \{(P,L),\ (P,M),\ (P,H)\} \\
L &= \{(L,L),\ (L,M),\ (L,H)\},
\end{aligned}
\tag{1}
$$

where (O,L) represents a low level of operational impact, etc.



We define the set of tables or relations in the database schema as follows:


$$
R = \{R_1, R_2, R_3, \ldots, R_I\} \text{ for a database consisting of } I \text{ tables.}
\tag{2}
$$

OPL represents risks from an end user perspective. However, from an ITF perspective, data can be compromised in two pos-
sible ways: it may be accessed (read) inappropriately without being modified, or it may be modified3 (written) inappropriately
as well. For each type of compromise, we define three levels of protection: low, medium and high. The levels are defined in similar
fashion to the OPL levels.
We define two sets to represent the data access and modification protection levels:

$$
\begin{aligned}
A &= \{(A,L),\ (A,M),\ (A,H)\} \\
M &= \{(M,L),\ (M,M),\ (M,H)\}.
\end{aligned}
\tag{3}
$$

Finally, from an ITF and IAF perspective, security is viewed as a set of IT security controls some of which are in place and need
to be tested, while others may be missing. The challenge posed to the IAF is to come up with a good testing strategy for in-place
controls, while evaluating the CDR due to missing controls.
We define the following sets:

$$
C = \{C_1, C_2, \ldots, C_u\} \text{ is the set of all IT security controls (in-place or missing) that are applicable to the organization under audit.}
\tag{4}
$$
Cmissing ⊆ C, is the set of controls that are missing in the organization.
Cin-place = C − Cmissing then is the set of controls in place in the organization.
Finally, we define a set of rating scores for each control:

$$
S = \{1, 2, 3, 4, 5, 6, 7, 8, 9, 10\}.
\tag{5}
$$

Next we formally describe how the OPL model can be used in an organization. We term this the OPL method.

3.2. OPL method

The first step in the OPL method is the specification of a functional mapping between data tables and their O, P, L values. This
would typically be performed by organizational teams consisting of end users, the legal department and senior management rep-
resentatives. We term this mapping rateTables and it is defined using Eqs. (1) and (2) above:

$$
\mathit{rateTables} : R \rightarrow O \times P \times L.
\tag{6}
$$

rateTables needs to be specified once, and should be reviewed periodically if the environment or the data table structures change.
This mapping represents the non-ITF stakeholder perception of risks posed by data.
Next, we relate the OPL ratings of data tables to the levels of data access and modification protection needed. These are cap-
tured in the A and M sets defined in Eq. (3) above. To accomplish this, functional mappings are specified between all possible OPL
levels and the data access and modification protection required by each level. This mapping is also performed by a multi-
functional organizational team that includes ITF, IAF, senior management and legal experts. We term these mappings mapOPLtoA
and mapOPLtoM and define them using Eqs. (1) and (3) above:

$$
\mathit{mapOPLtoA} : (O \times P \times L) \rightarrow A
\tag{7}
$$

$$
\mathit{mapOPLtoM} : (O \times P \times L) \rightarrow M
\tag{8}
$$

The mappings in Eqs. (7) and (8) need to be specified once, and represent the organization's perception as to the level of
access and modification protection needed by data tables at different levels of OPL.
Finally, we need to incorporate the viewpoint of the ITF and IAF functions, which is more control driven. Each IT security con-
trol is scored in terms of its cost to implement versus benefit in providing overall protection from unauthorized data access and un-
authorized modification. We term the functions scoreControlsAcc and scoreControlsMod. This scoring would typically be performed
by the ITF and IAF, and is defined below in terms of Eqs. (3), (4) and (5):

$$
\mathit{scoreControlsAcc} : (A \times C) \rightarrow S
\tag{9}
$$

$$
\mathit{scoreControlsMod} : (M \times C) \rightarrow S.
\tag{10}
$$

3 Data modification or ‘write’ implies that an insert, an update or a delete may be performed on the database.

The overall OPL mappings are shown in Fig. 2. As can be seen, the OPL method encourages structured collaboration between
the firm members, ITF and IAF and incorporates perceptions from all three groups.
After the mappings in Fig. 2 are performed, the contribution of each in-place control as well as the risk due to each missing
control can be computed using the algorithms described below.

(11)

(12)
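The sets and mappings of Eqs. (1) through (10), worked through in code as an added example that is not from the paper: the table names, OPL ratings, controls and scores are constructed sample values, the two mapping rules (highest level; any high else medium) are assumptions, and the closing aggregation is likewise an assumption of this example rather than the paper's own algorithms (11) and (12). The validation step shows the check an auditor would run first: that each mapping is total over its domain and lands in its codomain.

```python
"""OPL sets and mappings of Eqs. (1)-(10), as a runnable illustration.

Added example; not code from Rahimian et al. Table names, ratings, controls
and scores are constructed sample values; the mapping rules and the
aggregation in contribution_and_cdr() are assumptions of this example, not
the paper's algorithms (11) and (12).
"""
from itertools import product

LEVELS = ("L", "M", "H")                       # low, medium, high
OPL_DOMAIN = list(product(LEVELS, repeat=3))   # O x P x L: 27 triples
SCORES = set(range(1, 11))                     # S, Eq. (5)

# Eqs. (2) and (6): constructed ACME-style tables with their (O, P, L) ratings
rateTables = {
    "Employee":      ("L", "M", "H"),   # SSNs and addresses: legal exposure
    "Customer":      ("M", "M", "M"),
    "PartDrawing":   ("H", "L", "L"),   # proprietary process data
    "PurchaseOrder": ("M", "L", "L"),
}

# Eq. (4): constructed universe of controls, split into in-place and missing
C_IN_PLACE = ("RBAC", "DB audit log")
C_MISSING = ("Encryption at rest", "Change approval workflow")
C = C_IN_PLACE + C_MISSING

def build_protection_map(rule):
    """Eqs. (7)/(8): a total function on all 27 OPL triples, generated from
    one rule so that no combination is left unmapped by the team."""
    return {opl: rule(opl) for opl in OPL_DOMAIN}

def highest_level(opl):
    """Assumed rule for mapOPLtoA: read protection follows the highest
    impact level among the three dimensions."""
    return max(opl, key=LEVELS.index)

def any_high_else_medium(opl):
    """Assumed rule for mapOPLtoM: high if any dimension is high, otherwise
    medium (every table gets at least medium write protection)."""
    return "H" if "H" in opl else "M"

mapOPLtoA = build_protection_map(highest_level)
mapOPLtoM = build_protection_map(any_high_else_medium)

# Eqs. (9)/(10): constructed scores keyed (protection level, control) -> S
scoreControlsAcc = {
    ("L", "RBAC"): 4, ("M", "RBAC"): 6, ("H", "RBAC"): 8,
    ("L", "DB audit log"): 2, ("M", "DB audit log"): 4, ("H", "DB audit log"): 6,
    ("L", "Encryption at rest"): 1, ("M", "Encryption at rest"): 4,
    ("H", "Encryption at rest"): 9,
    ("L", "Change approval workflow"): 1, ("M", "Change approval workflow"): 2,
    ("H", "Change approval workflow"): 3,
}
scoreControlsMod = {
    ("L", "RBAC"): 4, ("M", "RBAC"): 6, ("H", "RBAC"): 7,
    ("L", "DB audit log"): 3, ("M", "DB audit log"): 5, ("H", "DB audit log"): 7,
    ("L", "Encryption at rest"): 1, ("M", "Encryption at rest"): 1,
    ("H", "Encryption at rest"): 2,
    ("L", "Change approval workflow"): 3, ("M", "Change approval workflow"): 6,
    ("H", "Change approval workflow"): 9,
}

def validate_method(tables, opl_to_a, opl_to_m, acc, mod, controls):
    """Audit check before aggregating: every mapping must be total over its
    domain and land in its codomain. Returns a list of problems found."""
    problems = []
    for name, opl in tables.items():
        if opl not in OPL_DOMAIN:
            problems.append(f"rateTables: bad rating {opl} for {name}")
    for label, mapping in (("mapOPLtoA", opl_to_a), ("mapOPLtoM", opl_to_m)):
        for opl in OPL_DOMAIN:
            if mapping.get(opl) not in LEVELS:
                problems.append(f"{label}: no level for {opl}")
    for label, scores in (("scoreControlsAcc", acc), ("scoreControlsMod", mod)):
        for key in product(LEVELS, controls):
            if scores.get(key) not in SCORES:
                problems.append(f"{label}: no score in S for {key}")
    return problems

def required_protection(tables, opl_to_a, opl_to_m):
    """Compose rateTables with Eqs. (7)/(8): table -> (A level, M level)."""
    return {r: (opl_to_a[opl], opl_to_m[opl]) for r, opl in tables.items()}

def contribution_and_cdr(tables, in_place, missing):
    """Assumed aggregation (not the paper's Eqs. (11)/(12)): a control's
    value is the sum over tables of its access score at the table's required
    A level plus its modification score at the required M level. Over in-place
    controls this is their contribution; over missing controls, the CDR."""
    needs = required_protection(tables, mapOPLtoA, mapOPLtoM)
    def value(c):
        return sum(scoreControlsAcc[(a, c)] + scoreControlsMod[(m, c)]
                   for a, m in needs.values())
    return ({c: value(c) for c in in_place}, {c: value(c) for c in missing})

if __name__ == "__main__":
    contribution, cdr = contribution_and_cdr(rateTables, C_IN_PLACE, C_MISSING)
    print("in-place contribution:", contribution)
    print("CDR of missing controls:", cdr)
```

Because the protection maps are generated from a rule over the full 27-triple domain, the validation reports a gap only when a team-edited map drops a combination; the constructed scores deliberately give the missing "Change approval workflow" control the largest CDR, which is the kind of ranking the method is meant to surface.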

Having formally defined the OPL model and method, we next describe its empirical evaluation as per design science guideline
3 in Fig. 1.

4. Evaluation of the OPL model and method

We evaluated OPL empirically in two studies. The first study served as an evaluation of the OPL model itself, from a senior IT
manager perspective; i.e., were the OPL dimensions and levels comprehensive and yet parsimonious enough to be useful and us-
able when specifying the risk levels of data tables in their organizations? To accomplish this, we conducted an hour long demon-
stration focused on the OPL model, to senior IT executives, followed by a survey and structured discussion.
The second study was a comprehensive multi-phase implementation of the OPL model and accompanying method. In the first
phase, we selected a previously published case narrative describing the data needs of a small manufacturing enterprise (ACME
Corp.) and surveyed senior information system executives on the realism of the narrative. The second phase consisted of creating
a relational data schema from the case narrative. Each of the tables in the schema was then scored for risk along the OPL dimen-
sions. Phase 2 was performed by a team consisting of the authors and a senior manager with over 10 years of experience as Chief
Financial Officer and Controller in several small oil and gas service and production companies.
In the third phase, the mapping of all OPL risk levels to Data access and modification protection levels was performed for
ACME Corp. A Universe of controls was also created, along with a list of controls that would typically be in-place at a small en-
terprise such as ACME. The fourth phase consisted of scoring the controls and calculating the contribution of existing controls and
the control deficiency risk. For phases 3 and 4, the team consisted of the authors working with three internal auditors with over
10 years of experience each, and two IT security auditors with over 10 years of experience, all at mid-size to large firms in the
southwestern USA. Next we describe each study in detail.

Fig. 2. OPL mappings to evaluate IT security controls.



4.1. Study 1: validation of OPL rating system

We identified a key information systems executive in each of four large organizations in the southwestern USA (each over 1000
employees and sales over $100 million⁴). The executive experience of the participants ranged from five to over 20 years. We demon-
strated the OPL model to the participants with the demonstration lasting about an hour. During the demonstration, the OPL risk spec-
ification model was defined and examples were shown of using it on generic tables such as employee information and customer
information. Participants were free to ask questions regarding the model and how it would be used. At the end of the demonstration,
participants confirmed they understood the OPL model and how organizational data could be classified using the model.
After the demonstration, questionnaires were sent to the attendees from the various organizations to collect feedback on the
ease of use, usefulness, comprehensiveness and effectiveness of the model along with its potential applicability in the organizations.
The measures for ease of use and usefulness are adapted from Davis (1989). Additional questions, both open and closed ended,
measure the comprehensiveness and effectiveness of the OPL model from the information executive's viewpoint. Measures 1–
10 were rated on a five point Likert scale and the remaining measures were open-ended. The measures in the questionnaire,
along with the mean and standard deviation are shown in Appendix A.
The response data related to ease of use indicates that the survey participants found the overall concepts of the OPL framework
easy to comprehend and straightforward to use. However, some level of orientation and training may be needed for cross-
functional teams before they can start using OPL for rating the sensitivity of their data.
Similarly, response data for usefulness indicates that the OPL dimensions and the multiple levels per dimension are perceived
to be useful from an individual and organizational perspective. Responses to comprehensiveness indicate that the three dimensions
of OPL appear to be sufficient to represent the security aspects of the organizations.
In the free-format questions that relate to effectiveness, the surveyed participants broadly agreed that assigning and using OPL
security classifications at the data level would positively impact their organizational activities. Also, the majority of the partici-
pants agreed that the OPL framework would be useful in their current job tasks related to data and software security. Some of
the participants noted that incorporating the OPL framework into their existing software development processes had the potential
to improve data and system security.
After validating OPL from an executive viewpoint, we next describe the field study we undertook to implement the OPL model
and method.

4.2. Study 2: field study utilizing OPL model and method

4.2.1. Phase 1
For the field study, we started by creating a large scale data model of a manufacturing enterprise previously published in Bajaj
(2006). The functional description in Bajaj (2006) was created after examining several small manufacturing enterprises (SMEs)
and is meant to be a realistic depiction of a typical SME from the operations and the sales and marketing standpoint. The case
description for the SME, termed ACME, is shown in Appendix B. In order to validate the realism of the case we presented the
case description to four senior IT managers, three of whom had more than 15 years of managerial experience in medium to
large sized organizations and asked them to fill out a questionnaire that measured user satisfaction with, and perceived semantic
quality of, the ACME case. The participating managers were different from the ones used in the survey described earlier.
Good case descriptions should be correct, conflict-free, complete and contain no redundancies (Shanks et al., 2003). The user
satisfaction measures we used are described in Dunn and Grabski (2001), and the first four measures in Appendix C are derived
from those. The remaining measures in Appendix C capture the perceived semantic quality of the description and its freedom from
error, and are derived from Maes and Poels (2007). The respondents were given a few days to go over the description of ACME
Corp. and ask us any questions they had. The mean values and the standard deviations for each measure, as well as an overall
aggregate value for each construct are shown in Appendix C. The responses indicate that the ACME data model adequately and
realistically describes the data needs of a small manufacturing enterprise. Next we implemented the data model for ACME
Corp. in Microsoft Access. The 54 tables created are shown in Appendix D.

4.2.2. Phase 2
After creating the tables, we followed the steps in Fig. 2 above. As Fig. 2 indicates, the OPL method incorporates the multi-
dimensional risk assessments for data provided by end users, senior managers and legal experts in the first phase (rateTable).
These risk assessments are then mapped to levels of protection required from an ITF perspective, i.e., protection from unautho-
rized access or modification of the data (mapOPLToA, mapOPLToM). A multi-functional team, consisting of senior managers,
legal experts, IAF and ITF personnel, instantiates this mapping between risk levels and appropriate protection levels. The final
mapping (scoreControlsAcc, scoreControlsMod) uses data access and modification protection levels to derive a score for information
security controls that are in-place or missing. The primary personnel involved in this last phase are from IAF and ITF.
In our field study, each of the 54 tables was rated for risk along all three OPL dimensions, thereby populating the rateTable functional mapping defined in definition (6) in Section 3.2, above. The ratings were performed by two of the co-authors independently at first, followed by a discussion meeting. Each field in each table was rated first, with a composite score for each table representing the overall risk posed by the data contained in that table. The assessment of the data was based on reviewing the fields for:

a) sensitivity and impact to the organization in the event of an unauthorized access or exposure,
b) compliance, industry standards, and regulatory requirements such as HIPAA and SOX,
c) public exposure due to weak security and protection mechanisms,
d) protection of intellectual property against theft, exposure, and loss of market advantage, and
e) protection of operational data pertaining to advertising information, customers, leads, product production, and supplier information.

⁴ Names of the organizations are not mentioned because of confidentiality requests.

The rateTable mapping that came out of this process consisted of 54 × 3 = 162 ratings, for O, P and L dimensions of each table
respectively. These ratings were then given to a senior manager with over 10 years' experience as Chief Financial Officer and Controller in several small oil and gas service and production companies. The manager was given two weeks to read the case, ask any
questions regarding the case and then suggest any changes to the ratings based on their experience. Overall, the manager changed
19 of the 162 ratings, and agreed with the remaining (88.2%). To investigate the levels of agreement for each dimension, we cal-
culated the Cohen's Kappa (Cohen, 1960) measure for each dimension. The Kappa scores were 0.51, 0.93 and 1.0 respectively for
the ‘O’, ‘P’ and ‘L’ dimensions. This level of agreement indicates overall stability in the rateTable mapping, with the maximum dis-
cussion being in the area of operational risk. The final rateTable functional mapping incorporates the changes suggested by the
manager, and is shown in Appendix E. Table 1 shows a subset of the mapping. For example, the customers table ranks high on
all three dimensions. The employees table ranks high on the legal dimension but low on the operational and public image dimen-
sions. The departments table ranks low on all three dimensions. Much of the operational information ranks high on the operational
dimension, but low on the public image and legal dimensions.

4.2.3. Phase 3
After specifying the complete rateTable functional mapping for ACME, the next step in Fig. 2 is instantiation of the mapOPLToA (data access protection) and mapOPLToM (data modification protection) functional mappings. These are defined in Eqs. (7) and (8) in Section 3.2 above. It is important to note that the mapOPLToA and mapOPLToM functions map all 27 possible OPL risk levels (three levels on each of three dimensions) to appropriate access and modification protection levels for data at that OPL risk level. These two mappings reflect the context of the organization. While higher OPL levels will usually map to higher A and M protection levels, organizations in a relatively non-competitive environment, for example, may decide that high operational risk maps only to medium A and M protection. Similarly, organizations in a legally sensitive environment may map data that poses even moderate legal risk to high levels of access and modification protection.
The complete mapping for all OPL risk levels is shown in Appendix F. The mappings in Appendix F were arrived at as follows.
Two of the authors worked collaboratively with a senior IT security auditor with over 20 years of experience to produce an initial
draft mapping. This was then shown independently to three internal auditors with over 10 years of experience each, and one IT
security auditor with over 10 years of experience, all at mid-size to large firms in the southwestern USA.
As expected, the different backgrounds of the participants led to differences in their initial mappings. The Fleiss Kappa is an
appropriate measure of degree of consensus for more than two participants (Fleiss, 1971), on a scale of −1 to 1, with 0 signifying
neither agreement nor disagreement. The only measure that showed fair agreement was when the levels of protection were LL
(low on the access and modification dimensions). The Fleiss score for LL was 0.35, and significantly greater than zero. The
score for every other protection level was not significantly greater than 0. The overall Fleiss Kappa score was 0.092, and not sig-
nificantly different from zero. This signifies the importance of bringing together the different viewpoints between ITF and IAF in
this phase. A final mapping of all 27 possible risk levels to confidentiality (access) and integrity (modification) protection levels
was created based on majority consensus.
Table 1
Subset of rateTable mapping for ACME Corp. (complete mapping in Appendix E).

Table | OPL classification | Comments
Customers | (O,H), (P,H), (L,H) | Customer information is considered sensitive and has legal requirements for protection. Company image will be damaged if customer information is released because the company cannot protect sensitive information.
Departments | (O,L), (P,L), (L,L) | Most companies have similar departments that are publicly known.
Drawings | (O,H), (P,L), (L,L) | There is high operational damage if competitors have access to how products are built.
EmployeeReportsTo | (O,L), (P,L), (L,L) | There is no legal impact if the information is made public. Public image is not damaged by this information becoming public.
Employees | (O,L), (P,L), (L,H) | Employee information is considered sensitive and has legal requirements for protection. Employee information is not going to impact the company's operations if the information is hacked.
FGPTMachineType | (O,M), (P,L), (L,L) | Links finished goods to part types and machine types. There is no legal impact if the information is made public. Public image is not damaged by this information becoming public. There is high operational damage if competitors know how long it takes to make products.

Table 2
Instantiation of mapOPLToA and mapOPLToM functions for example data tables (complete instantiation in Appendix F).

Data table | OPL classification | DA | DM | Overall DA + DM
Customers | (O,H), (P,H), (L,H) | MHH | HMH | HH
Departments | (O,L), (P,L), (L,L) | LLL | LLM | LM
Drawings | (O,H), (P,L), (L,L) | MLL | HLM | MH
EmployeeReportsTo | (O,L), (P,L), (L,L) | LLL | LLM | LM
Employees | (O,L), (P,L), (L,H) | LLH | LLH | HH
FGPTMachineType | (O,M), (P,L), (L,L) | MLL | MLM | MM

Table 2 lists the OPL rating levels for the six data tables that are described in Table 1 above. A high legal risk in OPL maps to high data access protection, but moderate data modification protection. However, a high operational risk in OPL maps to high levels of access and modification protection. One possible reason for this may be that the legal environment for small manufacturers like ACME is not onerous, while the industry in which ACME operates is highly competitive. The overall DA + DM mapping is the maximum rating for access and modification protection needed for a particular OPL level.

4.2.4. Phase 4
The next step in the OPL method is to instantiate the scoreControlsAcc and scoreControlsMod mappings from definitions (9) and
(10) in Section 3.2. These mappings incorporate information on a universe of IT security controls with a numeric valuation for
each control on its contribution to providing confidentialty and integrity protection. Some of these controls may be in-place
while others are missing.
The same group of participants were involved in phases 3 and 4. Two of the authors worked collaboratively with a senior IT
security auditor with over 20 years of experience to produce an initial Universe of controls that would be applicable to ACME. This
is the instantiation of the set C in definition (4), Section 3.2, for ACME. The Universe of controls was arrived at by consulting the
auditor as well as multiple sources noted for their influence in the area (Homeland Security, 2008; Council on CyberSecurity,
2014). A comprehensive source for IT controls is the ISO27002 specification, which contains over 120 controls and more than
1000 recommended procedures. In our case, the auditor agreed that the list of controls, C, in Table 3 seems comprehensive for
a small manufacturing enterprise. Next, Cin-place was populated with guidance from the auditor by selecting the controls from C
that would typically be in place at a small manufacturing enterprise. This Universe of controls was then shown independently
to three internal auditors with over 10 years of experience each, and one IT security auditor with over 10 years of experience,
all at mid-size to large firms in the southwestern USA. They all agreed that the list was sufficiently representative of controls
that would be applicable to a small manufacturing enterprise. The Fleiss Kappa score for this phase was 1. The list of elements
for Cin-place are shown in Table 3 with a (Y).
In order to instantiate the scoreControlsAcc and scoreControlsMod functional mappings, each control is assigned a rating on a
discrete 1–10 scale for each level of data access and modification protection. An initial rating was created in the case of ACME
Corp. by two of the co-authors, with help from the auditor participant. The ratings incorporate the cost of implementation of
each control as well as the benefit of providing protection from unauthorized access or modification. The initial ratings were
then presented independently to three internal auditors with over 10 years of experience each, and one IT security auditor
with over 10 years of experience, all at mid-size to large firms in the southwestern USA. The final ratings for all the controls
were arrived at by averaging the scores, and rounding up to an integer, for clarity. These are shown in Appendix G. A subset
of these ratings is shown in Table 4.
Table 3
Universal list of controls for ACME (in-place controls indicated by Y).

Application level controls:
A1. Password complexity is in place (Y)
A2. Who has access to the data (Y)
A3. Authentication rules followed
A4. Authorization rules followed (Y)
A5. Encryption of data on storage/network
A6. Internal access log/trace
A7. External access log/trace (Y)
A8. Incident response/management in case of compromise (Y)
A9. Exception reporting
A10. Change management policy and procedures
A11. Security training on applications

IT process/infrastructure controls:
P1. Documented procedures
P2. Authentication and authorization rules followed for automated and manual data transfers across systems
P3. Plan for archiving account privileges, data (Y)
P4. Problem logs regarding security issues
P5. Activity logs regarding security fixes
P6. DB servers properly configured (Y)
P7. Software patched with version control (Y)
P8. Limited external network access (Y)
P9. Authentication on network (Y)
P10. Network activity log
P11. Disaster recovery plan if unauthorized internal or external access (Y)
P12. Physical access secured (Y)
P13. Limited access to IT assets (Y)
P14. Physical access monitored (Y)
P15. Change management policies and procedures (Y)
P16. Background checks on new IT hires (Y)

Table 4
scoreControlsAcc and scoreControlsMod for a subset of the Universe of controls (complete list in Appendix G). Each control is rated 1–10 for each protection level (Low / Medium / High).

Control # | Control | Data access (L / M / H) | Data modification (L / M / H)
Application level
A1 | Password complexity is in place | 3 / 7 / 10 | 3 / 7 / 10
A5 | Encryption of data on storage/network | 1 / 5 / 10 | 1 / 7 / 10
IT process/infrastructure level
P2 | Authentication and authorization rules followed for automated and manual data transfers across systems | 4 / 6 / 10 | 6 / 8 / 10
P3 | Plan for archiving account privileges, data | 1 / 6 / 9 | 2 / 5 / 9

For example, encryption of data on storage/network, control A5, which is a missing control, has costs associated with it of hardware, software and training of end users. However, control A5 also has benefits, especially as the level of protection required increases. If the access or modification protection requirement for a table is low, control A5 is rated 1, meaning it is less important for that table. If the access protection requirement is medium, the control has a score of 5, while if the modification protection requirement is medium it is more important to have the control, and it gets a score of 7.
Control A1, which is in place, is perceived to have lower cost/greater benefit even for less sensitive data, and hence is scored higher than missing control A5 in Table 4. Similarly, each control in Appendix G gets a different rating depending on the sensitivity of the data table being protected, and the cost/benefit of implementing each control. We note that these controls are rated by the IAF and ITF working together to determine the cost/benefit tradeoff for each control.
As described in Section 3, the Universe of controls can be split into in-place controls and missing controls. The final step in the
OPL method is to use the algorithms defined in Eqs. (11) and (12) in Section 3.2. These evaluate the contribution of each in-place
control as well as the CDR due to each missing control. The spreadsheets built to perform this calculation are shown in Appendix
H. A subset of these calculations is shown in Table 5, which depicts the scores for controls A1, A5, P2 and P3 for the six data tables
shown in Table 2 above.
Looking at Table 5 for in-place controls, we see that the score for control A1 is 20 for the customers table, for the departments
table the score is 10 and it is 20 for the employees table. Similarly the score for in-place control P3 is 18 for the customers table,
the departments table score is 6 and it is 18 for the employees table.
Looking at Table 5 for missing controls, we see that the score for control A5 is 20 for the customers table, the departments table
is 8 and it is 20 for the employees table. For missing control P2, the scores are 20, 12 and 20 for the same three tables, respectively.
The last two rows in Table 5 represent the last two rows of the spreadsheets in Appendix H, for the controls A1, A5, P2 and P3.
These rows show the contribution scores for in-place controls and the potential contribution scores for missing controls. The
scores for the missing controls represent the control deficiency risk for those controls.
Looking at the second to the last row in Table 5, we see that the raw contribution score for control A1, summed across all the
54 tables, is 835. Similarly, the raw scores for controls P3, A5 and P2 are 688, 759, and 850 respectively.
The last row in each sheet shows the proportional (0–1) contribution or deficiency risk of each control. The proportional
values are obtained by dividing the value for each control by the maximum value amongst all controls in the Universe of controls.
The proportional contributions for in-place controls A1 and P3 are 0.916 and 0.754, respectively. This implies that A1 should be
more fully tested than P3 during an audit. The proportional CDR values for missing controls A5 and P2 are 0.806 and 0.902, re-
spectively. This implies that P2 should receive a stronger consideration for future inclusion at ACME than A5.

Table 5
Scores for subset of controls by data table with contributions/CDR for in-place/missing controls.

Data table | OPL classification | DA + DM | A1 (Y) | A5 | P2 | P3 (Y)
Customers | (O,H), (P,H), (L,H) | HH | 20 | 20 | 20 | 18
Departments | (O,L), (P,L), (L,L) | LM | 10 | 8 | 12 | 6
Drawings | (O,H), (P,L), (L,L) | MH | 17 | 15 | 16 | 15
EmployeeReportsTo | (O,L), (P,L), (L,L) | LM | 10 | 8 | 12 | 6
Employees | (O,L), (P,L), (L,H) | HH | 20 | 20 | 20 | 18
FGPTMachineType | (O,M), (P,L), (L,L) | MM | 14 | 12 | 14 | 11
Raw overall control contribution/CDR (summed over all 54 tables) | | | 835 | 759 | 850 | 688
Proportional overall control contribution/CDR | | | 0.916 | 0.806 | 0.902 | 0.754

5. Discussion

The current state of the art in auditing information security involves ITF and IAF personnel using past experience to propose lists of controls that need to be in place. This is often done without regard to the tradeoff between the data sensitivity needs of a particular organization and the costs of implementing and maintaining each control. The result may be unnecessary controls for organizations with less sensitive data, or a lack of controls for organizations in more sensitive environments.

Fig. 3. Collaborative information security audit framework driven by OPL.
The sensitivity of organizational data is best understood by the data owners, senior management and legal experts who are
familiar with the domain and environment of the organization. The OPL method provides a quantitative framework to capture
the viewpoints of these experts in assessing the sensitivity of their data along three dimensions and passing it to IAF and ITF per-
sonnel. The assessments provided at the data level are used to determine the level of protection from unauthorized access and
modification (DA + DM) that needs to be implemented for each data table (see Table 2).
The different levels of DA + DM protection required are mapped to the scores for each control in the Universe of controls that ITF
and IAF have created (see Table 5).This provides a score for the value of each control for each data table, in the context of the orga-
nization. Thus, The OPL method provides a collaborative framework to incorporate the views of different levels of the organization
when evaluating the suitability of information security controls for that organization. This is in contrast to a generic list of controls
that ITF and IAF may use regardless of the context of their organization. This collaborative OPL-driven framework is shown in Fig. 3.
As Fig. 3 indicates, the calculated contribution and CDR scores can be used to create a collaborative audit framework for testing
in-place controls and recommendations for instituting missing controls.
Table 6 shows the proportional contribution of each in-place control (from Appendix H). It also contains the recommended depth of audit testing for each control, using the heuristic that controls with a score ≥0.9 get heavy testing, a score <0.9 and >0.75 gets moderate testing, and a score ≤0.75 gets light testing. We note that this heuristic may be varied depending on the environment and industry in question.
Table 7 shows the proportional CDR values for missing controls. Recommendations are made by the team regarding which controls need to be added, based on the heuristic that missing controls with a score >0.9 get a strong recommendation, a score ≤0.9 and >0.75 gets a moderate recommendation, and a score ≤0.75 gets a weak recommendation to be added. Based on Table 7, IT security control P2 is a strong candidate for future inclusion at ACME Corp.

Table 6
Proportional contribution of in-place IT security controls (from Appendix H).

Control code | Control description | Proportional contribution (0–1) | Auditor testing plan depth (light, moderate, heavy)
A1 | Password complexity is in place | 0.916 | Heavy
A2 | Who has access to the data | 0.803 | Moderate
A4 | Authorization rules followed | 0.916 | Heavy
A7 | External access/modification log/trace | 0.966 | Heavy
A8 | Incident response/management in case of compromise | 0.749 | Light
P3 | Plan for archiving account privileges, data | 0.754 | Moderate
P6 | DB servers properly configured | 0.851 | Moderate
P7 | Software patched with version control | 0.743 | Light
P8 | Limited external network access | 1.000 | Heavy
P9 | Authentication on network | 0.956 | Heavy
P11 | Disaster recovery plan if unauthorized internal or external access | 0.751 | Moderate
P12 | Physical access secured | 0.593 | Light
P13 | Limited access to IT assets | 0.840 | Moderate
P14 | Physical access monitored | 0.695 | Light
P15 | Change management policy and procedures | 0.754 | Moderate
P16 | Background checks on new IT hires | 0.741 | Light

Table 7
Proportional deficiency risk of missing IT security controls (from Appendix H).

Control code | Control description | Proportional CDR (0–1) | Recommend adding control (weak, moderate, strong)
A3 | Authentication rules followed | 0.846 | Moderate
A5 | Encryption of data on storage/network | 0.806 | Moderate
A6 | Internal access/modification log/trace | 0.783 | Moderate
A9 | Exception reporting | 0.757 | Moderate
A10 | Change management policy and procedures | 0.728 | Weak
A11 | Security training | 0.643 | Weak
P1 | Documented procedures | 0.748 | Weak
P2 | Authentication and authorization rules followed for automated and manual data transfers across systems | 0.902 | Strong
P4 | Problem logs regarding security issues | 0.877 | Moderate
P5 | Activity logs regarding security fixes | 0.870 | Moderate
P10 | Network activity log | 0.857 | Moderate
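The Phase 4 computation of Section 4.2.4 and the testing-depth and recommendation heuristics of Tables 6 and 7, worked through in code. This is an added example, not the authors' spreadsheets from Appendix H. It uses only values printed on this page: the rateTable triples of Table 1, the mapOPLToA and mapOPLToM instantiations of Table 2, the control ratings of Table 4 and the in-place markers of Table 3. Because Eqs. (11) and (12) are not reproduced here, the example assumes that a table's score for a control is scoreControlsAcc(DA, c) + scoreControlsMod(DM, c), where DA and DM are the maximum letters of the mapped triples; that assumption reproduces every cell of Table 5. Raw totals and proportional values cover only the six tables shown, so they differ from the 54-table figures of Appendix H, and the normalisation divides by the largest raw value among the controls supplied.

```python
"""OPL control scoring worked through on the six ACME tables of Tables 2, 4 and 5.

Added example, not the paper's spreadsheet. Assumption (Eqs. (11)/(12) are not
printed on the page): per-table control score = scoreControlsAcc(DA, c) +
scoreControlsMod(DM, c), with DA/DM the maximum letter of the mapped triple.
"""
from typing import Dict, Iterable, Mapping, Tuple

OPL = Tuple[str, str, str]  # (Operational, Public image, Legal), each in {L, M, H}
RANK = {"L": 0, "M": 1, "H": 2}

# rateTable for the six tables of Table 1.
RATE_TABLE: Dict[str, OPL] = {
    "Customers": ("H", "H", "H"),
    "Departments": ("L", "L", "L"),
    "Drawings": ("H", "L", "L"),
    "EmployeeReportsTo": ("L", "L", "L"),
    "Employees": ("L", "L", "H"),
    "FGPTMachineType": ("M", "L", "L"),
}

# mapOPLToA / mapOPLToM for the OPL classifications that occur above (Table 2).
# Each value is the protection triple; the overall level is its maximum letter.
MAP_OPL_TO_A: Dict[OPL, str] = {
    ("H", "H", "H"): "MHH", ("L", "L", "L"): "LLL", ("H", "L", "L"): "MLL",
    ("L", "L", "H"): "LLH", ("M", "L", "L"): "MLL",
}
MAP_OPL_TO_M: Dict[OPL, str] = {
    ("H", "H", "H"): "HMH", ("L", "L", "L"): "LLM", ("H", "L", "L"): "HLM",
    ("L", "L", "H"): "LLH", ("M", "L", "L"): "MLM",
}

# scoreControlsAcc / scoreControlsMod for the four controls of Table 4 (1-10).
SCORE_ACC = {
    "A1": {"L": 3, "M": 7, "H": 10}, "A5": {"L": 1, "M": 5, "H": 10},
    "P2": {"L": 4, "M": 6, "H": 10}, "P3": {"L": 1, "M": 6, "H": 9},
}
SCORE_MOD = {
    "A1": {"L": 3, "M": 7, "H": 10}, "A5": {"L": 1, "M": 7, "H": 10},
    "P2": {"L": 6, "M": 8, "H": 10}, "P3": {"L": 2, "M": 5, "H": 9},
}
IN_PLACE = {"A1", "P3"}  # controls marked (Y) in Table 3


def protection_levels(opl: OPL) -> Tuple[str, str]:
    """Overall (DA, DM) for an OPL classification: max letter of each mapped triple."""
    da = max(MAP_OPL_TO_A[opl], key=RANK.__getitem__)
    dm = max(MAP_OPL_TO_M[opl], key=RANK.__getitem__)
    return da, dm


def control_score(control: str, opl: OPL) -> int:
    """Value of one control for one table (assumed form of Eqs. (11)/(12))."""
    da, dm = protection_levels(opl)
    return SCORE_ACC[control][da] + SCORE_MOD[control][dm]


def raw_scores(rate_table: Mapping[str, OPL], controls: Iterable[str]) -> Dict[str, int]:
    """Sum each control's per-table score over every rated table."""
    return {c: sum(control_score(c, opl) for opl in rate_table.values()) for c in controls}


def proportional(raw: Mapping[str, int]) -> Dict[str, float]:
    """Scale to 0-1 by dividing by the largest raw value among the controls supplied."""
    top = max(raw.values())
    return {c: v / top for c, v in raw.items()}


def audit_depth(p: float) -> str:
    """Testing depth for an in-place control (Section 5 heuristic, Table 6)."""
    if p >= 0.9:
        return "heavy"
    return "moderate" if p > 0.75 else "light"


def recommendation(p: float) -> str:
    """Recommendation strength for a missing control (Section 5 heuristic, Table 7)."""
    if p > 0.9:
        return "strong"
    return "moderate" if p > 0.75 else "weak"


def opl_report(rate_table: Mapping[str, OPL]) -> Dict[str, Tuple[int, float, str]]:
    """Per control: (raw total, proportional value, action) with the in-place/missing split."""
    raw = raw_scores(rate_table, SCORE_ACC)
    prop = proportional(raw)
    report = {}
    for c in raw:
        action = audit_depth(prop[c]) if c in IN_PLACE else recommendation(prop[c])
        report[c] = (raw[c], round(prop[c], 3), action)
    return report


if __name__ == "__main__":
    for table, opl in RATE_TABLE.items():  # rows match Table 5
        row = [control_score(c, opl) for c in ("A1", "A5", "P2", "P3")]
        print(f"{table:18s} {''.join(protection_levels(opl))}  {row}")
    for c, (r, p, act) in opl_report(RATE_TABLE).items():
        kind = "in-place" if c in IN_PLACE else "missing"
        print(f"{c} ({kind}) raw={r} proportional={p:.3f} -> {act}")
```

Running the module prints the four Table 5 columns for the six tables and then one action per control. The tier thresholds are taken verbatim from Section 5, including the different boundary at 0.9 for in-place (≥0.9) and missing (>0.9) controls; a practitioner adopting the method should decide deliberately whether that asymmetry is intended.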

5.1. Lessons learned from field study with ACME Corp.

We recommend several strategies when implementing the OPL model and method, based on the ACME field study. First, it is extremely important to elicit strong participation from all stakeholders, including end users, legal experts and senior management, when instantiating the rateTable mapping (see Figs. 2 and 3), which should be reviewed periodically and whenever the data model changes. This conforms to recommendations in Julisch et al. (2011) and Steinbart et al. (2012, 2013). Elicitation approaches may include group discussions, group interviews, and anonymous classification by individuals. There is a temptation to classify all data as important, and care needs to be taken to distinguish between data that is genuinely critical and needs to be secured, versus data that is perceived to be critical by its owners but is less critical in the larger firm context. It is also important at this stage to get comments from the stakeholders as to why the data is classified at certain levels. In our study these comments helped guide the downstream activities performed by the IAF and ITF participants.
Second, the mapOPLToA and mapOPLToM instantiations (see Figs. 2 and 3) do not need end user involvement, but do need in-
volvement from senior management, legal experts, ITF and IAF. This is because mapping the data sensitivity levels to appropriate
protection levels requires an understanding of the overall industry and environment. Differing opinions are likely in this phase,
and a consensus development strategy is essential.
Third, the scoreControlsAcc and scoreControlsMod instantiations (see Figs. 2 and 3) require collaborative discussion between the ITF and IAF personnel, since an understanding of the costs versus benefits of each security control is needed from a technical standpoint. There may be a tendency amongst IAF to classify all controls as highly beneficial, and care needs to be taken to rate controls based on their costs as well. We note that the 1–10 scoring (with 1 being least valuable) is based on the qualitative judgments of the individuals involved in the process. It is also important for the IAF to budget adequate hours for the risk assessment process.
As can be seen, the audit testing plan and the recommendations for possible implementation of missing controls provide a
quantitative basis for communication between IAF and external auditors with regard to information security.

6. Conclusion

Current estimates of information security risk by the IAF and ITF usually involve a single dimension of risk specification, with a
checklist of generic IT controls that may need to be audited (Julisch et al., 2011). Using a design science approach, we develop the
OPL multi-dimensional risk specification model and method to quantitatively estimate contribution of in-place security controls as
well as the control deficiency risk due to missing controls. Our empirical results indicate that OPL can be used to create a detailed
risk assessment of all corporate data, at the table level. The OPL method requires a structured collaboration amongst multi-stake-
holder teams consisting of business end users, legal experts, senior managers, the IAF and ITF (see Fig. 3).
Mishra and Dhillon (2006) point out that information security governance tends to ignore the management of security details at operational levels of business processes. Phelps and Milne (2008) recommend a partnership approach between IAF and the ITF to improve returns on IT control activity investments. As mentioned in Steinbart et al. (2012, 2013), COBIT prescribes the maintenance of an optimal co-ordination, communication and liaison structure between ITF and IAF. The control environment needs to include cross-divisional co-operation and teamwork (COBIT EDM05). The need for a shared world-view between the IAF and the ITF is also highlighted in Henderson et al. (2013). They point out that the two functions should perform shared activities in order to reduce risk. The OPL model meets these requirements by serving as a communication tool between the business end users, management, legal experts, IAF and ITF, allowing a shared view of the importance of in-place and missing information security controls.
First, from a theoretical standpoint, OPL represents a formal mechanism to capture the risk assessment viewpoints of the multiple stakeholders, including the ITF and IAF. Practically, OPL guides the list of recommended IT security controls for the corporate data, and provides more granular and grounded estimates of risk. Second, the OPL model proposes meta-data that can be incorporated by database management system vendors into their database server products, so that data security materiality is indicated at the time of table creation, in the data design phase, and is hence embedded into the organization's systems.
A recent finding in Steinbart et al. (2013, pp. 65) indicates that “… information security professionals' perceptions about the level of technical expertise possessed by internal auditors and the extent of internal audit review of information security are positively related to their assessment about the quality of the relationship between the two functions.” The OPL model and method enable more cogent and meaningful testing of IT security controls by the IAF. OPL allows better deployment of IT resources by prioritizing which missing controls need to be in place.
This work has a few limitations. First, the issue may be raised as to why we did not evaluate OPL in a real world organization. It is well known that many audit studies involve using realistic cases, as opposed to studying real world audits. In this work, we used a realistic case to validate how the OPL model and method can be used in a small manufacturing enterprise. Our results indicate that OPL is practical to use in realistic settings. We note that any communication, no matter how unstructured, between different stakeholders in an IS security audit would involve time costs. The OPL model and method offer a structured method of collaboration between different stakeholders, with some associated time costs. Our results indicate that real world experts have a positive view of the benefits of the OPL model and method, versus the time taken to create it. However, only a before and after implementation of OPL in a real world setting would allow a comparison between the cost and benefit of OPL versus the status quo in a particular organization. Because of resource constraints, this was beyond the scope of this study.
Second, group discussion dynamics that would facilitate more accurate rateTables, mapOPLToA and mapOPLToM instantiations were not investigated. However, our questionnaires and structured interviews with senior information officers and internal auditors indicated that OPL offers acceptable ease of use and usefulness when used in their organizations. The involvement of several IAF and IT senior auditors at different phases of the field study provides external validity to our work. A potentially interesting question for future research is the investigation of group dynamics when using the OPL method, using techniques such as the Analytic Hierarchy Process (Saaty, 1980).
Third, Microsoft Access was used to implement the tables in the data model for the case study. We used common columns
across tables to show the linkages between tables, but did not use the relationship mechanism offered by Microsoft Access that
allows the enforcement of referential integrity.
Fourth, the OPL model captures the specification for each table independent of other tables. However, multiple data tables that may be independently at low risk may interact to present a higher risk if compromised together. In a relational database, information across tables can be represented as table-joins, stored as views. One possibility when specifying the risk for a view is to use the highest OPL levels from all the tables participating in that view. Additional research is needed to analyze the effects of interactions between tables and the increased risk that may result.
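The fourth limitation above states a concrete aggregation rule for views, and the conclusion proposes that OPL levels be recorded as metadata at table-creation time. The following Python script is an added example, not code from Rahimian et al. or from any database vendor. It assumes a hypothetical `opl_classification` metadata table and a `view_base_tables` registry (both constructed here), uses SQLite in place of the Microsoft Access implementation of Appendix D, and takes its table ratings from the Appendix E rateTables instantiation for ACME; the three views it rates are constructed for the example. A view is rated at the highest level of each dimension across its base tables, and a view over a table that has not yet been classified is refused rather than rated, so an unassessed table can never be joined into a view that then looks low-risk.

```python
"""Added example (not from Rahimian et al. or any DBMS vendor): OPL levels kept as
table-level metadata, with a view rated at the highest level of each dimension
across the base tables it joins."""
import sqlite3

DIMENSIONS = ("O", "P", "L")           # Operational, Public image, Legal
LEVEL_RANK = {"L": 0, "M": 1, "H": 2}   # Low < Medium < High

def parse_opl(spec: str) -> dict:
    """Parse the paper's row notation, e.g. '(O,H), (P,M), (L,H)'. Every dimension
    must appear exactly once with a level in {L, M, H}; anything else is rejected."""
    levels = {}
    for chunk in filter(None, (c.strip(" ,") for c in spec.split(")"))):
        dim, sep, level = chunk[1:].partition(",")
        dim, level = dim.strip(), level.strip()
        if chunk[0] != "(" or not sep or dim not in DIMENSIONS or level not in LEVEL_RANK:
            raise ValueError(f"malformed OPL entry {chunk!r} in {spec!r}")
        if dim in levels:
            raise ValueError(f"dimension {dim} rated twice in {spec!r}")
        levels[dim] = level
    if len(levels) != len(DIMENSIONS):
        raise ValueError(f"not all of {DIMENSIONS} rated in {spec!r}")
    return levels

def format_opl(levels: dict) -> str:
    return ", ".join(f"({d},{levels[d]})" for d in DIMENSIONS)

def create_schema(conn: sqlite3.Connection) -> None:
    """Hypothetical metadata tables (an assumption of this example): one OPL row per
    base table, plus the base tables each view joins; the foreign key refuses a view
    over a table that nobody has classified."""
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript("""
        CREATE TABLE opl_classification (
            table_name   TEXT PRIMARY KEY,
            operational  TEXT NOT NULL CHECK (operational  IN ('L','M','H')),
            public_image TEXT NOT NULL CHECK (public_image IN ('L','M','H')),
            legal        TEXT NOT NULL CHECK (legal        IN ('L','M','H'))
        );
        CREATE TABLE view_base_tables (
            view_name  TEXT NOT NULL,
            table_name TEXT NOT NULL REFERENCES opl_classification(table_name),
            PRIMARY KEY (view_name, table_name)
        );""")

def register_table(conn: sqlite3.Connection, table_name: str, spec: str) -> None:
    levels = parse_opl(spec)  # validated before anything reaches the database
    conn.execute("INSERT INTO opl_classification VALUES (?, ?, ?, ?)",
                 (table_name, levels["O"], levels["P"], levels["L"]))

def register_view(conn: sqlite3.Connection, view_name: str, base_tables: list) -> None:
    try:
        with conn:  # rolls back the partial insert if any base table is unclassified
            conn.executemany("INSERT INTO view_base_tables VALUES (?, ?)",
                             [(view_name, t) for t in base_tables])
    except sqlite3.IntegrityError as err:
        raise ValueError(f"view {view_name!r} joins an unclassified table") from err

def view_opl(conn: sqlite3.Connection, view_name: str) -> dict:
    """Highest level per dimension over the view's base tables (the aggregation
    rule the paper suggests under its fourth limitation)."""
    rows = conn.execute(
        "SELECT c.operational, c.public_image, c.legal FROM view_base_tables v "
        "JOIN opl_classification c USING (table_name) WHERE v.view_name = ?",
        (view_name,)).fetchall()
    if not rows:
        raise KeyError(f"no base tables registered for view {view_name!r}")
    return {dim: max((row[i] for row in rows), key=LEVEL_RANK.__getitem__)
            for i, dim in enumerate(DIMENSIONS)}

# Ratings copied from the Appendix E rateTables instantiation for ACME.
ACME_RATE_TABLES = {
    "Customers": "(O,H), (P,H), (L,H)", "SalesOrders": "(O,H), (P,L), (L,L)",
    "SalesOrderEmployee": "(O,L), (P,L), (L,L)", "ProductType": "(O,L), (P,L), (L,L)",
    "Drawings": "(O,H), (P,L), (L,L)", "MachineInstances": "(O,L), (P,M), (L,M)",
    "Shifts": "(O,H), (P,M), (L,M)",
}
# Views constructed for this example; they are not part of the paper.
ACME_VIEWS = {
    "CustomerOrderCredit": ["Customers", "SalesOrders", "SalesOrderEmployee"],
    "ProductBuildSheet": ["ProductType", "Drawings"],
    "ShiftMachineUsage": ["Shifts", "MachineInstances"],
}

def demo() -> dict:
    """Rate each constructed view, then show that a view over an unclassified
    table is refused instead of being rated."""
    conn = sqlite3.connect(":memory:")
    create_schema(conn)
    for name, spec in ACME_RATE_TABLES.items():
        register_table(conn, name, spec)
    for view, tables in ACME_VIEWS.items():
        register_view(conn, view, tables)
    out = {view: format_opl(view_opl(conn, view)) for view in ACME_VIEWS}
    try:
        register_view(conn, "Unrated", ["Customers", "NotYetClassified"])
        out["Unrated"] = "accepted"
    except ValueError as err:
        out["Unrated"] = f"rejected: {err}"
    return out
```

Running `demo()` rates CustomerOrderCredit as (O,H), (P,H), (L,H), because the Customers table dominates every dimension, ProductBuildSheet as (O,H), (P,L), (L,L), since only Drawings carries operational risk, and ShiftMachineUsage as (O,H), (P,M), (L,M); the attempt to register a view over the unclassified `NotYetClassified` table is rejected. The `CHECK` constraints and `parse_opl` together ensure that only the three levels the paper defines can ever be stored, and keeping the rating in a metadata table rather than in a spreadsheet is what lets the IAF query which views and tables sit at (L,H) or (P,H) when planning which controls to test.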
Despite these limitations, the OPL model and method offer a collaborative framework to tie together the risk classification of
corporate data with levels of data access and modification protections that are needed, and the information security controls to
enforce these protections.

Appendix A. Questions and responses regarding OPL model

No.  Measure (5-point Likert scale: 1 = strongly disagree, 5 = strongly agree)  Mean (std. deviation)

Q1  The security classification of data fields based on the OPL model is cumbersome to use (reverse coded)  3.5 (1.29)
Q2  The security classification of data fields based on the OPL model requires a lot of mental effort (reverse coded)  3.25 (1.5)
Q3  Using the security classification of data fields based on the OPL model would be frustrating (reverse coded)  4.25 (0.5)
Q4  Overall, the security classification of data fields based on the OPL model is difficult to use (reverse coded)  3.75 (1.26)
Ease of use  3.69 (1.14)
Q5  Using the security classification of data fields based on the OPL model would improve my performance.  3.5 (0.58)
Q6  Using the security classification of data fields based on the OPL model would enhance my effectiveness.  3 (0.82)
Q7  Using the security classification of data fields based on the OPL model would increase my productivity.  3.75 (0.5)
Q8  I would find the security classification of data fields based on the OPL model useful.  3.75 (0.5)
Usefulness  3.5 (0.63)
Q9  The security dimensions (operational, public image, legal) do not meet the requirements of my organization (reverse coded)  4.25 (1.5)
Q10  The impact levels (low, medium, high) do not meet the requirements of my organization (reverse coded)  4.25 (0.95)
Comprehensiveness  4.25 (1.17)
Q11  Would you consider implementing the security classification of data fields based on the OPL model in your organization? Explain.  Discussion format
Q12  Can the security classification of data fields based on the OPL model be incorporated into existing processes in your organization? Explain.  Discussion format
Q13  Please provide any additional comments and recommendations.  Discussion format
Effectiveness  Discussion comments were positive in support

Note: Four senior information systems executives from different large organizations (over 1000 employees and sales over $100 million) participated in this survey.
The bold numbers represent the mean of the overall construct. The standard deviation of the overall construct is shown in round parentheses. The construct is
shown in the column to the left.

The mid-value for the 1–5 Likert scales is 3. The mean value for Ease of use is 3.69, Usefulness is 3.5 and Comprehensiveness is 4.25.
While the means are higher than 3, the values are not significantly higher than 3, given that the sample size is 4. As is well known, the
confidence intervals may tighten if the sample size were to be increased, which was beyond the scope of this study.

Appendix B. The ACME Corporation5

The ACME Corporation makes different types of products for sale directly to the general public. Examples of product types include the ACME bicycle, the ACME scooter and the ACME skateboard. ACME consists of a chief executive officer (CEO) who runs the company overall and oversees two departments. These departments are the sales and marketing department and the operations department. Next, the departments are described in detail.

ACME sales & marketing

The ACME sales and marketing department consists of several sales and marketing associates. A group of sales and marketing associates is managed by a sales and marketing manager. All the sales and marketing managers form one group managed by the Sales and Marketing VP (Vice President). The VP reports directly to the CEO. In addition, there is one front desk for the department, managed by the sales and marketing receptionist, who supports everybody, but reports to the sales and marketing VP. The performance of the receptionist is measured by conducting a quarterly survey that is filled in by all the other employees of sales and marketing. Each quarterly survey has a survey_id, a date and a rating (on a 1–10 scale) from each sales and marketing employee.
Each employee in the sales & marketing department has an employee_id, a name, an office address, a home address, an office
phone, a home phone, a cellular phone, an e-mail, and a title (which is either sales and marketing associate or sales and marketing
manager or sales and marketing VP or sales and marketing receptionist).
The department maintains a listing of customers. Customers are people or organizations who have bought from ACME in the
past. Each customer has a customer_id, a name, a company name (the company that they work for), address, phone, cell phone, e-
mail, and a status (which is either gold, silver or bronze). The sales and marketing employees keep records of all conversations
with customers. Each conversation has a customer_conversation_id, and a summary of conversation. Each customer conversation
takes place between exactly one customer and one or more employees in the sales and marketing department.
The department also has a list of leads. Leads are people or organizations who have not yet bought anything from ACME, but
may buy in the future. Each lead has a lead_id, a name, a company name, address, phone, cell phone, e-mail and a status (cold, warm
or hot). The sales and marketing employees keep records of all conversations with leads. Each conversation has a
lead_conversation_id, and a summary of conversation. Each lead conversation takes place between exactly one lead and one or
more employees in the sales and marketing department.
The performance of sales associates is measured by the dollar value of the products that they sell every month. Sometimes, customer conversations or lead conversations result in orders. An order has an order_id. Each order is for one or more product items, with each product item being of one product type. Each product type that ACME sells has a unit price, which is the price for one item of the product type. In addition, each product type has a product_type_id, a name and a quantity_on_hand (the number of product items of that product type, available for sale). The dollar value of each order is added up, and the credit for each order goes to at least one sales and marketing associate, though possibly more. Each order is given by only one customer. If a lead conversation results in an order, then that lead is converted into a customer. As soon as a lead becomes a customer, their previous lead conversations are deleted.
The department is responsible for advertising campaigns. Each advertising campaign is the responsibility of one sales and marketing manager. Advertising campaigns are conducted in media outlets (like newspapers, trade journals, television and radio). Each advertising campaign has an ad_campaign_id, a name, a budget_total, a costs_to_date, date_began and date_ended. Each media outlet has a media_outlet_id, name (e.g., post-gazette is a name), a unit_cost_of_ad, an ad_sales_person_name, phone, cell phone and e-mail. Each ad campaign is linked to several media outlets. For example, an ad campaign can be one that is linked to ads running in the post-gazette and WFUN FM (both media outlets) from the dates Jan. 20, 2000 to June 20, 2000.
In order to keep track of advertising effectiveness, ACME also asks each customer and lead, in each conversation with them, if they have heard about ACME since the time of the last conversation. The date and the media outlet that the customer or lead names are recorded and linked back to the ad campaign that the ad belongs to. Of course, in each conversation, a customer or lead can say that they heard about ACME through a number of different media outlets, on different dates. Each of these is recorded and linked back to the relevant advertising campaign.
The performance of the sales managers is measured by the total dollar of sales generated by the associates who work for that
manager, as well as by the advertising effectiveness of the advertising campaigns that were run by that manager.
The performance of the VP sales & marketing is measured by the total dollar value of the sales generated by the sales & marketing department, as well as by the advertising effectiveness of the advertising campaigns run by the department. Performances of all sales and marketing employees are assessed every quarter. Of course, advertising campaigns may span quarters, so that, for example, one campaign may run for five months, while another may run for two years.
In order to perform its activities, the department gets a budget that is approved by the CEO. They also keep track of past budgets. Each budget has a budget_id, date_began, a date_ended, and a total field. Each budget has a list of budget items, with each item in the budget having an item_id, activity_name, and amount. Budgets are for a quarter. Quarters are from Jan–March, April–June, July–September and Oct.–December.

5 Several small manufacturing enterprises were analyzed to create this company. ACME is a fictitious name to mask their identities for purposes of confidentiality.

Some processes that the sales and marketing department performs include:

a) making a sales call to a customer or a lead,
b) creating a new or conducting an ongoing advertising campaign,
c) creating new products, or updating information about existing products,
d) in general creating new information or updating information on existing data that is necessary for the day to day running of the department,
e) converting a lead to a customer, and
f) changing the status of a customer or a lead.

ACME operations

The ACME operations department is responsible for actually manufacturing the different products that ACME sells. The department is broken up into different shops, like the fabrication shop, the assembly shop and the packaging shop. Each shop has several different machines (like lathes, milling machines, drills and packaging machines). Each machine has a machine_id, machine_name, location_description, function_description, date_machine_was_purchased and date_last_maintenance. Each shop has machinists, with at least one and possibly more machinists per machine. The machinists work in shifts, with each shift being 8 h. Each shift takes place in one shop, and has a shift_id, a time_began, and a time_ended. As per union laws, each machinist can work in a maximum of 6 shifts a week, and a minimum of 4 shifts a week. Each shift is managed by one foreman. The foremen report to the shop managers (each shop is managed by a shop manager). The shop managers report to the Operations Vice President (VP).
Each employee in the operations department has an employee_id, a name, an office_address, a home_address, an office_phone, a
home_phone, a cellular_phone, an e-mail, and a title (which is machinist, foreman, shop manager, receiving clerk, stocking clerk,
shipping clerk or operations VP).
The operations department follows a defined process for manufacturing each product type. A product type is a type of product (like the ACME skateboard), as opposed to the product item, which is the actual item itself (like an actual, physical ACME skateboard item). The operations department makes product items. Each product type has a product_type_id, a name, a date_production_began (the date it was first produced), and a date_production_ended (the date it was not offered anymore and ACME stopped manufacturing it). Each product also has associated with it a work plan, which includes a set of drawings, and a process flow. A drawing can only belong to one product. A process flow can only belong to one product. Each product item is typically made on a number of machines, and may go through different shops. For each product type, ACME has the amount of time required on each machine to make a product item for that product type. For each product, ACME also records the different types of raw material needed for the product type, as well as the required quantity of each raw material type.
The operations department also has a list of raw material types (like steel rods, steel bars, cast iron bars, aluminum rods, and so on). Each raw material type has a raw_material_type_id, and a name. Raw material items are supplied by suppliers. Each supplier has a supp_id, name, address, phone, contact_name, e-mail and web_page. A supplier can supply many raw material types. Each raw material item is supplied by one supplier. A raw material item is an actual physical item of a raw material type (e.g., 5 steel bars that were supplied by supplier Bob in one shipment).
When ordering raw material items, the operations department uses purchase orders. For example, when a supplier supplies 5 steel bars that are requested on one purchase order, then that is considered to be one raw material item on that purchase order.
A purchase order has a po_id, a date_sent and a list of raw material types that were ordered, including the unit price and quantity of each
raw material type ordered. Each purchase order is made out by one receiving clerk. Receiving clerks report directly to the Operations VP.
The receiving clerks also follow up periodically on the purchase orders they have made. Each purchase order followup is identified by
the po_id and the date on which it was made. In addition, a summary of the conversation that took place during the followup between the
supplier representative (who may be different from the supplier contact_name) and the receiving clerk is also recorded. While all the raw
materials on a purchase order are ordered on the same date (the date of the purchase order), the supplier may deliver the items on
different dates. So, for each raw material type on a purchase order, the date_requested and date_actually_received are captured.
The performance of the receiving clerks is measured by the number of total purchase orders they process in each quarter and
the average delay in receiving raw materials (computed by looking at the average difference between date_requested and
date_actually_received for all items processed by the receiving clerk in a quarter).
Once the raw material items are received, they are handed over to a stocking clerk. All stocking clerks also report directly to
the Operations VP. The stocking clerk puts the items in raw material inventory. Each raw material inventory shelf has a
raw_shelf_id and a description of the shelf location. Each item in the inventory has a raw_material_type_id, a raw_material_item_id,
a name, a quantity, a date_put_in_inventory, a raw_shelf_id and the supplier_id of the supplier who supplied it and the employee_id
of the stocking clerk who shelved it.
The performance of stocking clerks is based on the number of raw material items they shelve every quarter, as well as the average delay in shelving materials (computed by looking at the average difference between date_actually_received for a raw material item and the date_put_in_inventory for that item, for all items shelved by that stocking clerk in that quarter).
When a product item is to be manufactured, the operations department creates a new product item in its system before it starts manufacturing the item. Each product item has a prod_item_id and is of one product type. The relevant raw materials are removed (from different raw material items in the raw materials inventory) and the manufacturing of the product item is started. Typically, the raw materials make their way through the machines that are required to make the product item and are converted by each machine. We can think of each machine as receiving some unfinished items in each shift, and converting part or all of it to finished items (for that machine). The finished items are then fed to the next machine, and become the unfinished items for that machine. Each unfinished item for a machine has a raw_material_item_id (this links it to the raw material item it came from), a time_reached_machine (the time it reached that machine), and a time_manufactured (the time it came out of that machine as a finished item).
The productivity of each machinist is measured by dividing the amount of time that should have been taken to make all the finished items that were made on that machine in that shift by the time duration of the shift. Of course, in the same shift, the machine may be used to help in the manufacture of product items for different product types. So, if the duration of a shift is 8 h and the machine produced finished items on it that should have taken 10 h (according to the different product specifications), then the machinist's performance is 10/8. If another machine produced only 6 h worth of work in an 8 hour shift, then that machinist's performance is 6/8. A performance of 1 or higher is excellent, 0.8 to less than 1 is good and below 0.8 is poor.
The performance of each foreman is measured by combining the performance of all the machinists in the shift. The performance of each shop manager is measured by combining the performances of all the foremen in that shop.
Once a product item is completed (this means that a complete product item has been made), it is ready to be moved to the finished goods inventory. Each completed product item is taken by one shipping clerk and moved to the finished goods inventory. Each finished inventory shelf has a finished_shelf_id, and a description of where the shelf is. Each completed product item is of one product type, and has a prod_item_id, a finished_shelf_id, a date_put_in_finished_inventory and the employee_id of the shipping clerk who put it in the finished goods inventory.
The performance of the operations VP is measured by combining the performance of all the shop managers, the receiving
clerks, the stocking clerks and the shipping clerks.
In order to perform its activities, the operations department gets a budget that is approved by the CEO. They also keep track of
past budgets. Each budget has a budget_id, date_began, a date_ended, and a total field. Each budget has a list of budget_items, with
each item in the budget having an item_id, activity_name, and amount. Budgets are for a quarter. Quarters are from Jan–March,
April–June, July–September and Oct.–December.
Some processes that the operations department performs include:

a) creating and sending a purchase order (by the receiving clerk),
b) manufacturing a product item,
c) moving a finished item to shipping inventory (shipping clerk),
d) performing maintenance on a machine,
e) getting a new machine,
f) moving raw materials into raw material inventory (stocking clerk), and
g) receiving or updating information on new or existing product types.

Appendix C. Questions and responses regarding ACME description

Measure (7-point Likert scale: 1 = strongly disagree, 7 = strongly agree)  Mean (standard deviation)

1. The written description adequately represents the information needs of the sales and marketing and operations departments of a small manufacturing enterprise (SME).  6.5 (0.58)
2. The written description is efficient at representing the information needs of the sales and marketing and operations departments of a small manufacturing enterprise (SME).  6.25 (0.50)
3. I am satisfied that the written description represents the information needs of the sales and marketing and operations departments of a small manufacturing enterprise (SME).  6.75 (0.50)
4. The written description is effective at representing the information needs of the sales and marketing and operations departments of a small manufacturing enterprise (SME).  6.5 (0.58)
Overall satisfaction  6.5 (0.52)
5. The written description does not contain errors in its representation of the information needs of the sales and marketing and operations departments of a small manufacturing enterprise (SME).  6.5 (0.58)
6. The written description is realistic in its representation of the information needs of the sales and marketing and operations departments of a small manufacturing enterprise.  6.75 (0.5)
7. All elements in the written description are necessary to describe a typical sales and marketing and operations departments of a small manufacturing enterprise (SME).  6.25 (0.5)
8. The written description presents adequate detail to represent the information needs of the sales and marketing and operations departments of a small manufacturing enterprise (SME).  6.5 (0.58)
9. All elements in the written description are relevant for the representation of the information needs of the sales and marketing and operations departments of a small manufacturing enterprise (SME).  6.5 (0.58)
10. The written description is complete in its representation of the information needs of the sales and marketing and operations departments of a small manufacturing enterprise (SME).  6.5 (0.58)
Overall perceived semantic quality  6.5 (0.51)

The bold numbers represent the mean of the overall construct. The standard deviation of the overall construct is shown in round parentheses. The construct is
shown in the column to the left.

The four respondents were senior-level IT managers. Three had experience of over 15 years each in medium to large sized organizations.
The mid-value for the 1–7 Likert scale is 4. The mean value for Overall satisfaction is 6.5 and for Overall perceived semantic
quality is also 6.5. Even with a sample size of 4, the values are significantly higher than 4.

Appendix D. Data model implementation for ACME Corp. in Microsoft Access

Appendix E. Instantiation of the rateTables mapping for ACME.

Table  OPL classification  Comments

AdCampaignMediaOutlet  (O,L), (P,L), (L,M)  There may be contractual obligation not to release cost information.
AdvertisingCampaigns  (O,L), (P,L), (L,L)  There is no legal impact if the information is made public. Public image is not damaged by this information becoming public.
Billofmaterials  (O,M), (P,L), (L,L)  There is no legal impact if the information is made public. Public image is not damaged by this information becoming public. Some operational impact if this is compromised.
BOMInstances  (O,L), (P,L), (L,L)  There is no legal impact if the information is made public. Public image is not damaged by this information becoming public.
Budgets  (O,M), (P,L), (L,L)  There is no legal impact if the information is made public. Public image is not damaged by this information becoming public. Budget amount is not critical information; some of the information is already published in publicly traded companies.
CEO  (O,L), (P,L), (L,H)  CEO information is considered sensitive and has legal requirements for protection. CEO information is not going to impact the company's operations if the information is hacked.
ConversationEmployee  (O,M), (P,L), (L,L)  There is no legal impact if the information is made public. Public image is not damaged by this information becoming public.
ConversationMediaOutlet  (O,L), (P,L), (L,L)  There is no legal impact if the information is made public. Public image is not damaged by this information becoming public.
Conversations  (O,H), (P,M), (L,H)  The conversation details may contain sensitive data as well as embarrassing information about company services.
Customers  (O,H), (P,H), (L,H)  Customer information is considered sensitive and has legal requirements for protection. Company image will be damaged if customer information is released because the company cannot protect sensitive information.
Departments  (O,L), (P,L), (L,L)  Most companies have similar departments that are publicly known.
Drawings  (O,H), (P,L), (L,L)  There is high operational damage if competitors have access to how products are built.
EmployeeReportsTo  (O,L), (P,L), (L,L)  There is no legal impact if the information is made public. Public image is not damaged by this information becoming public.
Employees  (O,L), (P,L), (L,H)  Employee information is considered sensitive and has legal requirements for protection. Employee information is not going to impact the company's operations if the information is hacked.
FGPTMachineType  (O,M), (P,L), (L,L)  There is no legal impact if the information is made public. Public image is not damaged by this information becoming public. There is high operational damage if competitors know how long it takes to make products.
FinishedGoodShelfs  (O,L), (P,L), (L,L)  There is no legal impact if the information is made public. Public image is not damaged by this information becoming public.
FinishedGoodsProductItems  (O,M), (P,L), (L,L)  There is no legal impact if the information is made public. Public image is not damaged by this information becoming public. Inventory information may be operationally sensitive.
FinishedGoodsProductType  (O,H), (P,L), (L,L)  There is no legal impact if the information is made public. Public image is not damaged by this information becoming public. There is high operational damage if competitors know UnitPrice and CostPrice to figure out the profit margins.
Foreman  (O,L), (P,L), (L,H)  There are legal requirements to protect employee information. Public image is not damaged by this information becoming public.
MachineInstances  (O,L), (P,M), (L,M)  The machines must be maintained and serviced. If an employee is injured on the job and the machine has not been serviced, there could be public embarrassment and legal impact in case of litigation.
MachineTypes  (O,L), (P,L), (L,L)  There is no legal impact if the information is made public. Public image is not damaged by this information becoming public.
Machinists  (O,L), (P,L), (L,H)  There are legal requirements to protect employee information. Public image is not damaged by this information becoming public.
MachinistShift  (O,M), (P,L), (L,L)  There is no legal impact if the information is made public. Public image is not damaged by this information becoming public.
MediaOutlets  (O,H), (P,M), (L,H)  Media outlets are publicly known. However, the cost of media to the company can be a negotiated item. There is damage if how much the company spends on media is known to competitors. There may be contractual obligation not to release information.
OperationsVP  (O,L), (P,L), (L,H)  There are legal requirements to protect employee information. Public image is not damaged by this information becoming public.
POFollowUps  (O,H), (P,M), (L,H)  The conversation details may contain sensitive information. Legally, cannot release conversations with individuals.
ProcessFlows  (O,H), (P,L), (L,L)  There is high operational damage if competitors have access to how products are built.
ProductItems  (O,L), (P,L), (L,L)  There is no legal impact if the information is made public. Public image is not damaged by this information becoming public.
ProductType  (O,L), (P,L), (L,L)  There is no legal impact if the information is made public. Public image is not damaged by this information becoming public.
PurchaseOrders  (O,H), (P,L), (L,L)  There is no legal impact if the information is made public. Public image is not damaged by this information becoming public.
RawMaterialProductTypes  (O,M), (P,L), (L,L)  There is no legal impact if the information is made public. Public image is not damaged by this information becoming public.
RawMaterialShelves  (O,L), (P,L), (L,L)  There is no legal impact if the information is made public. Public image is not damaged by this information becoming public.
RawMaterialsProductItems  (O,L), (P,L), (L,L)  There is no legal impact if the information is made public. Public image is not damaged by this information becoming public.
ReceivingClerks  (O,L), (P,L), (L,H)  There are legal requirements to protect employee information. Public image is not damaged by this information becoming public.
RMTypePO  (O,H), (P,L), (L,L)  There is no legal impact if the information is made public. Public image is not damaged by this information becoming public.
SalesMktgAssociate  (O,L), (P,L), (L,H)  There are legal requirements to protect employee information. Public image is not damaged by this information becoming public.
SalesMktgManager  (O,L), (P,L), (L,H)  There are legal requirements to protect employee information. Public image is not damaged by this information becoming public.
SalesMktgReceptionist  (O,L), (P,L), (L,H)  There are legal requirements to protect employee information. Public image is not damaged by this information becoming public.
SalesMktgReceptionistSurveysItems  (O,H), (P,L), (L,M)  Legally, cannot release conversations with individuals.
SalesMktgVP  (O,L), (P,L), (L,H)  There are legal requirements to protect employee information. Public image is not damaged by this information becoming public.
SalesOrderEmployee  (O,L), (P,L), (L,L)  There is no legal impact if the information is made public. Public image is not damaged by this information becoming public.
SalesOrders  (O,H), (P,L), (L,L)  There is no legal impact if the information is made public. Public image is not damaged by this information becoming public.
Shifts  (O,H), (P,M), (L,M)  Public image is not damaged by this information becoming public. There might be legal or public image impact if employees are overworked. Company's operation is impacted if shift information is damaged or lost.
Shipments (O,H), (P,M), (L,H) The comments may contain sensitive data. Shipping rates that are negotiated via contracts may carry a legal obligation not to release the information. There is high operational damage if shipping details are released to the public, since they reveal profit margins. Public image damage is possible if shipping profits are released to customers.
ShippingClerks (O,M), (P,L), (L,L) There is no legal impact if the information is made public. Public image is not damaged by this information becoming public.
ShopManagers (O,M), (P,L), (L,L) There is no legal impact if the information is made public. Public image is not damaged by this information becoming public.
Shops (O,L), (P,L), (L,L) There is no legal impact if the information is made public. Public image is not damaged by this information becoming public.
StockingClerks (O,M), (P,L), (L,L) There is no legal impact if the information is made public. Public image is not damaged by this information becoming public.
SupplierRMTypes (O,H), (P,L), (L,L) There is no legal impact if the information is made public. Public image is not damaged by this information becoming public. There is high operational damage if competitors know how much suppliers are charging for raw materials.
Suppliers (O,H), (P,H), (L,H) Supplier information is considered sensitive and has legal requirements for protection. Company image will be damaged if supplier information is released, because the company cannot protect sensitive information. There is high operational damage if competitors have access to supplier information.
Surveys (O,M), (P,L), (L,L) There is no legal impact if the information is made public. Public image is not damaged by this information becoming public.
WIPProductItems (O,H), (P,L), (L,L) There is no legal impact if the information is made public. Public image is not damaged by this information becoming public. There is high operational damage if competitors know how long it takes to build products. Inventory information is financially sensitive as well.
WIPProductTypes (O,L), (P,L), (L,L) There is no legal impact if the information is made public. Public image is not damaged by this information becoming public.
WIPPTMachineType (O,H), (P,L), (L,L) There is no legal impact if the information is made public. Public image is not damaged by this information becoming public. There is high operational damage if competitors know what machines are used to make what products and the time required to build the products.

Appendix F. Instantiation of mapOPLToA and mapOPLToM functions for all OPL mappings

OPL classification tuple, followed by the data access (DA) and data modification (DM) levels and the combined DA + DM pair

Tuple DA DM DA + DM

(O,L), (P,L), (L,L) LLL LLM LM
(O,L), (P,L), (L,M) LLM LLH MH
(O,L), (P,L), (L,H) LLH LLH HH
(O,L), (P,M), (L,L) LML LMM MM
(O,L), (P,M), (L,M) LMM LMH MH
(O,L), (P,M), (L,H) LMH LMH HH
(O,L), (P,H), (L,L) LHL LMM HM
(O,L), (P,H), (L,M) LHM LMH HH
(O,L), (P,H), (L,H) LHH LMH HH
(O,M), (P,L), (L,L) MLL MLM MM
(O,M), (P,L), (L,M) MLM MLH MH
(O,M), (P,L), (L,H) MLH MLH HH
(O,M), (P,M), (L,L) MML MMM MM
(O,M), (P,M), (L,M) MMM MMH MH
(O,M), (P,M), (L,H) MMH MMH HH
(O,M), (P,H), (L,L) MHL MMM HM
(O,M), (P,H), (L,M) MHM MMH HH
(O,M), (P,H), (L,H) MHH MMH HH
(O,H), (P,L), (L,L) MLL HLM MH
(O,H), (P,L), (L,M) MLM HLH MH
(O,H), (P,L), (L,H) MLH HLH HH
(O,H), (P,M), (L,L) MML HMM MH
(O,H), (P,M), (L,M) MMM HMH MH
(O,H), (P,M), (L,H) MMH HMH HH
(O,H), (P,H), (L,L) MHL HMM HH
(O,H), (P,H), (L,M) MHM HMH HH
(O,H), (P,H), (L,H) MHH HMH HH

Appendix G. Instantiation of scoreControlsAcc and scoreControlsMod mappings for all controls in the Universe of controls for
ACME Corp.

Control # and control (IT process/infrastructure level); data access score at Low Medium High; data modification score at Low Medium High; At ACME (Y/N); control score (DA + DM) at LL LM LH ML MM MH HL HM HH

P1 Documented procedures 3 5 8 3 5 10 N 6 8 13 8 10 15 11 13 18
P2 Authentication and authorization rules followed for automated and manual data transfers across systems 4 6 10 6 8 10 N 10 12 14 12 14 16 16 18 20
P3 Plan for archiving account privileges data 1 6 9 2 5 9 Y 3 6 10 8 11 15 11 14 18
P4 Problem logs regarding security issues 4 5 10 5 8 10 N 9 12 14 10 13 15 15 18 20
P5 Activity logs regarding security fixes 3 6 9 5 8 10 N 8 11 13 11 14 16 14 17 19
P6 DB servers properly configured 4 5 10 4 6 10 Y 8 10 14 9 11 15 14 16 20
P7 Software patched with version control 2 5 9 2 5 9 Y 4 7 11 7 10 14 11 14 18
P8 Limited external network access 5 8 10 5 8 10 Y 10 13 15 13 16 18 15 18 20
P9 Authentication on network 5 7 9 6 8 10 Y 11 13 15 13 15 17 15 17 19
P10 Network activity log 5 6 8 5 7 10 N 10 12 15 11 13 16 13 15 18
P11 Disaster recovery plan if unauthorized internal or external access 3 5 7 4 6 9 Y 7 9 12 9 11 14 11 13 16
P12 Physical access secured 2 5 9 1 3 6 Y 3 5 8 6 8 11 10 12 15
P13 Limited access to IT assets 3 6 9 5 7 9 Y 8 10 12 11 13 15 14 16 18
P14 Physical access monitored 2 4 8 2 6 8 Y 4 8 10 6 10 12 10 14 16
P15 Change management policy and procedures 3 5 9 3 6 8 Y 6 9 11 8 11 13 12 15 17
P16 Background checks on new IT hires 3 5 8 3 5 9 Y 6 8 12 8 10 14 11 13 17

Appendix H. Spreadsheet calculation for contribution of in-place IT security controls

ACME table OPL classification DA + DM A1 A2 A4 A7 A8 P3 P6 P7 P8 P9 P11 P12 P13 P14 P15 P16 Control contribution Normalized control contribution

AdCampaignMediaOutlet (O,L), (P,L), (L,M) MH 17 15 17 17 14 15 15 14 18 17 14 11 15 12 13 14 238 0.8
AdvertisingCampaigns (O,L), (P,L), (L,L) LM 10 8 10 14 7 6 10 7 13 13 9 5 10 8 9 8 147 0.5
BillOfMaterials (O,M), (P,L), (L,L) MM 14 11 14 16 9 11 11 10 16 15 11 8 13 10 11 10 190 0.7
BOMInstances (O,L), (P,L), (L,L) LM 10 8 10 14 7 6 10 7 13 13 9 5 10 8 9 8 147 0.5
Budgets (O,M), (P,L), (L,L) MM 14 11 14 16 9 11 11 10 16 15 11 8 13 10 11 10 190 0.7
CEO (O,L), (P,L), (L,H) HH 20 19 20 18 19 18 20 18 20 19 16 15 18 16 17 17 290 1.0
ConversationEmployee (O,M), (P,L), (L,L) MM 14 11 14 16 9 11 11 10 16 15 11 8 13 10 11 10 190 0.7
ConversationMediaOutlet (O,L), (P,L), (L,L) LM 10 8 10 14 7 6 10 7 13 13 9 5 10 8 9 8 147 0.5
Conversations (O,H), (P,M), (L,H) HH 20 19 20 18 19 18 20 18 20 19 16 15 18 16 17 17 290 1.0
Customers (O,H), (P,H), (L,H) HH 20 19 20 18 19 18 20 18 20 19 16 15 18 16 17 17 290 1.0
Departments (O,L), (P,L), (L,L) LM 10 8 10 14 7 6 10 7 13 13 9 5 10 8 9 8 147 0.5
Drawings (O,H), (P,L), (L,L) MH 17 15 17 17 14 15 15 14 18 17 14 11 15 12 13 14 238 0.8
EmployeeReportsTo (O,L), (P,L), (L,L) LM 10 8 10 14 7 6 10 7 13 13 9 5 10 8 9 8 147 0.5
Employees (O,L), (P,L), (L,H) HH 20 19 20 18 19 18 20 18 20 19 16 15 18 16 17 17 290 1.0
FGPTMachineType (O,M), (P,L), (L,L) MM 14 11 14 16 9 11 11 10 16 15 11 8 13 10 11 10 190 0.7
FinishedGoodShelfs (O,L), (P,L), (L,L) LM 10 8 10 14 7 6 10 7 13 13 9 5 10 8 9 8 147 0.5
FinishedGoodsProductItems (O,M), (P,L), (L,L) MM 14 11 14 16 9 11 11 10 16 15 11 8 13 10 11 10 190 0.7
FinishedGoodsProductType (O,H), (P,L), (L,L) MH 17 15 17 17 14 15 15 14 18 17 14 11 15 12 13 14 238 0.8
Foreman (O,L), (P,L), (L,H) HH 20 19 20 18 19 18 20 18 20 19 16 15 18 16 17 17 290 1.0
MachineInstances (O,L), (P,M), (L,M) MH 17 15 17 17 14 15 15 14 18 17 14 11 15 12 13 14 238 0.8
MachineTypes (O,L), (P,L), (L,L) LM 10 8 10 14 7 6 10 7 13 13 9 5 10 8 9 8 147 0.5
Machinists (O,L), (P,L), (L,H) HH 20 19 20 18 19 18 20 18 20 19 16 15 18 16 17 17 290 1.0
MachinistShift (O,M), (P,L), (L,L) MM 14 11 14 16 9 11 11 10 16 15 11 8 13 10 11 10 190 0.7
MediaOutlets (O,H), (P,M), (L,H) HH 20 19 20 18 19 18 20 18 20 19 16 15 18 16 17 17 290 1.0
OperationsVP (O,L), (P,L), (L,H) HH 20 19 20 18 19 18 20 18 20 19 16 15 18 16 17 17 290 1.0
POFollowUps (O,H), (P,M), (L,H) HH 20 19 20 18 19 18 20 18 20 19 16 15 18 16 17 17 290 1.0
ProcessFlows (O,H), (P,L), (L,L) MH 17 15 17 17 14 15 15 14 18 17 14 11 15 12 13 14 238 0.8
ProductItems (O,L), (P,L), (L,L) LM 10 8 10 14 7 6 10 7 13 13 9 5 10 8 9 8 147 0.5
ProductType (O,L), (P,L), (L,L) LM 10 8 10 14 7 6 10 7 13 13 9 5 10 8 9 8 147 0.5
PurchaseOrders (O,H), (P,L), (L,L) MH 17 15 17 17 14 15 15 14 18 17 14 11 15 12 13 14 238 0.8
RawMaterialProductTypes (O,M), (P,L), (L,L) MM 14 11 14 16 9 11 11 10 16 15 11 8 13 10 11 10 190 0.7
RawMaterialShelves (O,L), (P,L), (L,L) LM 10 8 10 14 7 6 10 7 13 13 9 5 10 8 9 8 147 0.5
RawMaterialsProductItems (O,L), (P,L), (L,L) LM 10 8 10 14 7 6 10 7 13 13 9 5 10 8 9 8 147 0.5
ReceivingClerks (O,L), (P,L), (L,H) HH 20 19 20 18 19 18 20 18 20 19 16 15 18 16 17 17 290 1.0
RMTypePO (O,H), (P,L), (L,L) MH 17 15 17 17 14 15 15 14 18 17 14 11 15 12 13 14 238 0.8
SalesMktgAssociate (O,L), (P,L), (L,H) HH 20 19 20 18 19 18 20 18 20 19 16 15 18 16 17 17 290 1.0
SalesMktgManager (O,L), (P,L), (L,H) HH 20 19 20 18 19 18 20 18 20 19 16 15 18 16 17 17 290 1.0
SalesMktgReceptionist (O,L), (P,L), (L,H) HH 20 19 20 18 19 18 20 18 20 19 16 15 18 16 17 17 290 1.0
SalesMktgReceptionistSurveysItems (O,H), (P,L), (L,M) MH 17 15 17 17 14 15 15 14 18 17 14 11 15 12 13 14 238 0.8
SalesMktgVP (O,L), (P,L), (L,H) HH 20 19 20 18 19 18 20 18 20 19 16 15 18 16 17 17 290 1.0
SalesOrderEmployee (O,L), (P,L), (L,L) LM 10 8 10 14 7 6 10 7 13 13 9 5 10 8 9 8 147 0.5
SalesOrders (O,H), (P,L), (L,L) MH 17 15 17 17 14 15 15 14 18 17 14 11 15 12 13 14 238 0.8
Shifts (O,H), (P,M), (L,M) MH 17 15 17 17 14 15 15 14 18 17 14 11 15 12 13 14 238 0.8
Shipments (O,H), (P,M), (L,H) HH 20 19 20 18 19 18 20 18 20 19 16 15 18 16 17 17 290 1.0
ShippingClerks (O,M), (P,L), (L,L) MM 14 11 14 16 9 11 11 10 16 15 11 8 13 10 11 10 190 0.7
ShopManagers (O,M), (P,L), (L,L) MM 14 11 14 16 9 11 11 10 16 15 11 8 13 10 11 10 190 0.7
Shops (O,L), (P,L), (L,L) LM 10 8 10 14 7 6 10 7 13 13 9 5 10 8 9 8 147 0.5
StockingClerks (O,M), (P,L), (L,L) MM 14 11 14 16 9 11 11 10 16 15 11 8 13 10 11 10 190 0.7
SupplierRMTypes (O,H), (P,L), (L,L) MH 17 15 17 17 14 15 15 14 18 17 14 11 15 12 13 14 238 0.8
Suppliers (O,H), (P,H), (L,H) HH 20 19 20 18 19 18 20 18 20 19 16 15 18 16 17 17 290 1.0
Surveys (O,M), (P,L), (L,L) MM 14 11 14 16 9 11 11 10 16 15 11 8 13 10 11 10 190 0.7
WIPProductItems (O,H), (P,L), (L,L) MH 17 15 17 17 14 15 15 14 18 17 14 11 15 12 13 14 238 0.8
WIPProductTypes (O,L), (P,L), (L,L) LM 10 8 10 14 7 6 10 7 13 13 9 5 10 8 9 8 147 0.5
WIPPTMachineType (O,H), (P,L), (L,L) MH 17 15 17 17 14 15 15 14 18 17 14 11 15 12 13 14 238 0.8

Raw overall control contribution→ 835 732 835 881 683 688 776 678 912 872 685 541 766 634 688 676
Proportional overall control contribution→ 0.916 0.803 0.916 0.966 0.749 0.754 0.851 0.743 1.000 0.956 0.751 0.593 0.840 0.695 0.754 0.741

Spreadsheet calculation for control deficiency risk due to each missing IT security control

ACME table OPL classification DA + DM A3 A5 A6 A9 A10 A11 P1 P2 P4 P5 P10 Raw CDR Proportional CDR

AdCampaignMediaOutlet (O,L), (P,L), (L,M) MH 16 15 15 14 13 13 15 16 15 16 16 164 0.8
AdvertisingCampaigns (O,L), (P,L), (L,L) LM 9 8 8 8 10 7 8 12 12 11 12 105 0.5
BillOfMaterials (O,M), (P,L), (L,L) MM 13 12 13 9 11 9 10 14 13 14 13 131 0.6
BOMInstances (O,L), (P,L), (L,L) LM 9 8 8 8 10 7 8 12 12 11 12 105 0.5
Budgets (O,M), (P,L), (L,L) MM 13 12 13 9 11 9 10 14 13 14 13 131 0.6
CEO (O,L), (P,L), (L,H) HH 20 20 18 20 16 15 18 20 20 19 18 204 1.0
ConversationEmployee (O,M), (P,L), (L,L) MM 13 12 13 9 11 9 10 14 13 14 13 131 0.6
ConversationMediaOutlet (O,L), (P,L), (L,L) LM 9 8 8 8 10 7 8 12 12 11 12 105 0.5
Conversations (O,H), (P,M), (L,H) HH 20 20 18 20 16 15 18 20 20 19 18 204 1.0
Customers (O,H), (P,H), (L,H) HH 20 20 18 20 16 15 18 20 20 19 18 204 1.0
Departments (O,L), (P,L), (L,L) LM 9 8 8 8 10 7 8 12 12 11 12 105 0.5
Drawings (O,H), (P,L), (L,L) MH 16 15 15 14 13 13 15 16 15 16 16 164 0.8
EmployeeReportsTo (O,L), (P,L), (L,L) LM 9 8 8 8 10 7 8 12 12 11 12 105 0.5
Employees (O,L), (P,L), (L,H) HH 20 20 18 20 16 15 18 20 20 19 18 204 1.0
FGPTMachineType (O,M), (P,L), (L,L) MM 13 12 13 9 11 9 10 14 13 14 13 131 0.6
FinishedGoodShelfs (O,L), (P,L), (L,L) LM 9 8 8 8 10 7 8 12 12 11 12 105 0.5
FinishedGoodsProductItems (O,M), (P,L), (L,L) MM 13 12 13 9 11 9 10 14 13 14 13 131 0.6
FinishedGoodsProductType (O,H), (P,L), (L,L) MH 16 15 15 14 13 13 15 16 15 16 16 164 0.8
Foreman (O,L), (P,L), (L,H) HH 20 20 18 20 16 15 18 20 20 19 18 204 1.0
MachineInstances (O,L), (P,M), (L,M) MH 16 15 15 14 13 13 15 16 15 16 16 164 0.8
MachineTypes (O,L), (P,L), (L,L) LM 9 8 8 8 10 7 8 12 12 11 12 105 0.5
Machinists (O,L), (P,L), (L,H) HH 20 20 18 20 16 15 18 20 20 19 18 204 1.0
MachinistShift (O,M), (P,L), (L,L) MM 13 12 13 9 11 9 10 14 13 14 13 131 0.6
MediaOutlets (O,H), (P,M), (L,H) HH 20 20 18 20 16 15 18 20 20 19 18 204 1.0
OperationsVP (O,L), (P,L), (L,H) HH 20 20 18 20 16 15 18 20 20 19 18 204 1.0
POFollowUps (O,H), (P,M), (L,H) HH 20 20 18 20 16 15 18 20 20 19 18 204 1.0
ProcessFlows (O,H), (P,L), (L,L) MH 16 15 15 14 13 13 15 16 15 16 16 164 0.8
ProductItems (O,L), (P,L), (L,L) LM 9 8 8 8 10 7 8 12 12 11 12 105 0.5
ProductType (O,L), (P,L), (L,L) LM 9 8 8 8 10 7 8 12 12 11 12 105 0.5
PurchaseOrders (O,H), (P,L), (L,L) MH 16 15 15 14 13 13 15 16 15 16 16 164 0.8
RawMaterialProductTypes (O,M), (P,L), (L,L) MM 13 12 13 9 11 9 10 14 13 14 13 131 0.6
RawMaterialShelves (O,L), (P,L), (L,L) LM 9 8 8 8 10 7 8 12 12 11 12 105 0.5
RawMaterialsProductItems (O,L), (P,L), (L,L) LM 9 8 8 8 10 7 8 12 12 11 12 105 0.5
ReceivingClerks (O,L), (P,L), (L,H) HH 20 20 18 20 16 15 18 20 20 19 18 204 1.0
RMTypePO (O,H), (P,L), (L,L) MH 16 15 15 14 13 13 15 16 15 16 16 164 0.8
SalesMktgAssociate (O,L), (P,L), (L,H) HH 20 20 18 20 16 15 18 20 20 19 18 204 1.0
SalesMktgManager (O,L), (P,L), (L,H) HH 20 20 18 20 16 15 18 20 20 19 18 204 1.0
SalesMktgReceptionist (O,L), (P,L), (L,H) HH 20 20 18 20 16 15 18 20 20 19 18 204 1.0
SalesMktgReceptionistSurveysItems (O,H), (P,L), (L,M) MH 16 15 15 14 13 13 15 16 15 16 16 164 0.8
SalesMktgVP (O,L), (P,L), (L,H) HH 20 20 18 20 16 15 18 20 20 19 18 204 1.0
SalesOrderEmployee (O,L), (P,L), (L,L) LM 9 8 8 8 10 7 8 12 12 11 12 105 0.5
SalesOrders (O,H), (P,L), (L,L) MH 16 15 15 14 13 13 15 16 15 16 16 164 0.8
Shifts (O,H), (P,M), (L,M) MH 16 15 15 14 13 13 15 16 15 16 16 164 0.8
Shipments (O,H), (P,M), (L,H) HH 20 20 18 20 16 15 18 20 20 19 18 204 1.0
ShippingClerks (O,M), (P,L), (L,L) MM 13 12 13 9 11 9 10 14 13 14 13 131 0.6
ShopManagers (O,M), (P,L), (L,L) MM 13 12 13 9 11 9 10 14 13 14 13 131 0.6
Shops (O,L), (P,L), (L,L) LM 9 8 8 8 10 7 8 12 12 11 12 105 0.5
StockingClerks (O,M), (P,L), (L,L) MM 13 12 13 9 11 9 10 14 13 14 13 131 0.6
SupplierRMTypes (O,H), (P,L), (L,L) MH 16 15 15 14 13 13 15 16 15 16 16 164 0.8
Suppliers (O,H), (P,H), (L,H) HH 20 20 18 20 16 15 18 20 20 19 18 204 1.0
Surveys (O,M), (P,L), (L,L) MM 13 12 13 9 11 9 10 14 13 14 13 131 0.6
WIPProductItems (O,H), (P,L), (L,L) MH 16 15 15 14 13 13 15 16 15 16 16 164 0.8
WIPProductTypes (O,L), (P,L), (L,L) LM 9 8 8 8 10 7 8 12 12 11 12 105 0.5
WIPPTMachineType (O,H), (P,L), (L,L) MH 16 15 15 14 13 13 15 16 15 16 16 164 0.8

Raw overall CDR→ 797 759 738 713 686 606 705 850 826 820 807
Proportional overall control deficiency risk→ 0.846 0.806 0.783 0.757 0.728 0.643 0.748 0.902 0.877 0.870 0.857

The bold numbers represent the contribution of all controls for each table.
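The following is an added worked example, not the authors' spreadsheet or code, that reproduces the arithmetic of Appendices F, G and H in Python. The mapOPLToA and mapOPLToM rules it encodes are an assumption inferred from the 27 rows of Appendix F (each row is reproduced by them, and the DA + DM pair is the highest component of each triple); the control scores are the P1 to P16 rows of Appendix G. The application controls A1 to A11 are scored in an appendix not reproduced here and are therefore left out, so the per-table totals are the Appendix H figures minus the A columns. SAMPLE_TABLES is a constructed subset of the ACME tables with their OPL classification from Appendix E. Proportional values are normalized by the column maximum, which matches the 1.000 of the contribution table; the denominator the paper uses for proportional CDR is not on the page, so that column is not reproduced.

```python
"""Added example: reconstruction of the OPL -> DA/DM mapping (Appendix F),
control scoring (Appendix G) and the spreadsheet sums (Appendix H).
Not the authors' code; mapping rules are inferred from Appendix F."""
from itertools import product

LEVELS = ("L", "M", "H")
RANK = {"L": 0, "M": 1, "H": 2}


def _cap_at_medium(level):
    """Inferred rule: H collapses to M, L and M are unchanged."""
    return "M" if level == "H" else level


def _raise_one(level):
    """Inferred rule: L -> M, M -> H, H stays H."""
    return LEVELS[min(RANK[level] + 1, 2)]


def map_opl_to_a(o, p, l):
    """Data-access triple: operational impact capped at M, P and L carried over."""
    return _cap_at_medium(o) + p + l


def map_opl_to_m(o, p, l):
    """Data-modification triple: O carried over, P capped at M, L raised one level."""
    return o + _cap_at_medium(p) + _raise_one(l)


def collapse(triple):
    """A DA or DM triple collapses to its highest component."""
    return max(triple, key=RANK.__getitem__)


def da_dm(o, p, l):
    """The 'DA + DM' pair of Appendix F, e.g. (H,L,L) -> 'MH'."""
    return collapse(map_opl_to_a(o, p, l)) + collapse(map_opl_to_m(o, p, l))


def appendix_f():
    """All 27 OPL tuples -> (DA, DM, DA + DM), in Appendix F order."""
    return {(o, p, l): (map_opl_to_a(o, p, l), map_opl_to_m(o, p, l), da_dm(o, p, l))
            for o, p, l in product(LEVELS, repeat=3)}


# Appendix G: ((DA low, med, high), (DM low, med, high), in place at ACME)
CONTROLS = {
    "P1": ((3, 5, 8), (3, 5, 10), False),   "P2": ((4, 6, 10), (6, 8, 10), False),
    "P3": ((1, 6, 9), (2, 5, 9), True),     "P4": ((4, 5, 10), (5, 8, 10), False),
    "P5": ((3, 6, 9), (5, 8, 10), False),   "P6": ((4, 5, 10), (4, 6, 10), True),
    "P7": ((2, 5, 9), (2, 5, 9), True),     "P8": ((5, 8, 10), (5, 8, 10), True),
    "P9": ((5, 7, 9), (6, 8, 10), True),    "P10": ((5, 6, 8), (5, 7, 10), False),
    "P11": ((3, 5, 7), (4, 6, 9), True),    "P12": ((2, 5, 9), (1, 3, 6), True),
    "P13": ((3, 6, 9), (5, 7, 9), True),    "P14": ((2, 4, 8), (2, 6, 8), True),
    "P15": ((3, 5, 9), (3, 6, 8), True),    "P16": ((3, 5, 8), (3, 5, 9), True),
}


def control_score(control, pair):
    """scoreControlsAcc + scoreControlsMod for one control at one DA + DM pair."""
    da_scores, dm_scores, _ = CONTROLS[control]
    return da_scores[RANK[pair[0]]] + dm_scores[RANK[pair[1]]]


def table_totals(opl_by_table):
    """Per table: (DA + DM pair, contribution of in-place controls, raw CDR of
    missing controls), restricted to P1..P16 (the A controls are not on this page)."""
    totals = {}
    for name, (o, p, l) in opl_by_table.items():
        pair = da_dm(o, p, l)
        in_place = sum(control_score(c, pair) for c, (_, _, on) in CONTROLS.items() if on)
        missing = sum(control_score(c, pair) for c, (_, _, on) in CONTROLS.items() if not on)
        totals[name] = (pair, in_place, missing)
    return totals


def overall_by_control(opl_by_table):
    """Column sums over all tables: raw overall contribution (in-place controls)
    or raw overall CDR (missing controls), with the value proportional to the
    maximum within its group, as the contribution table in Appendix H does."""
    raw = {c: sum(control_score(c, da_dm(*opl)) for opl in opl_by_table.values())
           for c in CONTROLS}
    group_max = {on: max(v for c, v in raw.items() if CONTROLS[c][2] is on)
                 for on in (True, False)}
    return {c: (v, round(v / group_max[CONTROLS[c][2]], 3)) for c, v in raw.items()}


# Constructed subset of ACME tables with OPL classification taken from Appendix E
SAMPLE_TABLES = {
    "Suppliers": ("H", "H", "H"), "Machinists": ("L", "L", "H"),
    "Shifts": ("H", "M", "M"), "Budgets": ("M", "L", "L"), "Shops": ("L", "L", "L"),
}

if __name__ == "__main__":
    for name, (pair, contrib, cdr) in table_totals(SAMPLE_TABLES).items():
        print(f"{name:11} {pair}  in-place contribution={contrib:3d}  raw CDR={cdr:3d}")
    for c, (raw, prop) in overall_by_control(SAMPLE_TABLES).items():
        status = "in place" if CONTROLS[c][2] else "missing"
        print(f"{c:4} {status:8} raw={raw:3d} proportional={prop}")
```

For an audit, the useful output is the second loop: the missing control with the highest raw overall CDR (here P2, as in the full Appendix H) is the one whose absence exposes the most critical data, and the in-place control with the highest contribution (P8) is the one most worth testing thoroughly.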

Firoozeh Rahimian got her PhD from the CyberSecurity Institute at the Department of Computer Science, The University of Tulsa. She has over 20 years of experience in
IT project management, IT auditing and database management. Her work involves cyber security methods that can be adopted by organizations at the user and group
levels.

Akhilesh Bajaj got his PhD in Management Information Systems, minor: Computer Science, from the University of Arizona. He has published in several journals includ-
ing Management Science, Information Systems, Journal of Information Systems, Journal of Association of Information Systems, and IEEE Transactions on Knowledge and Data
Engineering. He is currently the Chapman Endowed Chair and Professor of MIS at the University of Tulsa, in the school of Accounting and MIS.

Wray Bradley got his PhD in Accounting from the University of Arkansas. He has published in several journals including The Journal of Information Systems, Behavioral
Research in Accounting and the Journal of the American Academy of Business, Cambridge. He is currently Associate Professor of Accounting at the School of Accounting and
MIS, the University of Tulsa.
