An Open Reference Framework for Enterprise Information Security Risk Management Using the STOPE Scope and the Six-Sigma Process

With the wide-spreading use of e-transactions in enterprises, information security risk management (ISRM) is becoming essential for establishing a safe environment for their activities. This paper is concerned with introducing a new and comprehensive ISRM framework that enables the effective establishment of the target safe environment. The framework has two structural dimensions; and two procedural dimensions. The structural dimensions include: ISRM "scope", and ISRM "assessment criteria"; while the procedural dimensions include: ISRM "process", and ISRM "assessment tools". The framework uses the comprehensive STOPE (Strategy, Technology, Organization, People, and Environment) view for the ISRM scope; while its assessment criteria is considered to be open to various standards. For the procedural dimensions, the framework uses the widely known six-sigma DAMIC (Define, Measure, Analyze, Improve, and Control) cycle for the ISRM process; and it considers the use of various assessment tools. It is hoped that the framework provides useful tools for future applications.