1. Introduction
Currently, educational institutions use information systems to manage academic information such as subjects, grades, schedules and classrooms. However, with the growing number of network threats, this information can be stolen, modified or erased by attackers, causing major losses to institutions; for example, Universidad de Pamplona has faced multiple lawsuits over alleged trafficking of grades [1]. Possible causes of such incidents are corrupt staff, unauthorized people manipulating the academic information system, users holding privileges that do not correspond to their role in the system, and improper use of the system by users who lack information security knowledge. Thus people are considered the weakest link in the security chain, and organizations need to instruct them in better information-handling practices [2]. In [3], Yilmaz and Yalman made a comparative analysis of the security infrastructure of six universities in Turkey. They found that, in the primary defense stage, the main security faults were in remote access (50% severely lacking, 33.3% needs improvement), intrusion detection systems (33.3% severely lacking, 50% needs improvement) and wireless (16.7% severely lacking, 83.3% needs improvement); in the authentication stage, in password policies for user accounts (100% severely lacking), password policies for remote users (100% severely lacking), administrative users (100% needs improvement) and remote access users (50% severely lacking); and in the administration and monitoring stage, in secure build (50% severely lacking, 16.7% needs improvement), physical security (50% needs improvement) and event report and response (50% needs improvement).
They also found that the main people-related security faults were policies and procedures (66.7% severely lacking, 16.7% needs improvement) and training and awareness (33.3% severely lacking, 33.3% needs improvement). For this reason, we decided to design a methodology for academic information systems.
Educational institutions should apply a risk prevention methodology to avoid misuse of academic information by users or attackers. The methodologies found in the literature are too complex to understand and to carry out, and focus on technology rather than on the human factor.
For this reason, a new methodology called MePRiSIA was designed; it is easy to understand and includes the human factor in each step. In addition, this methodology is oriented to academic information systems, so it considers the assets of this kind of system and their vulnerabilities.
The rest of the paper is organized as follows: in section 2, the methodology used to design and evaluate MePRiSIA is described; in section 3, risk prevention and defense in depth model are defined; in section 4, steps of MePRiSIA are described; in section 5, the results of the evaluation of MePRiSIA and its application to ACADEMUSOFT are presented, and conclusions are given in section 6.
2. Methodology
To design the Risk Prevention Methodology for Academic Information Systems (MePRiSIA, Metodología de Prevención de Riesgos para Sistemas de Información Académica), the following steps were carried out:
Analysis of risk management and prevention methodologies: A qualitative approach was used to analyze nine risk management and prevention methodologies found in the literature: OCTAVE [4], CORAS [5], Risk Management Methodology according to Australian Standard [6], NTC-ISO/IEC 27005: Risk Management in Information Security [7], CRAMM [8], MAGERIT [9], Risk Management Guide for Information Technology Systems [10], Methodology for the Diagnosis, Prevention and Control of Corruption in Public Safety Programs according to IDB [11] and Guide to Malware Incident Prevention and Handling [12]. These methodologies were compared to establish similarities and differences among them in [13].
Definition of MePRiSIA: goals and steps: From the previous comparison, four steps present in most of the studied methodologies were identified, together with the distinctive characteristics that MePRiSIA should have. On that basis, the purpose and goals of MePRiSIA, its target audience and its steps were established.
Specification of MePRiSIA steps: By reviewing how the studied methodologies carry out the steps established for MePRiSIA, the most important aspects of each step and the simplest way to obtain the expected results were determined. Taking the book ‘Diseño de un Sistema de Gestión de Seguridad de la Información, Óptica ISO 27001:2005’ [14] as a reference, the fields of the tables were established, taking into account the requirements of this kind of system. Thus, the first three steps of MePRiSIA were defined.
To specify step 4 of MePRiSIA, the vulnerabilities identified in the assets of step 1 were combined with the four elements of the Guide to Malware Incident Prevention and Handling [12], the layers of the defense in depth model [15], the controls of NTC-ISO/IEC 27001 [16] and the authors' knowledge of security measures.
Evaluation of MePRiSIA: An evaluation form was prepared, and a group of experts evaluated and graded each step of MePRiSIA from 1 (very low) to 5 (very high) on three indicators: whether the step is easy to understand, whether it includes the human factor, and whether it is easy to implement. The form also had a field for observations about each step. The results were then analyzed through a matrix that includes the average value per indicator, the standard deviation, the weighting per indicator and the degree of compliance with the goal. The three experts who evaluated MePRiSIA were Jordi Forné (Ph.D. in Telecommunications Engineering, full professor at the Universitat Politècnica de Catalunya (Spain) and expert in computer security), Rafael Páez (Ph.D. in Telematics Engineering, assistant professor at the Pontificia Universidad Javeriana (Colombia) and expert in computer security) and Rodrigo Alvear (M.Sc. in Management of Computer Projects and technological support coordinator of ACADEMUSOFT).
Application of MePRiSIA: MePRiSIA was applied to ACADEMUSOFT through a mixed approach. ACADEMUSOFT is an EAS (Enterprise Application Solution) for higher education institutions, created by the Universidad de Pamplona (Colombia), which supports the management of academic processes (subjects, grades, schedules, classrooms, personal data of teachers and students, etc.) [17]. This platform is used by several universities in Colombia.
To carry out the first three steps of MePRiSIA, information was obtained from the CIADTI staff (Center for Applied Research and Development of Information Technologies) of Universidad de Pamplona, from the VII Latin American Survey on Information Security [18] and from surveys of students and teachers to determine whether they were handling academic information properly. To calculate the sample size of students and teachers of the seven faculties of the university, Equation (1) was used [19] together with the information provided by the Planning Office. The teachers' survey contained 13 multiple-choice questions and the students' survey contained 11 multiple-choice questions.
Where:
n = Sample size
N = Population size
Z = Confidence level (1.96)
p = Probability of occurrence (0.5)
q = Probability of non-occurrence (q=1-p=0.5)
E = Estimation error (0.05)
In addition, CIADTI staff gave access to its test platform so that the tree of user privileges could be explored.
To carry out step 4 of MePRiSIA, the established tables were used, together with knowledge of the defense in depth model and of countermeasures.
3. Background
3.1 Risk prevention
Risk prevention is a continuous process which involves: analyzing current risks in an information system; planning and implementing short and long term activities to avoid or reduce risks that were identified; assessing the effectiveness of such activities and updating them according to changes in the internal and external environment of the institution [20].
3.2 Defense in depth model
To protect organizations against internal and external threats, a single countermeasure is not enough; a set of them is needed to cover the weaknesses and protect the network from possible attacks. The defense in depth model serves this purpose and includes seven layers [15]:
Layer 1 - Policies and procedures: This is perhaps the most neglected layer, but also the most important, since it provides the guidance for implementing the other defenses. The organization must define its most important assets and the level of security they must have. These policies must be signed by senior management and must be known by all employees and network users.
Layer 2 - Physical security: Since an attacker could damage or steal network devices, physical security measures must be established, such as staff access control, alarm systems, video surveillance, window bars, etc.
Layer 3 - Perimeter defense: The network perimeter is composed of those points of the internal network, managed by the organization, which are in contact with external networks. Firewalls, virtual private networks and border routers configured to filter unwanted traffic are commonly used to defend the perimeter.
Layer 4 - Network defense: Even with the countermeasures installed in the other layers, an attacker could gain access to the internal network. To protect the network it is necessary to use intrusion prevention and detection systems, network segmentation, IPsec and/or TLS (the successor of SSL, Secure Sockets Layer) to encrypt data in transit, protection of wireless networks, etc.
Layer 5 - Equipment defense: Since an attacker can reach the computers of the network, these should be protected, especially the servers. Equipment protection consists of three main tasks: applying security patches, disabling unnecessary services and keeping the antivirus active and up to date.
Layer 6 - Application defense: If an attacker gains access to a computer, its applications should still be protected. Access to them can be controlled through authentication and authorization mechanisms, and an application firewall can be installed to control the information they send to and receive from the network.
Layer 7 - Data defense: If the attacker crosses all the previous defenses, the data stored on the computer must still be protected, through encryption and integrity mechanisms.
In addition, each of these layers involves the three elements of defense in depth: people, technology and operations. There must be a balance among these elements so that the implemented countermeasures are effective.
4. MePRiSIA design
MePRiSIA is a methodology designed for the Information Technology (IT) staff of educational institutions. It provides a basis for the development of an effective risk prevention program and contains practical guidance to identify, assess and prevent the risks encountered in an academic information system. MePRiSIA is structured in four steps (see Figure 1) that include the human factor. The complete description of MePRiSIA is in [20].
Although the main vulnerabilities of the assets of an academic information system were identified to give guidance to the IT staff (tables of step 4), other vulnerabilities can arise from the risk analysis depending on the environment of each system.
4.1 Step 1: setting the context
The goal of this step is to identify the assets of the system, their security requirements and the scope of the risk analysis. To do this, the evaluator must answer the following questions:
1. What are the assets of the academic information system? To answer this question, the evaluator must first identify the processes carried out by the system, such as the display of students' academic information (subjects, schedules and grades), the update of students' grades by teachers, etc. Then, the evaluator must identify the assets involved in each process. The assets commonly found in an academic information system are:
Information: Assets used to store and manage user information, such as the academic information (subjects, grades, schedules) and the personal data of teachers and students.
Hardware: Includes the devices of the institution and also those of the users. For example:
Servers of the system.
Devices used by users to access the system (mobile phones, PCs, laptops, etc.).
Software: Includes the applications through which the system is used. For example:
Authentication application
Database of academic information
Web browser or application used by users to access the system
Network: Includes the communication channel and the network devices (switches, routers, etc.).
Staff: Includes the different users of the system, for example students, teachers, administrative staff and IT staff.
Place: Includes the places where computers and devices are located.
Organization: Includes assets that are the responsibility of the institution.
2. What is the role of each asset? The evaluator determines the function that each asset has within the system, according to the processes identified in the previous item.
3. Which people are responsible for the security and management of the assets? The evaluator determines who is responsible for each asset, according to the function manuals.
4. What is the confidential information of the system, and what should be the level of privacy of the information? First, the evaluator identifies the personal information stored in the system, such as students' grades, financial information, etc. Then, he/she must determine what degree of confidentiality this information should have: low (public information), medium (internal-use information) or high (confidential information). Finally, the evaluator must identify the assets that store or transport this information.
5. What security laws apply to the system at the national and regional level? Awareness of government regulations on the management of databases and personal information is a valuable guideline for managing the system's information adequately.
6. What institutional security policies apply to the system assets? The evaluator must identify which institutional security policies refer to the assets of the system.
7. What expectations do the different users have about the operation and security of the system, and if those expectations are defrauded, what negative consequences would this bring to the good name and reputation of the institution? To learn the expectations of the users and the consequences of defrauding them, the evaluator can carry out surveys or interviews with a representative sample of each type of user.
In addition, the scope of the risk analysis activities must be defined. Depending on the budget and the available time, the IT staff can decide to focus only on the information and staff assets, or to include all the assets. Since people are the weakest link of the security chain [2], staff assets must always be included in the analysis.
4.2 Step 2: risk identification
The goal of this step is to determine the vulnerabilities of the assets and to identify the threats that can exploit them, by following these steps:
1. Asset valuation: The evaluator must determine the impact that a loss of confidentiality, integrity or availability of each asset can cause on the system and the institution. Regarding the valuation of staff assets, Ramos Lara [21] states that "the operational indicators of human resources are: knowledge, skills, and attitudes". Therefore, for these assets, the evaluator must determine the impact on the system when people do not have the knowledge, skills and attitudes needed to handle it. A widely used scale to value assets and determine their impact is the following semi-quantitative Likert scale:
1: Very Low
2: Low
3: Medium
4: High
5: Very High
To determine the impact on each asset, the evaluator must consider the functional, economic, legal and administrative consequences that the loss or lack of these features (confidentiality, integrity, availability, knowledge, skills and attitudes) would bring to the system and the institution, and the time it would take to recover from those losses. According to the severity of these consequences, the evaluator assigns a level on the established scale.
Table 1 shows the asset valuation table and Table 2 the staff asset valuation table. In both tables, the evaluator assigns a value from the scale above to each feature and puts the average of the three values in the total column. The assets are then ordered from highest to lowest total value and assigned a priority, the highest total receiving priority 1. If two or more assets have the same total, the evaluator must decide which of them is more important for the system. The result of this evaluation is a prioritized list of assets; when prioritizing, the evaluator must include both the staff assets and the other assets in a single numbering.
Source: Based on ‘Diseño de un Sistema de Gestión de Seguridad de la Información, Óptica ISO 27001:2005’ [14]
2. Identification of threats: A threat is an event that can cause damage to assets. Threats can have a natural or human origin, can be accidental or deliberate, and some of them can affect more than one asset. To determine the threats affecting each asset, the evaluator must ask the person responsible for the asset which incidents have affected the availability or proper functioning of the asset during the last year.
3. Identification of vulnerabilities: A vulnerability is a weakness of an asset. To determine these weaknesses, the evaluator can review the tables shown in step 4 and look for vulnerabilities that can be exploited by the threats identified previously. It is also important to look in the literature for the most common vulnerabilities of each asset, to determine what privileges the different users have and whether they are misusing them, and how the assets can be damaged.
Table 3 shows the vulnerabilities of each asset and the threats that can exploit them.
4.3 Step 3: risk analysis
The goal of this step is to establish the level of risk of each threat, determine the countermeasures already implemented and obtain a prioritized list of risks. A risk has two factors: its impact and its probability of occurrence. To determine the impact of a risk, the evaluator must take into account criteria such as the economic impact, the recovery time after the incident, the activities or processes of the institution affected by the risk and the damage to the image of the institution. According to the severity of these criteria, the evaluator determines the value of the impact on the following Likert scale:
1: Very Low
2: Low
3: Medium
4: High
5: Very High
To determine the probability of occurrence, the evaluator must ask the people responsible for the assets about the frequency of each security incident, and must also take into account current statistics from recognized sources in the security area and the frequency of possible attacks that have not yet affected the assets. In this case, it is advisable to use a quasi-exponential Likert scale, where a risk is considered very high when the threat materializes 50% or more of the time:
0 - 4.99% : 1 Very Low.
5 - 14.99%: 2 Low.
15 - 29.99%: 3 Medium
30 - 49.99%: 4 High
50 - 100% : 5 Very High
Table 4 shows the fields that the evaluator must fill in, using the threats identified in Table 3. In addition, the evaluator must calculate the inherent risk by multiplying the impact of the risk (IR) and the probability of occurrence (PO) (see Equation (2)).
Source: Based on ‘Diseño de un Sistema de Gestión de Seguridad de la Información, Óptica ISO 27001:2005’ [14]
Then, it is necessary to determine the countermeasures implemented in the system to mitigate each threat. Table 5 shows the fields that must be filled in, again using the threats identified in Table 3. In the third column, the evaluator describes the countermeasure and, in the fourth column, determines the effectiveness of the countermeasure (EC) according to the following scale:
0: No countermeasure implemented
1: The countermeasure has not stopped the threat
2: The countermeasure has stopped the threat a few times
3: The countermeasure has stopped the threat several times
4: The countermeasure has stopped the threat most of the time
5: The countermeasure has stopped the threat completely
After that, the evaluator can calculate the residual risk, using Equation (3):
Next, the risks are prioritized by ordering the residual risk values from largest to smallest, the largest value receiving priority 1. If two or more threats have the same residual risk value, the evaluator breaks the tie according to the priority of the affected asset determined in Tables 1 and 2.
Finally, the evaluator must determine the risk level, with the following scale:
1 to 4: Very Low
5 to 9: Low
10 to 14: Medium
15 to 19: High
20 to 25: Very High
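The following Python script is an added worked example, written for this page and not part of the paper or of ACADEMUSOFT, of the asset valuation of step 2 and of the probability scale, inherent risk, risk level and prioritization rules of step 3. The assets, threats, Likert grades and frequencies it uses are constructed for illustration. Because Equation (3) for the residual risk is not reproduced on this page, the example applies the risk-level scale and the tie-breaking rule to the inherent risk; the same functions apply unchanged to residual risk values once Equation (3) has been computed. Treating the level thresholds as half-open intervals, so that non-integer values also receive a level, is an assumption of the example.

```python
"""Worked example of MePRiSIA steps 2 and 3 (asset valuation, probability
scale, inherent risk, risk level, prioritization). Added for this page; all
assets, threats, grades and frequencies below are constructed sample data."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


def likert_mean(values: List[int]) -> float:
    """'Total' column of Tables 1 and 2: average of three 1..5 Likert grades
    (C, I, A for ordinary assets; knowledge, skills, attitudes for staff)."""
    if len(values) != 3 or any(not 1 <= v <= 5 for v in values):
        raise ValueError("expected three Likert grades in 1..5")
    return sum(values) / 3


def prioritize_assets(totals: Dict[str, float],
                      evaluator_ranking: List[str]) -> Dict[str, int]:
    """Priority 1 goes to the highest total; equal totals are broken by the
    evaluator's own importance ranking (earlier in the list = more important)."""
    order = sorted(totals, key=lambda a: (-totals[a], evaluator_ranking.index(a)))
    return {asset: rank for rank, asset in enumerate(order, start=1)}


def probability_level(frequency_pct: float) -> int:
    """Quasi-exponential scale of step 3: observed/estimated frequency (%) -> PO."""
    if not 0 <= frequency_pct <= 100:
        raise ValueError("frequency must be a percentage in [0, 100]")
    for upper_bound, level in ((5, 1), (15, 2), (30, 3), (50, 4)):
        if frequency_pct < upper_bound:
            return level
    return 5  # 50% of the time or more: Very High


def inherent_risk(impact: int, po: int) -> int:
    """Equation (2): inherent risk = IR x PO, both Likert grades in 1..5."""
    if not (1 <= impact <= 5 and 1 <= po <= 5):
        raise ValueError("IR and PO must be in 1..5")
    return impact * po


def risk_level(value: float) -> str:
    """Step 3 risk-level scale (1-4, 5-9, 10-14, 15-19, 20-25); half-open
    intervals are an assumption so that fractional residual values get a level."""
    for upper_bound, label in ((5, "Very Low"), (10, "Low"), (15, "Medium"), (20, "High")):
        if value < upper_bound:
            return label
    return "Very High"


@dataclass
class Threat:
    asset: str
    name: str
    impact: int           # IR on the Likert scale
    frequency_pct: float  # how often the threat has materialized, in %


def analyze_threats(threats: List[Threat],
                    asset_priority: Dict[str, int]) -> List[dict]:
    """Table 4 plus the prioritization rule: highest risk first, ties broken by
    the asset priority from step 2 (1 = most important asset)."""
    rows = []
    for t in threats:
        po = probability_level(t.frequency_pct)
        risk = inherent_risk(t.impact, po)
        rows.append({"asset": t.asset, "threat": t.name, "IR": t.impact,
                     "PO": po, "risk": risk, "level": risk_level(risk)})
    rows.sort(key=lambda r: (-r["risk"], asset_priority[r["asset"]]))
    for rank, row in enumerate(rows, start=1):
        row["priority"] = rank
    return rows


# Constructed sample data: (C, I, A) grades, or (knowledge, skills, attitudes)
# for the two staff assets. Two assets deliberately tie on the total.
SAMPLE_ASSETS: Dict[str, List[int]] = {
    "Authentication application": [5, 5, 5],
    "Database of academic information": [5, 5, 4],
    "Web server": [5, 4, 5],
    "Teachers": [4, 4, 3],
    "Students": [3, 3, 2],
}
# The evaluator's tie-break ranking (most important first), also constructed.
SAMPLE_RANKING = ["Database of academic information", "Authentication application",
                  "Web server", "Teachers", "Students"]
SAMPLE_THREATS = [
    Threat("Authentication application", "Brute-force login attempts", 4, 60),
    Threat("Teachers", "Password shared with a colleague", 4, 35),
    Threat("Database of academic information", "Unauthorized grade modification", 5, 8),
    Threat("Web server", "Exploitation of an unpatched service", 5, 8),
    Threat("Students", "Session left open on a shared PC", 2, 40),
]


def run_example() -> Tuple[Dict[str, int], List[dict]]:
    """Run steps 2 and 3 on the sample data; returns (asset priorities, risk rows)."""
    totals = {name: likert_mean(grades) for name, grades in SAMPLE_ASSETS.items()}
    priority = prioritize_assets(totals, SAMPLE_RANKING)
    return priority, analyze_threats(SAMPLE_THREATS, priority)


if __name__ == "__main__":
    asset_priority, risk_rows = run_example()
    for name, p in sorted(asset_priority.items(), key=lambda kv: kv[1]):
        print(f"asset priority {p}: {name}")
    for r in risk_rows:
        print(f"{r['priority']}. {r['asset']} / {r['threat']}: "
              f"IR={r['IR']} PO={r['PO']} risk={r['risk']} ({r['level']})")
```

In the sample data the database and the web server tie on the asset total (14/3), so the evaluator's ranking decides their order; the two threats with inherent risk 10 then inherit that order in the risk list, which is exactly the tie-breaking rule of step 3.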
4.4 Step 4: risk prevention
The goal of this step is to determine countermeasures that avoid or mitigate risks.
The evaluator must consult Table 3 to determine which vulnerability corresponds to each threat evaluated in Table 5, and then look up that vulnerability in the tables of this section in order to define the short-term and long-term controls to be planned and implemented.
According to the Guide to Malware Incident Prevention and Handling [12], the elements to be considered when proposing risk prevention strategies are policies, awareness, mitigation of vulnerabilities and mitigation of threats. For that reason, this step is divided into those parts.
Policies
The following activities can be done to prevent risks arising from the lack of policies:
Definition of security policies: These policies define the guidelines to ensure the security of the system assets.
Product: Security Policies of the Academic Information System.
Main actors: IT Staff, Institution Directors
Short-term controls: See Table 6
*ISMS: Information Security Management System
Long-term controls: See Table 7
Awareness
The activities that can be carried out to prevent the risks caused by lack of awareness are:
Definition of awareness programs: A different program must be defined for each user group, since the degree of depth and specialization of each program will change depending on the role and privileges of these users.
Product: Awareness Programs for Students, Teachers, Administrative Staff and IT Staff.
Main actors: Institution Directors, People in Charge of Awareness, Students, Teachers, Administrative Staff and IT Staff
Short-term controls: See Table 8
Long-term controls: See Table 9
Dissemination of security policies: Ensure that different user groups know the security policies, their responsibilities and the sanctions that would be applied in case of non-compliance.
Product: Strategies for Disseminating Security Policies to Students, Teachers, Administrative Staff and IT Staff.
Main actors: Institution Directors, Policy Makers, Students, Teachers, Administrative Staff and IT Staff.
Short-term controls: See Table 10
Long-term controls: See Table 11
Mitigation of vulnerabilities and threats
This section takes into account the layers of Defense in Depth Model [15]. The activities that can be carried out to prevent the risks posed by vulnerabilities and threats are:
Coordination of security of the system: Ensure that all activities for managing the security of the assets and the documentation of the ISMS are carried out according to established security policies.
Product: ISMS documentation, Security Incident Reports, ISMS Procedures and Action Plans, Audit Reports.
Main actors: IT Staff, Institution Directors, Audit Team
Short-term controls: See Table 12
Long-term controls: See Table 13
Physical security: Seeks to protect the places where the assets are located.
Product: Physical Security Measures
Main actors: IT staff, Maintenance and Cleaning Staff, Teachers, Students, Administrative Staff.
Short-term controls: See Table 14
Long-term controls: See Table 15
Perimeter defense: Seeks to protect the network perimeter.
Product: Perimeter Security Measures
Main actors: IT Staff
Short-term controls: See Table 16
Long-term controls: See Table 17
Network defense: Seeks to protect information while traveling on the network
Product: Network Security Measures
Main actors: IT Staff
Short-term controls: See Table 18
Long-term controls: See Table 19
Equipment defense: Seeks to protect equipment of the system
Product: Equipment Security Measures
Main actors: IT Staff, Teachers, Students, Administrative Staff
Short-term controls: See Table 20.
Long-term controls: See Table 21
Application defense: Seeks to protect applications related to the system
Product: Application Security Measures
Main actors: IT Staff, Teachers, Students, Administrative Staff
Short-term controls: See Table 22
Long-term controls: See Table 23
Data defense: Seeks to protect data stored on computers related to the system
Product: Data Security Measures
Main actors: IT Staff, Teachers, Students, Administrative Staff
Short-term controls: See Table 24
Long-term controls: See Table 25
5. Results and discussion
5.1 Evaluation of MePRiSIA
After MePRiSIA was designed, three experts assessed the methodology. Table 26 shows the matrix with the results of the evaluation. This matrix includes the grade given to each indicator by each expert, the average of the grades of each indicator, the standard deviation (the sample standard deviation of the three grades), the weighting of each indicator according to its importance, the reached value (reached value = (average × weighting)/5), and the degree of compliance (degree of compliance = (reached value × 100)/weighting). Note that the weighting cancels out in the degree of compliance, which therefore equals the average grade expressed as a percentage of the maximum grade of 5. The scale used for the degree of compliance was:
0% - 69.99% : Low
70% - 89.99%: Medium
90% - 100% : High
According to Table 26, the degree of compliance was higher for steps 1 and 3 than for steps 2 and 4. In step 1, the degree of compliance of the indicator "easy to implement" is 80% (standard deviation: 1.73), because expert 1 gave a grade of 2, arguing that institutions do not allocate resources for risk prevention.
In step 2, the degree of compliance of the indicator "easy to understand" is 80% (standard deviation: 1) because expert 2 gave a grade of 3, since it was unclear how staff assets should be assessed. Also, the degree of compliance of the indicator "easy to implement" is 80% (standard deviation: 1) because expert 1 gave a grade of 3, since institutions must have a group of experts to carry out this step.
In step 3, the degree of compliance of the indicator "easy to implement" is 80% (standard deviation: 1), because expert 1 gave a grade of 3, since institutions must have experts in risk management to carry out this step. Finally, in step 4, the degree of compliance of the indicator "easy to implement" is 73.33% (standard deviation: 1.53), because expert 1 gave a grade of 2, due to the low investment in security and the lack of commitment of institution directors to this issue.
To address the observation on the indicator "easy to understand" of step 2, this step of the methodology was explained in more detail in [20]. Regarding the comments of expert 1 on the indicator "easy to implement" of steps 1 and 4, it is true that institutions must allocate resources for risk prevention and that directors must be aware of the importance of this issue. Regarding the comments of expert 1 on the indicator "easy to implement" of steps 2 and 3, although the IT staff must have some knowledge of risk management and security to apply MePRiSIA, what matters most is knowledge of the assets and their vulnerabilities, so the IT staff should document the security incidents of the system as they happen, although this is one of the most neglected aspects.
5.2 Application of MePRiSIA
MePRiSIA was applied to ACADEMUSOFT, the academic information system of Universidad de Pamplona (Colombia).
In step 1, 8 processes and the assets involved in each of them were identified. Table 27 shows the 15 assets identified using MePRiSIA, their functions and the person responsible for each asset.
In addition, the personal data of teachers and students and the academic information must have a high level of privacy. Law 1581 of 2012 [22] must be taken into account because it regulates the use of users' personal data. Finally, the risk analysis was scoped to include all 15 assets involved in the processes.
In step 2, the Likert scale proposed by MePRiSIA was used. Knowledge of the system and its context was used to fill in Table 1 and Table 2. Table 28 and Table 29 show examples of the values given and their justification; the average of the three values was then calculated to obtain the total and determine the priority of each asset. Table 27 shows the priority of each asset in its last column; 2 of the 5 most important assets are staff assets.
When filling in Table 3, 80 vulnerabilities and threats were found across all the assets. Table 30 shows how this was done, using the vulnerabilities included in the tables of step 4, knowledge of the assets, the threats that can exploit those vulnerabilities, and information on vulnerabilities and threats found in the literature.
In step 3, the proposed Likert scale was used to grade the impact of each risk, taking into account the damage that the threat can cause to ACADEMUSOFT and the institution. Afterwards, the CIADTI staff was asked to give the probability of occurrence of each threat according to the quasi-exponential Likert scale of step 3. Where the CIADTI staff did not give a specific value, the results of the VII Latin American Survey on Information Security [18] were used instead. For the threats related to students and teachers, the results of the surveys carried out in the institution were valuable. The inherent risk was then obtained by multiplying the impact of the risk and the probability of occurrence (see Table 31).
The residual risk and the priority of each threat were determined, using the priority of each asset (see Table 27) to break ties. Finally, the risk level was established according to the scale defined for this purpose in step 3. Table 32 shows an example of the results obtained.
Seven very high-level risks were identified, due to: unawareness of the security policies of ACADEMUSOFT and lack of training and security awareness among teachers, CIADTI staff and students; lack of confidentiality and complexity of teachers' passwords; lack of a formal procedure to remove users from the system and to review access rights periodically; lack of information security provisions in employee contracts; and lack of security policies for ACADEMUSOFT. Therefore, it is important to create and disseminate complete security policies, and to provide awareness and training to users about the security of the system.
Since the CIADTI staff did not provide all the information about ACADEMUSOFT that was needed, some assumptions were made about the possible vulnerabilities and threats of the assets and their values. It is recommended that the IT staff of each institution apply this methodology themselves, because they hold all the information required, and it is necessary that somebody involved has knowledge of information and network security.
In step 4, short-term and long-term controls were determined according to the tables of step 4. When a vulnerability did not match those in the tables, the most similar vulnerabilities were taken as examples to establish the controls, using common sense and security knowledge. Table 33 shows an example of the results obtained.
Finally, the CIADTI staff pointed out the difficulty of implementing the controls suggested by the methodology when the institution does not allocate staff and financial resources for this purpose, which highlights the importance of making the institution directors aware of the need for these security measures.
6. Conclusions
MePRiSIA is a risk prevention methodology for academic information systems that has four steps: setting the context, risk identification, risk analysis and risk prevention. In setting the context, the evaluator identifies the assets of the system by process, determines the security requirements of each asset and of the information, and establishes the scope of the risk analysis. In risk identification, the evaluator establishes the priority of the assets and determines the vulnerabilities of each asset and the threats that can exploit them. In risk analysis, the evaluator calculates the inherent and residual risks, determines the implemented countermeasures and obtains a prioritized list of risks. Finally, in risk prevention, the evaluator determines the countermeasures that avoid or mitigate the identified risks.
MePRiSIA was designed to be simple and focused on the human factor. In step 1, the human factor is part of the assets of the system, taking into account staff responsibilities and expectations. In step 2, the human factor is included in the asset valuation, when evaluating the knowledge, skills and attitudes of the staff; this kind of evaluation was not present in the other methodologies. In addition, in the identification of vulnerabilities and threats, the staff assets are included, analyzing the privileges of the different users in the system to determine whether they can be the cause of a security incident. In step 3, the vulnerabilities and threats of the staff assets are part of the analysis. Finally, in step 4, the human factor is taken into account mainly in the policies, the awareness programs and the audits.
According to the experts who evaluated MePRiSIA, although it is easy to understand and includes the human factor in each step, it is hard to implement when the evaluators lack knowledge of information security and the institution directors do not provide staff and financial resources for this purpose.
After MePRiSIA was applied to ACADEMUSOFT, the conclusion was that the human factor is among its most important assets and is involved in the very high-level risks identified; therefore it is very important that users know how to use the systems correctly and which information they must protect.
Finally, although MePRiSIA was designed for academic information systems, it can be extended to other types of systems, since the identified assets and the controls can be applied to any system.