IS Integrity and Security
GP Dhillon, PhD, Associate Professor of IS, School of Business, VCU
The emergent form
(Figure: a two-by-two matrix of External Coalition against Internal Coalition, each rated Strong or Weak.)
Problem
• According to the latest UK Audit Commission report, between 1990 and 1994 there was a 183% increase in the value of cases
• Computer fraud has increased 8 times since the previous report
• Average cost of a computer security breach was approx. $42,000
• In 1997 the Audit Commission found organizations reporting computer security problems to have increased from 34% in 1994 to 45% in 1997
What’s happening out there?
• Electronic point-of-sale transactions in the US went up from 38 per day in 1985 to 1.2 million per day in 1993
• In international currency markets, partners transfer an average of $800 billion every day
• Among US banks about $1 trillion is transferred daily
• In the New York markets $2 trillion worth of securities are traded daily
Shocking news ….
• 25% of organizations did not have computer audit skills
• 60% of organizations had no security awareness
• 80% of the organizations did not conduct a risk analysis
• In the UK 98% of the organizations had failed to implement the British Standards Institution’s BS 7799 (although 20,000 copies were sold)
Other facts
• In 1996 companies spent $830 million on information security technology to guard against potential abuses
• In 1996 Computer Security Institute survey found 42% of Fortune 500 companies reporting computer security breaches
• In 1999 the Computer Security Institute reported losses amounting to nearly $124 million (theft of proprietary information $42.5 million; financial fraud $39.7 million; laptop theft $13 million)
Survey results: perceived threat to information security (chart)
Survey results: physical security precautions in use (chart)
Survey results: technology security precautions in use (chart)
Security risks: the dominant view
• Password sniffing/cracking software
• Spoofing attacks
• Denial of service attacks
• Direct attacks
– Man-in-the-middle: packet sniffs on the link between the two end points, and can therefore pretend to be one end of the connection
– Routing redirect: redirects routing information from the original host to the hacker's host (this is another form of man-in-the-middle attack)
Security risks: a more realistic view (based on Office of Technology Assessment, USA and Dhillon, 1997)
• Human error
• Analysis and design faults
• Violations of safeguards by trusted personnel
• Environmental damage
• System intruders
• Malicious software, viruses, worms
The reality
• White-collar crime: (e.g. the Kidder Peabody & Co case)
• Theft: (e.g. the ‘Salami Slicers’)
• Stolen services: (economic espionage costs US $50b a year)
• Smuggling: (the case of ‘One Happy Island’)
• Terrorism: (problems in FedWire; SWIFT)
• Child pornography: (securing a global village)
How have we dealt with these issues? The risk management process
(Figure: a cycle of Strategic Security Planning, Risk Analysis, Implementation, and Monitoring and Compliance Testing, with Follow-up feeding back into initiation and planning.)
Risk analysis
(Figure: asset definition & valuation, threat assessment and vulnerability assessment, within the given constraints and security objectives, feed a measure of impact and the determination of measures of risk, which drive the selection of safeguards.)
Outcomes of risk analysis
• Results are expressed in monetary units (R = P * C)
• Admits that security is a capital investment opportunity
• Defers security “option” to higher authority
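The risk-analysis steps on the slides (asset valuation, threat and vulnerability assessment, measure of impact, R = P * C, selection of safeguards) worked through as an expected-annual-loss calculation. This is an added example, not material from the lecture; reading R as risk, P as the annual probability of a loss event and C as its cost is an assumption, since the slide does not expand the symbols, and all asset and safeguard figures are constructed.

```python
# Added example, not from the slides: the risk-analysis steps on the slide
# (asset valuation, threat/vulnerability assessment, measure of impact,
# R = P * C, selection of safeguards) worked as an expected-annual-loss sum.
# Assumption: R = risk, P = annual probability of the loss event, C = its cost;
# the slide does not expand the symbols. All figures below are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Exposure:
    asset: str        # asset definition
    value: float      # asset valuation: cost of total loss, monetary units
    threat: str       # threat assessment
    p_annual: float   # vulnerability assessment: P(threat succeeds) per year
    impact: float     # measure of impact: fraction of value lost per event

    def cost(self) -> float:          # C
        return self.value * self.impact

    def risk(self) -> float:          # R = P * C, expected annual loss
        return self.p_annual * self.cost()

@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float
    p_after: float    # residual annual probability with the safeguard in place

def net_benefit(e: Exposure, s: Safeguard) -> float:
    """Risk removed minus safeguard cost; > 0 means it pays on R = P * C terms."""
    return e.risk() - s.p_after * e.cost() - s.annual_cost

def select_safeguards(e: Exposure, options: list) -> list:
    """Selection of safeguards: those with positive net benefit, best first."""
    keep = [s for s in options if net_benefit(e, s) > 0]
    return sorted(keep, key=lambda s: net_benefit(e, s), reverse=True)

def sensitivity(e: Exposure, s: Safeguard, factor: float) -> float:
    """Net benefit if every probability estimate was off by `factor`: the
    monetary answer is only as firm as the analyst's guess at P."""
    e2 = Exposure(e.asset, e.value, e.threat, min(1.0, e.p_annual * factor), e.impact)
    s2 = Safeguard(s.name, s.annual_cost, min(1.0, s.p_after * factor))
    return net_benefit(e2, s2)

# Constructed sample: a payroll database exposed to insider record modification.
PAYROLL = Exposure("payroll DB", 500_000.0, "insider modification", 0.10, 0.40)
OPTIONS = [Safeguard("segregation of duties + change logging", 8_000.0, 0.02),
           Safeguard("dedicated full-time auditor", 60_000.0, 0.01)]
```

With the constructed figures, R is 20,000 per year; the first safeguard shows a net benefit of 8,000 and is selected, the second a net loss of 42,000, and `sensitivity` shows the selection flipping once P is overestimated by a factor of four, which is the slide's point about deferring the "option" to higher authority.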
Dhillon’s world view for IS security
(Figure: nested Technical, Formal and Informal layers within the Real World; the legend marks communication loops, some social and working groups with overlapping memberships, and organisational/system boundaries.)
Conceptualizing IS security issues
(Figure: pragmatic information system and security issues, "the organizational environment", enclose formal information system and security issues, which enclose technical information systems and security issues, with communication security and data security at the technical core.)
The RITE principles
• Responsibility (and knowledge of Roles)
• Integrity (as requirement of Membership)
• Trust (as distinct from Control)
• Ethicality (as opposed to Rules)
Principles for managing IS security
Background to the development of IS security principles
• Spent about 18 months talking to managers at various levels in a broad spectrum of firms:
– Marks & Spencer (Retail) - 7 meetings; Sainsbury (Retail) - 3 meetings; Safeway (Retail) - 6 meetings; British Telecom (Telecom) - 16 meetings; British Rail (Transport) - 2 meetings; Shell Petroleum (Oil) - 21 meetings; IBM (Computers) - 4 meetings; Telia (Swedish Telecom) - 8 meetings; Procter & Gamble (FMCG) - 3 meetings; Thames Valley Water (Public Utility) - 7
• Intensive research into a few case study organizations
– British NHS hospital (1 year)
– British Local Govt. (1 year)
– Shell Petroleum (2 years)
– ABB (1 year)
– Motorola (1 year)
– Sunrise Hospital (1 year)
Debunking the myths
• Security was more than password control/management
• Security did not equate to encrypting messages
• A number of security problems were caused by analysis and design faults, both intentional and unintentional
• Information stored in computers was not necessarily more vulnerable than other forms of information
• Information loss did not necessarily occur from modification, destruction, disclosure, and unauthorized use
• Effective information security cannot necessarily be achieved by using good controls and practices
• Comprehensive, quantified risk assessment is not a valid, effective method of security review
• Business confidentiality does not require that the need-to-know principle be applied
• Authentication of identity is not based on “what you know, what you possess and what you are” but on trust
• Computer viruses are not a major business security crisis
• It is not the role of the information security specialist to help improve the quality of clients’ data
The systems lifecycle
(Figure: Plan, Design, Implement, Evaluate, with an evaluate step attached to each stage.)
Planning for IS security
1. A well conceived corporate plan establishes a basis for developing a security vision
2. A secure organization lays emphasis on the quality of its operations
3. A security policy denotes specific responses to specific recurring situations and hence cannot be considered as a top level document
4. Information systems security planning is of significance if there is a concurrent security evaluation procedure
IS security planning process
(Figure: the IS Security Development Process aligned with the IS Development Process. Corporate Planning leads to IS Strategy Formulation and IS Security Strategy Formulation, informed by environment scanning, future analysis and organisational analysis; by IS budgets, IT acquisition policy and corporate information needs; and by risk analysis and SWOT analysis. The planning stage provides a framework for IS strategy formulation, aligns and assesses IS strategy and IS security with respect to corporate objectives, recognises security as a key enabler of businesses, and develops a security vision. Its outputs are the IS Security Policy and IS Tactical Planning, leading to IS project development plans with allocation of resources and responsibilities, IS security implementation with identification of appropriate controls, and Evaluation through IS audits and security audits, with feedback into planning.)
Designing IS security
1. The adherence to a specific security design ideal determines the overall security of a system
2. Good security design will lay more emphasis on ‘correctness’ during system specification
3. A secure design should not impose any particular controls, but choose appropriate ones based on the real setting
Implementing IS security
1. Successful implementation of security measures can be brought about if analysts consider the informal organization before the formal
2. Implementation of security measures should take a ‘situational issue-centered’ approach
3. To facilitate successful implementation of security controls, organizations need to share and develop expertise and commitment between the ‘experts’ and managers
Evaluating IS security
1. Security evaluation can only be carried out if the nature of an organization is understood
2. The level of security cannot be quantified and measured; it can only be interpreted
3. Security evaluation cannot be based on the expert viewpoint of any one individual, rather an analysis of all stakeholders should be carried out
Means objectives and fundamental objectives for IS security
(Figure: overall objective: Maximize IS Security.
Means objectives: personal financial situation; censure; empowerment; legal & procedural compliance; information ownership; authority structures; trust; communication; access control; information availability; personal needs fulfillment; work allocation practices; responsibility & accountability; individual characteristics; personal beliefs; work situation.
Fundamental objectives: maximize awareness; human resource practices; ethical environment; integral business processes; management development practices; data integrity; organizational integrity; privacy; individual ethics.)
Consolidated principles
• Education, training and awareness, although important, are not sufficient conditions for managing information security. A focus on developing a security culture goes a long way in developing and sustaining a secure environment.
• Responsibility, integrity, trust and ethicality are the cornerstones for maintaining a secure environment.
• Establishing a boundary between what can be formalized and what should be norm based is the basis for establishing appropriate control measures.
• Rules for managing information security have little relevance unless they are contextualized.
• In managing the security of technical systems a rationally planned grandiose strategy will fall short of achieving the purpose.
• Formal models for maintaining the confidentiality, integrity and availability (CIA) of information cannot be applied to commercial organizations on a grand scale. Micro-management for achieving CIA is the way forward.