IS Integrity and Security
GP Dhillon, PhD, Associate Professor of IS, School of Business, VCU

[Diagram: the emergent form, plotted by the strength of the external coalition (strong/weak) against the strength of the internal coalition (strong/weak)]
Problem
• According to the latest UK Audit Commission report, between 1990 and 1994 there was a 183% increase in the value of cases
• Computer fraud has increased 8 times since the previous report
• The average cost of a computer security breach was approx. $42,000
• In 1997 the Audit Commission found that the proportion of organizations reporting computer security problems had increased from 34% in 1994 to 45% in 1997

What's happening out there?
• Electronic point-of-sale transactions in the US went up from 38 per day in 1985 to 1.2 million per day in 1993
• In international currency markets, partners transfer an average of $800 billion every day
• Among US banks about $1 trillion is transferred daily
• In the New York markets $2 trillion worth of securities are traded daily

Shocking news
• 25% of organizations did not have computer audit skills
• 60% of organizations had no security awareness
• 80% of the organizations did not conduct a risk analysis
• In the UK 98% of the organizations had failed to implement the British Standards Institution's BS 7799 (although 20,000 copies were sold)

Other facts
• In 1996 companies spent $830 million on information security technology to guard against potential abuses
• In 1996 a Computer Security Institute survey found 42% of Fortune 500 companies reporting computer security breaches
• In 1999 the Computer Security Institute reported losses amounting to nearly $124 million (theft of proprietary information $42.5 million; financial fraud $39.7 million; laptop theft $13 million)
Security risks: the dominant view
• Password sniffing/cracking software
• Spoofing attacks
• Denial of service attacks
• Direct attacks
• Man-in-the-middle: packet sniffs on the link between the two end points, and can therefore pretend to be one end of the connection
• Routing redirect: redirects routing information from the original host to the hacker's host (this is another form of man-in-the-middle attack)

Security risks: a more realistic view (based on the Office of Technology Assessment, USA, and Dhillon, 1997)
• Human error
• Analysis and design faults
• Violations of safeguards by trusted personnel
• Environmental damage
• System intruders
• Malicious software, viruses, worms

The reality
• White-collar crime (e.g. the Kidder Peabody & Co case)
• Theft (e.g. the 'Salami Slicers')
• Stolen services (economic espionage costs the US $50b a year)
• Smuggling (the case of 'One Happy Island')
• Terrorism (problems in FedWire; SWIFT)
• Child pornography (securing a global village)
How have we dealt with these issues? The risk management process
[Diagram: the risk management process, with stages Strategic Security Planning, Risk Analysis, Implementation, Follow-up (initiation), Monitoring and Compliance Testing, and Follow-up (planning)]

Risk analysis
[Diagram: the risk analysis process, with components Asset Definition & Valuation, Threat Assessment, Vulnerability Assessment, Determination of Measures of Risk, Measure of Impact, Security Objectives, Constraints, and Selection of Safeguards]
Outcomes of risk analysis
• Results are expressed in monetary units (R = P * C)
• Admits that security is a capital investment opportunity
• Defers the security "option" to higher authority
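The two slides above describe the classical quantified risk analysis: value the assets, assess threats and vulnerabilities, express each risk as R = P * C, and then select safeguards under security objectives and constraints. The following Python script is an added illustration, not part of the lecture, of what that process looks like when carried through end to end. It assumes that P is the annual probability of a threat occurring and C the monetary loss per occurrence (the slides do not spell out the symbols), and it uses a constructed asset register, threat list, safeguard catalogue and budget. Safeguards are chosen greedily by net benefit against the residual risk left after each earlier choice, so that two safeguards addressing the same threat are not double-counted.

```python
"""Quantified risk analysis in the form the slides describe (R = P * C per
asset/threat pair, then safeguard selection under a budget constraint).
Added example: all assets, threats, safeguards and figures are constructed."""

from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Asset:
    name: str
    value: float            # asset valuation in monetary units


@dataclass(frozen=True)
class Threat:
    name: str
    asset: str              # name of the asset the threat acts on
    probability: float      # P: assumed annual probability of occurrence (0..1)
    exposure: float = 1.0   # fraction of the asset value lost per occurrence


@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float
    # threat name -> fraction of that threat's risk the safeguard removes
    reductions: Dict[str, float] = field(default_factory=dict)


def annual_risk(assets: List[Asset], threats: List[Threat]) -> Dict[str, float]:
    """Measure of risk per threat: R = P * C, where C = asset value * exposure."""
    value_of = {a.name: a.value for a in assets}
    return {t.name: t.probability * value_of[t.asset] * t.exposure for t in threats}


def risk_removed(sg: Safeguard, risks: Dict[str, float]) -> float:
    """Monetary risk a safeguard removes, measured against the risk currently left."""
    return sum(risks[t] * frac for t, frac in sg.reductions.items() if t in risks)


def select_safeguards(risks: Dict[str, float], safeguards: List[Safeguard],
                      budget: float) -> Tuple[List[str], float, Dict[str, float]]:
    """Greedy selection: repeatedly take the safeguard with the largest net benefit
    (risk removed minus annual cost) against the residual risk, skipping any that
    does not fit the remaining budget. Returns (chosen names, spend, residual risk)."""
    residual = dict(risks)
    candidates = list(safeguards)
    chosen: List[str] = []
    spent = 0.0
    while candidates:
        best = max(candidates, key=lambda s: risk_removed(s, residual) - s.annual_cost)
        if risk_removed(best, residual) <= best.annual_cost:
            break                       # nothing left that pays for itself
        candidates.remove(best)
        if spent + best.annual_cost > budget:
            continue                    # constraint violated; try the next best
        chosen.append(best.name)
        spent += best.annual_cost
        for t, frac in best.reductions.items():
            if t in residual:
                residual[t] *= 1.0 - frac   # later choices see only what remains
    return chosen, spent, residual


# Constructed sample data (hypothetical organisation, hypothetical figures).
ASSETS = [Asset("customer-db", 500_000.0), Asset("web-server", 120_000.0)]
THREATS = [
    Threat("db-disclosure", "customer-db", probability=0.05, exposure=0.4),
    Threat("db-ransomware", "customer-db", probability=0.10, exposure=1.0),
    Threat("web-dos", "web-server", probability=0.30, exposure=0.25),
]
SAFEGUARDS = [
    Safeguard("offline-backups", 8_000.0, {"db-ransomware": 0.8}),
    Safeguard("ddos-mitigation", 12_000.0, {"web-dos": 0.9}),
    Safeguard("access-review", 3_000.0, {"db-disclosure": 0.5, "db-ransomware": 0.2}),
    Safeguard("endpoint-hardening", 20_000.0, {"db-ransomware": 0.5, "db-disclosure": 0.3}),
]


def run_example(budget: float = 25_000.0):
    """Carry the constructed register through the whole process."""
    risks = annual_risk(ASSETS, THREATS)
    chosen, spent, residual = select_safeguards(risks, SAFEGUARDS, budget)
    return risks, chosen, spent, residual


if __name__ == "__main__":
    risks, chosen, spent, residual = run_example()
    for name, r in risks.items():
        print(f"{name:16s} R = {r:>10,.0f}")
    print(f"total annual risk {sum(risks.values()):,.0f}")
    print(f"selected: {chosen} for {spent:,.0f}; residual risk {sum(residual.values()):,.0f}")
```

With the constructed figures the process rejects "ddos-mitigation" (it costs more than the risk it removes) and "endpoint-hardening" (once backups are in place, little ransomware risk is left for it to remove), which is exactly the kind of monetary "capital investment" reasoning the slide refers to, and also why the later slides question whether every security decision can be reduced to it.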
Conceptualizing IS security issues
[Diagram: nested layers of IS security issues, from communication security and data security at the core, through technical information systems and security issues, formal information system and security issues, and pragmatic information system and security issues, out to "the organizational environment"]
The RITE principles
• Responsibility (and knowledge of Roles)
• Integrity (as a requirement of Membership)
• Trust (as distinct from Control)
• Ethicality (as opposed to Rules)

Background to the development of IS security principles
• Spent about 18 months talking to managers at various levels in a broad spectrum of firms:
• Marks & Spencer (Retail) - 7 meetings; Sainsbury (Retail) - 3 meetings; Safeway (Retail) - 6 meetings; British Telecom (Telecom) - 16 meetings; British Rail (Transport) - 2 meetings; Shell Petroleum (Oil) - 21 meetings; IBM (Computers) - 4 meetings; Telia (Swedish Telecom) - 8 meetings; Procter & Gamble (FMCG) - 3 meetings; Thames Valley Water (Public Utility) - 7
• Intensive research into a few case study organizations:
• British NHS hospital (1 year)
• British Local Govt. (1 year)
• Shell Petroleum (2 years)
• ABB (1 year)
• Motorola (1 year)
• Sunrise Hospital (1 year)

Debunking the myths
• Security was more than password control/management
• Security did not equate to encrypting messages
• A number of security problems were caused by analysis and design faults, both intentional and unintentional
• Information stored in computers was not necessarily more vulnerable than other forms of information
• Information loss did not necessarily occur from modification, destruction, disclosure, and unauthorized use
• Effective information security cannot necessarily be achieved by using good controls and practices
• Comprehensive, quantified risk assessment is not a valid, effective method of security review
• Business confidentiality does not require that the need-to-know principle be applied
• Authentication of identity is not based on "what you know, what you possess and what you are" but on trust
• Computer viruses are not a major business security crisis
• It is not the role of the information security specialist to help improve the quality of clients' data
The systems lifecycle
[Diagram: the systems lifecycle as a cycle of Plan, Design and Implement, with Evaluate at every stage]

Planning for IS security
• A well conceived corporate plan establishes a basis for developing a security vision
• A secure organization lays emphasis on the quality of its operations
• A security policy denotes specific responses to specific recurring situations and hence cannot be considered a top level document
• Information systems security planning is of significance if there is a concurrent security evaluation procedure

Designing IS security
• The adherence to a specific security design ideal determines the overall security of a system
• Good security design will lay more emphasis on 'correctness' during system specification
• A secure design should not impose any particular controls, but choose appropriate ones based on the real setting

Implementing IS security
• Successful implementation of security measures can be brought about if analysts consider the informal organization before the formal
• Implementation of security measures should take a 'situational issue-centered' approach
• To facilitate successful implementation of security controls, organizations need to share and develop expertise and commitment between the 'experts' and managers

Evaluating IS security
• Security evaluation can only be carried out if the nature of an organization is understood
• The level of security cannot be quantified and measured; it can only be interpreted
• Security evaluation cannot be based on the expert viewpoint of any one individual; rather, an analysis of all stakeholders should be carried out
Principles for managing IS security
Planning
• A well conceived corporate plan establishes a basis for developing a security vision
• A secure organization lays emphasis on the quality of its operations
• A security policy denotes specific responses to specific recurring situations and hence cannot be considered a top level document
• Information systems security planning is of significance if there is a concurrent security evaluation procedure
Design
• The adherence to a specific security design ideal determines the overall security of a system
• Good security design will lay more emphasis on 'correctness' during system specification
• A secure design should not impose any particular controls, but choose appropriate ones based on the real setting
Implementation
• Successful implementation of security measures can be brought about if analysts consider the informal organization before the formal
• Implementation of security measures should take a 'situational issue-centered' approach
• To facilitate successful implementation of security controls, organizations need to share and develop expertise and commitment between the 'experts' and managers
Evaluation
• Security evaluation can only be carried out if the nature of an organization is understood
• The level of security cannot be quantified and measured; it can only be interpreted
• Security evaluation cannot be based on the expert viewpoint of any one individual; rather, an analysis of all stakeholders should be carried out
Consolidated principles
• Education, training and awareness, although important, are not sufficient conditions for managing information security. A focus on developing a security culture goes a long way in developing and sustaining a secure environment.
• Responsibility, integrity, trust and ethicality are the cornerstones for maintaining a secure environment.
• Establishing a boundary between what can be formalized and what should be norm based is the basis for establishing appropriate control measures.
• Rules for managing information security have little relevance unless they are contextualized.
• In managing the security of technical systems a rationally planned grandiose strategy will fall short of achieving the purpose.
• Formal models for maintaining the confidentiality, integrity and availability (CIA) of information cannot be applied to commercial organizations on a grand scale. Micro-management for achieving CIA is the way forward.