IS Integrity and Security GP Dhillon, PhD Associate Professor of IS School of Business, VCU


Page 1

IS Integrity and Security

GP Dhillon, PhD
Associate Professor of IS
School of Business, VCU

Page 2

The emergent form

[Figure: a 2x2 grid plotting External Coalition (Strong / Weak) against Internal Coalition (Strong / Weak)]

Page 3

Problem

Page 4

Problem

• According to the latest UK Audit Commission report, between 1990 and 1994 there was a 183% increase in the value of cases

• Computer fraud has increased 8 times since the previous report

• Average cost of a computer security breach was approx. $42,000

• In 1997 the Audit Commission found organizations reporting computer security problems to have increased from 34% in 1994 to 45% in 1997

Page 5

What’s happening out there?

• Electronic point-of-sale transactions in the US went up from 38 per day in 1985 to 1.2 million per day in 1993

• In international currency markets, partners transfer an average of $800 billion every day

• Among US banks about $1 trillion is transferred daily

• In the New York markets $2 trillion worth of securities are traded daily

Page 6

Shocking news ….

• 25% of organizations did not have computer audit skills

• 60% of organizations had no security awareness

• 80% of the organizations did not conduct a risk analysis

• In the UK 98% of the organizations had failed to implement the British Standards Institution’s BS 7799 (although 20,000 copies were sold)

Page 7

Other facts

• In 1996 companies spent $830 million on information security technology to guard against potential abuses

• In 1996 a Computer Security Institute survey found 42% of Fortune 500 companies reporting computer security breaches

• In 1999 the Computer Security Institute reported losses amounting to nearly $124 million (theft of proprietary information $42.5 million; financial fraud $39.7 million; laptop theft $13 million)

Page 8

Survey results: perceived threat to information security

Page 9

Survey results: physical security precautions in use

Page 10

Survey results: technology security precautions in use

Page 11

Security risks: the dominant view

• Password sniffing/cracking software

• Spoofing attacks

• Denial of service attacks

• Direct attacks:

– Man-in-the-middle: packet sniffs on the link between the two end points, and can therefore pretend to be one end of the connection

– Routing redirect: redirects routing information from the original host to the hacker's host (this is another form of man-in-the-middle attack)
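The man-in-the-middle described above, as an added example that is not part of the original deck: an attacker who can read the link between two end points can rewrite a cleartext message and pass it on as if it came from the sender. The "link" is simulated in memory, and the transfer-instruction format, the host names and the pre-shared key are assumptions made for the demonstration. The second half shows the minimum change that makes the rewrite detectable, a keyed HMAC the relay cannot recompute.

```python
"""Added example (not from the original slides): a man-in-the-middle on a
cleartext link, then the same exchange with a keyed integrity check.
Message format, names and key are assumptions for the demonstration."""
import hashlib
import hmac
import json


def build_message(sender, recipient, amount):
    """Serialize a hypothetical funds-transfer instruction (constructed format)."""
    return json.dumps({"from": sender, "to": recipient, "amount": amount},
                      sort_keys=True).encode()


def mitm_relay(wire_bytes):
    """Attacker sitting on the link: reads the cleartext, changes the
    beneficiary and forwards the altered bytes, impersonating the sender."""
    msg = json.loads(wire_bytes)
    msg["to"] = "attacker-account"
    return json.dumps(msg, sort_keys=True).encode()


def deliver_cleartext(sender, recipient, amount, relay=None):
    """Receiver with no integrity protection: whatever arrives is acted on."""
    wire = build_message(sender, recipient, amount)
    if relay is not None:
        wire = relay(wire)
    return json.loads(wire)


def protected_send(key, sender, recipient, amount):
    """Sender appends an HMAC-SHA256 tag under a key the relay does not hold."""
    wire = build_message(sender, recipient, amount)
    tag = hmac.new(key, wire, hashlib.sha256).digest()
    return wire, tag


def protected_receive(key, wire, tag):
    """Receiver recomputes the tag; a tampered message is rejected (None)."""
    expected = hmac.new(key, wire, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):   # constant-time comparison
        return None
    return json.loads(wire)


def deliver_protected(key, sender, recipient, amount, relay=None):
    """Same exchange as deliver_cleartext, but with the tag travelling alongside."""
    wire, tag = protected_send(key, sender, recipient, amount)
    if relay is not None:
        wire = relay(wire)          # the relay can still alter the bytes ...
    return protected_receive(key, wire, tag)   # ... but the receiver notices


if __name__ == "__main__":
    KEY = b"shared-secret-for-demo"   # assumed pre-shared key
    print("cleartext link:", deliver_cleartext("alice", "bob", 1000, relay=mitm_relay))
    print("protected link:", deliver_protected(KEY, "alice", "bob", 1000, relay=mitm_relay))
```

The tag stops the relay from altering a message unnoticed, which is the attack the slide describes; it does nothing about the relay reading the cleartext or replaying an old, correctly tagged message, so a real protocol also needs confidentiality and a nonce or sequence number, and the routing-redirect variant is defeated only if the receiver authenticates the sender rather than the path.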

Page 12

Security risks: a more realistic view (based on Office of Technology Assessment, USA and Dhillon, 1997)

• Human error

• Analysis and design faults

• Violations of safeguards by trusted personnel

• Environmental damage

• System intruders

• Malicious software, viruses, worms

Page 13

The reality

• White-collar crime: (e.g. the Kidder Peabody & Co case)

• Theft: (e.g. the ‘Salami Slicers’)

• Stolen services: (economic espionage costs US $50b a year)

• Smuggling: (the case of ‘One Happy Island’)

• Terrorism: (problems in FedWire; SWIFT)

• Child pornography: (securing a global village)

Page 14

How have we dealt with these issues? The risk management process

[Figure: risk management cycle with the stages Strategic Security Planning, Risk Analysis, Implementation, and Monitoring and Compliance Testing, with Follow-up (initiation) and Follow-up (planning) steps feeding back into planning]

Page 15

Risk analysis

[Figure: components of risk analysis: Asset definition & valuation; Threat assessment; Vulnerability assessment; Constraints; Security objectives; Determination of measures of risks; Measure of impact; Selection of safeguards]

Page 16

Outcomes of risk analysis

• Results are expressed in monetary units (R = P * C: risk as the probability of a loss event multiplied by the cost of that loss)

• Admits that security is a capital investment opportunity

• Defers the security “option” to higher authority
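The risk analysis of pages 15 and 16 carried through in working code, as an added example that is not part of the original deck: each threat gets R = P * C, and a safeguard is selected when the expected loss it removes exceeds its own annual cost, which is what "security as a capital investment" means in practice. Every asset, threat, probability, cost and safeguard below is constructed for the illustration and is not drawn from the Audit Commission or CSI figures cited earlier.

```python
"""Added example, not from the original slides: the quantified risk
analysis the deck describes, with risk in monetary units as R = P * C
(annual probability of a loss event times the cost of that loss) and
safeguards chosen by comparing their annual cost with the risk they
remove. All threats, probabilities, costs and safeguards are constructed."""


def risk(probability, cost):
    """R = P * C: expected annual loss from one threat."""
    return probability * cost


# Constructed threat list: p is an annual probability, cost the loss if it occurs.
THREATS = [
    {"name": "fraud by trusted staff", "p": 0.10, "cost": 400_000},
    {"name": "password sniffing", "p": 0.30, "cost": 50_000},
    {"name": "flood damage to server room", "p": 0.02, "cost": 1_000_000},
]

# Constructed safeguards: 'reduces' maps a threat name to the fraction of that
# threat's expected loss the safeguard removes (0.8 = removes 80% of it).
SAFEGUARDS = [
    {"name": "dual authorisation for payments", "annual_cost": 12_000,
     "reduces": {"fraud by trusted staff": 0.8}},
    {"name": "encrypt internal network traffic", "annual_cost": 20_000,
     "reduces": {"password sniffing": 0.9}},
    {"name": "relocate server room", "annual_cost": 15_000,
     "reduces": {"flood damage to server room": 0.95}},
]


def total_risk(threats):
    """Sum of R over all threats before any safeguard is applied."""
    return sum(risk(t["p"], t["cost"]) for t in threats)


def select_safeguards(threats, safeguards):
    """Accept a safeguard only when the expected loss it removes exceeds its
    own annual cost. Cheaper safeguards are considered first, so an earlier
    choice shrinks the benefit credited to a later one covering the same
    threat. Returns (names of chosen safeguards, residual annual risk)."""
    residual = {t["name"]: risk(t["p"], t["cost"]) for t in threats}
    chosen = []
    for sg in sorted(safeguards, key=lambda s: s["annual_cost"]):
        reduction = sum(residual.get(name, 0.0) * factor
                        for name, factor in sg["reduces"].items())
        if reduction > sg["annual_cost"]:
            chosen.append(sg["name"])
            for name, factor in sg["reduces"].items():
                if name in residual:
                    residual[name] *= 1.0 - factor
    return chosen, sum(residual.values())


def run_analysis(threats=THREATS, safeguards=SAFEGUARDS):
    """Whole procedure: baseline risk, safeguards worth buying, residual risk."""
    before = total_risk(threats)
    chosen, after = select_safeguards(threats, safeguards)
    return before, chosen, after


if __name__ == "__main__":
    before, chosen, after = run_analysis()
    print(f"annual risk before safeguards: {before:,.0f}")
    print(f"safeguards worth buying: {chosen}")
    print(f"residual annual risk: {after:,.0f}")
```

With the constructed figures the network encryption is rejected because it costs more than the 15,000 of annual risk it addresses; halving the guessed probability of staff fraud would likewise drop dual authorisation. The whole decision rests on probability estimates that are rarely known for insider violations or design faults, which is the weakness the deck returns to on page 22.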

Page 17

Dhillon’s world view for IS security

[Figure: layers labelled Technical, Formal, Informal and Real World. Legend: communication loops; some social and working groups with overlapping memberships; organisational/system boundaries]

Page 18

Conceptualizing IS security issues

[Figure: Pragmatic information system and security issues ("the organizational environment"); Formal information system and security issues; Technical information systems and security issues, comprising Communication Security and Data Security]

Page 19

The RITE principles

• Responsibility (and knowledge of Roles)

• Integrity (as requirement of Membership)

• Trust (as distinct from Control)

• Ethicality (as opposed to Rules)

Page 20

Principles for managing IS security

Page 21

Background to the development of IS security principles

• Spent about 18 months talking to managers at various levels in a broad spectrum of firms:

– Marks & Spencer (Retail) - 7 meetings; Sainsbury (Retail) - 3 meetings; Safeway (Retail) - 6 meetings; British Telecom (Telecom) - 16 meetings; British Rail (Transport) - 2 meetings; Shell Petroleum (Oil) - 21 meetings; IBM (Computers) - 4 meetings; Telia (Swedish Telecom) - 8 meetings; Procter & Gamble (FMCG) - 3 meetings; Thames Valley Water (Public Utility) - 7

• Intensive research into a few case study organizations

– British NHS hospital (1 year)
– British Local Govt. (1 year)
– Shell Petroleum (2 years)
– ABB (1 year)
– Motorola (1 year)
– Sunrise Hospital (1 year)

Page 22

Debunking the myths

• Security was more than password control/management

• Security did not equate to encrypting messages

• A number of security problems were caused by analysis and design faults - both intentional and unintentional

• Information stored in computers was not necessarily more vulnerable than other forms of information

• Information loss did not necessarily occur from modification, destruction, disclosure, and unauthorized use

• Effective information security cannot necessarily be achieved by using good controls and practices

• Comprehensive, quantified risk assessment is not a valid, effective method of security review

• Business confidentiality does not require that the need-to-know principle be applied

• Authentication of identity is not based on “what you know, what you possess and what you are” but on trust

• Computer viruses are not a major business security crisis

• It is not the role of the information security specialist to help improve the quality of clients’ data

Page 23

The systems lifecycle

[Figure: Plan, Design, Implement, Evaluate, with an evaluate step attached to each stage]

Page 24

Planning for IS security

[Lifecycle figure: Plan / Design / Implement / Evaluate]

1. A well conceived corporate plan establishes a basis for developing a security vision

2. A secure organization lays emphasis on the quality of its operations

3. A security policy denotes specific responses to specific recurring situations and hence cannot be considered as a top level document

4. Information systems security planning is of significance if there is a concurrent security evaluation procedure

Page 25

Planning for IS security

Page 26

IS security planning process

[Figure: the IS Security Development Process aligned with the IS Development Process. Stages shown: Corporate Planning; IS Strategy Formulation; IS Security Strategy Formulation; IS Security Policy; IS Tactical Planning; Evaluation, with feedback to the planning process. Activities shown: Environment scanning; Future analysis; Organisational analysis; Provision of a framework for IS strategy formulation; Corporate information needs; IS budgets; IT acquisition policy; SWOT analysis; Risk analysis; Recognising security as a key enabler of businesses; Development of a security vision; Alignment and assessment of IS strategy and IS security with respect to corporate objectives; IS project development plans; Allocation of resources & responsibilities; IS security implementation; Identification of appropriate controls; IS audits; Security audits. Caption: IS Security Planning Process aligned with the IS Planning Process]

Page 27

Designing IS security

[Lifecycle figure: Plan / Design / Implement / Evaluate]

1. The adherence to a specific security design ideal determines the overall security of a system

2. Good security design will lay more emphasis on ‘correctness’ during system specification

3. A secure design should not impose any particular controls, but choose appropriate ones based on the real setting

Page 28

Implementing IS security

[Lifecycle figure: Plan / Design / Implement / Evaluate]

1. Successful implementation of security measures can be brought about if analysts consider the informal organization before the formal

2. Implementation of security measures should take a ‘situational issue-centered’ approach

3. To facilitate successful implementation of security controls, organizations need to share and develop expertise and commitment between the ‘experts’ and managers

Page 29

Evaluating IS security

[Lifecycle figure: Plan / Design / Implement / Evaluate]

1. Security evaluation can only be carried out if the nature of an organization is understood

2. The level of security cannot be quantified and measured; it can only be interpreted

3. Security evaluation cannot be based on the expert viewpoint of any one individual, rather an analysis of all stakeholders should be carried out

Page 30

[Figure: objectives hierarchy for IS security.
Overall objective: Maximize IS Security.
Fundamental objectives: Maximize awareness; Human resource practices; Ethical environment; Integral business processes; Management development practices; Data integrity; Organizational integrity; Privacy; Individual ethics.
Means objectives: Personal financial situation; Censure; Empowerment; Legal & procedural compliance; Information ownership; Authority structures; Trust; Communication; Access control; Information availability; Personal needs fulfillment; Work allocation practices; Responsibility & accountability; Individual characteristics; Personal beliefs; Work situation]

Page 31

Principles for managing IS security

Planning
• A well conceived corporate plan establishes a basis for developing a security vision
• A secure organization lays emphasis on the quality of its operations
• A security policy denotes specific responses to specific recurring situations and hence cannot be considered as a top level document
• Information systems security planning is of significance if there is a concurrent security evaluation procedure

Design
• The adherence to a specific security design ideal determines the overall security of a system
• Good security design will lay more emphasis on ‘correctness’ during system specification
• A secure design should not impose any particular controls, but choose appropriate ones based on the real setting

Implementation
• Successful implementation of security measures can be brought about if analysts consider the informal organization before the formal
• Implementation of security measures should take a ‘situational issue-centered’ approach
• To facilitate successful implementation of security controls, organizations need to share and develop expertise and commitment between the ‘experts’ and managers

Evaluation
• Security evaluation can only be carried out if the nature of an organization is understood
• The level of security cannot be quantified and measured; it can only be interpreted
• Security evaluation cannot be based on the expert viewpoint of any one individual, rather an analysis of all stakeholders should be carried out

Page 32

Consolidated principles

• Education, training and awareness, although important, are not sufficient conditions for managing information security. A focus on developing a security culture goes a long way in developing and sustaining a secure environment.

• Responsibility, integrity, trust and ethicality are the cornerstones for maintaining a secure environment.

• Establishing a boundary between what can be formalized and what should be norm based is the basis for establishing appropriate control measures.

• Rules for managing information security have little relevance unless they are contextualized.

• In managing the security of technical systems a rationally planned grandiose strategy will fall short of achieving the purpose.

• Formal models for maintaining the confidentiality, integrity and availability (CIA) of information cannot be applied to commercial organizations on a grand scale. Micro-management for achieving CIA is the way forward.