IS Integrity and Security

GP Dhillon, PhD

Associate Professor of IS

School of Business, VCU


The emergent form

[Diagram: a two-by-two grid plotting the External Coalition (Strong / Weak) against the Internal Coalition (Strong / Weak)]


Problem

  • According to the latest UK Audit Commission report, between 1990 and 1994 there was a 183% increase in the value of cases

  • Computer fraud has increased 8 times since the previous report

  • Average cost of a computer security breach was approx. $42,000

  • In 1997 the Audit Commission found organizations reporting computer security problems to have increased from 34% in 1994 to 45% in 1997


What’s happening out there?

  • Electronic point-of-sale transactions in the US went up from 38 per day in 1985 to 1.2 million per day in 1993

  • In international currency markets, partners transfer an average of $800 billion every day

  • Among US banks about $1 trillion is transferred daily

  • In the New York markets $2 trillion worth of securities are traded daily


Shocking news ….

  • 25% of organizations did not have computer audit skills

  • 60% of organizations had no security awareness

  • 80% of the organizations did not conduct a risk analysis

  • In the UK 98% of the organizations had failed to implement the British Standards Institution’s BS 7799 (although 20,000 copies were sold)


Other facts

  • In 1996 companies spent $830 million on information security technology to guard against potential abuses

  • In 1996 a Computer Security Institute survey found 42% of Fortune 500 companies reporting computer security breaches

  • In 1999 the Computer Security Institute reported losses amounting to nearly $124 million (theft of proprietary information $42.5 million; financial fraud $39.7 million; laptop theft $13 million)


Survey results: perceived threat to information security


Survey results: physical security precautions in use


Survey results: technology security precautions in use


Security risks: the dominant view

  • Password sniffing/cracking software

  • Spoofing attacks

  • Denial of service attacks

  • Direct attacks

  • Man-in-the-middle

    • The attacker sniffs packets on the link between the two end points and can therefore pretend to be one end of the connection

  • Routing redirect

    • Redirects routing information from the original host to the hacker's host (this is another form of man-in-the-middle attack).


Security risks: a more realistic view (based on Office of Technology Assessment, USA and Dhillon, 1997)

  • Human error

  • Analysis and design faults

  • Violations of safeguards by trusted personnel

  • Environmental damage

  • System intruders

  • Malicious software, viruses, worms


The reality

  • White-collar crime: (e.g. the Kidder Peabody & Co case)

  • Theft: (e.g. the ‘Salami Slicers’)

  • Stolen services: (economic espionage costs US $50b a year)

  • Smuggling: (the case of ‘One Happy Island’)

  • Terrorism: (problems in FedWire; SWIFT)

  • Child pornography: (securing a global village)


How have we dealt with these issues? The risk management process

[Diagram: the risk management cycle, with the stages Strategic Security Planning, Risk Analysis, Implementation, Testing, Monitoring and Compliance, and Follow-up (initiation and planning)]


Risk analysis

[Diagram: the components of risk analysis: Security Objectives, Constraints, Asset definition & Valuation, Threat Assessment, Vulnerability Assessment, Measure of impact, Determination of measures of risks, and Selection of Safeguards]


Outcomes of risk analysis

  • Results are expressed in monetary units (R = P * C)

  • Admits that security is a capital investment opportunity

  • Defers security “option” to higher authority
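The risk analysis components named on the earlier slide (asset definition and valuation, threat assessment, vulnerability assessment, measure of impact, determination of measures of risk, and selection of safeguards under constraints) and the monetary outcome R = P * C can be carried through end to end. The Python below is an added example, not code from the presentation: the assets, threats, safeguards and all their figures are constructed, and the greedy, budget-constrained choice of safeguards is one assumed way of performing the "selection of safeguards" step.

```python
"""Worked risk analysis in monetary units (R = P * C), constructed example."""
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class Asset:
    name: str
    value: float          # asset definition & valuation (monetary units)


@dataclass(frozen=True)
class Threat:
    name: str
    probability: float    # threat assessment: expected occurrences per year (P)
    impact: float         # measure of impact: fraction of asset value lost per occurrence


@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float
    reduction: float      # vulnerability assessment: fraction of P removed when applied
    covers: tuple         # names of the threats this safeguard addresses


def risk(asset, threat, safeguards=()):
    """R = P * C for one asset/threat pair; each applicable safeguard scales P down."""
    p = threat.probability
    for s in safeguards:
        if threat.name in s.covers:
            p *= 1.0 - s.reduction
    cost = asset.value * threat.impact      # C: money lost per occurrence
    return p * cost


def risk_register(assets, threats, safeguards=()):
    """Determination of measures of risk: monetary exposure per asset/threat pair."""
    return {(a.name, t.name): risk(a, t, safeguards) for a, t in product(assets, threats)}


def total_risk(assets, threats, safeguards=()):
    return sum(risk_register(assets, threats, safeguards).values())


def select_safeguards(assets, threats, candidates, budget):
    """Selection of safeguards under a budget constraint (assumed greedy method):
    repeatedly add the candidate with the largest positive net benefit
    (risk removed minus annual cost) that still fits the remaining budget."""
    chosen, pool, remaining = [], list(candidates), budget
    while True:
        base = total_risk(assets, threats, chosen)
        best, best_net = None, 0.0
        for s in pool:
            if s.annual_cost > remaining:
                continue
            net = base - total_risk(assets, threats, chosen + [s]) - s.annual_cost
            if net > best_net:
                best, best_net = s, net
        if best is None:
            return chosen
        chosen.append(best)
        pool.remove(best)
        remaining -= best.annual_cost


# Constructed sample data (not taken from the presentation).
ASSETS = (Asset("Customer database", 500_000.0), Asset("Payroll system", 200_000.0))
THREATS = (
    Threat("Human error", probability=0.5, impact=0.02),
    Threat("Malicious software", probability=0.2, impact=0.10),
    Threat("System intruder", probability=0.05, impact=0.40),
)
CANDIDATES = (
    Safeguard("Staff training", 3_000.0, 0.5, ("Human error",)),
    Safeguard("Anti-virus on all workstations", 2_000.0, 0.8, ("Malicious software",)),
    Safeguard("Perimeter firewall", 6_000.0, 0.6, ("System intruder",)),
    Safeguard("External audit", 12_000.0, 0.3, ("System intruder", "Malicious software")),
)
BUDGET = 10_000.0   # the "constraints" input to the analysis


def analyse(assets=ASSETS, threats=THREATS, candidates=CANDIDATES, budget=BUDGET):
    """Run the whole analysis and return the figures a manager would be shown."""
    chosen = select_safeguards(assets, threats, candidates, budget)
    return {
        "register": risk_register(assets, threats),
        "total_risk": total_risk(assets, threats),
        "selected": [s.name for s in chosen],
        "spend": sum(s.annual_cost for s in chosen),
        "residual_risk": total_risk(assets, threats, chosen),
    }


if __name__ == "__main__":
    for key, value in analyse().items():
        print(f"{key}: {value}")
```

Because every result is a monetary figure, the output reads as a capital-investment case: the annual spend on the chosen safeguards sits beside the exposure they remove, which is exactly the framing the slide criticises when it notes that this "defers the security option to higher authority".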


Dhillon’s world view for IS security


Conceptualizing IS security issues

[Diagram: nested layers of IS security issues, from Communication Security and Data Security at the core, through Technical information systems and security issues, Formal information system and security issues, and Pragmatic information system and security issues, to "The organizational environment" as the outermost layer]


The RITE principles

  • Responsibility (and knowledge of Roles)

  • Integrity (as requirement of Membership)

  • Trust (as distinct from Control)

  • Ethicality (as opposed to Rules)


Principles for managing IS security


Background to the development of IS security principles

  • Spent about 18 months talking to managers at various levels in a broad spectrum of firms:

    • Marks & Spencer (Retail) - 7 meetings

    • Sainsbury (Retail) - 3 meetings

    • Safeway (Retail) - 6 meetings

    • British Telecom (Telecom) - 16 meetings

    • British Rail (Transport) - 2 meetings

    • Shell Petroleum (Oil) - 21 meetings

    • IBM (Computers) - 4 meetings

    • Telia (Swedish Telecom) - 8 meetings

    • Procter & Gamble (FMCG) - 3 meetings

    • Thames Valley Water (Public Utility) - 7

  • Intensive research into a few case study organizations

    • British NHS hospital (1 year)

    • British Local Govt. (1 year)

    • Shell Petroleum (2 years)

    • ABB (1 year)

    • Motorola (1 year)

    • Sunrise Hospital (1 year)


Debunking the myths

  • Security was more than password control/management

  • Security did not equate to encrypting messages

  • A number of security problems were caused by analysis and design faults - both intentional and unintentional

  • Information stored in computers was not necessarily more vulnerable than other forms of information

  • Information loss did not necessarily occur from modification, destruction, disclosure, and unauthorized use

  • Effective information security cannot necessarily be achieved by using good controls and practices

  • Comprehensive, quantified risk assessment is not a valid, effective method of security review

  • Business confidentiality does not require that the need-to-know principle be applied

  • Authentication of identity is not based on “what you know, what you possess and what you are” but on trust

  • Computer viruses are not a major business security crisis

  • It is not the role of the information security specialist to help improve the quality of clients’ data


The systems lifecycle

[Diagram: the systems lifecycle of Plan, Design and Implement, with Evaluate recurring at every stage]


Planning for IS security

  • A well conceived corporate plan establishes a basis for developing a security vision

  • A secure organization lays emphasis on the quality of its operations

  • A security policy denotes specific responses to specific recurring situations and hence cannot be considered as a top level document

  • Information systems security planning is of significance if there is a concurrent security evaluation procedure



IS security planning process


Designing IS security

  • The adherence to a specific security design ideal determines the overall security of a system

  • Good security design will lay more emphasis on ‘correctness’ during system specification

  • A secure design should not impose any particular controls, but choose appropriate ones based on the real setting


Implementing IS security

  • Successful implementation of security measures can be brought about if analysts consider the informal organization before the formal

  • Implementation of security measures should take a ‘situational issue-centered’ approach

  • To facilitate successful implementation of security controls, organizations need to share and develop expertise and commitment between the ‘experts’ and managers


Evaluating IS security

  • Security evaluation can only be carried out if the nature of an organization is understood

  • The level of security cannot be quantified and measured; it can only be interpreted

  • Security evaluation cannot be based on the expert viewpoint of any one individual, rather an analysis of all stakeholders should be carried out


Principles for managing IS security

  • Planning

    • A well conceived corporate plan establishes a basis for developing a security vision

    • A secure organization lays emphasis on the quality of its operations

    • A security policy denotes specific responses to specific recurring situations and hence cannot be considered as a top level document

    • Information systems security planning is of significance if there is a concurrent security evaluation procedure

  • Design

    • The adherence to a specific security design ideal determines the overall security of a system

    • Good security design will lay more emphasis on ‘correctness’ during system specification

    • A secure design should not impose any particular controls, but choose appropriate ones based on the real setting

  • Implementation

    • Successful implementation of security measures can be brought about if analysts consider the informal organization before the formal

    • Implementation of security measures should take a ‘situational issue-centered’ approach

    • To facilitate successful implementation of security controls, organizations need to share and develop expertise and commitment between the ‘experts’ and managers

  • Evaluation

    • Security evaluation can only be carried out if the nature of an organization is understood

    • The level of security cannot be quantified and measured; it can only be interpreted

    • Security evaluation cannot be based on the expert viewpoint of any one individual, rather an analysis of all stakeholders should be carried out


Consolidated principles

  • Education, training and awareness, although important, are not sufficient conditions for managing information security. A focus on developing a security culture goes a long way in developing and sustaining a secure environment.

  • Responsibility, integrity, trust and ethicality are the cornerstones for maintaining a secure environment.

  • Establishing a boundary between what can be formalized and what should be norm based is the basis for establishing appropriate control measures.

  • Rules for managing information security have little relevance unless they are contextualized.

  • In managing the security of technical systems a rationally planned grandiose strategy will fall short of achieving the purpose.

  • Formal models for maintaining the confidentiality, integrity and availability (CIA) of information cannot be applied to commercial organizations on a grand scale. Micro-management for achieving CIA is the way forward.
