Introduction to Information Security Management

Transcription

1 Introduction to Information Security Management CIS 8080 Security and Privacy of Information and Information Systems Richard Baskerville Georgia State University 1 Principles Information Security Management Assumptions PFirst Principle: T-F-O model of information security P Second Principle: Incident-centered security management 2

2 Theory of Secure Information Systems Hoffman, L., Michelman, E., and Clements, D. "SECURATE - Security evaluation and analysis using fuzzy metrics," in: AFIPS National Computer Conference Proceedings, 1978, pp The natural relationship involves the association of potential intrusion activities associated with each member of the set of system objects. These threat-object relations defined a set of edges T i O j that manifest the components of insecurity or risk in systems. T 1 T 2 T 3 T 4 O 1 O 2 O 3 T n T O m O 3 Theory of Secure Information Systems The relationship between a set of system objects (each with a loss value), a set of threats (each with a likelihood), and a set of system security features (each with a resistance). In a protected system, all edges are instead prescribed in the form T i F k and F k O j that represents the insertion of security features between threats and system objects. T 1 T 2 T 3 T 4 F 1 F 2 F 3 O 1 O 2 O 3 T n F l O m T F O 4

3 Security Objects T 1 T 2 T 3 T 4 F 1 F 2 F 3 O 1 O 2 O 3 T n F l O m T F O 5 Types of Security Objects P Physical Assets < Computers and communications machinery < Attack with physical assaults PSoft Assets < Protocols and software < Attack with cracking and malicious code P Psychic Assets < Perceptions and information < Attack with data falsification 6

4 Security Threats T 1 T 2 T 3 T 4 F 1 F 2 F 3 O 1 O 2 O 3 T n F l O m T F O 7 Security Incidents Turnaround and transformation in cybersecurity Key findings from The Global State of Information Security Survey 2016, PricewaterhouseCoopers, p. 24, 8

5 Sources of Cyberthreats US cybersecurity: Progress stalled Key findings from the 2015 US State of Cybercrime Survey, PricewaterhouseCoopers. p. 4 9 Frequency of Data Breach Patterns 10 Verizon Risk Team "2015 Data Breach Investigations Report." New York: Verizon, p. 31

6 Malicious Spam Cisco 2015 Annual Security Report, pp Vulnerability: Expertise ISACA 2015 Global Cybersecurity Status Report 12

7 Industry Victims 13 Verizon Risk Team "2015 Data Breach Investigations Report." New York: Verizon, p. 5 Cost of Information Security Turnaround and transformation in cybersecurity Key findings from The Global State of Information Security Survey 2016, PricewaterhouseCoopers, p. 25, 14

8 Cost per Compromised Record Verizon Risk Team "2015 Data Breach Investigations Report." New York: Verizon, p Contrasts: Insider or Outsider? 16

9 Data Breach Actors 17 Verizon Risk Team "2015 Data Breach Investigations Report." New York: Verizon, p. 4 Sources of Security Incidents Turnaround and transformation in cybersecurity Key findings from The Global State of Information Security Survey 2016, PricewaterhouseCoopers, p. 24, 18

10 Contrasts: Mobile/IoT Risks? 19 Non-adnoyance Mobile Malware Infections Verizon Risk Team "2015 Data Breach Investigations Report." New York: Verizon, p

11 Attacks on IoT Devices & Systems Turnaround and transformation in cybersecurity Key findings from The Global State of Information Security Survey 2016, PricewaterhouseCoopers, p Security Features T 1 T 2 T 3 T 4 F 1 F 2 F 3 O 1 O 2 O 3 T n F l O m T F O 22

12 Security Features International Treaties Standards CobiT ISO ISO NIST Laws Institutions Security Policies & Organizations Practices & Safeguards 23 Regulatory Compliance Improves Security Applicable regulations from: 2010/2011 CSI Computer Security Survey 24

13 Double-Edged Complexity T 1 T 2 T 3 T 4 O 1 O 2 O 3 T n T O m O T 1 T 2 T 3 T 4 F 1 F 2 F 3 O 1 O 2 O 3 T n F l O m T F O 25 Incident-Centered Security Management Baskerville, R., Spagnoletti, P., and Kim, J "Incident-Centered Information Security: Managing a Strategic Balance between Prevention and Response," Information & Management (51:1), pp LEFT OF BANG RIGHT OF BANG t Prof. Merrill Warkentin of Mississippi State University recognized the conceptual value of this IED management approach for general security management. 26

14 Modes of Protection Prevention Response t 27 Different Action Paradigms Risk Management Forensics and Incident Response t 28

15 Model Assumptions 29 Logical Structure of Models 30

16 Organizing Principles 31 Interaction of Left & Right Paradigms Left of Incident Right of Incident Indications & Warnings Prevent Refine Information System Resource Contain, Recover, Harden Threat Incident Detect Respond Deter Legislate & Policy Setting Investigate, Notify, Sue, Prosecute, Retaliate Adapted from Denning, D. E. (1999). Information Warfare and Security. Reading Mass: Addison-Wesley. 32

17 Incidents Prevention Recovery t 33 Introduction to Information Security Management CIS 8080 Security and Privacy of Information and Information Systems Richard Baskerville Georgia State University 34