INFORMATION SECURITY TECHNOLOGY AND DATA INSURANCE (ISYS)

Duration of the project: Feb 2001 to Dec 2003
Home page of the project: <www.kurt.hu>
Co-ordinator: KÜRT Computer Rendszerház Rt., Budapest
Home page: <http://www.kurt.hu>
Address: H-1112 Budapest, Péterhegyi út 98.
Phone: (36-1)-228-5410
Project leader: KÜRTI Sándor dr. <sandor.kurti@kurt.hu>
Team leader: REMZSŐ Tibor dr. <tibor.remzso@kurt.hu>
Deputy project/team leader: PAPP Attila <attila.papp@kurt.hu>

Consortium member(s):
Computer and Automation Research Institute, Hungarian Academy of Sciences (MTA SZTAKI), Budapest
Home page: <http://www.sztaki.hu>
Team leader: BENCZÚR András dr. <andras.benczur@sztaki.hu>

Department of Mathematics and Computing, University of Veszprém, Veszprém
Home page: <http://www.szt.vein.hu>
Team leader: GYŐRI István dr. <gyori@almos.vein.hu>

Keywords: information security; data recovery; statistical analysis; insurance technology; data insurance; cryptography

1. Introduction

The primary aim of the project is to lay the foundation of an information technology risk management and data insurance system. As value assessment in data insurance differs greatly from the valuation of other property, an objective methodology for determining the value of information technology assets is a vitally important research area. The Information Security Technology (ISyS) to be created by this project shall provide the basis for a homogeneous, simple and organized IT infrastructure, upon which the introduction of procedures guaranteeing a higher level of IT infrastructure security can be planned in the future.

Based on its vast experience in data recovery, KÜRT has gathered a large amount of information about information technology catastrophes and the causes of data loss. This reservoir of knowledge had not been scientifically analyzed before this project.
In cooperation with the Computer and Automation Research Institute (MTA SZTAKI) and the Department of Mathematics and Computing at the University of Veszprém, we intend to determine the factors that constitute an information technology threat to companies and organizations.

Research & Development Division, Ministry of Education, Hungary <http://www.om.hu/nkfp>
2. Main objectives of the project

IT protection currently concentrates on two basic functions:
- prevention of information loss, and
- prevention of information theft.

The creation of secure IT systems requires substantial investment of both money and manpower, and should logically be preceded by risk assessment. Today, however, a large number of organizations do not even have a set of security regulations, a security strategy or a security manual. If the management of an organization can distinguish between safe and unsafe, and can assign a required degree of security to each of its business procedures, then IT security experts can build a protection system that controls the technical gateways and shuts the door on intruders.

IT and Security Objectives

Accordingly, the strategic aim of the consortium's IT development program is to lay the foundation of IT utilization of an international standard, far more efficient than it is today, advancing progress in several important areas:
- ensuring the quality and security of IT activities, so that quality and security requirements are met in a harmonized fashion;
- securing the IT system components and their connections;
- documented regulation of IT security systems;
- defining the range and priorities of the systems, files and data to be protected;
- minimizing material damage in case of data loss;
- minimizing damage resulting from human error or negligence;
- creation and applicability analysis of mathematical methods connected with IT security;
- creation of the theoretical basis of data insurance;
- analysis of the target areas and applicability of data insurance;
- feasibility of risk management in the IT infrastructure of business organizations;
- analysis of Hungarian IT infrastructure and IT literacy against EU requirements; assessment of deviations and deficiencies; promotion of the conditions necessary for the country's accession to the EU;
- preparation of the country for joining the EU, and contribution to the IT elements of legal harmonization.

ISyS

The organic parts of ISyS are the following:
- Framework
- Data protection module
- Data security module
- IT system procedures
- IT organizational procedures
- Audit preparation
- Emergency plan

Data insurance

KÜRT possesses a large amount of information (almost 10 thousand case histories) on IT catastrophes, emergencies and data losses, and this body of information is as yet scientifically unexplored. The projected Information Security Technology (ISyS) will create the fundamentals of a homogeneous, simple and organized IT infrastructure. However, given the rapid progress of information technology and the limited resources available, a complete and final solution for every conceivable risk and problem is next to impossible: unexpected problems can always arise, and new solutions can themselves introduce new risks and problems.

In our research on company IT security, we intend to follow and study the trends of international attack cases, because whatever happens in the outside world can also happen in Hungary. During our research, we will attempt to assess the number and direction of potential attacks.

For insurance risk assessment, we will employ specialists with expertise in cryptographic systems. Relying on the theoretical and practical cryptography expertise of our researchers, our target is to explore the available literature and standards in order to incorporate this expertise into our security technology directives and requirements, and also, in case of damage, to provide adequate means for finding the causes and for detecting insurance fraud attempts.

On the above mathematical basis, within our research and development activity, we intend to examine primarily the practical applicability of mathematical methods (statistics, probability, game theory, risk analysis) suited to modeling the simple handling and analysis of large quantities of data, decision making under incomplete information, and forecasting future processes from current information, in order to put these techniques to practical use in industry.
Data insurance is a brand new concept in the insurance business, and it is very hard, if not impossible, to grasp, mainly because the definition of value differs from that of other kinds of property. An important field of research will be to examine how computer data can become an object of insurance on a mass scale, like automobiles. The consortium intends to engage in this research project by making use of its vast experience in information technology, data recovery and mathematics.

An insurance methodology that can be applied simply, coherently and with the necessary automation can only be created on two conditions: it must guarantee adequate compensation for the client in case of damage, and it must allow the insurance companies to make a reasonable profit on this kind of service.

The objective of this research and development project is to increase data security, to reduce the risk of data loss and unauthorized data access, and to outline the foundations of an IT insurance system that provides a high quality risk management service for its clients.

Both in the field of ISyS and in data insurance, the factors threatening the individual system components must be identified, the probability of their occurrence and the estimated damage must be defined in advance, the effects of the elements on each other have to be assessed, and an overall risk value has to be defined for the entire system (in its simplest form, the sum over all threats of occurrence probability times expected damage, corrected for the dependencies between components). These values must not be the product of intuitive guesswork; to obtain exact figures, a number of complex mathematical tools and methods must be applied. These tools are available at the Mathematics and Computing Department of the University of Veszprém and at the research base of MTA SZTAKI.

The system to be realized by this project presents a number of theoretical problems in various fields of mathematics: mathematical statistics, risk analysis, database theory, combinatorics, image recognition and cryptography. The range of phenomena commonly known as data loss also raises a number of questions we want to answer in our research, such as:
- Statistical examination of the damage process (the total sum of damages up to a given moment, as a function of time and chance). The data loss cases in KÜRT's data recovery experience provide the causes (virus, operating system malfunction, human error, etc.) needed to prepare such statistics.
- The distribution of (physical and intellectual) damages converted to financial terms. It must be determined which of the distribution families described in the insurance mathematics literature (Pareto, lognormal, etc.) can be fitted to the available data.
- The above models and results will provide a foundation for defining net insurance premiums according to various theoretical principles, e.g. the expected value principle, the positive distribution principle, the average value principle, etc.
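The following is an added example, written for this page and not code from the ISyS project or from KÜRT, showing the chain of steps the list above describes on constructed data: cleansing the damage records, building the aggregate damage process S(t), computing a per-cause risk value (annual frequency times mean severity), fitting lognormal and Pareto severity models, and pricing a net annual premium. The case records, the 90-day observation window, the choice of a Poisson claim count, and the loading coefficients are all illustrative assumptions; the standard deviation and variance principles are textbook premium principles added alongside the expected value principle named on the page.

```python
"""Added example (not part of the original project description): from a set
of constructed data-loss case records, build the aggregate damage process,
fit severity models, and price a net annual premium."""
import math
import statistics

# Constructed sample records (day of loss, cause, financial loss in HUF).
# Illustrative data, NOT KÜRT case histories. Two rows are deliberately
# faulty to exercise the data-cleansing step.
RAW_CASES = [
    (3, "virus", 1_200_000), (9, "human error", 450_000),
    (15, "os malfunction", 2_800_000), (15, "virus", -50),  # negative: invalid
    (22, "human error", 300_000), (30, "hw failure", 9_500_000),
    (41, "virus", None),                                    # missing: invalid
    (58, "human error", 620_000), (63, "hw failure", 4_100_000),
    (77, "virus", 150_000), (90, "os malfunction", 1_050_000),
]
OBSERVATION_DAYS = 90  # assumed length of the observation window


def clean(cases):
    """Data cleansing: keep only records with a known, positive loss."""
    return [c for c in cases if c[2] is not None and c[2] > 0]


def aggregate_process(cases, horizon):
    """S(t) = total damage up to day t, sampled for t = 0..horizon."""
    by_day = {}
    for day, _cause, loss in cases:
        by_day[day] = by_day.get(day, 0) + loss
    totals, running = [], 0
    for t in range(horizon + 1):
        running += by_day.get(t, 0)
        totals.append(running)
    return totals


def expected_annual_loss_by_cause(cases, horizon):
    """Per-threat risk value: annual frequency x mean severity for each
    cause. Summing the values gives the empirical annual expected loss."""
    per_cause = {}
    for _day, cause, loss in cases:
        per_cause.setdefault(cause, []).append(loss)
    scale = 365 / horizon
    return {c: len(v) * scale * statistics.fmean(v) for c, v in per_cause.items()}


def fit_lognormal(losses):
    """Moment fit on the log scale: returns (mu, sigma)."""
    logs = [math.log(x) for x in losses]
    return statistics.fmean(logs), statistics.pstdev(logs)


def fit_pareto(losses):
    """Pareto type I maximum-likelihood shape, with scale = smallest loss."""
    x_min = min(losses)
    alpha = len(losses) / sum(math.log(x / x_min) for x in losses)
    return x_min, alpha


def compound_poisson_moments(annual_rate, mu, sigma):
    """E[S] and Var[S] for annual loss S with Poisson(annual_rate) claim
    count and lognormal(mu, sigma) severity X:
    E[S] = rate * E[X],  Var[S] = rate * E[X^2]."""
    ex = math.exp(mu + sigma ** 2 / 2)
    ex2 = math.exp(2 * mu + 2 * sigma ** 2)
    return annual_rate * ex, annual_rate * ex2


def net_premiums(mean, var, loading=0.2, sd_coef=0.5, var_coef=1e-8):
    """Net premium under three textbook principles. The coefficients are
    illustrative assumptions, not values from the project."""
    return {
        "expected_value": (1 + loading) * mean,
        "standard_deviation": mean + sd_coef * math.sqrt(var),
        "variance": mean + var_coef * var,
    }


def price_portfolio(cases=RAW_CASES, horizon=OBSERVATION_DAYS):
    """Whole pipeline: cleanse, estimate frequency, fit severity, price."""
    good = clean(cases)
    losses = [loss for _d, _c, loss in good]
    annual_rate = len(good) * 365 / horizon
    mu, sigma = fit_lognormal(losses)
    mean, var = compound_poisson_moments(annual_rate, mu, sigma)
    return {
        "n_valid": len(good),
        "annual_rate": annual_rate,
        "lognormal": (mu, sigma),
        "pareto": fit_pareto(losses),
        "model_mean": mean,
        "empirical_mean": sum(expected_annual_loss_by_cause(good, horizon).values()),
        "premiums": net_premiums(mean, var),
    }
```

With only a handful of records the lognormal model mean differs from the empirical annual loss, which is exactly the point of the distribution-fitting task on the page: the choice of severity family (and how its tail is estimated) drives the premium far more than the loading coefficient does, so a practitioner should compare the fitted and empirical means before trusting either.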
Credibility theory can also be used to assess net premiums by studying public statistics on the valuation of data files.

Completing this project will inevitably require tools from the area of data mining. The study and processing of KÜRT's data bank of damage cases and of other relevant public data collections will lead to such tasks. Information extraction of this kind starts with data cleansing: the handling of noisy, faulty or defective data. The next step is data integration and data selection, which precisely define the range of data used for analysis and convert it into a unified form independent of its source. Only then can the regularities (patterns, association rules, etc.) within the data be explored.

The results of the statistical analysis can also be utilized over a shorter time span, within risk management. Based on the analysis and the connected research, KÜRT's ISyS technology can be extended with a new component that provides a finer and more exact risk assessment.

3. Utilization, expected economic results, direct and indirect effects of the project

The whole world seems to be entangled in a network of information technology. Real-life events and visions concerning Internet opportunities are the driving force behind quality improvement in IT devices. The concept of IT quality will bring about a new product: information technology insurance. Traditional industries have gone through the same line of progress.
The technology in its current form primarily offers value-for-money, optimized security solutions for large, multinational organizations. In 2004, we intend to launch a subset of the whole technology, the IT Protection Shield (ITPS). IT Protection Shield is simpler than ISyS, providing efficient and cost-effective planning, modeling, execution and regulation procedures for small and medium-sized enterprises.

Generally speaking, data insurance is a sound investment for a company or organization if eliminating the risks discovered in its system would cost far more than the damage expected in case of data loss.

Future target groups of data insurance services can be found on both sides of the business sphere. Data insurance as a product will undoubtedly be offered by insurance companies. Data insurance as a service will presumably spread among clients such as:
- Internet service providers;
- content providers;
- banks and other financial institutions;
- companies, organizations and institutions which store large quantities of electronic data considered valuable for business or personal-rights reasons;
- companies and organizations which rely on massive IT support in their business and production processes;
- companies and organizations which use valuable business-to-business or business-to-consumer techniques;
- companies and organizations which use valuable business-to-administration or consumer-to-administration techniques;
- government organizations, for which IT security and IT insurance measures should become mandatory in the near future.

4. European Dimensions

In December 1999, the European Commission announced the eEurope initiative to harvest the fruits of available digital technologies and to create an Information Society across Europe. The European Council, meeting at Feira in June 2000, decided that the action plan adopted there has to be executed by the end of 2002. This action plan puts extra emphasis on network security and the fight against network crime. The European Commission will, among other things, initiate the establishment of police units against international computer crime in countries where such units have not yet been set up, and support training courses and programs. At the technology level, the Commission will support research and development into methods for eliminating risks and vulnerabilities, and the dissemination of the related know-how.

The realization of this project may result in Hungary joining this initiative and playing a prominent role in it. Besides direct domestic utilization, this project can also help Hungary attain a position in European IT security research and development appropriate to the country's reputation and intellectual capacity.