Introduction to Information
Security Management
CIS 8080
Security and Privacy of Information
and Information Systems
Richard Baskerville
Principles
• First Principle: T-F-O model of information security
• Second Principle: Incident-centered security management
Information Security Management Assumptions
Theory of Secure Information Systems
• The natural relationship associates the potential intrusion activities (threats) with each member of the set of system objects. These threat-object relations define a set of edges TiOj that manifest the components of insecurity, or risk, in systems.
Hoffman, L., Michelman, E., and Clements, D. "SECURATE - Security evaluation and analysis using fuzzy metrics," in: AFIPS National Computer Conference Proceedings, 1978, pp. 531-540.
[Figure: T-O graph. Threats T1, T2, T3, T4 ... Tn on one side, objects O1, O2, O3 ... Om on the other; each edge TiOj is a threat-object relation.]
Theory of Secure Information Systems
• In a protected system the model relates a set of system objects (each with a loss value), a set of threats (each with a likelihood), and a set of system security features (each with a resistance). All edges are instead prescribed in the form TiFk and FkOj, representing the insertion of security features between threats and system objects.
[Figure: T-F-O graph. Threats T1 ... Tn, security features F1 ... Fl, objects O1 ... Om; every path runs threat to feature to object, with no direct TiOj edge.]
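The T-F-O model as a small executable graph, added here as an illustration rather than code from the slides or from the SECURATE paper. The slides give no formula for how resistance reduces exposure, so the one used below (a direct TiOj edge passes the threat fully, a mediated path passes 1 - resistance, and the weakest parallel path dominates) is an assumption, and the threat, object and feature values are constructed.

```python
from collections import namedtuple
Threat = namedtuple("Threat", "name likelihood")        # T_i: likelihood in [0, 1]
SystemObject = namedtuple("SystemObject", "name loss")  # O_j: loss value if compromised
Feature = namedtuple("Feature", "name resistance")      # F_k: resistance in [0, 1]

class TFOModel:
    """Threat-Feature-Object graph: edges T_i O_j, T_i F_k and F_k O_j."""
    def __init__(self):
        self.to_edges = set()  # unmediated T_i O_j edges: the insecurity in the system
        self.tf_edges = set()  # T_i F_k edges
        self.fo_edges = set()  # F_k O_j edges

    def expose(self, t, o):
        self.to_edges.add((t, o))

    def protect(self, t, f, o):
        # Replace the T_i O_j edge by the pair T_i F_k, F_k O_j (a protected system).
        self.to_edges.discard((t, o))
        self.tf_edges.add((t, f))
        self.fo_edges.add((f, o))

    def unprotected_edges(self):
        return sorted((t.name, o.name) for t, o in self.to_edges)

    def exposure(self, t, o):
        # Assumed formula (not from the slides): a direct edge passes the threat
        # fully, a mediated path passes 1 - resistance, the weakest path dominates.
        if (t, o) in self.to_edges:
            return 1.0
        paths = [1.0 - f.resistance for (t2, f) in self.tf_edges
                 if t2 == t and (f, o) in self.fo_edges]
        return max(paths, default=0.0)

    def expected_loss(self):
        # Sum of likelihood x loss x residual exposure over every threat-object pair.
        pairs = set(self.to_edges) | {(t, o) for (t, f) in self.tf_edges
                                      for (g, o) in self.fo_edges if g == f}
        return sum(t.likelihood * o.loss * self.exposure(t, o) for t, o in pairs)

def demo():
    # Constructed sample values; the slide's asset types are used as object names.
    malware, assault = Threat("malicious code", 0.30), Threat("physical assault", 0.05)
    server, data = SystemObject("server", 100_000), SystemObject("customer data", 400_000)
    m = TFOModel()
    for t, o in [(malware, server), (malware, data), (assault, server)]:
        m.expose(t, o)
    before = m.expected_loss()
    m.protect(malware, Feature("antivirus", 0.90), server)
    m.protect(malware, Feature("access control", 0.95), data)
    return before, m.expected_loss(), m.unprotected_edges()
```

The remaining unprotected edge returned by `demo()` is exactly the TiOj relation the model flags as residual insecurity.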
Security Objects
[Figure: T-F-O graph (threats T1 ... Tn, features F1 ... Fl, objects O1 ... Om), repeated for the security objects slide.]
Types of Security Objects
• Physical Assets
– Computers and communications machinery
– Attack with physical assaults
• Soft Assets
– Protocols and software
– Attack with cracking and malicious code
• Psychic Assets
– Perceptions and information
– Attack with data falsification
Security Threats
[Figure: T-F-O graph (threats T1 ... Tn, features F1 ... Fl, objects O1 ... Om), repeated for the security threats slide.]
Security Incidents
Turnaround and transformation in cybersecurity: Key findings from The Global State of Information Security® Survey 2016, PricewaterhouseCoopers, p. 24, http://www.pwc.com/gx/en/issues/cyber-security/information-security-survey/download.html
Sources of Cyberthreats
ISACA January 2016 Cybersecurity Snapshot US Results, http://www.isaca.org/cyber/Documents/2016-US-Cybersecurity-Snapshot-Data-Sheet_mkt_Eng_0116.pdf
Number of Breaches Per Category Over Time (n=9,009)
Verizon Risk Team. 2016. "2016 Data Breach Investigations Report." New York: Verizon, p. 8
Vulnerability: Expertise
ISACA 2015 Global Cybersecurity Status Report www.isaca.org/cybersecurityreport
ISACA January 2016 Cybersecurity Snapshot US Results, http://www.isaca.org/cyber/Documents/2016-US-Cybersecurity-Snapshot-Data-Sheet_mkt_Eng_0116.pdf
Industry Victims
Verizon Risk Team. 2016. "2016 Data Breach Investigations Report." New York: Verizon, p. 4
Cost of Information Security
Turnaround and transformation in cybersecurity: Key findings from The Global State of Information Security® Survey 2016, PricewaterhouseCoopers, p. 25, http://www.pwc.com/gx/en/issues/cyber-security/information-security-survey/download.html
Motives for Exploits
Verizon Risk Team. 2016. "2016 Data Breach Investigations Report." New York: Verizon, p. 4
Contrasts: Insider or Outsider?
Data Breach Actors
Verizon Risk Team. 2016. "2016 Data Breach Investigations Report." New York: Verizon, p. 7
Sources of Security Incidents
Turnaround and transformation in cybersecurity: Key findings from The Global State of Information Security® Survey 2016, PricewaterhouseCoopers, p. 24, http://www.pwc.com/gx/en/issues/cyber-security/information-security-survey/download.html
Contrasts: Mobile/IoT Risks?
Non-annoyance Mobile Malware Infections
Verizon Risk Team. 2015. "2015 Data Breach Investigations Report." New York: Verizon, p. 19
Attacks on IoT Devices & Systems
Turnaround and transformation in cybersecurity: Key findings from The Global State of Information Security® Survey 2016, PricewaterhouseCoopers, p. 11, http://www.pwc.com/gx/en/issues/cyber-security/information-security-survey/download.html
Security Features
[Figure: T-F-O graph (threats T1 ... Tn, features F1 ... Fl, objects O1 ... Om), repeated for the security features slide.]
Security Features
[Figure: layers of security features, from the outermost inward: International Treaties; Standards; Laws; Institutions; Security Policies & Organizations; Practices & Safeguards. Standards named: CobiT, ISO 27002, ISO 27001, NIST.]
Feature Usage
Cisco 2016 Annual Security Report, p. 45, http://www.cisco.com/c/dam/assets/offers/pdfs/cisco-asr-2016.pdf
Formal Policy Usage
Cisco 2016 Annual Security Report, p. 46, http://www.cisco.com/c/dam/assets/offers/pdfs/cisco-asr-2016.pdf
Regulatory Compliance Improves Security
Applicable regulations from: 2010/2011 CSI Computer Security Survey
Double-Edged Complexity
[Figure: the protected T-F-O graph (threats T1 ... Tn, features F1 ... Fl, objects O1 ... Om) shown beside the unprotected T-O graph (threats T1 ... Tn, objects O1 ... Om).]
Incident-Centered Security Management
Baskerville, R., Spagnoletti, P., and Kim, J. 2014. "Incident-Centered Information Security: Managing a Strategic Balance between Prevention and Response," Information & Management (51:1), pp 138-151.
[Figure: timeline t with the incident ("bang") at the center; "Left of Bang" before it, "Right of Bang" after it.]
Prof. Merrill Warkentin of Mississippi State University recognized the conceptual value of this IED management approach for general security management.
Modes of Protection
[Figure: timeline t; Prevention left of the incident, Response right of it.]
Different Action Paradigms
[Figure: timeline t; Risk Management left of the incident, Forensics and Incident Response right of it.]
[Table comparing the two paradigms by: Model Assumptions; Logical Structure of Models; Organizing Principles.]
Interaction of Left & Right Paradigms
[Figure: a Threat acting on an Information System Resource, with an Incident dividing Left of Incident from Right of Incident. Labels: Legislate & Policy Setting; Deter; Prevent; Indications & Warnings; Detect; Respond; Contain, Recover, Harden; Investigate, Notify, Sue, Prosecute, Retaliate; Refine.]
Adapted from Denning, D. E. (1999). Information Warfare and Security. Reading Mass: Addison-Wesley.
Incidents
[Figure: timeline t; Prevention left of the incident, Recovery right of it.]