Introduction to Information Security Management

Transcription

1 Introduction to Information Security Management CIS 8080 Security and Privacy of Information and Information Systems Richard Baskerville Principles Information Security Management Assumptions First Principle: T-F-O model of information security Second Principle: Incident-centered security management Theory of Secure Information Systems Theory of Secure Information Systems Hoffman, L., Michelman, E., and Clements, D. "SECURATE - Security evaluation and analysis using fuzzy metrics," in: AFIPS National Computer Conference Proceedings, 1978, pp The natural relationship involves the association of potential intrusion activities associated with each member of the set of system objects. These threat-object relations defined a set of edges T i O j that manifest the components of insecurity or risk in systems. The relationship between a set of system objects (each with a loss value), a set of threats (each with a likelihood), and a set of system security features (each with a resistance). In a protected system, all edges are instead prescribed in the form T i F k and F k O j that represents the insertion of security features between threats and system objects. F 1 F 2 F 3 T O m O

2 Security Objects F 1 F 2 F 3 Types of Security Objects Physical Assets Computers and communications machinery Attack with physical assaults Soft Assets Protocols and software Attack with cracking and malicious code Psychic Assets Perceptions and information Attack with data falsification Security Incidents Security Threats F 1 F 2 F 3 Turnaround and transformation in cybersecurity Key findings from The Global State of Information Security Survey 2016, PricewaterhouseCoopers, p. 24, survey/download.html

3 Sources of Cyberthreats Number of Breaches Per Category Over Time (n=9,009) ISACA January 2016 Cybersecurity Snapshot US Results Cybersecurity-Snapshot-Data-Sheet_mkt_Eng_0116.pdf Verizon Risk Team "2016 Data Breach Investigations Report." New York: Verizon, p. 8 Vulnerability: Expertise Industry Victims ISACA 2015 Global Cybersecurity Status Report ISACA January 2016 Cybersecurity Snapshot US Results Cybersecurity-Snapshot-Data-Sheet_mkt_Eng_0116.pdf Verizon Risk Team "2016 Data Breach Investigations Report." New York: Verizon, p. 4

4 Cost of Information Security Motives for Exploits Turnaround and transformation in cybersecurity Key findings from The Global State of Information Security Survey 2016, PricewaterhouseCoopers, p. 25, survey/download.html Verizon Risk Team "2016 Data Breach Investigations Report." New York: Verizon, p. 4 Data Breach Actors Contrasts: Insider or Outsider? Verizon Risk Team "2016 Data Breach Investigations Report." New York: Verizon, p. 7

5 Sources of Security Incidents Contrasts: Mobile/IoT Risks? Turnaround and transformation in cybersecurity Key findings from The Global State of Information Security Survey 2016, PricewaterhouseCoopers, p. 24, survey/download.html Non-adnoyance Mobile Malware Infections Attacks on IoT Devices & Systems Verizon Risk Team "2015 Data Breach Investigations Report." New York: Verizon, p. 19 Turnaround and transformation in cybersecurity Key findings from The Global State of Information Security Survey 2016, PricewaterhouseCoopers, p survey/download.html

6 Security Features Security Features International Treaties Standards Laws Institutions CobiT IS7002 IS7001 NIST F 1 F 2 F 3 Security Policies & Organizations Practices & Safeguards Feature Usage Formal Policy Usage Cisco 2016 Annual Security Report p Cisco 2016 Annual Security Report p. 46

7 Regulatory Compliance Improves Security Double-Edged Complexity O m T O F 1 F 2 F 3 Applicable regulations from: 2010/2011 CSI Computer Security Survey Incident-Centered Security Management Baskerville, R., Spagnoletti, P., and Kim, J "Incident-Centered Information Security: Managing a Strategic Balance between Prevention and Response," Information & Management (51:1), pp Modes of Protection LEFT OF BANG RIGHT OF BANG Prevention Response t t Prof. Merrill Warkentin of Mississippi State University recognized the conceptual value of this IED management approach for general security management.

8 Different Action Paradigms Model Assumptions Risk Management Forensics and Incident Response t Logical Structure of Models Organizing Principles

9 Interaction of Left & Right Paradigms Incidents Left of Incident Right of Incident Indications & Warnings Prevent Refine Information System Resource Contain, Recover, Harden Prevention Recovery Threat Deter Legislate & Policy Setting Incident Detect Investigate, Notify, Sue, Prosecute, Retaliate Respond t Adapted from Denning, D. E. (1999). Information Warfare and Security. Reading Mass: Addison-Wesley. Introduction to Information Security Management CIS 8080 Security and Privacy of Information and Information Systems Richard Baskerville