INTERNATIONAL JOURNAL OF CRITICAL INFRASTRUCTURE PROTECTION 2 (2009) 95–109

available at www.sciencedirect.com
journal homepage: www.elsevier.com/locate/ijcip

Blind information security strategy

Finn Olav Sveen a,b, Jose M. Torres a,*, Jose M. Sarriegi a

a Tecnun (University of Navarra), Manuel de Lardizábal 13, 20018 San Sebastian, Spain
b NISlab, Gjovik University College, 2802 Gjovik, Norway

ARTICLE INFO

Article history:
Received 7 November 2008
Received in revised form 8 June 2009
Accepted 27 July 2009

Keywords:
Information security strategy
System dynamics
Risk assessment
Learning from incidents

ABSTRACT

How do enterprises relate to and manage information security controls? This paper documents a study of twenty enterprises, six of them in the critical infrastructure (CI) domain. The state of security in the CI enterprises differed little from that in the other enterprises. Information security was seen as a technical problem with technical solutions. However, vulnerabilities in processes and human fallibility create a need for formal and informal controls in addition to technical controls. These three controls are interdependent. They vary widely in implementation time and resource needs, which render the task of building security resources a challenging problem. This paper presents a system dynamics model that illustrates how security controls are interconnected and are interdependent at a high level. The model is intended to aid security managers in CI domains to better understand information security management strategies, especially the complexities involved in managing a socio-technical system where human, organizational and technical factors interact. The model also demonstrates how the knowledge gained from proactive security activities can help managers improve the effectiveness of security controls, risk assessments and incident detection capabilities.

© 2009 Elsevier B.V. All rights reserved.

1. Introduction

Security is a multifaceted problem encompassing both logical and physical issues. Protection is no longer a matter of locking the door to leave out unwanted guests. Today, those “guests” enter through fiber optic cables. Technology simplifies our lives and makes them more efficient. However, technology evolves rapidly. New technologies are often unproven and poorly understood even by the designers. Technology is frequently deployed by people who only have knowledge of the technical principles behind it, and scarcely more than that. In such an environment there will always be weaknesses to exploit and implementing security will always be resource intensive, as controls must be created, maintained and audited to ensure that they are effective.

Information security, which is extremely vital in critical infrastructures (CIs) such as energy, transportation and health, always competes for resources. Information security cannot be approached as a mere technological issue in these complex systems in which technology, processes and people co-exist. Schneier [1] states: “If you think technology can solve all your security problems, then you neither understand the problems nor the technology”.

The analysis and control of information security efforts in CIs are vital to improving the prevention, detection and mitigation of vulnerabilities. Technologically-focused CI security management strategies hide organizational and social issues that could, for example, create a formal vulnerability (e.g., not updating a security process) in one CI that causes a technical vulnerability in another CI [2].

Security experts stress the need to understand the interdependencies between information security controls to successfully protect critical information infrastructures [3,4,1].

* Corresponding author. Tel.: +34 943219877. E-mail addresses: [email protected] (F.O. Sveen), [email protected] (J.M. Torres), [email protected] (J.M. Sarriegi).

1874-5482/$ - see front matter © 2009 Elsevier B.V. All rights reserved. doi:10.1016/j.ijcip.2009.07.003


However, relatively little work has focused on the impact that interdependencies between security controls and their dynamics have on security strategies [5,2]. A failure to understand these interdependencies and their dynamics can result in ineffective security strategies that cause poor coordination between decision makers and the individuals responsible for rescue, recovery and restoration after incidents.

This paper reports on the results of a survey of twenty enterprises in the Basque Country of Spain. Six of these enterprises are in the CI domain—two banks, two hospitals, a military contractor and a food producer. Interviews were conducted with information security professionals in each enterprise. The goal was to discover the state of their strategic work with information security, the security models they used and the drivers for security investments. We investigated whether CI enterprises differed significantly from non-CI enterprises. As discussed later in this paper, our conclusion is that they do not differ significantly.

We consider the issue of whether or not enterprises have a security strategy in place to be very important. This shows if an enterprise is acting consciously in advance or merely reacting to the circumstances it encounters. An information security strategy is like any other business strategy—it is the process of building up resources [6,7]. The real management challenge is to build and sustain resources, not simply to allocate resources [6,7]. From our point of view, information security controls are resources like any other resources.

We present a system dynamics (SD) model that shows the interactions of information security controls and the consequences for resource building. The model builds on the resource-based view and our empirical research. It attempts to describe the situation within the surveyed enterprises. Also, the model suggests how information security efforts should be redesigned to achieve a more comprehensive approach to information security. Our position is that information security should be treated as a holistic quality improvement process. Investments in technical controls must be balanced with investments in formal and informal controls with special care given to knowledge creation processes.

SD is a modeling methodology for analyzing the structure of complex systems that generates their complex behavior [8,9]. This structure involves feedback, accumulation, and information and material delays. SD models can be qualitative or quantitative. The qualitative model of CI security presented in this paper is the integrated result of the interviews and a more comprehensive group model building (GMB) exercise conducted with the military contractor [10].

GMB is a methodology for collaboratively building SD models [11–13]. It is an effective way of de-fragmenting partial mental models found in representative multidisciplinary teams. GMB usually takes the form of a series of facilitated workshops where subject matter experts and modelers work together to explore the problem under study and build a model. A workshop consists of a series of exercises called “scripts” in GMB terminology. Each script attempts to elicit particular pieces of information. Examples include eliciting stakeholders, eliciting reference modes, developing policy suggestions and developing model structure. GMB elicits partial mental models, makes them explicit, combines them, resolves conflicts and ambiguities, and creates new insights and consensus. The result is new knowledge that is shared by the participants.

Section 2 of this paper provides a brief overview of the data gathered from the twenty enterprises. Section 3 describes the typical reactive information security strategy that we encountered at the enterprises. Section 4 discusses the necessity of implementing formal and informal controls in addition to technical controls; Section 5 details how these controls are dependent on each other. Section 6 describes how enterprises may move towards a more proactive information security approach. Section 7 comments on the role of quality improvement systems in information security. The final section, Section 8, provides our concluding remarks.

Note that the terms security and information security are used interchangeably throughout the paper, always referring to information security and not other facets of security.

2. Overview of results

Table 1 summarizes the survey results. The participating enterprises came from a variety of sectors ranging from finance to food production. They varied in size from 70 employees to 12,300 employees. Each enterprise is assigned an identifier to preserve confidentiality. Six of the enterprises fit the CI profile. CI01 and CI02 are banks; the current financial crisis demonstrates the impact of financial institutions on society. CI03 is a military contractor; the theft of sensitive information can impact national security. CI04 is a government enterprise, which supports democratic institutions and makes decisions during crises. CI05 is a hospital; few services are more critical to society than health care. CI06 is a food producer; food is the most basic need of society.

The interviews, which were conducted in 2005, were designed to collect information about: (i) security drivers in the enterprises (i.e., why the enterprises needed security and what initially made them consider security); (ii) typical security problems experienced by the enterprises; (iii) placement of the security function in the enterprises; (iv) security model used by the enterprises (e.g., if they use a specific security model such as ISO 17799); (v) use of security indicators by the enterprises to keep track of the state of security; and (vi) development, testing and use of contingency plans by the enterprises.

The typical information security drivers were the introduction of new technology, security incidents, and laws and regulations. With regard to technology, specific drivers included various forms of remote access (e.g., electronic data interchange (EDI) and Internet connections). However, in the majority of the cases, it was not the introduction of new technology, but incidents experienced after its introduction that raised the awareness of security issues. Many enterprises were also concerned with laws and regulations such as the Spanish Data Protection Law (LOPD) and the US Sarbanes–Oxley Act (SOX). Other enterprises had clients, such as the military, which required certain security measures to be in place. A small number of enterprises considered security in advance on their own volition, and took the appropriate measures.

Table 1 – Overview of results.

ID | Sector | Staff | Initial and primary security drivers | Common security problems | Organization of security | Security model | Formal method of measurement | Contingency plan
CI01 | Finance | 1500 | Concerns about possible disasters; major security incident (flooding of server room) | Technical problems and resistance from users | Security Department; 1 full-time and 4 part-time employees | Planning certification | Informal measurements only to justify budget increase | Effective in previous crises
CI02 | Finance | 280 | Important security problems that increased awareness | Viruses, phishing and information in widely-distributed locations | Within the IT Department | Internal rules | External (scored 88/100) and internal audits | Scored 80/100 in external audit
CI03 | Military contractor | 1300 | Client’s requirements; introduction of remote access and Internet | Viruses, lost laptops and information leakage due to pen drives | Centralized, with management and IT working together | ISO 17799 (close to completion of certification process) | Magerit (risk assessment method) | Separate for each branch
CI04 | Government | 700 | Transition from IBM mainframe to MS Windows introduced problems | Unspecified security breaches and lack of user awareness | Within the IT Department; software development outsourced | Based on experience and common sense | Limited external audit; does not want certification, follows best practices instead | Only for information systems
CI05 | Health service | NA (150 PCs) | LOPD and remote access via VPN | Problems securing and storing information | Within the IT Department; legal and some technical aspects outsourced | LOPD as a security model | No measurements, but incidents are reported | Only for patient files
CI06 | Food production | NA | Virus incidents and Internet connections | External attacks that followed marketing campaigns; insider attacks | Within the IT Department; 50% of management outsourced | ISO 17799 used as a guide | Limited internal and external audits with no risk assessments | Plan in place, but is not tested by external entity
O01 | Research center | 507 | Introduction of remote access and Internet | Unauthorized use of company resources; external attacks and differences in user needs | Within the IT Department | Own model based on experience and common sense | Internal risk assessment (based on own experience) with limited external audit | Under development, but focuses on preventive not corrective actions
O02 | Manufacturing | NA | Security = anti-virus; no strong security driver | Poor backup management | Within the IT Department | No model | No measurements | Informal, only based on backups stored at staff member’s home
O03 | Engineering | NA | Hired a penetration tester (did not divulge why) who gained full system access | Viruses, spam and theft of equipment | Within the IT Department | Based on experience and common sense, with external support | No measurements | No formal contingency plan, only daily backups
O04 | Maintenance of machines and the environment | NA | Introduction of remote access (Internet and EDI) | Information loss | Outsourced; reports directly to upper management | Internally-developed model designed to comply with LOPD | No measurements, but will introduce limited measurements in the future | No formal contingency plan, only backups
O05 | Engineering and manufacturing | 2000 | Introduction of remote access and concerns about possible incidents | Information loss and management of backups | Within the IT Department | Own model based on experience and common sense (basically backups) | No measurements, but future external audit is planned | Internally-developed, untested plan
O06 | Manufacturing | 5800 | Merged with international company which pushed security | Isolated viruses | Within the IT Department | Based on experience and LOPD | Informal procedures; limited external audits | Only for ERP system
O07 | Broadcasting | 925 | Branches connected via networks and LOPD | Isolated viruses and unauthorized use of company resources | Within the IT Department | Own model based on experience and common sense | Informal tracking of policy compliance | No formal plan, but one is being considered
O08 | Manufacturing | 12,300 | Incidents experienced by competitors and pressure from the main US office | Only isolated viruses | Within the IT Department; 2 dedicated systems administrators | Based on SOX | No general security indicators, but external audit to track SOX compliance | Plan for all assets aimed at recovery within 24 h
O09 | Manufacturing | 225 | Introduction of remote access and increasing dependency on information systems | Viruses and information leakage by employees | Within the IT Department | Based on experience, common sense and backups | Only keeps track of viruses | No contingency plan, only mental model
O10 | Manufacturing | 250 | Pressure from the main US office | Change in processes and mentality | Multidisciplinary team reporting to CSO | Based on SOX and ISO 17799 | Control of access, but no formal measurements | Holistic plan focused on short- and long-term corrective measures
O11 | Research institution | 200 | System update and security problems | Viruses, phishing and access control | Within the IT Department | Own model based on ISO 17799 | Incident reporting system | No contingency plan, only a mental model
O12 | IT services | 150 | LOPD and client requirements (confidentiality and integrity) | No major problems experienced | Within the IT Department | Based on ISO 17799 | Incident reporting system | No contingency plan, only an outline
O13 | Engineering and manufacturing | 70 | Introduction of remote access | Problems with viruses (servers and email) | Outsourced | Totally dependent on the subcontractor | No measurements of general security; subcontractor has an incident reporting system | No contingency plan, only a mental model
O14 | Research institution | 225 | Centralization of information | Viruses, slow recovery from backups and low user awareness | Within the IT Department | Own model at an early stage of development | No measurements | Contingency plan for all assets based on total quality management

The most common security problem was viruses, followed by theft and equipment loss. A few enterprises cited problems posed by the lack of employee security awareness and backup management.

The security function in almost every enterprise was located within the IT Department. Only CI01 and CI03 had separate departments while O10 used a multidisciplinary team with representation from several departments. Many of the enterprises outsourced a portion of the security management function; in some cases, the entire security function was outsourced.

Six enterprises used ISO 17799 (renamed as ISO 27001) as a reference model for security; of these enterprises, only CI03 employed a certification process. Five enterprises used LOPD or SOX as guides; one enterprise used a security model based on ISO 17799 and LOPD. The remaining enterprises used security models based on common sense and past experience. Only seven of the twenty enterprises conducted internal or external audits.

Most of the enterprises stated that they either did not measure the state of security, or did so informally or only measured certain aspects of security. Two enterprises had incident reporting systems, but did not implement any other security indicators.

Eight of the twenty enterprises did not have formal contingency plans. Two had contingency plans related to very specific issues. The other enterprises had more holistic plans, but not all of them had tested their contingency plans.

From a holistic perspective, it appears that the typical enterprise in our study focused on the most salient security issues and these were the primary drivers behind security. The most salient issues are related to previous security incidents or external requirements imposed by clients or laws and regulations. A technical view on security was the most predominantly held position. The majority of the enterprises placed the security function within the IT Department. No enterprise was certified according to a national or international standard, and one enterprise was undergoing a certification process. Most of the enterprises were aware of ISO 17799 but considered it too complex for their use; thus, the standard was not fully implemented and was only used as a reference. Furthermore, very few of the enterprises actually measured the state of security; the prevailing attitude was that problems would be fixed if and when they arose.

Did the CI enterprises differ significantly from the non-CI enterprises? All six CI enterprises had contingency plans and four of them had holistic plans. No CI enterprise was certified according to an external security management standard, although one was close to being certified. Two of the CI enterprises did not perform any internal or external audits. All but two CI enterprises placed the security function within the IT Department. The CI enterprises reported the same security problems as the non-CI enterprises.

Overall, the state of security in the CI enterprises was marginally better than that in the other enterprises. However, there was little difference with regard to security drivers (previous incidents, pressure from clients, and laws and regulations). This had some unfortunate consequences. For example, the healthcare enterprise focused exclusively on preserving the confidentiality of patient data as dictated by LOPD. Security meant satisfying LOPD; key issues such as integrity and availability were almost completely ignored.

The CI enterprises followed the same pattern of development as the other enterprises. They went through four distinct phases (described in detail in [14]). The phases are: (i) Growth, where the use of information systems is increasing, but the enterprises are not yet dependent on them and there is no coherent security strategy; (ii) Integration, where the enterprises depend on information systems, but they are in a chaotic state after the rapid growth phase; the information systems are consolidated and centralized, and attention is paid to security, but primarily on technical controls; (iii) Formalization, in which the increasing number of security controls in the integration phase makes them harder to manage and security administrators recognize the need to formally manage the controls; (iv) Involvement, in which the enterprises recognize that the users are both an obstacle and a key to achieving security, and security is expanded to include user awareness training and similar issues. Very few of the enterprises surveyed had reached the involvement phase.

The next section describes a typical enterprise using a simplified SD model. The model is based on the interview results and an in-depth GMB exercise with CI03. Existing theory is used to fill in the gaps where needed.

3. Reactive information security perspective

As mentioned in the previous section, the enterprises focused on the most salient security issues. Thus, if incidents are infrequent, security will most likely not have high priority until a serious incident happens. The variables Incident Frequency and Incident Severity are associated with the incidents suffered by an enterprise, and Impact with the consequences of those incidents.

The (+) sign next to the arrow from Incident Frequency to Impact expresses the notion that an increase in the frequency of incidents increases the impact suffered by the enterprise. The same relationship applies in the opposite direction—fewer attacks lead to less impact. Therefore, a change in Incident Frequency causes a change in Impact in the same direction. This also applies when Incident Severity is changed—higher severity implies a greater impact and vice versa.

The impact also depends on the degree to which an enterprise is vulnerable. The Actual Security Gap represents the discrepancy between the defensive measures and the sophistication of the threats that exist in the environment. If the Threat Sophistication increases, the Actual Security Gap widens, potentially increasing the Impact because incidents occur with a higher probability. The actual Impact suffered also depends on Incident Severity.

Incident Frequency, Incident Severity and Threat Sophistication are not constants. The discovery of new vulnerabilities and the development of new attack methods ensure that single-shot solutions will only be temporary.

An enterprise can reduce the Actual Security Gap through security controls. More Security Controls in Place diminishes the Actual Security Gap, which is represented by the (–) sign next to the arrowhead. Fewer Security Controls in Place increases the gap. The (–) sign denotes a causal influence in the opposite direction.

Fig. 1 – Reactive security. [causal-loop and stock-flow diagram; not reproduced in this extraction]

Fig. 2 – Perception of security by management. [two panels plotting Impact (EUR/Year), from Low to High, against Time (Years); not reproduced in this extraction]

An enterprise with a security gap is likely to sufferincidents. However, a single, small incident is not enoughto significantly change an enterprise’s perception of security.Many small incidents over time or a few large incidentsin a short time may cause a change in the management’sperception of security (Fig. 2). One of the typical problemsfaced by the surveyed enterprises was viruses, a problem thatwas prominent in 2005 and had been building for some time.However, only a few enterprises had experienced a completework stoppage due to a virus. When the losses are small, itis the perception of the accumulated losses over time thatcounts (right-hand side of Fig. 2). Some of the enterprises hadexperienced larger incidents (e.g., flooding of the server roomat CI01). This immediately raised the awareness of securityissues. Fortunately, the enterprise was not totally unpreparedand followed its contingency plan, enabling operations to berestored within 24 h. The immediate appreciation of the needfor security is illustrated in the left-hand side of Fig. 2.

In the model in Fig. 1, the perception of the state ofsecurity is represented by the link from Impact to DetectedImpact to Perceived Impact Trend. The vertical mark on thearrow denotes a time delay. As explained above, perceptionschange quickly only when serious, high impact incidents

occur. Normally, perceptions are adjusted over time. Hence,the Perceived Impact Trend is negatively affected by the Time toChange Perception of Impact Trend (i.e., the influence is in theopposite direction). If the Time to Change Perception of ImpactTrend increases, the Perceived Impact Trend will take longer toadjust to the Impact. The opposite is also true: a decreasecauses the Perceived Impact Trend to be adjusted faster.

An incident makes an enterprise painfully aware of itssecurity shortcomings. If a large Perceived Security Gap isidentified, more Security Resources are allocated to acquirenew security controls. After a decision is made about thenew security controls (represented by the Initiation Rate), thecontrols must be implemented, which always takes time.This situation is represented in the model by the controlsfirst residing in the Initiated Security Controls and then beinggradually moved over to Security Controls in Place at a speeddecided by the Implementation Rate. The double-lined arrowsdenote flows. The two triangles facing each other on each sideof the double-lined arrows is a stylized valve, which expressesthe ability of the influencing variables to control the rate. Thecloud symbols at the beginning and end of a flow expressthe fact that the controls come from outside sources anddisappear into outside sources when they are no longer used.

When security controls are in place, they prevent incidents from occurring and/or reduce their impact. Thus, we have a closed feedback loop named Reactive Security (B1). This is a balancing or goal-seeking feedback loop. In this case, the goal of the loop is the Desired Security Level, which expresses the risk acceptance of the enterprise. The lower the risk appetite, the higher the desired security level. If the security level is perceived to be different from the desired security level, resources are adjusted until a satisfactory level is reached. An important consequence of this loop is that the security level is perceived indirectly. As long as nothing is happening, the security level is perceived to be adequate.

Another consequence of B1 is that if security resources are increased in response to incidents, the resources gradually reduce over time unless incidents occur frequently. Additional (and better) controls reduce the impact of incidents, which over time causes management to perceive the security level as higher than necessary. As mentioned above, there is some inertia in the system: it takes time before the lower risk is perceived through the Perceived Impact Trend.

The loops B2 and B3 act as brakes. The implementation of additional security controls increases costs, which slows down the initiation rate of new controls. The most straightforward and least expensive controls are usually implemented first. As controls become more advanced, the implementation and maintenance costs increase.

If security strategies are reactive, only the absolute minimum security level is maintained under the normal condition of infrequent incidents. It is only when an incident occurs that management and staff begin to pay attention. This is natural as they perceive the security level almost exclusively through incidents that have occurred. When auditing and risk assessment mechanisms are not in place, it is difficult to tell if the enterprise has a good security posture or is just lucky. The majority of the enterprises interviewed did not have such mechanisms in place.

Another serious deficiency is that the enterprises invariably lag behind developments in the threat environment. New vulnerabilities are discovered continuously, new attack methods are always being developed, and the frequency and severity of attacks change. It takes time to implement security controls. Waiting for an attack to occur before implementing security controls is equivalent to deliberately leaving the door to a home open.

4. Security is a complex system

Securing information systems is a complex task that requires the implementation of three types of security controls: technical, formal and informal controls [15,16,5]. Some authors have proposed classifications using different terms (e.g., technology controls, process controls and human controls [17]) to refer to similar security controls. In this paper, we use the terms technical, formal and informal controls, which are defined as follows:

Technical controls: These controls include hardware and software tools that restrict access to buildings, rooms, computer systems and programs in order to prevent improper use. Examples of technical controls include biometric devices, locks, anti-virus software, firewalls and intrusion detection systems.

Formal controls: These controls comprise policies and procedures that manage the access to and use of information. Formal controls include policies and procedures that establish and ensure the effective use of technical controls. Examples of formal controls include system audits, update mechanisms, risk assessments, identification of security roles, segregation of responsibilities and implementation of indicators.

Informal controls: These controls involve actions related to deploying information security in the workforce by creating a security culture. Examples of informal controls include training employees, implementing security incentives, increasing the commitment to security and motivating users.

This trinity of security controls is necessary to achieve high security performance, especially because the controls are hierarchically dependent on each other (Fig. 3). A failure in one type of control may open up holes in another.

Unfortunately, the surveyed enterprises based their information security practices almost entirely on technical solutions. Practically all the surveyed enterprises located the security function within the IT Department. This is most likely a consequence of the technical nature of security incidents such as virus/worm infections and denial-of-service attacks, which have positioned technological solutions over managerial solutions.

It is important to note that information security also involves non-technical aspects. Detecting malicious insiders may require psychological profiling [18]. A security breach may lead to legal action against the enterprise as well as the perpetrator. Anderson [19] states: “All the really large frauds – the cases over a billion dollars – have involved lax internal controls”. He goes on to cite examples such as the collapse of Barings Bank. Single vector approaches are no longer adequate to counter today’s diverse threats [20]. Security depends on well-functioning multidisciplinary teams [3].

The current situation is also reinforced by the fact that security personnel usually have strong technical backgrounds with limited management expertise. This is a natural consequence of the security function being located within the IT Department. Only one of the surveyed enterprises had a multidisciplinary team that reported directly to upper management. Systems administrators usually fill the security manager role. However, they primarily see themselves as technicians and, therefore, may not hone their analytical, managerial and interpersonal skills. These skills are vital to implementing formal and informal security controls [17].

A further complication is that implementing and maintaining controls are not straightforward. Each category of controls differs from the others in the time it takes to implement them, how often they must be renewed, reinforced or audited, as well as the attack mechanisms used to penetrate them. This level of complexity makes it extremely difficult to manage security. In particular, three loops (B1, B4 and B7) appear in Fig. 3, which expand the security challenge.

Technical controls (e.g., firewalls) are implemented relatively quickly and often provide immediate results compared with formal and informal controls. In other words, the Time to Implement Technical Controls has a low value (minutes, hours or days) compared with, for example, training users to defend against social engineering threats, which can take months or years.

Formal controls (e.g., implementing a system to measure the effectiveness of security controls) require longer implementation times. It may also take some time before the controls become effective and are perceived as being effective. In other words, the Time to Implement Formal Controls has a higher value than the Time to Implement Technical Controls.

Informal controls (e.g., launching a security awareness campaign, explaining the needs and benefits, and getting the workforce involved) are difficult to implement and often take a substantial amount of time. The goal of an enterprise is not to implement perfect security, but to provide goods and/or services. Thus, business pressures may delay or negate attempts at improving security [21]. As such, the Time to Implement Informal Controls has a higher value than both the Time to Implement Formal Controls and the Time to Implement Technical Controls.

Fig. 3 – Trinity of security controls.

Building a security culture can take years. Although technical controls are normally the fastest to implement, they are also the controls that become obsolete most rapidly and have to be renewed most frequently. In general, formal and informal controls last longer than technical controls. Informal controls contribute to the creation of a “security culture” where employees take security into account in their daily work and not just as an afterthought. This requires a change in the mindset of employees and, crucially, of management because management sets the precedent. Instituting a security culture is critical as it impacts the other two classes of controls. In the absence of a security culture, formal controls may just be words on a piece of paper. Although informal controls are the most expensive and time consuming to implement, they last much longer than other controls. But they do depreciate: a security culture that is not supported by the enterprise quickly withers and dies.

Our discussion of security controls is based on common knowledge in the information security field. Nevertheless, very few of the surveyed enterprises followed a holistic strategy that included all three classes of security controls; the majority only focused on salient security issues. The three classes of security controls can be further analyzed by making distinctions within each security control (e.g., controls against internal and external attacks, and controls against deliberate attacks and accidents). For the purpose of this paper, it is not necessary to go into more detail about security controls, but it is very important to understand their interdependencies.

5. Interdependencies between security controls

Technical controls depend on formal controls in order to function. Formal controls depend on informal controls to function well. For example, password protection is useless if the password is written on a Post-It note that is stuck to the monitor. Password access control is a technical measure; sticking the password to the monitor is a breach of formal controls.

Formal instructions should be in place to guide users about safe and appropriate behavior. Without such instructions, a lack of user awareness cannot be blamed for a security breach; the lack of formal controls is the real reason for the breach. However, if formal instructions are in place, the user’s lack of understanding about why a password should not be stuck to a monitor (an informal control) is the direct cause of the breach. When a formal control is undermined, the error propagates upwards, rendering the technical control ineffective. This hierarchical dependence of security controls is shown in Fig. 4.

Fig. 4 – Hierarchical interdependence of security controls.

Two more loops thus exist in addition to the three loops shown in Fig. 3 (B1, B4, B7). These two loops, which significantly affect the ultimate goal of the system (decreasing the impact), are: Technical Depends on Formal (B10) and Formal Depends on Informal (B11) (see Fig. 4). The direct links from Informal Security Controls and Effective Formal Security Controls to Actual Security Gap represent defenses against the impact suffered from non-technical incidents. The attacker may, for example, use impersonation to gain confidential information. However, even if an incident is purely technical and technical controls are in place, an attack may still succeed because of inadequate formal controls. An example is when the failure to install a patch allows a worm to infect the system. A low-tech example is a simple door lock. To open the door an attacker can attack the technical defense by picking the lock. A second option is to attack the formal layer: sloppy key management may allow access to the key. A third possibility is for the attacker to target the informal layer by using social engineering to have someone with access open the door.

The effectiveness of implemented technical controls can be extended and improved by robust formal controls (B10). Likewise, informal controls ease the implementation of formal controls, extending and improving their effectiveness (B11). A house can be used as a metaphor to explain this dependency. The informal controls provide a strong foundation. Formal controls are the load-bearing walls that are built on the foundation and support the roof, which constitutes the technical controls. The foundation, walls and roof of the house mutually support each other to provide shelter from rain, wind and cold (i.e., attacks and/or incidents).

Unfortunately, security controls are often viewed as independent layers where the first line of defense is technical controls. Enterprises usually start by implementing technical controls, followed by formal controls, and then barely implement informal controls. Informal controls require the most effort and the longest implementation time; this (at least partially) explains why enterprises often build their “security houses” starting with the roof (technical controls), followed by the walls (formal controls), and leave the foundation (informal controls) for last.

The difficulty of building strong informal controls (e.g., a security culture) is widely recognized. This has led to various attempts to compensate by building very strong formal controls, as evidenced by the large number of information security standards (e.g., ISO 27001:2005 and COBIT). However, implementing strong formal controls is not possible without implementing strong informal controls. There is a difference between what is written in the standards and what is actually implemented in enterprises. Moreover, the absence of a security culture can sabotage attempts at introducing strong formal controls. Compensating for a weak foundation by building thicker walls simply does not work.

Fig. 5 – Critical infrastructure security strategy (layers: Technical, Formal, Informal).

We are certainly not advocating a pure bottom-up security approach. Enterprise assets would be vulnerable (albeit somewhat less vulnerable) if very strong informal controls were to be implemented without any technical and formal controls. Instead, we stress the importance of paying simultaneous attention to all three types of controls and of taking the long-term view. A failure to assign resources to build and maintain any of the three types of security controls could result in severe consequences in the future as the system becomes more susceptible to attacks. This security approach [2] is based on the assumption that if an attacker identifies and exploits a single vulnerability in any of the three controls (the holes in the piece of cheese in Fig. 5 represent vulnerabilities), then the enterprise asset could be severely compromised.

6. Proactive information security perspective

Most of the surveyed enterprises operated in a reactive mode and focused only on the salient security issues. After discussing the consequences of a reactive security strategy, its complexity and the interdependencies between controls, the fundamental question is: How do we change the security strategy to be proactive in nature? We turn to existing theory to answer this question; where appropriate, we also draw on sources outside the information security domain.

An attractive proactive strategy is to identify vulnerabilities in advance instead of waiting for them to reveal themselves through incidents. Many enterprises conduct risk assessments to create a better foundation for decision making. A risk assessment is defined as “an objective analysis of the effectiveness of current security controls that protect an organization’s assets and a determination of the probability of losses to those assets” [22].

According to Landoll [22], an information security risk assessment provides the following benefits: (i) checks and balances: the architects of an information security program and the administrators of the security controls are too close to the decisions that have been made, and may not be able to perform an objective analysis; (ii) periodic review: the effectiveness of a security program must be measured and adjusted based on the changing threat environment and business mission; and (iii) resource allocation based on risk to assets: unless the enterprise understands the risk it faces, resources may be expended in areas where they do little or no good.

The loop B12 in Fig. 6 illustrates this aspect. (To avoid complexity, the three classes of security controls are collapsed into one.) Internal or external risk assessments enable an enterprise to discover the Actual Security Gap without having to suffer from incidents. The more often risk assessments are performed, the quicker the real security gap is perceived. This is represented by the negative polarity link from Time to Perceive Security Gap to Perceived Security Gap from Risk Assessment. B12 is a goal-seeking loop with the same goal as B1 (Desired Security Level). However, because perceiving the security gap involves anticipating the future while contextualizing history, the perception of the state of security in the enterprise should be more accurate than with a purely reactive approach.

A forward-looking enterprise that regularly performs risk assessments gains other benefits as well. By implementing security controls in advance, the detection capability is improved because the enterprise has a better idea of what to look for. From a practical perspective, this can include installing an intrusion detection system with a more specific configuration. In the model, this dynamic is represented by the loop Detection (R1). As Security Controls in Place increases, the Detection Capability also increases, resulting in an increase in the Detected Impact. Although major incidents are usually detected, small incidents such as port scans may pass under the radar. Small incidents are seemingly insignificant, but they serve as an early warning system. As the detection capability of an enterprise increases, it detects more incidents (i.e., Detected Impact increases) and the Perceived Impact Trend improves, and with it, the Perceived Security Gap. The enterprise should then be able to make informed decisions about security investments (Security Resources) and the controls to implement. R1 is a reinforcing loop where the enterprise continually improves and adapts its security controls according to the threat environment. This is necessary because the Threat Sophistication continually increases [23].

In general, a proactive security approach also enhances reactive mechanisms. A risk assessment activates loop B12, which puts the minimum of security controls in place. This activates the reinforcing loop R1 via an improved detection capability due to the security controls implemented as a result of the risk assessment.
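As an added illustration (not code from the paper or its authors), the following Python script simulates a deliberately simplified instance of the Reactive Security loop B1 of Section 3, with its Perceived Impact Trend delay, alongside the Risk Assessment loop B12 and the Detection loop R1 described above. All parameter values, the linear growth of Threat Sophistication and the treatment of a risk assessment as a periodic sample of the Actual Security Gap are assumptions made for the example.

```python
"""Added example, not part of the original paper: a discrete-time (monthly)
stock-and-flow simulation of the reactive loop B1, the risk assessment loop
B12 and the detection loop R1.  Every numeric value is an assumption."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Params:
    desired_security_level: float = 1.0      # goal shared by B1 and B12
    initial_threat: float = 1.0              # Threat Sophistication at t = 0
    threat_growth: float = 0.02              # threat grows by this much per month
    initial_controls: float = 0.8            # Security Controls in Place at t = 0
    incident_frequency: float = 0.3          # incidents per month ("infrequent incidents")
    time_to_implement: float = 3.0           # months: Initiated -> In Place (Implementation Rate)
    obsolescence_time: float = 24.0          # months until a control flows out to the "cloud"
    time_to_change_perception: float = 6.0   # Time to Change Perception of Impact Trend
    resource_gain: float = 0.5               # Security Resources per unit of perceived gap
    cost_brake: float = 0.1                  # B2/B3: more controls in place -> costlier initiation
    risk_assessment_interval: Optional[int] = None  # months between assessments; None = reactive only


def simulate(p: Params, months: int = 120) -> dict:
    """Run the model for `months` one-month steps and return the trajectories."""
    threat = p.initial_threat
    controls = p.initial_controls        # stock: Security Controls in Place
    initiated = 0.0                      # stock: Initiated Security Controls
    perceived_impact_trend = 0.0         # delayed perception of Detected Impact
    gap_from_assessment = 0.0            # Perceived Security Gap from Risk Assessment
    out = {"actual_gap": [], "perceived_gap": [], "controls": [], "threat": []}

    for month in range(months):
        # The security level is measured relative to the threat; the gap is the
        # quantity both B1 and B12 try to close.
        security_level = controls / threat
        actual_gap = max(0.0, p.desired_security_level - security_level)

        # Impact: infrequent incidents whose severity scales with the gap.
        impact = p.incident_frequency * actual_gap
        # R1 (Detection): better controls catch a larger share of what happens.
        detection_capability = min(1.0, 0.5 + 0.5 * security_level)
        detected_impact = impact * detection_capability

        # Perceived Impact Trend adjusts towards Detected Impact with a delay; a
        # larger Time to Change Perception makes the adjustment slower.
        perceived_impact_trend += (detected_impact - perceived_impact_trend) / p.time_to_change_perception

        # B12: a risk assessment samples the Actual Security Gap directly.
        if p.risk_assessment_interval and month % p.risk_assessment_interval == 0:
            gap_from_assessment = actual_gap

        # B1 sees the gap only through incidents; B12 adds the assessed gap.
        perceived_gap = max(perceived_impact_trend, gap_from_assessment)

        # Initiation Rate follows the perceived gap, braked by cost (B2/B3).
        initiation = p.resource_gain * perceived_gap / (1.0 + p.cost_brake * controls)
        implementation = initiated / p.time_to_implement   # Implementation Rate
        obsolescence = controls / p.obsolescence_time      # outflow of obsolete controls

        initiated += initiation - implementation
        controls += implementation - obsolescence
        threat += p.threat_growth

        out["actual_gap"].append(actual_gap)
        out["perceived_gap"].append(perceived_gap)
        out["controls"].append(controls)
        out["threat"].append(threat)
    return out


def mean_gap(trajectory: dict) -> float:
    """Average Actual Security Gap over the run (0 = desired level reached)."""
    return sum(trajectory["actual_gap"]) / len(trajectory["actual_gap"])


def compare_strategies(months: int = 120) -> dict:
    """Mean Actual Security Gap of a purely reactive enterprise versus one that
    runs a risk assessment every quarter, everything else being identical."""
    reactive = simulate(Params(), months)
    proactive = simulate(Params(risk_assessment_interval=3), months)
    return {"reactive": mean_gap(reactive), "proactive": mean_gap(proactive)}


if __name__ == "__main__":
    for name, gap in compare_strategies().items():
        print(f"{name:10s} mean actual security gap = {gap:.3f}")
```

Lengthening `time_to_change_perception` in the reactive run reproduces the inertia discussed in Section 3: the gap is perceived later and the enterprise invests later.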

7. Quality improvement

Due to the rapidly changing threat environment [23], security controls rapidly become obsolete. Security must, therefore, be treated as a continuous process [1]. Some information security management standards have adopted the Plan-Do-Check-Act (PDCA) cycle from the domain of quality management. An example is ISO 17799 [24], which has been renamed as ISO 27001 (Control Objectives) and ISO 27002 (Controls). Calder and Watkins [24] state that “the ISMS [information security management system] should be integrated with the quality assurance system to the greatest extent possible”.

Fig. 6 – Proactive security strategy.

Calder and Watkins [24] describe the PDCA cycle as follows. The first stage (Plan) has eight steps: (i) define the scope of the ISMS; (ii) define the information security policy; (iii) define a systematic approach to risk assessment; (iv) conduct a risk assessment to identify (within the context of the policy and the ISMS scope) the important information assets of the enterprise and the risks to them; (v) assess the risks; (vi) identify and evaluate options for the treatment of the risks; (vii) select the control objectives and controls to be implemented for each option; and (viii) prepare a statement of applicability.

The second stage (Do) has five steps: (i) formulate a risk treatment plan and its documentation; (ii) implement the risk treatment plan and the planned controls; (iii) initiate the appropriate training for the affected staff and awareness programs for the workforce; (iv) manage operations in line with the ISMS; and (v) implement procedures that enable the prompt detection of and response to security incidents.

The third stage (Check) involves the continuous monitoring, review, testing and auditing of the ISMS and the security controls.

The fourth stage (Act) requires management to review the ISMS, and the testing and auditing outcomes, regularly. Improvements to the ISMS should also be identified, documented and implemented.

The PDCA cycle represents a continuous, incremental approach to quality improvement. It includes not only the implementation of appropriate controls, but subsequent follow-ups to: (i) check that the controls work as intended; (ii) improve the controls; and (iii) check that the controls are still sufficient and appropriate. This is a fundamental and necessary starting point to operate in the current challenging security environment.

Although standards are a good starting point, an enterprise should go beyond standards to achieve continuous quality improvement [25]. Standards are sanctioned by national and international bodies, and approval times can be lengthy. Hence, standards tend to lag behind the latest developments in their fields. In order to succeed, enterprises should therefore become learning enterprises [26].

Risk assessments can provide a foundation for continuous improvement. They should be conducted at regular intervals and care should be taken to learn as much as possible from them. The outputs of a risk assessment provide a basis for selecting and implementing security controls; they also serve as important inputs for the next risk assessment. Landoll [22] describes several secondary benefits: (i) transfer of knowledge from the risk assessment team to the enterprise staff; (ii) increased communication about security issues between business units (security is multidisciplinary and potentially touches all the business units in an enterprise); and (iii) increased security awareness within the enterprise.

The enterprises in our study did not appear to appreciate this wisdom. The majority of the enterprises did not carry out internal or external risk assessments. Only two of the six CI enterprises (CI02 and CI03) performed risk assessments.

Fig. 7 models the risk assessment process as a learning mechanism. If the Perceived Security Gap from Risk Assessment increases, the enterprise learns more and the Learning Rate increases. The body of information security knowledge in the enterprise also increases, which enhances the perception of the security gap (i.e., the Perceived Security Gap from Risk Assessment increases if it is less than the Actual Security Gap). These variables form the loop Learning from Risk Assessment (R2), which continually reinforces the ability of the enterprise to detect security gaps.

A second learning mechanism is an effective incident learning system. It is not a given that the implemented controls will actually work [17]. Routines and instructions should, therefore, be in place to identify incidents that occur due to missing or ineffective controls. This is not unique to security. Industrial safety incident learning systems provide valuable feedback on which controls actually do work [27]. One successful incident learning system is NASA’s Aviation Safety Reporting System, which logs information about thousands of incidents every year. Every report is analyzed and the information is distributed to airline companies, aircraft manufacturers, airport authorities and regulators, enabling them to improve operations and equipment [27]. Aviation incidents still do occur, but enterprises that use aviation incident learning systems perform better than those that do not. A poorly-functioning national reporting system in Taiwan may be one reason why its accident rate is higher than that in the US and Western Europe [28].

Fig. 7 – Quality improvement process.

Only two of the surveyed enterprises explicitly mentioned that they had incident reporting systems. A large majority of the interviewees stated that they did not believe in perfect security, but they did not take the logical next step. If perfect security is impossible to achieve, an incident will occur sooner or later. Enterprises must, therefore, have incident reporting systems and contingency plans in place. The surveyed enterprises either did not have contingency plans or had very limited plans. The reinforcing loop Learning from Incidents (R3) represents the process of knowledge creation and acquisition from incidents. Increased Detection Capability leads to a higher Detected Impact. If detected incidents are investigated properly, they add to the enterprise’s knowledge base. A higher Detected Impact increases the Learning Rate, which increases the Security Knowledge and, ultimately, the Detection Capability of the enterprise.

R2 and R3, together with B13 and B14, represent the continuous quality improvement process in our model. The learning processes are fundamental, but R2 and R3 are not activated automatically; they require conscious, deliberate activities aimed at learning and capturing knowledge. We have little evidence of successful quality improvement in the field of information security; in fact, there is evidence that the opposite is taking place. In their study of computer security incident response teams (CSIRTs), Killcrece et al. [23] state: “Because of the amount of detailed work done by incident handlers and the increasing work loads, many of the authors of the books and articles reviewed in the literature identified staff burnout as a problem for CSIRTs”. In the surveyed enterprises, the security administrators were primarily the systems administrators and also held incident handling responsibilities. Their potential workload was very high, causing them to focus on issues that were perceived as most important in a short-term perspective. As far as incident handling was concerned, their task was to get the system up and running as soon as possible. The majority of the enterprises surveyed did not prioritize debriefs and other quality improvement activities. Many CSIRTs may not be in an ideal situation, but at least they have dedicated incident handling resources.

An environment such as that described above is not conducive to learning. The seminal work of Nonaka and Takeuchi [29] shows that new knowledge is created via a social process of interaction. In an environment where the employees are overworked there is less time for interaction and common reflection on problems. Other improvement activities, such as creating software tools to aid employees, are also difficult to accomplish [30]. This has led to the prevalence of ad hoc solutions.

One mechanism that can work to the detriment of quality improvement systems has been described by Wiik et al. [30] in the information security domain and by Repenning and Sterman [31] in the process improvement domain. Wiik et al. [30], who have studied a CSIRT for a major European research network, describe how it can fall into a “capability trap”. Working harder to alleviate short-term pressures takes resources away from long-term improvement efforts. The team falls into a “vicious circle” (or cycle), where resources are continuously moved from long-term improvements to cope with short-term pressure. The lack of long-term improvements over time increases the short-term pressure. Wiik et al. have shown that the solution involves a worse-before-better scenario, which makes an exit from the vicious circle all the more difficult. After studying the CSIRT literature, Gonzalez [32] states: “One might safely conclude that in many CSIRTs reactive fire-fighting dominates to the detriment of proactive work and security quality management services”.

CSIRTs only represent a part of the information security solution, but in enterprises where the incident handling team is overworked, it is likely that the general information security team is also overworked. Our own research supports the hypothesis that the staff in most Information Security Departments are overworked. Indeed, in smaller enterprises, the Information Security Department may have just one individual who has to handle all security-related matters in addition to a long list of other chores. A common response is: “We have a firewall, a logging system, anti-virus software and an intrusion detection system. All of them provide very interesting information... but I have no time to analyze it!” [33]

Enterprises in other fields have had more success. Businesses that succeed in implementing total quality management programs invariably outperform their competitors [34–37]. The seminal work by Repenning and Sterman [31] on process improvement has shown that most of the problems encountered are due to internal dynamics, not external causes. The other lesson from Repenning and Sterman is that in order to implement an effective security learning program, the environment in which the program will operate must be taken into account. This leads us to believe that it is possible to implement effective information security quality improvement programs in enterprises. Note, however, that implementing such a quality improvement program may be difficult because security often interferes with business processes, which could cause the program to be disregarded (or even undermined) by managers and staff [38].

In cases such as those outlined above, R2 and R3 operate as vicious circles. For example, a reduced Detected Impact implies a reduced Learning Rate, which leads to only a small increase in Security Knowledge. This leads to a small increase in Detection Capability and, thus, a lower Detected Impact because the threat environment is continuously evolving.

R2 and R3 represent learning processes that enable an enterprise to perform better risk assessments and detect more incidents; also, the knowledge gained as a result of these two processes helps enhance the effectiveness of security controls. If the problems described above can be overcome and R2 and R3 can be made to operate as “virtuous” circles, the increased Security Knowledge should enhance the Effectiveness of Controls, which ultimately reduces the Security Gap.

Instead of investing in completely new controls, an enterprise could learn how to better use the existing controls. Accordingly, we have two more balancing loops, B13 and B14. Upon analyzing loop B13, we observe that an increase in Security Knowledge increases the Effectiveness of Controls, which decreases the Security Gap. This decreases the Perceived Security Gap from Risk Assessment, which reduces the Learning Rate and slows the increase in Security Knowledge. The loop adjusts Security Knowledge to match the Threat Sophistication. The B14 loop is similar. Increased Security Knowledge increases the Effectiveness of Controls, which decreases the Security Gap. This decreases the Impact, which lowers the Detected Impact, reduces the Learning Rate and, ultimately, slows the increase in Security Knowledge.

When loops R2 and R3 are operating in a negative manner, a reduction in the Detected Impact may be caused by a reduction in Detection Capability. Furthermore, when R2 and R3 work as vicious circles, B13 and B14 may actually widen the Security Gap. When loops R2 and R3 are operating virtuously, reductions in the Detected Impact and the Perceived Impact Trend are likely to be due to an improvement in security (reduced Actual Security Gap) and not random fluctuations in Incident Frequency and Incident Severity. Most of the common attacks facing an enterprise are far less advanced than the latest attacks. Consequently, the true state of security can be masked if the enterprise only focuses on the most salient security issues.

Proactive and reactive security processes strengthen each other; knowledge created by one process enhances the other. However, it is important that both processes are well structured. An ad hoc approach makes it difficult for an enterprise to learn much from a risk assessment or from incidents. Moreover, an ad hoc risk assessment may only examine the most salient issues, while ignoring the subtle ones. When there are no routines for incident handling, a team will have to be put together in a hurry; the absence of routines would make it difficult to relay important information and lessons learned to key personnel. Learning from an incident requires careful analysis, which may not be prioritized if the objective is to get the systems up and running as soon as possible. We advocate a measured approach where proactive risk assessments are conducted and reactive incident learning systems are implemented. In fact, implementing a system to facilitate learning from incidents can be considered to be a proactive approach. The complexity of modern information systems [17] and evolving threats make it unlikely that a risk assessment would be able to identify all the vulnerabilities.

Human beings are natural learners. But how fast we learn and what we learn depend on the learning resources and the nature of the learning process. An unstructured learning process could lead enterprise managers back to their old reactive security habits.

Although our presentation is novel, our SD model mostly integrates previous research. For example, with the adoption of the PDCA cycle, ISO 17799 (now ISO 27001) advocates learning processes such as those described above. Many of the security administrators that we interviewed were aware of the standard, but considered it (and other standards) to be too complex and time consuming to use.

8. Conclusions

Security management in the surveyed enterprises was not yet elevated to the strategic level. The enterprises, including those in the CI domain, had adopted a technology-based paradigm for information security. The enterprises mainly focused on technical solutions and did not adopt a holistic view. The approaches were reactive and improvised and, in many cases, lacked indicators and a risk assessment foundation. This is a consequence of the understanding that the enterprises have of security. The primary information security drivers at the surveyed enterprises were incidents, laws and regulations, and client requirements. As a result, the security solutions applied at the enterprises often addressed the symptoms instead of the root cause.

The results are somewhat troubling. A comment made by a systems administrator exemplifies the security mindset—when asked about information security, this individual answered, “Oh yes, that’s McAfee”. The survey sample size was small (20); we may have been unlucky and picked some of the worst enterprises in the region. Still, the enterprises were drawn from a variety of sectors and the results are consistent across the board.

An effective security management strategy should rely on the simultaneous implementation of technical, formal and informal controls. However, before this is done, it is important to consider all three classes of security controls and understand their interdependencies. Enterprises should undertake systematic risk assessments and have functioning incident learning systems. Moreover, the two processes should interact in a structured and beneficial manner. Without well-functioning learning systems, enterprises would be unable to build and maintain the most crucial resource in information security—knowledge. The lack of knowledge manifested itself in many ways. For example, one enterprise was developing a contingency plan, but the plan would only include preventive measures. The lack of basic knowledge was astonishing—a contingency plan comes into effect after preventive measures have failed!

Laws and regulations (e.g., LOPD and SOX) proved to be key information security drivers for the surveyed enterprises. Some enterprises were required by their clients to institute certain security processes. While external interventions had an overall positive effect, our investigation indicated a possible downside: enterprises were focused on complying with laws, regulations and client requirements while ignoring other important security issues. Indeed, the emphasis on securing assets and processes subject to these external drivers often spurs expensive and inefficient investments [39].

Many enterprises had created their own security models based on ISO 17799, but felt that it was much too complex. Certification was not pursued because it was time consuming and deemed to be (somewhat) unnecessary. It may be productive for standards bodies to create simpler standards involving only key components to promote broader implementation by enterprises.

Our study did not discern any significant differences between CI enterprises and non-CI enterprises with respect to information security. The principal security drivers were actual incidents and external requirements. One financial institution (CI01) and the military contractor were more proactive than the other four CI enterprises, but some non-CI enterprises also exhibited proactive behavior. In the case of CI01, the tradition of evaluating financial risk may have spilled over into information security. The military contractor simply had to comply with client requirements. The levels of security management at the remaining four CI enterprises were essentially the same as those at the non-CI enterprises. Perhaps the situation is different in sectors like energy and transportation that have longstanding safety and security cultures.

In summary, CI and non-CI enterprises appear to be trapped in a vicious circle. Because no systems are in place to measure and track risk, the risk is invisible to management. Since management cannot see the risk, it does not allocate resources to control the risk.

The model presented in this paper integrates information security theory and practice. It is, therefore, both normative and explanatory. However, there are some limitations. One limitation is the lack of knowledge about the degrees to which the three classes of security controls depend on each other. Another problem is that limited data is available about the relationship between the actual security gap and impact. Further study is necessary to understand the impact of risk assessments and incident learning systems and how they interact. It is also important to know the challenges faced by these processes, how to avoid potential vicious circles and turn them into virtuous circles. Having more insight about these relationships would improve the basis for security policy design and implementation. This would also enable us to further develop the qualitative model presented in this paper into a simulation model.

Finally, the SD model has been very beneficial in understanding the dynamics of information security. In particular, it has enabled us to express and analyze the various interactions, interdependencies and time delays that exist in information security systems. Information security in CI enterprises is much more complex than the simple diagrams utilized in this paper. However, the simple diagrams provide a framework for constructing complex models. They also provide useful, intuitive mechanisms for security professionals and managers to reason about security without getting bogged down in the details.

Acknowledgements

We would like to thank the reviewers for comments that have enabled us to improve this paper. We also wish to thank Susan Alustiza for reviewing the English grammar and spelling. Last, but not least, we are very grateful to the enterprises that participated in our survey.

References

[1] B. Schneier, Secrets and Lies, John Wiley, New York, 2000.

[2] J. Torres, J. Sarriegi, Dynamic aspects of security management of information systems, presented at the Twenty-Second International Conference of the System Dynamics Society, 2004.

[3] R. Anderson, Why information security is hard—An economic perspective, in: Proceedings of the Seventeenth Annual Computer Security Applications Conference, 2001, pp. 358–365.

[4] K. Mitnick, The Art of Deception, John Wiley, Indianapolis, Indiana, 2002.

[5] G. Dhillon, S. Moores, Computer crimes: Theorizing about the enemy within, Computers and Security 20 (8) (2001) 715–723.


[6] K. Warren, Competitive Strategy Dynamics, John Wiley, New York, 2002.

[7] K. Warren, Strategic Management Dynamics, John Wiley, New York, 2008.

[8] J. Forrester, Industrial Dynamics, Productivity Press, Cambridge, Massachusetts, 1961.

[9] J. Sterman, Business Dynamics: Systems Thinking and Modeling for a Complex World, McGraw-Hill/Irwin, Boston, Massachusetts, 2000.

[10] J. Sarriegi, J. Santos, J. Torres, D. Imizcoz, E. Egozcue, D. Liberal, Modeling and simulating information security management, presented at the Second International Workshop on Critical Information Infrastructure Security, 2007.

[11] G. Richardson, D. Andersen, Teamwork in group model building, System Dynamics Review 11 (2) (1995) 113–137.

[12] J. Vennix, D. Andersen, G. Richardson, J. Rohrbaugh, Model building for group decision support: Issues and alternatives in knowledge elicitation, European Journal of Operational Research 59 (1) (1992) 28–41.

[13] J. Vennix, Group model-building: Tackling messy problems, System Dynamics Review 15 (4) (1999) 379–401.

[14] J. Santos, N. Serrano, J. Torres, J. Sarriegi, Empirical study of information systems security management in Basque Country SMEs, presented at the Eighth International Conference of the Decision Science Institute, 2005.

[15] R. Botha, T. Gaadingwe, Reflecting on 20 SEC conferences, Computers and Security 25 (4) (2006) 247–256.

[16] G. Dhillon, Managing and controlling computer misuse, Information Management and Computer Security 7 (4) (1999) 171–175.

[17] B. Schneier, Beyond Fear, Copernicus Books, New York, 2003.

[18] E. Shaw, The role of behavioral research and profiling in malicious cyber insider investigations, Digital Investigation 3 (1) (2006) 20–31.

[19] R. Anderson, Security Engineering, John Wiley, New York, 2001.

[20] S. Campbell, How to think about security failures, Communications of the ACM 49 (1) (2006) 37–39.

[21] S. Gorling, The myth of user education, presented at the Virus Bulletin Conference, 2006.

[22] D. Landoll, The Security Risk Assessment Handbook, Auerbach Publications, Boca Raton, Florida, 2006.

[23] G. Killcrece, K. Kossakowski, R. Ruefle, M. Zajicek, State of the practice of computer security response teams (CSIRTs), Technical Report CMU/SEI-2003-TR-001, Software Engineering Institute, Carnegie Mellon University, Pittsburgh, Pennsylvania, 2003.

[24] A. Calder, S. Watkins, IT Governance: A Manager’s Guide to Data Security and BS 7799/ISO 17799, Kogan Page, London, United Kingdom, 2005.

[25] F. Sveen, J. Torres, J. Sarriegi, Learning from your elders: A shortcut to information security management success, in: Proceedings of the Twenty-Sixth International Conference on Computer Safety, Reliability and Security, 2007, pp. 224–237.

[26] P. Senge, The Fifth Discipline, Currency Doubleday, New York, 1990.

[27] C. Johnson, Failure in Safety Critical Systems: A Handbook of Incident and Accident Reporting, University of Glasgow Press, Glasgow, United Kingdom, 2003.

[28] P. Lee, T. Weitzel, Air carrier safety and culture: An investigation of Taiwan’s adaptation to Western incident reporting programs, Journal of Air Transportation 10 (1) (2005) 20–37.

[29] I. Nonaka, H. Takeuchi, The Knowledge-Creating Company, Oxford University Press, Oxford, United Kingdom, 1995.

[30] J. Wiik, J. Gonzalez, K. Kossakowski, Limits to effectiveness of computer security incident response teams, presented at the Twenty-Third International Conference of the System Dynamics Society, 2005.

[31] N. Repenning, J. Sterman, Nobody ever gets credit for fixing problems that never happened: Creating and sustaining process improvement, California Management Review 43 (4) (2001) 64–88.

[32] J. Gonzalez, Towards a cyber security reporting system—A quality improvement process, in: Proceedings of the Twenty-Fourth International Conference on Computer Safety, Reliability and Security, 2005, pp. 368–380.

[33] J. Torres, J. Sarriegi, J. Santos, Explaining security management evolution through the analysis of CIOs’ mental models, presented at the Twenty-Third International Conference of the System Dynamics Society, 2005.

[34] G. Easton, S. Jarrell, The effects of total quality management on corporate performance: An empirical investigation, Journal of Business 71 (2) (1998) 253–307.

[35] K. Hendricks, V. Singhal, Quality awards and the market value of the firm: An empirical investigation, Management Science 42 (3) (1996) 415–436.

[36] K. Hendricks, V. Singhal, Does implementing an effective TQM program actually improve operating performance? Empirical evidence from firms that have won quality awards, Management Science 43 (9) (1997) 1258–1274.

[37] K. Hendricks, V. Singhal, Firm characteristics, total quality management and financial performance, Journal of Operations Management 19 (3) (2001) 269–285.

[38] E. Schultz, The human factor in security, Computers and Security 24 (6) (2005) 425–426.

[39] R. Caralli, The critical success factor method: Establishing a foundation for enterprise security management, Technical Report CMU/SEI-2004-TR-010, Software Engineering Institute, Carnegie Mellon University, Pittsburgh, Pennsylvania, 2004.