
Introduction to Information Security Management

CIS 8080: Security and Privacy of Information and Information Systems

Richard Baskerville

Principles

• First Principle: T-F-O model of information security

• Second Principle: Incident-centered security management

Information Security Management Assumptions

Theory of Secure Information Systems

• The natural relationship associates the potential intrusion activities with each member of the set of system objects. These threat-object relations define a set of edges TiOj that manifest the components of insecurity, or risk, in systems.

Hoffman, L., Michelman, E., and Clements, D. "SECURATE - Security evaluation and analysis using fuzzy metrics," in: AFIPS National Computer Conference Proceedings, 1978, pp. 531-540.

[Figure: T-O model. A set of threats T1, T2, T3, T4, ..., Tn on the left is linked by edges to a set of system objects O1, O2, O3, ..., Om on the right; column labels "T" and "O".]

Theory of Secure Information Systems

• The relationship between a set of system objects (each with a loss value), a set of threats (each with a likelihood), and a set of system security features (each with a resistance). In a protected system, all edges are instead prescribed in the form TiFk and FkOj, which represent the insertion of security features between threats and system objects.

[Figure: T-F-O model. Threats T1, T2, T3, T4, ..., Tn are linked only to security features F1, F2, F3, ..., Fl, which in turn are linked to system objects O1, O2, O3, ..., Om; column labels "T", "F" and "O".]
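The T-O and T-F-O graphs above can be made concrete as a small risk table. The following is an added example, not code from the slides or from the SECURATE paper: it assumes (as a modelling choice of this example, not the authors') that an unprotected edge TiOj carries risk likelihood(Ti) × loss(Oj), that each feature Fk inserted on an edge scales it by (1 − resistance), and that features on the same edge act independently. The threat, object and feature names and all numbers are constructed sample data.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: float  # assumed: probability the threat is realised per period


@dataclass(frozen=True)
class SystemObject:
    name: str
    loss: float  # assumed: loss value if the object is compromised


@dataclass(frozen=True)
class Feature:
    name: str
    resistance: float  # assumed: fraction of attempts the feature stops, 0.0..1.0


def edge_risk(threat: Threat, obj: SystemObject, features=()) -> float:
    """Risk carried by one threat-object relation.

    With no features this is the bare T-O edge of the first model. Each
    feature F_k inserted on the edge (the T_i F_k, F_k O_j form) scales the
    edge by (1 - resistance); features are treated as independent, which is
    a simplifying assumption of this example.
    """
    passthrough = 1.0
    for f in features:
        if not 0.0 <= f.resistance <= 1.0:
            raise ValueError(f"resistance out of range for feature {f.name}")
        passthrough *= 1.0 - f.resistance
    return threat.likelihood * passthrough * obj.loss


def risk_table(threats, objects, edges, protection):
    """Build {(threat, object): (unprotected_risk, residual_risk)}.

    edges: set of (threat_name, object_name) pairs, the T_i O_j relations.
    protection: dict (threat_name, object_name) -> tuple of Feature placed
    between that threat and that object.
    """
    threat_by_name = {t.name: t for t in threats}
    object_by_name = {o.name: o for o in objects}
    table = {}
    for t_name, o_name in sorted(edges):
        t, o = threat_by_name[t_name], object_by_name[o_name]
        feats = protection.get((t_name, o_name), ())
        table[(t_name, o_name)] = (edge_risk(t, o), edge_risk(t, o, feats))
    return table


def unmediated_edges(edges, protection):
    """T-O edges with no feature between threat and object.

    In the T-F-O sense a protected system has none of these, so a non-empty
    result is the list of gaps to close.
    """
    return {e for e in edges if not protection.get(e)}


def totals(table):
    """(total unprotected risk, total residual risk) over all edges."""
    unprotected = sum(u for u, _ in table.values())
    residual = sum(r for _, r in table.values())
    return unprotected, residual


# Constructed sample data (not from the slides).
THREATS = [Threat("phishing", 0.30), Threat("theft", 0.05)]
OBJECTS = [SystemObject("laptop", 2_000.0), SystemObject("payroll_db", 100_000.0)]
EDGES = {
    ("phishing", "payroll_db"),
    ("phishing", "laptop"),  # deliberately left without a feature
    ("theft", "laptop"),
    ("theft", "payroll_db"),
}
PROTECTION = {
    ("phishing", "payroll_db"): (Feature("mfa", 0.90),),
    ("theft", "laptop"): (Feature("disk_encryption", 0.95),),
    ("theft", "payroll_db"): (Feature("physical_access_control", 0.80),),
}

if __name__ == "__main__":
    tbl = risk_table(THREATS, OBJECTS, EDGES, PROTECTION)
    for (t_name, o_name), (u, r) in tbl.items():
        print(f"{t_name:>8} -> {o_name:<10} unprotected={u:9.1f} residual={r:9.1f}")
    print("unmediated edges:", unmediated_edges(EDGES, PROTECTION))
    print("totals (unprotected, residual):", totals(tbl))
```

Running it lists each TiOj edge with its bare and feature-reduced risk, flags the phishing-to-laptop edge as the one relation still in T-O form, and sums both columns; the gap between the two totals is what the inserted features buy.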

Security Objects

[Figure: the T-F-O model again (threats T1..Tn, features F1..Fl, objects O1..Om), with the objects column "O" highlighted.]

Types of Security Objects

• Physical Assets

– Computers and communications machinery

– Attack with physical assaults

• Soft Assets

– Protocols and software

– Attack with cracking and malicious code

• Psychic Assets

– Perceptions and information

– Attack with data falsification

Security Threats

[Figure: the T-F-O model again (threats T1..Tn, features F1..Fl, objects O1..Om), with the threats column "T" highlighted.]

Security Incidents

Turnaround and transformation in cybersecurity: Key findings from The Global State of Information Security® Survey 2016, PricewaterhouseCoopers, p. 24, http://www.pwc.com/gx/en/issues/cyber-security/information-security-survey/download.html

Sources of Cyberthreats

ISACA January 2016 Cybersecurity Snapshot, US Results, http://www.isaca.org/cyber/Documents/2016-US-Cybersecurity-Snapshot-Data-Sheet_mkt_Eng_0116.pdf

Number of Breaches Per Category Over Time (n=9,009)

Verizon Risk Team. 2016. "2016 Data Breach Investigations Report." New York: Verizon, p. 8

Vulnerability: Expertise

ISACA 2015 Global Cybersecurity Status Report, www.isaca.org/cybersecurityreport

ISACA January 2016 Cybersecurity Snapshot, US Results, http://www.isaca.org/cyber/Documents/2016-US-Cybersecurity-Snapshot-Data-Sheet_mkt_Eng_0116.pdf

Industry Victims

Verizon Risk Team. 2016. "2016 Data Breach Investigations Report." New York: Verizon, p. 4

Cost of Information Security

Turnaround and transformation in cybersecurity: Key findings from The Global State of Information Security® Survey 2016, PricewaterhouseCoopers, p. 25, http://www.pwc.com/gx/en/issues/cyber-security/information-security-survey/download.html

Motives for Exploits

Verizon Risk Team. 2016. "2016 Data Breach Investigations Report." New York: Verizon, p. 4

Contrasts: Insider or Outsider?

Data Breach Actors

Verizon Risk Team. 2016. "2016 Data Breach Investigations Report." New York: Verizon, p. 7

Sources of Security Incidents

Turnaround and transformation in cybersecurity: Key findings from The Global State of Information Security® Survey 2016, PricewaterhouseCoopers, p. 24, http://www.pwc.com/gx/en/issues/cyber-security/information-security-survey/download.html

Contrasts: Mobile/IoT Risks?

Non-annoyance Mobile Malware Infections

Verizon Risk Team. 2015. "2015 Data Breach Investigations Report." New York: Verizon, p. 19

Attacks on IoT Devices & Systems

Turnaround and transformation in cybersecurity: Key findings from The Global State of Information Security® Survey 2016, PricewaterhouseCoopers, p. 11, http://www.pwc.com/gx/en/issues/cyber-security/information-security-survey/download.html

Security Features

[Figure: the T-F-O model again (threats T1..Tn, features F1..Fl, objects O1..Om), with the features column "F" highlighted.]

Security Features

[Figure: nested layers of security features, labelled as follows:]

• International Treaties

• Standards

• Laws

• Institutions

• Security Policies & Organizations

• Practices & Safeguards

Named standards in the figure: COBIT, ISO 27002, ISO 27001, NIST

Feature Usage

Cisco 2016 Annual Security Report, p. 45, http://www.cisco.com/c/dam/assets/offers/pdfs/cisco-asr-2016.pdf

Formal Policy Usage

Cisco 2016 Annual Security Report, p. 46, http://www.cisco.com/c/dam/assets/offers/pdfs/cisco-asr-2016.pdf

Regulatory Compliance Improves Security

Applicable regulations from: 2010/2011 CSI Computer Security Survey

Double-Edged Complexity

[Figure: the T-F-O model (threats T1..Tn, features F1..Fl, objects O1..Om) shown beside the plain T-O model (threats T1..Tn linked directly to objects O1..Om), contrasting the two structures.]

Incident-Centered Security Management

Baskerville, R., Spagnoletti, P., and Kim, J. 2014. "Incident-Centered Information Security: Managing a Strategic Balance between Prevention and Response," Information & Management (51:1), pp 138-151.

[Figure: a timeline t with the incident at its centre; the region before it is labelled "LEFT OF BANG" and the region after it "RIGHT OF BANG".]

Prof. Merrill Warkentin of Mississippi State University recognized the conceptual value of this IED management approach for general security management.

Modes of Protection

[Figure: timeline t; "Prevention" lies left of the incident, "Response" right of it.]

Different Action Paradigms

[Figure: timeline t; "Risk Management" is the paradigm left of the incident, "Forensics and Incident Response" the paradigm right of it.]

[Table: column headings recovered as "Model Assumptions", "Logical Structure of Models", "Organizing Principles"; the cell contents comparing the two paradigms are not recoverable from the extracted text.]

Interaction of Left & Right Paradigms

[Figure: a Threat acting on an Information System Resource, with security actions arranged around an Incident on a timeline. Left of Incident: Deter, Prevent. Right of Incident: Detect, Respond, Contain, Recover, Harden. Further labels in the figure: Indications & Warnings, Legislate & Policy Setting, Investigate, Notify, Sue, Prosecute, Retaliate, and a Refine feedback step.]

Adapted from Denning, D. E. (1999). Information Warfare and Security. Reading, Mass.: Addison-Wesley.

Incidents

[Figure: timeline t; "Prevention" lies left of the incident, "Recovery" right of it.]
