Slide 1
IS Integrity and Security
GP Dhillon, PhD, Associate Professor of IS, School of Business, VCU
Slide 2
The emergent form
[Diagram: a grid plotting External Coalition (Strong / Weak) against Internal Coalition (Strong / Weak)]
Slide 3
Problem
Slide 4
Problem
• According to the latest UK Audit Commission report, between 1990 and 1994 there was a 183% increase in the value of cases
• Computer fraud has increased 8 times since the previous report
• Average cost of a computer security breach was approx. $42,000
• In 1997 the Audit Commission found organizations reporting computer security problems to have increased from 34% in 1994 to 45% in 1997
Slide 5
What’s happening out there?
• Electronic point-of-sale transactions in the US went up from 38 per day in 1985 to 1.2 million per day in 1993
• In international currency markets, partners transfer an average of $800 billion every day
• Among US banks about $1 trillion is transferred daily
• In the New York markets $2 trillion worth of securities are traded daily
Slide 6
Shocking news …
• 25% of organizations did not have computer audit skills
• 60% of organizations had no security awareness
• 80% of the organizations did not conduct a risk analysis
• In the UK 98% of the organizations had failed to implement the British Standards Institution’s BS 7799 (although 20,000 copies were sold)
Slide 7
Other facts
• In 1996 companies spent $830 million on information security technology to guard against potential abuses
• In 1996 a Computer Security Institute survey found 42% of Fortune 500 companies reporting computer security breaches
• In 1999 the Computer Security Institute reported losses amounting to nearly $124 million (theft of proprietary information $42.5 million; financial fraud $39.7 million; laptop theft $13 million)
Slide 8
Survey results: perceived threat to information security
Slide 9
Survey results: physical security precautions in use
Slide 10
Survey results: technology security precautions in use
Slide 11
Security risks: the dominant view
• Password sniffing/cracking software
• Spoofing attacks
• Denial of service attacks
• Direct attacks
  – Man-in-the-middle: packet sniffs on the link between the two end points, and can therefore pretend to be one end of the connection
  – Routing redirect: redirects routing information from the original host to the hacker's host (this is another form of man-in-the-middle attack)
Slide 12
Security risks: a more realistic view (based on Office of Technology Assessment, USA and Dhillon, 1997)
• Human error
• Analysis and design faults
• Violations of safeguards by trusted personnel
• Environmental damage
• System intruders
• Malicious software, viruses, worms
Slide 13
The reality
• White-collar crime: (e.g. the Kidder Peabody & Co case)
• Theft: (e.g. the ‘Salami Slicers’)
• Stolen services: (economic espionage costs US $50b a year)
• Smuggling: (the case of ‘One Happy Island’)
• Terrorism: (problems in FedWire; SWIFT)
• Child pornography: (securing a global village)
Slide 14
How have we dealt with these issues? The risk management process
[Diagram: a cycle of Strategic Security Planning, Risk Analysis, Implementation, and Monitoring and Compliance Testing, with Follow-up (initiation) and Follow-up (planning) stages]
Slide 15
Risk analysis
[Diagram with the following components: Asset definition & valuation; Threat assessment; Vulnerability assessment; Constraints; Security objectives; Measure of impact; Determination of measures of risk; Selection of safeguards]
Slide 16
Outcomes of risk analysis
• Results are expressed in monetary units (R = P * C)
• Admits that security is a capital investment opportunity
• Defers security “option” to higher authority
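The monetary outcome stated on this slide, R = P * C, together with the asset valuation, threat assessment, impact measurement and safeguard-selection steps of the preceding risk analysis slide, is worked through below in Python. This is an added example and not code from the original deck: every asset, probability, cost and safeguard figure is a constructed assumption, as is the greedy selection rule, and the example goes beyond the single formula by carrying the risk figure through to safeguard selection under a budget constraint.

```python
"""Worked example of the risk-analysis outcome R = P * C from the slides:
asset valuation and threat assessment feed a risk measure in monetary units,
and safeguards are then selected against that measure under a budget constraint.

Added example, not code from the original deck. All asset values, probabilities,
safeguard costs and the greedy selection rule are constructed assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Exposure:
    """One (asset, threat) pair produced by asset valuation and threat assessment."""
    asset: str
    threat: str
    annual_probability: float  # P: expected occurrences per year
    cost_per_incident: float   # C: monetary impact of one occurrence

    def risk(self) -> float:
        """R = P * C: annualised expected loss in monetary units."""
        return self.annual_probability * self.cost_per_incident


@dataclass(frozen=True)
class Safeguard:
    """A candidate control with an annual cost and the exposures it reduces."""
    name: str
    annual_cost: float
    covers: frozenset          # set of (asset, threat) keys it applies to
    risk_reduction: float      # fraction of each covered exposure's R it removes


def residual_risk(exposures, chosen):
    """Total annual expected loss once the chosen safeguards are in place.
    Reductions applied to the same exposure compound multiplicatively."""
    total = 0.0
    for e in exposures:
        factor = 1.0
        for s in chosen:
            if (e.asset, e.threat) in s.covers:
                factor *= 1.0 - s.risk_reduction
        total += e.risk() * factor
    return total


def select_safeguards(exposures, candidates, budget):
    """Greedy selection: repeatedly add the affordable safeguard whose marginal
    risk reduction most exceeds its annual cost; stop when none pays for itself."""
    chosen = []
    remaining = budget
    pool = list(candidates)
    while True:
        best, best_net = None, 0.0
        current = residual_risk(exposures, chosen)
        for s in pool:
            if s.annual_cost > remaining:
                continue  # constraint: cannot exceed the security budget
            net = current - residual_risk(exposures, chosen + [s]) - s.annual_cost
            if net > best_net:
                best, best_net = s, net
        if best is None:
            return chosen, remaining
        chosen.append(best)
        pool.remove(best)
        remaining -= best.annual_cost


# Constructed sample figures (not from the slides).
EXPOSURES = [
    Exposure("customer database", "disclosure by intruder", 0.10, 200_000.0),
    Exposure("customer database", "accidental deletion", 0.50, 30_000.0),
    Exposure("payment gateway", "denial of service", 0.25, 40_000.0),
    Exposure("laptops", "theft", 2.0, 3_000.0),
]
CANDIDATES = [
    Safeguard("access control hardening", 8_000.0,
              frozenset({("customer database", "disclosure by intruder")}), 0.7),
    Safeguard("backup and restore procedure", 4_000.0,
              frozenset({("customer database", "accidental deletion")}), 0.9),
    Safeguard("DDoS mitigation service", 12_000.0,
              frozenset({("payment gateway", "denial of service")}), 0.8),
    Safeguard("laptop disk encryption", 2_000.0,
              frozenset({("laptops", "theft")}), 0.6),
]


def run_analysis(budget=15_000.0):
    """Return (risk before, chosen safeguard names, risk after, budget left)."""
    chosen, left = select_safeguards(EXPOSURES, CANDIDATES, budget)
    return (residual_risk(EXPOSURES, []), [s.name for s in chosen],
            residual_risk(EXPOSURES, chosen), left)


if __name__ == "__main__":
    before, names, after, left = run_analysis()
    print(f"annual expected loss before safeguards: {before:,.0f}")
    for name in names:
        print(f"  selected: {name}")
    print(f"annual expected loss after safeguards:  {after:,.0f} (budget left {left:,.0f})")
```

Running the block prints the expected annual loss before and after the selected safeguards. The point for a practitioner is the one the slide makes about security as a capital investment: a safeguard whose annual cost exceeds the risk it removes (the DDoS service in the constructed figures) is left unselected even though it addresses a real threat, and that decision is then visible to the higher authority the slide says the security "option" is deferred to.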
Slide 17
Dhillon’s world view for IS security
[Diagram: nested layers labelled Technical, Formal, Informal and Real World. Legend: communication loops; some social and working groups with overlapping memberships; organisational/system boundaries]
Slide 18
Conceptualizing IS security issues
[Diagram with the following labels: Pragmatic information system and security issues ("The organizational environment"); Formal information system and security issues; Communication security; Data security; Technical information systems and security issues]
Slide 19
The RITE principles
• Responsibility (and knowledge of Roles)
• Integrity (as requirement of Membership)
• Trust (as distinct from Control)
• Ethicality (as opposed to Rules)
Slide 20
Principles for managing IS security
Slide 21
Background to the development of IS security principles
• Spent about 18 months talking to managers at various levels in a broad spectrum of firms:
  – Marks & Spencer (Retail) - 7 meetings
  – Sainsbury (Retail) - 3 meetings
  – Safeway (Retail) - 6 meetings
  – British Telecom (Telecom) - 16 meetings
  – British Rail (Transport) - 2 meetings
  – Shell Petroleum (Oil) - 21 meetings
  – IBM (Computers) - 4 meetings
  – Telia (Swedish Telecom) - 8 meetings
  – Procter & Gamble (FMCG) - 3 meetings
  – Thames Valley Water (Public Utility) - 7
• Intensive research into a few case study organizations
  – British NHS hospital (1 year)
  – British Local Govt. (1 year)
  – Shell Petroleum (2 years)
  – ABB (1 year)
  – Motorola (1 year)
  – Sunrise Hospital (1 year)
Slide 22
Debunking the myths
• Security was more than password control/management
• Security did not equate to encrypting messages
• A number of security problems were caused by analysis and design faults - both intentional and unintentional
• Information stored in computers was not necessarily more vulnerable than other forms of information
• Information loss did not necessarily occur from modification, destruction, disclosure, and unauthorized use
• Effective information security cannot necessarily be achieved by using good controls and practices
• Comprehensive, quantified risk assessment is not a valid, effective method of security review
• Business confidentiality does not require that the need-to-know principle be applied
• Authentication of identity is not based on “what you know, what you possess and what you are” but on trust
• Computer viruses are not a major business security crisis
• It is not the role of the information security specialist to help improve the quality of clients’ data
Slide 23
The systems lifecycle
[Diagram: Plan, Design, Implement, Evaluate, with an “evaluate” step attached to each stage]
Slide 24
Planning for IS security (lifecycle stage: Plan)
1. A well conceived corporate plan establishes a basis for developing a security vision
2. A secure organization lays emphasis on the quality of its operations
3. A security policy denotes specific responses to specific recurring situations and hence cannot be considered as a top level document
4. Information systems security planning is of significance if there is a concurrent security evaluation procedure
Slide 25
Planning for IS security
Slide 26
IS security planning process
[Diagram: the IS Security Development Process aligned with the IS Development Process, running from Corporate Planning through IS Strategy Formulation, IS Security Strategy Formulation, IS Security Policy and IS Tactical Planning to Evaluation. Labels in the diagram: Environment scanning; Future analysis; Organisational analysis; Development of a security vision; Recognising security as a key enabler of businesses; Provision of a framework for IS strategy formulation; Alignment and assessment of IS strategy and IS security with respect to corporate objectives; IS budgets; IT acquisition policy; Corporate information needs; Risk analysis; SWOT analysis; IS project development plans; Allocation of resources & responsibilities; IS security implementation; Identification of appropriate controls; IS audits; Security audits; Evaluation; feedback]
Slide 27
Designing IS security (lifecycle stage: Design)
1. The adherence to a specific security design ideal determines the overall security of a system
2. Good security design will lay more emphasis on ‘correctness’ during system specification
3. A secure design should not impose any particular controls, but choose appropriate ones based on the real setting
Slide 28
Implementing IS security (lifecycle stage: Implement)
1. Successful implementation of security measures can be brought about if analysts consider the informal organization before the formal
2. Implementation of security measures should take a ‘situational issue-centered’ approach
3. To facilitate successful implementation of security controls, organizations need to share and develop expertise and commitment between the ‘experts’ and managers
Slide 29
Evaluating IS security (lifecycle stage: Evaluate)
1. Security evaluation can only be carried out if the nature of an organization is understood
2. The level of security cannot be quantified and measured; it can only be interpreted
3. Security evaluation cannot be based on the expert viewpoint of any one individual, rather an analysis of all stakeholders should be carried out
Slide 30
[Diagram: means objectives and fundamental objectives for IS security
Overall objective: Maximize IS Security
Means objectives: Personal financial situation; Censure; Empowerment; Legal & procedural compliance; Information ownership; Authority structures; Trust; Communication; Access control; Information availability; Personal needs fulfillment; Work allocation practices; Responsibility & accountability; Individual characteristics; Personal beliefs; Work situation
Fundamental objectives: Maximize awareness; Human resource practices; Ethical environment; Integral business processes; Management development practices; Data integrity; Organizational integrity; Privacy; Individual ethics]
Slide 31
Principles for managing IS security
Planning
• A well conceived corporate plan establishes a basis for developing a security vision
• A secure organization lays emphasis on the quality of its operations
• A security policy denotes specific responses to specific recurring situations and hence cannot be considered as a top level document
• Information systems security planning is of significance if there is a concurrent security evaluation procedure
Design
• The adherence to a specific security design ideal determines the overall security of a system
• Good security design will lay more emphasis on ‘correctness’ during system specification
• A secure design should not impose any particular controls, but choose appropriate ones based on the real setting
Implementation
• Successful implementation of security measures can be brought about if analysts consider the informal organization before the formal
• Implementation of security measures should take a ‘situational issue-centered’ approach
• To facilitate successful implementation of security controls, organizations need to share and develop expertise and commitment between the ‘experts’ and managers
Evaluation
• Security evaluation can only be carried out if the nature of an organization is understood
• The level of security cannot be quantified and measured; it can only be interpreted
• Security evaluation cannot be based on the expert viewpoint of any one individual, rather an analysis of all stakeholders should be carried out
Slide 32
Consolidated principles
• Education, training and awareness, although important, are not sufficient conditions for managing information security. A focus on developing a security culture goes a long way in developing and sustaining a secure environment.
• Responsibility, integrity, trust and ethicality are the cornerstones for maintaining a secure environment.
• Establishing a boundary between what can be formalized and what should be norm based is the basis for establishing appropriate control measures.
• Rules for managing information security have little relevance unless they are contextualized.
• In managing the security of technical systems a rationally planned grandiose strategy will fall short of achieving the purpose.
• Formal models for maintaining the confidentiality, integrity and availability (CIA) of information cannot be applied to commercial organizations on a grand scale. Micro-management for achieving CIA is the way forward.