Freedom of information implications of information sharing networks for critical infrastructure protection

Protection of “critical infrastructure” has become a major issue for govern- ments worldwide. Yet in Australia, as in many other countries, including the United States, an estimated 90% of critical infrastructure is privately owned or operated commercially – in other words, critical infrastructure protection is not the exclusive domain of government. As a result, information sharing between government and the private sector has become a vitally important component of effective risk management. However, establishing effective arrangements of this kind between the public and private sector needs to take account of existing regimes of access and public disclosure which relate to government-held documents; in particular, that which is established by freedom of information (FOI) legislation. This article examines the extent to which the current Commonwealth FOI regime is likely to act as an impediment to the private sector operators of critical infrastructure participat- ing in government-operated information sharing arrangements. By examining developments in other jurisdictions, principally the United States, the article considers whether amendments to the current Australian FOI regime are necessary to ensure effective participation, consistent with the underlying object and purpose of FOI.

A risk simulation framework for information infrastructure protection

Information communication and technology (ICT) systems are almost ubiquitous in the modern world. It is hard to identify any industry, or for that matter any part of society, that is not in some way dependent on these systems and their continued secure operation. Therefore the security of information infrastructures, both on an organisational and societal level, is of critical importance. Information security risk assessment is an essential part of ensuring that these systems are appropriately protected and positioned to deal with a rapidly changing threat environment. The complexity of these systems and their inter-dependencies however, introduces a similar complexity to the information security risk assessment task. This complexity suggests that information security risk assessment cannot, optimally, be undertaken manually. Information security risk assessment for individual components of the information infrastructure can be aided by the use of a software tool, a type of simulation, which concentrates on modelling failure rather than normal operational simulation. Avoiding the modelling of the operational system will once again reduce the level of complexity of the assessment task. The use of such a tool provides the opportunity to reuse information in many different ways by developing a repository of relevant information to aid in both risk assessment and management and governance and compliance activities. Widespread use of such a tool allows the opportunity for the risk models developed for individual information infrastructure components to be connected in order to develop a model of information security exposures across the entire information infrastructure. In this thesis conceptual and practical aspects of risk and its underlying epistemology are analysed to produce a model suitable for application to information security risk assessment. Based on this work prototype software has been developed to explore these concepts for information security risk assessment. Initial work has been carried out to investigate the use of this software for information security compliance and governance activities. Finally, an initial concept for extending the use of this approach across an information infrastructure is presented.

Towards authorisation models for secure information sharing : a survey and research agenda

This article presents a survey of authorisation models and considers their ‘fitness-for-purpose’ in facilitating information sharing. Network-supported information sharing is an important technical capability that underpins collaboration in support of dynamic and unpredictable activities such as emergency response, national security, infrastructure protection, supply chain integration and emerging business models based on the concept of a ‘virtual organisation’. The article argues that present authorisation models are inflexible and poorly scalable in such dynamic environments due to their assumption that the future needs of the system can be predicted, which in turn justifies the use of persistent authorisation policies. The article outlines the motivation and requirement for a new flexible authorisation model that addresses the needs of information sharing. It proposes that a flexible and scalable authorisation model must allow an explicit specification of the objectives of the system and access decisions must be made based on a late trade-off analysis between these explicit objectives. A research agenda for the proposed Objective-based Access Control concept is presented.

Organisational challenges in understanding and implementing effective buiness continuity management strategies in a complex and critical organisation : an airport case study

With the increasing complexity of modern day threats and the growing sophistication of interlinked and interdependent operating environments, Business Continuity Management (BCM) has emerged as a new discipline, offering a strategic approach to safeguarding organisational functions. Of significant interest is the application of BCM frameworks and strategies within critical infrastructure, and in particular the aviation industry. Given the increased focus on security and safety for critical infrastructures, research into the adoption of BCM principles within an airport environment provides valuable management outcomes and research into a previously neglected area of inquisition. This research has used a single case study methodology to identify possible impediments to BCM adoption and implementation by the Brisbane Airport Corporation (BAC). It has identified a number of misalignments between the required breadth of focus for a BCM program, identified differing views on specific roles and responsibilities required during a major disruptive event and illustrated the complexities of the Brisbane Airport which impede the understanding and implementation of effective Business Continuity Management Strategies.

Information sharing in the 21st century : progress and challenges

With the increasing threat of cyber and other attacks on critical infrastructure, governments throughout the world have been organizing industry to share information on possible threats. In Australia the Office of the Attorney General has formed Trusted Information Sharing Networks (TISN) for the various critical industries such as banking and electricity. Currently the majority of information for a TISN is shared at physical meetings. To meet cyber threats there are clearly limitations to physical meetings. Many of these limitations can be overcome by the creation of a virtual information sharing network (VISN). However there are many challenges to overcome in the design of a VISN both from a policy and technical viewpoint. We shall discuss some of these challenges in this talk.

Rebuilding housing after a disaster : factors for failure

Unlike most normal construction projects, post-disaster housing projects are diverse in nature, have unique socio-cultural and economical requirements, and are extremely dynamic and thus necessitate a meaningful and dynamic response. Post-disaster reconstruction practices that lack a strategy compatible with the severity of disaster, community culture, socio-economic requirements, environmental condition, government legislations, and technical and technological situations, often fail to operate and respond effectively to the needs of the wider affected population. Factors that frequently pose real threats to the eventual success of reconstruction projects are rarely given appropriate consideration when designing such projects. Research into past reconstruction practices has shown that ignoring these factors altogether or failing to give them meaningful consideration can affect housing reconstruction projects. In other words, they either miss their targets altogether or undergo serious modifications after their occupancy, subsequently resulting in an overall loss of project resources. This article touches upon the common factors that negatively impact the outcome of such projects.