Does traditional security risk assessment have a future in information security?

The current information security standards still advocate the use of risk assessment in the prioritisation of security investments. However, prior research on the use of risk assessment methodologies in organisational security has shown that the use of the traditional monolithic risk assessment process described in the current risk management standard is simply not practical at the organisational level. This paper first examines the problems in performing a systematic risk assessment and then discusses the limitations of a traditional risk assessment. To address these limitations, this paper proposes splitting up the current monolithic risk assessment process. The result is an information security assessment framework that puts greater emphasis on situational awareness and allows for better decision making on the prioritization of security investments.

Environmental Information Access as a Security Risk

The United Sates was founded on the principles of freedom. Events in recent history have threatened the freedoms we as individuals enjoy. Notably, changes to government legislation and policies regarding access to environmentally sensitive information following September 11, 2001, are troubling. The government has struggled with a difficult balancing act. The public has the right of access to information, yet, information some view as sensitive or dangerous must be kept out of the hands of terrorists. This project examines and discusses the information access debate within the United States and how to best provide the public environmentally sensitive information.

Asset identification in information security risk assessment: A business practice approach

Organizations apply information security risk assessment (ISRA) methodologies to systematically and comprehensively identify information assets and related security risks. We review the ISRA literature and identify three key deficiencies in current methodologies that stem from their traditional accountancy-based perspective and a limited view of organizational "assets". In response, we propose a novel rich description method (RDM) that adopts a less formal and more holistic view of information and knowledge assets that exist in modern work environments. We report on an in-depth case study to explore the potential for improved asset identification enabled by the RDM compared to traditional ISRAs. The comparison shows how the RDM addresses the three key deficiencies of current ISRAs by providing: 1) a finer level of granularity for identifying assets, 2) a broader coverage of assets that reflects the informal aspects of business practices, and 3) the identification of critical knowledge assets.

A risk analysis model to reduce computer security risks among healthcare organizations

The paper describes the on-going development of a new computer-based security risk analysis methodology that may be used to determine the computer security requirements of medical computer systems. The methodology has been developed for use within healthcare, with particular emphasis placed upon protecting medical information systems. The paper goes on to describe some of the problems with existing automated risk analysis systems, and how the ODESSA system may overcome the majority of these problems. Examples of security scenarios are also presented.

The ascent of asymmetric risk in information security: an initial evaluation

Dramatic changes in the information security risk landscape over several decades have not yet been matched by similar changes in organizational information security which is still mainly based on a mindset that security is achieved through extensive preventive controls. As a result, maintenance cost of information security is increasing rapidly, but this increased expenditure has not really made an attack more difficult. The opposite seems to be true, information security attacks have become easier to perpetrate and appear more like information warfare tactics. At the same time, the damage caused by a successful attack has increased significantly and may sometimes become critical to an organization. In this paper we evaluate one particular extremely asymmetric risk where a strongly motivated attacker unleashes a prolonged attack on an organization with the aim to do maximum damage, and suggest that the probability of such an attack is increasing. We discuss how preventive controls are unlikely to ever be effective against such an attack and propose more advanced strategies that aim to limit the damage when such an attack occurs. One crucial lesson to be learned for those organizations that are dependant on their information security, such as critical infrastructure organizations, is the need to deny motivated attackers access to any information about the success of their attack. Successful deception in this area is likely to significantly reduce any potential escalation of the incident.

An agile IT security model for project risk assessment

There are two fundamental challenges in effectively performing security risk assessment in today's IT projects.The first is the project manager's need to know what IT security risks face the project before the project begins. At this stage IT security staff are unable to answer this question without first knowing the system requirements for the project which are yet to be defined. Second organisations that deal with a large project throughput each year find the current IT security risk assessment process to be tedious and expensive, especially when the same process has to be repeated for each individual project. This also makes it difficult for an organisation to prioritise which projects require more investment in IT security in order to fit within budget constraints. This paper presents a conceptual model that is based on an agile approach to alleviate these challenges. We do this by first analysing two online database resources of vulnerabilities by comparing them to each other, and then compare them to the agile criteria of the conceptual model which we define. The conceptual model is then presented and an example is given of how it can be applied to an actual project. We then briefly discuss what further work needs to be done to implement the conceptual model and validate it against an existing IT project.

A Proposed Framework for Understanding Information Security Culture and Practices in the Saudi Context

An examination of Information Security (IS) and Information Security Management (ISM) research in Saudi Arabia has shown the need for more rigorous studies focusing on the implementation and adoption processes involved with IS culture and practices. Overall, there is a lack of academic and professional literature about ISM and more specifically IS culture in Saudi Arabia. Therefore, the overall aim of this paper is to identify issues and factors that assist the implementation and the adoption of IS culture and practices within the Saudi environment. The goal of this paper is to identify the important conditions for creating an information security culture in Saudi Arabian organizations. We plan to use this framework to investigate whether security culture has emerged into practices in Saudi Arabian organizations.

A risk simulation framework for information infrastructure protection

Information communication and technology (ICT) systems are almost ubiquitous in the modern world. It is hard to identify any industry, or for that matter any part of society, that is not in some way dependent on these systems and their continued secure operation. Therefore the security of information infrastructures, both on an organisational and societal level, is of critical importance. Information security risk assessment is an essential part of ensuring that these systems are appropriately protected and positioned to deal with a rapidly changing threat environment. The complexity of these systems and their inter-dependencies however, introduces a similar complexity to the information security risk assessment task. This complexity suggests that information security risk assessment cannot, optimally, be undertaken manually. Information security risk assessment for individual components of the information infrastructure can be aided by the use of a software tool, a type of simulation, which concentrates on modelling failure rather than normal operational simulation. Avoiding the modelling of the operational system will once again reduce the level of complexity of the assessment task. The use of such a tool provides the opportunity to reuse information in many different ways by developing a repository of relevant information to aid in both risk assessment and management and governance and compliance activities. Widespread use of such a tool allows the opportunity for the risk models developed for individual information infrastructure components to be connected in order to develop a model of information security exposures across the entire information infrastructure. In this thesis conceptual and practical aspects of risk and its underlying epistemology are analysed to produce a model suitable for application to information security risk assessment. Based on this work prototype software has been developed to explore these concepts for information security risk assessment. Initial work has been carried out to investigate the use of this software for information security compliance and governance activities. Finally, an initial concept for extending the use of this approach across an information infrastructure is presented.

Deception: a tool and curse for security management

With the proliferation of electronic information systems over the last two decades, the integrity of the stored data and its uses have become an essential component of effective organisational functioning. This digitised format, used in input, output, processing, storage, and communication, has given those wishing to deceive new opportunities. This paper examines the nature of deception and its potential as a new security risk in the information age.

A review of critical information infrastructure protection within IT security guidelines

This research takes the form of a review and looks at the current advisories offered to informationl security professionals in Ihe area of critical information infrastructure protection A critical information infrastructure protection mode! is also presented along with a critical review of some of lhe recent formal guidance that has been offered. The Critical lnformation Infrastructure Protection - Risk Analysis-Methodology (CIlP-RAM) is then offered as a solution to the lack of information and advice.

A risk analysis approach to critical information infrastructure protection

Critical Information Infrastructure (CII) has become a priority for all levels of management, It is one of the key components of efficient business and business continuity plans. There is a need for a new security methodology to deal with the new and unique attack threats and vulnerabilities associated with the new information technology security paradigm. Critical Information Infrastructure Protection - Risk Analysis Methodology
(ClIP-RAM), is a new security risk analysis method which copes with the shift from computer/information security to critical information infrastructure protection. This type of methodology is the next step toward handling information technology security risk at all levels from upper management information security down to firewall configurations. The paper will present the methodology of the new techniques and their application to critical information infrastructure protection. The associated advantages of this methodology will also be discussed.