Information Stewardship: Systems Perspectives, Systems Solutions
David Pym
University of Aberdeen
Information Security Leaders, Edinburgh, 10/02/2011

Information Stewardship
- Information stewardship is one of the next two big challenges for security/assurance research
- Stewardship goes beyond protecting CIA
- Adding/protecting value; complying with and upholding values; obligation; trust
- The other one is the convergence of physical and information security concepts in the Internet of Things (airport security as an information processor)

Information Stewardship Lifecycle
[Diagram labels: Security Analytics; Environment: threat, economic, investment; Policy: people, process, technology, operations; (Trusted) infrastructure; Assurance/situational awareness; Governance; Design; Analysis; Revise]

Stewardship Economics
- It's all about trade-offs
- For example, confidentiality and availability trade off, just like inflation and unemployment
- Cost also trades off
- Use utility theory to understand security trade-offs and system design
- This is done for real in Security Analytics: utility theory and mathematical systems modelling yield predictive simulations in security management

Satisficing Cloud Stewardship
[Figure labels: Sharing; Service level; Due diligence; Target zone]

Summary
- We're making security management into a science
- HP's Security Analytics is the first (commercial) step
- Stewardship presents huge challenges, in the Cloud, in the Internet of Things, …
- Getting it right means doing the math, doing the economics, capturing behaviour, predicting design/investment consequences