The IS Security Problem
GP Dhillon, Ph.D., Associate Professor of IS, VCU

Problem (1): billions are being lost
- US Fraud Information Center: Internet fraud losses up from $3.4 million to $4.4 million in 2000; average loss per person rose from $427 in 2000 to $636 in 2001
- CSI/FBI: theft of proprietary information, 1.5 billion in 2001
- IT security breaches cost companies about $15 billion each year (source: Datamonitor)
- UK Audit Commission: has consistently reported a nearly 180% increase in IT abuse cases in its reports, which are published every 3 years

Problem (2): remarkable increases in spending on security
- Estimated $8.7 billion spent on security measures in 2000; that figure will rise to $30.3 billion in 2005, a growth of 28% year on year
- Security breaches take place despite the deployment of various technologies: 95% had firewalls, 61% had intrusion detection systems, 90% had access control of some sort, 42% had digital IDs, etc. (source: CSI/FBI 2001 survey)
- The UK Audit Commission reported that 25% of organizations did not have computer audit skills, 60% of organizations had no security awareness, and 80% of organizations did not conduct a risk analysis
- For example, in the UK 98% of organizations had failed to implement the British Standards Institution's BS 7799 (now ISO 17799), even though 20,000 copies had been sold

Conceptualizing IS security (diagram; the labels it contains, from the innermost organizational layer outward)
- 'Informal' information system and security issues: "the internal organizational environment"
- Formal information system and security issues: communication security, data security
- Technical information system and security issues: network security
- External organizational environment: legal/regulatory

Types of security breaches and related preventive mechanisms (IS security matrix: internal vs. external, by technical, formal and informal level)
Internal
- Technical: checklists; risk management; malicious code; formal models (CIA); security policies (s/w, h/w, network); evaluation methods (TCSEC, ITSEC, etc.)
- Formal: information modeling; responsibility modeling; secure ISD
- Informal: practically none (except perhaps work by Baskerville and Dhillon)
External
- Technical: formal models (CIA); intrusion detection; firewalls; encryption; PKI
- Formal: legal, regulatory and public policy
- Informal: none within security, except some work in information privacy and Internet privacy

'Internal' IS security: some definitions
- Organizations: evolving social forms of sense making, and hence constituted of formal, technical and informal parts
- Information systems: information systems and organizations have become indistinguishable from each other. Organizing entails handling information in a purposeful manner. This is achieved in a formal, rule-based manner, informally, or through the use of any technology
- Computer-based IS: the part of the IS/organization where information technology has been used for automation
- IS security: IS security is therefore not just the security of the technical edifice, but that of the formal and informal systems within an organization as well
Therefore security breaches (negative events) occur because of:
1. lack of integrity between formal, technical and informal
2. inconsistencies in expectations and obligations
3. breakdown in normative and rule-based structures
4. exploitation of technical vulnerabilities

My argument in managing internal IS security problems
To resolve the problem of managing IS security, we need to understand the deep-seated pragmatic aspects of an organization. Solutions to the problem of security can be provided by interpreting the behavioral patterns of the people involved.

Common approaches for managing internal IS security (by technical, formal and informal level)
- Technical: checklists and standards (ISO 17799, TCSEC, ITSEC); risk management; malicious code (virus protection); formal models (typically for confidentiality, integrity and availability); cookbooks (self-reflected cookbooks); security policies (s/w, h/w, network)
- Formal: information modeling; responsibility modeling; business process security modeling; secure ISD; value-focused security assessment
- Informal: soft system security development; emergent security planning; security culture mapping; value-focused security assessment

Concerns with common approaches for managing internal IS security (by technical, formal and informal level)
- Technical: based on the "what can be done" principle; confronted with the developmental duality problem; present an extreme mechanistic orientation (R = P * C); lack of modeling support
- Formal: difficult to integrate into mainstream systems development; restrict the autonomy of developers; numerous ISD methods, hence difficult to present a predefined universal security method
- Informal: no principles offered; no objectives presented; lack of integration with formal and technical measures

Conclusion (diagram labels)
- Pollution
- Treatment plants
- Embankments
- Dams
- Canals