José Manuel Torres

Blind information security strategy

Abstract How do enterprises relate to and manage information security controls? This paper documents a study of twenty enterprises, six of them in the critical infrastructure (CI) domain. The state of security in the CI enterprises differed little from that in the other enterprises. Information security was seen as a technical problem with technical solutions. However, vulnerabilities in processes and human fallibility create a need for formal and informal controls in addition to technical controls. These three controls are interdependent. They vary widely in implementation time and resource needs, which render the task of building security resources a challenging problem. This paper presents a system dynamics model that illustrates how security controls are interconnected and are interdependent at a high level. The model is intended to aid security managers in CI domains to better understand information security management strategies, especially the complexities involved in managing a socio-technical system where human, organizational and technical factors interact. The model also demonstrates how the knowledge gained from proactive security activities can help managers improve the effectiveness of security controls, risk assessments and incident detection capabilities.

Modeling and simulating information security management

Security Management is a complex task. It requires several interconnected activities: designing, implementing and maintaining a robust technical infrastructure, developing suitable formal procedures and building a widespread, agreed upon security culture. Thus, security managers have to balance and integrate all these activities simultaneously, which involves short and long-term effects and risks. For this reason, security managers need to correctly understand, achieve and maintain a dynamic equilibrium between all of them. The development of a simulation model can be an efficient approach towards this objective, as it involves making explicit key factors in security management and their interconnections to efficiently reduce organizational security risks. This endogenous perspective of the problem can help managers to design and implement more effective policies. This paper presents a methodology for developing simulation models for information security management. The use of this methodology is illustrated through examples.

Security Strategy Analysis for Critical Information Infrastructures

How do security departments relate to and manage information security controls in critical infrastructures (CI)? Our experience is that information security is usually seen as a technical problem with technical solutions. Researchers agree that there are more than just technical vulnerabilities. Vulnerabilities in processes and human fallibility creates a need for Formal and Informal controls in addition to Technical controls. These three controls are not independent, rather they are interdependent. They vary widely in implementation times and resource needs, making building security resources a challenging problem. We present a System Dynamics model which shows how security controls are interconnected and interdependent. The model is intended to aid security managers in CI to better understand information security management strategy, particularly the complexities involved in managing a socio-technical system where human, organisational and technical factors interact.

Steering Security through Measurement

This paper presents the results of a security management survey of IT administrators from small and medium sized enterprises (SMEs) who ranked predefined Critical Success Factors (CSFs) and Indicators. The outcome of this study relies on the development of a set of security management guidelines that allows IT administrators to adopt assessment and managerial security routines. The secondary contribution relies on allowing IT administrators to establish a culture of implementing and tracking the effectiveness of technical and non-technical security controls. The survey results describe how IT administrators would like the most critical aspects of security to evolve.