Louise Yngström
Stockholm University
Publication
Featured research published by Louise Yngström.
Information Management & Computer Security | 2011
Haider Abbas; Christer Magnusson; Louise Yngström; Ahmed Hemani
A framework for handling uncertainty within information security management systems is presented. The framework is based on theories from corporate finance. A case study shows how the framework can be applied.
Information Management & Computer Security | 2011
Yngve Monfelt; Sofie Pilemalm; Jonas Hallberg; Louise Yngström
The ultimate aim of the COINS (COntrolled INformation Security) project is to investigate, assess, and provide tools to improve the information security status in organizations, with a focus on public agencies. A central question for the project is how information security issues are communicated within the organizations, specifically underlining that communication is control in a cybernetic sense. The project is carried out in a number of steps: designing modelling techniques and metrics for information security issues in organizations (1), collecting data from Swedish governmental agencies (2), using the modelling techniques to model communication of information security in organizations from different perspectives (3), applying metrics to the data in order to assess information security levels in the agencies (4), and identifying gaps (5) and needs for improvement (6). The 14-layered framework, which is based on well-established knowledge within information security (frameworks, models, standards, and terminology), is presented. The scientific base is cybernetics, including variety engineering and recursion to provide adaptation and learning. The motivation for the research is that communication of information security issues within organizations tends to be insufficient and the mental connections between IT-security and information security work are weak, which prohibits the organization from learning and adapting in its security work. This is a report on research in progress.
Fourth IEEE International Workshop on Technology for Education in Developing Countries (TEDC'06) | 2006
Job Asheri Chaula; Louise Yngström; Stewart Kowalski
Many developing nations are looking to IT infrastructure investments as a means to reach sustainable economic growth. They strive to automate various processes in anticipation of improving production and quality of service to meet millennium development goals and cope with globalization needs. This has led to the automation of critical systems. It is therefore imperative that the security of such critical systems is one of the central issues to be addressed as developing nations plan, acquire and use information systems. The purpose of this paper is to examine the role of culture in systems security problems. We argue that insecure systems undermine economic growth and that culture defines how people plan, acquire and use information systems in a secure way. We also present some findings of a culture evaluation case study that was carried out in Tanzania to determine the role of culture in the process of securing electricity power utility systems.
engineering of computer based systems | 2009
Haider Abbas; Louise Yngström; Ahmed Hemani
Reliability of IT systems and infrastructure is a critical need for organizations to trust their business processes. This makes security evaluation of IT systems a prime concern for these organizations. Common Criteria (CC) is an elaborate, globally accepted security evaluation process that fulfills this need. However, CC rigidly follows the initial specification and security threats, takes too long to evaluate, and as such is also very expensive. Rapid development in technology, and with it new security threats, further aggravates the long evaluation time problem of CC, to the extent that by the time a CC evaluation is done it may no longer be valid because new security threats have emerged that have not been factored in. To address these problems, we propose a novel Option Based Evaluation (OBE) methodology for security of IT systems that can also be considered an enhancement to the CC process. The objective is to address uncertainty issues in the IT environment and speed up the slow CC-based evaluation processes. OBE will follow an incremental evaluation model and address the following main concerns based on options theory: i) managing dynamic security requirements with mid-course decision management, ii) devising evaluation as an improvement process, and iii) reducing cost and time for evaluation of an IT product.
international conference on information and communication technologies | 2009
Asad Raza; Haider Abbas; Louise Yngström; Ahmed Hemani
Significant technological advancement in the current electronic era has influenced the work processes of private and government business entities. E-Government is one such area, where almost every country is emphasizing and automating its work processes. Software architecture is an integral constituent of any software system; it not only involves cumbersome modeling and development but also requires heedful evaluation. Considering this aspect, we highlight in this paper the security evaluation of an ongoing e-society project, ESAM, using the Architectural Tradeoff Analysis Method (ATAM). ESAM is a web-based system intended to provide e-services to the Swedish community residents. ATAM is primarily used for architectural evaluation aligned with the quality goals of an organization, i.e. performance, availability and modifiability. We present research analysis for characterization, stimuli, and architectural decisions to evaluate software architecture with respect to security measures using ATAM. This security characterization will serve as a tool to evaluate security aspects of a software architecture using ATAM. We believe that ATAM's capability of evaluating software security will provide potential benefits in secure software development.
international workshop on education technology and computer science | 2010
Haider Abbas; Christer Magnusson; Louise Yngström; Ahmed Hemani
Organizations relying on Information Technology for their business processes have to employ various security mechanisms (authentication, authorization, hashing, encryption, etc.) to achieve their organizational security objectives of data confidentiality, integrity and availability. Apart from their intended role of increasing the security level of the organization, these security mechanisms may also affect other systems outside the organization in a positive or negative manner; these effects are called externalities. Externalities emerge in several ways, i.e. direct cost, direct benefit, indirect cost and indirect benefit. Organizations barely consider positive externalities although they can be beneficial, and the negative externalities that could create vulnerabilities are simply ignored. In this paper, we will present an infrastructure to streamline information security externalities that appear dynamically for an organization.
security of information and networks | 2009
Haider Abbas; Louise Yngström; Ahmed Hemani
The constantly rising threats in IT infrastructure raise many concerns for an organization; altering security requirements according to a dynamically changing environment, the need for midcourse decision management and deliberate evaluation of security measures are the most striking. Common Criteria for IT security evaluation has long been considered to be victimized by uncertain IT infrastructure and is considered a resource-hungry, complex and time-consuming process. Considering this aspect, we have continued our research quest for analyzing the opportunities to empower the IT security evaluation process using Real Options thinking. The focus of our research is not only the applicability of real options analysis in IT security evaluation but also observing its implications in various domains including IT security investments and risk management. We find it motivating and worth doing to use an established method from corporate finance, i.e. real options, and utilize its rule of thumb technique as a road map to counter uncertainty issues for evaluation of IT products. We believe employing options theory in security evaluation will provide the intended benefits, i.e. i) managing dynamically changing security requirements, ii) accelerating the evaluation process, and iii) midcourse decision management. While having all the capabilities of effective uncertainty management, options theory follows work procedures based on mathematical calculations that are quite different from information security work processes. In this paper, we will address the diversities between the work processes of security evaluation and real options analysis. We present an adaptability infrastructure to bridge the gap and make them coherent with each other. This liaison will transform real options concepts into a compatible mode that provides grounds to target IT security evaluation and Common Criteria issues. We will address the ESAM system as an example for illustrations and applicability of the concepts.
information security conference | 2006
Jabiri Kuwe Bakari; Charles N. Tarimo; Christer Magnusson; Louise Yngström
The lack of planning, business re-engineering, and coordination in the whole process of computerisation is the most pronounced problem facing organisations in developing countries. These problems often lead to a discontinuous link between technology and the business processes. As a result, the introduced technology poses some critical risks to the organisations due to the different perceptions of the management and technical staff in viewing the ICT security problem. This paper discusses a practical experience of bridging the gap between the general management and ICT technicians.
Working Conference on Integrity and Internal Control in Information Systems | 2005
Louise Yngström
This paper intends to stimulate discussion, research and new points-of-action for IS/IT security management from the background of corporate governance, contemporary debates of how to express observable consequences of IT and IT security, and of didactic issues. It is concluded that empirical research within IT security management is rare as compared to theoretical approaches but needed in order to have IS/IT security management on par with general management.
information security | 2004
Louise Yngström
The paper discusses forms and structures for an international doctoral program with specialization in information security and information assurance based on an analysis of international educational efforts in the area 1995–2003. The presentation underlines the need for holistic approaches to the IT security area and presents, as an example, the Systemic-Holistic Approach, SHA.