Wolfgang Boehmer
Technische Universität Darmstadt
Publication
Featured research published by Wolfgang Boehmer.
international conference on emerging security information, systems and technologies | 2008
Wolfgang Boehmer
The ISO27001:2005, as an information security management system (ISMS), is establishing itself more and more as the security standard in enterprises. In 2008 more than 4457 certified enterprises could be registered worldwide. Nevertheless, registering an ISMS still says nothing about the quality and performance of its implementation. Therefore, in this article, a method for measuring the performance of the implementation and operation of an ISMS is presented.
international conference on emerging security information, systems and technologies | 2009
Wolfgang Boehmer
In this paper, a new model is presented for evaluating the performance of a Business Continuity Management System according to BS 25999. This model is able to calculate the survivability ex-ante if the key performance indicator for the effectiveness exists. Performance is based fundamentally on the system's Business Continuity Plans and Disaster Recovery Plans. Typically, the performance of these plans is evaluated by a number of specific exercises at various intervals and, in many cases, with a variety of targets. Furthermore, these specific exercises are rerun after a longer period (≥ a year) and then often only partially. If a company is interested in taking performance measurements over a shorter period, obstacles and financial restrictions are often encountered. Furthermore, it is difficult for companies to give an ex-ante statement of their survival in the case of a disaster. Two key performance indicators are presented that allow the performance of a Business Continuity Management System to be evaluated according to BS 25999. Using these key performance indicators, the probability of survival can be estimated before extreme events occur.
privacy security risk and trust | 2011
Wolfgang Boehmer
international conference on emerging security information, systems and technologies | 2010
Wolfgang Boehmer
availability, reliability and security | 2014
Wolfgang Boehmer
In the development of individual security concepts, risk-based information security management systems (ISMS) according to ISO 27001 have established themselves in addition to policies in the field of IT infrastructures. Particularly in the field of critical infrastructures, however, it has been shown that despite functioning security concepts, the Stuxnet virus was able to spread through industrial systems (infection). Nevertheless, the existing security concepts are not useless, but rarely take effect in behavioral risk. In this paper, we use the Trust/Investor game of game theory to analyze the infection path. In general, the infection path is one game in a complex multi-layer game. As a result, based on a Nash equilibrium, a cooperative solution is proposed to arm the existing IT security concepts against such infections.
availability, reliability and security | 2013
Wolfgang Boehmer
In an effort to enhance enterprise security, three standard management systems have been established as applications of the Deming cycle: the Information Security Management System (ISMS) in accordance with the ISO 27001 standard, the Business Continuity Management System (BCM) in accordance with the BS 25999 standard and the Information Technology Service Management System (ITSM) in accordance with the ISO 20000 standard. These three management systems have been developed to operate independently of one another, but are often used together within a given company. It can be shown that management systems modeled after the Deming cycle behave as bisimulations with dynamic feedback policies and can be expressed formally as control circuits within Discrete Event Systems (DES) theory. In this article, we present an analytical description of the optimal structure through which the three management systems (ISMS, BCMS, and ITSM) should be linked in a company. We define a coupling parameter and, using an equation for the discrete control loop, show that ISMS and ITSM should ideally be strongly coupled, and ISMS and BCMS should be weakly coupled.
Concurrency and Computation: Practice and Experience | 2012
Wolfgang Boehmer
In this short article, a proposal to simulate a sophisticated attack on a technical infrastructure is discussed. Attacks on (critical) infrastructures can be modeled with attack trees, but regular (normal) attack trees have some limitations in the case of a sophisticated attack like an advanced persistent (sophisticated) attack. Furthermore, attacks can also be simulated to understand the type of attack, and in order to subsequently develop targeted countermeasures. In this case, a normal attack, and also a sophisticated one, is typically carried out in three phases. In the first phase (I), extensive information is gathered about the target object. In the second phase (II), the existing information is verified with a target object scan. In the third phase (III), the actual attack takes place. A normal attack tree is not able to explain this kind of attack behavior. So, we advanced a normal attack tree, which uses conditional probability according to Bayes to go through a certain path, step by step, from the leaf to the root. The learning ability, which typically precedes an attack (phase II), is simulated using a genetic algorithm. To determine the attack, we used threat trees and threat actors. Threat actors are weighted by a function that is called criminal energy. In a first step, three types of threat actors are proposed. The vulnerabilities have been identified as examples for a laboratory network.
computer and information technology | 2010
Wolfgang Boehmer
According to the Basel II Accord for banks and Solvency II for the insurance industry, not only should the market and financial risks for the institutions be determined, but also the operational risks (opRisk). In recent decades, Value at Risk (VaR) has prevailed for market and financial risks as a basis for assessing the present risks. Occasionally, there are suggestions as to how the VaR is to be determined in the field of operational risk. However, existing proposals can only be applied to an IT infrastructure to a certain extent, or to parts of it, such as VoIP telephony. In this article, a proposal is discussed to calculate a technical Value at Risk (t-VaR). This proposal is based on risk scenario technology and uses the conditional probability of the Bayes theorem. The vulnerabilities have been determined empirically for an insurance company in 2012. To determine the threats, attack trees and threat actors are used. The attack trees are weighted by a function that is called the criminal energy. To verify this approach, the t-VaR was calculated for VoIP telephony for an insurance company. It turns out that this method achieves good and sufficient results for the IT infrastructure as an effective method to meet the Solvency II requirements.
International Journal On Advances in Security | 2009
Wolfgang Boehmer
The limits of traditional (static) policies are well known in many areas of computer science and information security and are extensively discussed in the literature. Although some flexibility has been achieved with the introduction of dynamic policies, these efforts have only addressed a fraction of the requirements necessary to secure today's enterprises. Currently, no feedback mechanisms are in place to evaluate the effectiveness or economic impacts of static or dynamic policy implementation. Here, we address the requirement for feedback and present a policy for the next generation. This is a policy that includes a dynamic feedback response to the effectiveness of changes. The structure of this new type of policy, called a 'management system', is borrowed from discrete event system theory and functions as a control loop. A management system consists of four elements (control system, sensor, controller, and actuator) that are involved in a control law. In this article, we also present an analytical description of the optimal structure through which the three management systems (Information Security Management System (ISMS), Business Continuity Management System, and IT Service Management) should be linked in a company. We define a coupling parameter and, using an equation for the discrete control loop, show that ISMS and IT Service Management should ideally be strongly coupled, and ISMS and Business Continuity Management System should be weakly coupled. Furthermore, two types of management system can be defined. A simple management system (1st order management system) responds to and regulates only perturbations. An advanced management system (2nd order management system) has an overarching target function that influences the controller. This target function is usually economically oriented.
multikonferenz wirtschaftsinformatik | 2008
Christoph Brandt; Thomas Engel; Wolfgang Boehmer; Claude Roeltgen