
The IS Security Problem GP Dhillon, Ph. D. Associate Professor of IS, VCU


Slide 1: The IS Security Problem
GP Dhillon, Ph.D., Associate Professor of IS, VCU (gdhillon@vcu.edu)

Slide 2: Problem (1)

Billions are being lost:
- US Fraud Information Center: Internet fraud losses rose from $3.4 million to $4.4 million in 2000; the average loss per person rose from $427 in 2000 to $636 in 2001.
- CSI/FBI: theft of proprietary information cost 1.5 billion in 2001.
- IT security breaches cost companies about $15 billion each year (source: Datamonitor).
- UK Audit Commission: its reports, published every 3 years, have consistently shown a nearly 180% increase in IT abuse cases.

Slide 3: Problem (2)

Remarkable increases in spending on security:
- Estimated $8.7 billion spent on security measures in 2000.
- That figure will rise to $30.3 billion in 2005, a 28% growth year on year.

Security breaches take place despite deployment of various technologies:
- 95% had firewalls; 61% had intrusion detection systems; 90% had access control of some sort; 42% had digital IDs, etc. (source: CSI/FBI 2001 survey).

The UK Audit Commission reported that:
- 25% of organizations did not have computer audit skills.
- 60% of organizations had no security awareness.
- 80% of organizations did not conduct a risk analysis.
- For example, in the UK 98% of organizations had failed to implement the British Standards Institution's BS 7799 (now ISO 17799), even though 20,000 copies had been sold.

Slide 4: Conceptualizing IS security

(Diagram of nested layers, from outermost to innermost.)
- External organizational environment: legal/regulatory
- 'Informal' information system and security issues: "the internal organizational environment"
- Formal information system and security issues: communication security, data security
- Technical information system and security issues: network security

Slide 5: Types of security breaches and related preventive mechanisms

IS security, by level (rows) and source of breach (columns):

Technical
- Internal: checklists; risk management; malicious code; formal models (CIA); security policies (s/w, h/w, network); evaluation methods (TCSEC, ITSEC, etc.)
- External: formal models (CIA); intrusion detection; firewalls; encryption; PKI

Formal
- Internal: information modeling; responsibility modeling; secure ISD
- External: legal, regulatory and public policy

Informal
- Internal: practically none (except perhaps work by Baskerville and Dhillon)
- External: none within security, except some work in information privacy and internet privacy

Slide 6: 'Internal' IS security: some definitions

- Organizations: evolving social forms of sense making, and hence constituted of formal, technical and informal parts.
- Information systems: information systems and organizations have become indistinguishable from each other. Organizing entails handling information in a purposeful manner. This is achieved in a formal, rule-based manner, informally, or through the use of any technology.
- Computer-based IS: the part of the IS/organization where information technology has been used for automation.
- IS security: IS security therefore is not just the security of the technical edifice, but that of the formal and informal systems within an organization as well.

Therefore security breaches (negative events) occur because of:
1. lack of integrity between formal, technical and informal parts
2. inconsistencies in expectations and obligations
3. breakdown in normative and rule-based structures
4. exploitation of technical vulnerabilities

Slide 7: My argument in managing internal IS security problems

To resolve the problem of managing IS security, we need to understand the deep-seated pragmatic aspects of an organization. Solutions to the problem of security can be provided by interpreting the behavioral patterns of the people involved.

Slide 8: Common approaches for managing internal IS security

Technical
- Checklists and standards (ISO 17799; TCSEC; ITSEC)
- Risk management
- Malicious code: virus protection
- Formal models (typically for confidentiality, integrity and availability)
- Cookbooks: self-reflected cookbooks
- Security policies (s/w, h/w, network)

Formal
- Checklists and standards (ISO 17799, TCSEC, ITSEC)
- Information modeling
- Responsibility modeling
- Business process security modeling
- Secure ISD
- Value-focused security assessment

Informal
- Soft system security development
- Emergent security planning
- Security culture mapping
- Value-focused security assessment

Slide 9: Concerns with common approaches for managing internal IS security

Technical
- Based on the "what can be done" principle
- Confronted with the developmental duality problem
- Present an extreme mechanistic orientation (R = P * C, i.e. risk as probability times cost)

Formal
- Lack of modeling support
- Difficult to integrate into mainstream systems development
- Restrict autonomy of developers
- Numerous ISD methods, hence difficult to present a predefined universal security method

Informal
- No principles offered
- No objectives presented
- Lack of integration with formal and technical measures

Slide 10: Conclusion

(Diagram of a flood-control analogy for the layered approach.)
- Pollution
- Treatment plants
- Embankments
- Dams
- Canals

