The Center for Education and Research in Information Assurance and Security (CERIAS)

Developing a Risk Management System for Information Systems Security Incidents

Fariborz Farahmand

The Internet and information systems have enabled businesses to reduce costs, attain greater market reach, and develop closer business partnerships along with improved customer relationships. However, using the Internet has led to new risks and concerns. This research provides a management perspective on the issues confronting CIOs and IT managers. It outlines the current state of the art of information security, the important issues confronting managers, security enforcement measures and techniques, and potential threats and attacks. It develops a model for the classification of threats and control measures. It also develops a scheme for probabilistic evaluation of the impact of security threats, with some illustrative examples. It involves validation of information assets and of the probabilities of success of attacks on those assets in organizations, and evaluates the expected damages of these attacks. The research outlines some suggested control measures, presents some cost models for quantifying damages from these attacks, and compares the tangible and intangible costs of these attacks. This research also develops a risk management system for information systems security incidents in five stages: (1) resource and application value analysis, (2) vulnerability and risk analysis, (3) computation of losses due to threats and benefits of control measures, (4) selection of control measures, and (5) implementation of alternatives. The outcome of this research should help decision makers select the appropriate control measure(s) to minimize damage or loss due to security incidents. Finally, some recommendations for future work are provided to improve the management of security in organizations.

Georgia Institute of Technology

Table of Contents

Chapter 1 Overview of Research
Chapter 2 Information Security: Practice and Threats in Organizations
  2.1 The State of the Art of Security Practice in Businesses
  2.2 The Nature of Security Threats
  2.3 Deploying Resources in Information Security
  2.4 Security Standards and Overview of Common Criteria
Chapter 3 Costs Resulting from Information Security Incidents
  3.1 A Critical Overview
  3.2 Insurance and Risk Mitigation
    3.2.1 Liability Issues
    3.2.2 Information Systems Disasters
    3.2.3 Working with the Insurance Industry
    3.2.4 Limiting Cases
  3.3 Cost of an Incident
  3.4 Variability of Losses Resulting from Similar Exploitation
  3.5 Quantifying the Cost of Security Incidents
  3.6 Analysis of Cost of Security Breach Announcements
Chapter 4 Probability of Security Incidents
  4.1 Subjective Probability Assessment
  4.2 Possible Pitfalls of Subjective Analysis
  4.3 Scope of Subjective Analysis
  4.4 Probability Assessment
Chapter 5 Classification of Security Threats in Information Systems
  5.1 A Review of Existing Taxonomies
  5.2 A Model for Threat Classification and Control Measures
Chapter 6 Developing a Risk Management System
  6.1 A Critical Overview
  6.2 A Risk Management System
    6.2.1 Resource and Application Value Analysis
    6.2.2 Vulnerability and Risk Analysis
    6.2.3 Computation of Losses due to Threats and Benefits of Countermeasures
    6.2.4 Selection of Countermeasures
  6.5 Implementation of Alternatives
Chapter 7 Case Studies
  7.1 First Round of Interviews
  7.2 Summary of Answers in First Round
  7.3 Round Two and Summary of Results
Chapter 8 Contributions and Conclusions
Chapter 9 Future Work
