Information Systems Security Planning
Dr. Gurpreet Dhillon, Virginia Commonwealth University
© G. Dhillon. All Rights Reserved.
Security Plan, what is it?
In most companies there ain't one. Common problems:
• It's someone else's problem
• The "we told the developers" dilemma
• It's a business issue. No, it's an IT issue. No, the auditors are responsible.
• Emergence of developmental duality
Why bother?
The PentaSafe Security Awareness Index (SAI) survey reported that:
• One out of ten employees had never read any of their company's security policies
• A quarter had not read them in over two years
• 70 percent of companies admitted not tracking or following up cases where staff had not signed a statement to say they had read and understood the security policy
Yes, there is a problem?
Yes, indeed. Gartner estimates that by 2006, one in five enterprises will experience a serious attack that results in a material loss for the company.
Gartner says: "Executives must get employees on board and establish a corporate culture that endorses security... Culture is probably the single biggest influence in an enterprise... We need to start thinking about security as a business enabler."
Single and Double Loops
Single loop: Real world -> Information feedback -> Decisions -> Real world
Double loop: Information feedback -> Mental models of the real world -> Strategy, structure and decision rules -> Decisions
Impediments
The same loop (Real world, Information feedback, Decisions, Mental models of the real world, Strategy, structure and decision rules) is subject to the following impediments:
• Compounding factors
• Delays
• Conflicting untested attributions
• Imperfect, ambiguous information
• Implementation failure
• Erroneous assumptions
Argument
IS security problems occur when an organization's 'espoused theory' and its 'theory-in-use' (what it actually does) are contradictory.
Our research project (2003 – 2008)
Phase 1: Identify the Espoused theories for IS Security
Phase 2: Identify the Theories-in-Use for IS Security
Phase 3: Comment on congruence
Why are we doing this? The Iceberg
• Events: What happened? -> React
• Patterns: What's been happening over time? -> Anticipate, forecast
• Structure: Why is this happening? What are the root causes? -> Understand, improve
Leverage increases as one moves from events to patterns to structure.
Events: a snapshot, a picture of a single moment in time. Patterns: trends or changes in events over time. Structure: answers the question, "what are the underlying structures and root causes of these events and patterns?"
Conceptual territory
IS Security is the protection of organizational data and information - technically, formally and informally
Layers of the information system: informal information system; formal information systems; technical information systems (data communication, networking).
• Technical IS security: confidentiality, integrity, availability, non-repudiation
• Formal IS security: structures of responsibility, authority, integrity of roles
• Informal IS security: trustworthiness, ethicality
Phase 1 Overall Objective
To develop value-based objectives for IS security in organizations
Value-focused thinking
• Values are 'principles used for evaluation', which are essential to assess 'actual or potential consequences of action or inaction'.
• A value proposition focuses on benefits that end users anticipate receiving.
• The value of IS security is therefore the net benefit and cost associated with maintaining the security and integrity of the computer-based IS and the organization.
• People choose among alternatives because the consequences of the alternatives differ enough in terms of our values. Hence the relative desirability of a consequence is a concept based on values, and alternatives are a means to achieve the more fundamental values.
Embedded value frames
Different alternatives to achieve the fundamental objective: Maximize IS security
E.g. information ownership; legal and procedural compliance; empowerment
• Fundamental objective of improving data integrity
• Fundamental objective of maximizing privacy
• Fundamental objective of maximizing awareness
Overlapping and nested value frames
Procedure (framing)
1. Develop a list of user values
2. Structuring values: express each value in a common form
3. Organizing objectives
Develop a list of values
Techniques used: wish list, posing alternatives, identifying problems and shortcomings, to name a few.
Probing techniques were adopted to overcome the difficulty posed by the latency of values: multiple probes were used to surface the latent values.
Examples of probes: "If you did not have any constraints, what would your objectives be?" "What needs to be changed from the status quo?" "How do you evaluate whether IS security is being maintained?" "How do you tell if IS security is being compromised?"
Average duration of interview: 40 minutes. Goal: to identify factors that influence individual and group behavior towards IS security and the values they hold with respect to managing IS security.
Structuring values
Convert each value statement into an objective statement expressed in a common form.
An objective is constituted of the decision context, an object and a direction of preference.
In our study the "decision context" is adequate management of IS security; a value such as "personal integrity of employees is important" or "maximize employee integrity" becomes "emphasize importance of confidentiality".
Organizing objectives
• Categorize: using the "Why is this important?" test (WITI), 9 fundamental and 16 means objectives were identified
• Relate categories by establishing a means-end network and an issue hierarchy
WITI Test
"Establish ownership of information". This objective helps to "Ensure legal and procedural compliance". This objective in turn is important to "Increase trust". Increasing trust further helps "Maximize organizational integrity".
When the application of the WITI test suggests that a given objective is important to achieve something more fundamental, such an objective is a means objective. However when the response to the WITI test suggests that the objective is simply important in our decision context, it is a fundamental objective.
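The structuring step (decision context, object, direction of preference) and the WITI test can be carried out mechanically once the "helps" relationships between objectives are recorded. The following Python example is added here to illustrate that; it is not part of the original slides or of the study. Objective names and the ownership-to-integrity chain are taken from the slides; the `Objective` class, `structure_value`, `witi_classify`, `witi_chain` and the small `HELPS` network are assumptions made for the illustration, and the verb-detection heuristic in `structure_value` is not the study's coding rule.

```python
"""Means-end network and the "Why is this important?" (WITI) test.

Added example, not the slides' own material.  Objective names follow the
slides; the data structures, functions and the HELPS network are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Objective:
    """An objective in the common form: decision context, direction, object."""
    context: str    # e.g. "adequate management of IS security"
    direction: str  # direction of preference, e.g. "maximize", "ensure"
    obj: str        # the object of the preference

    def label(self) -> str:
        return f"{self.direction} {self.obj}"


def structure_value(value_statement: str, context: str) -> Objective:
    """Convert a value statement into an objective in the common form.

    Heuristic (an assumption, not the study's coding rules): the first word
    is read as the direction of preference when it is a recognised verb;
    otherwise the value is re-expressed as 'ensure <statement>'.
    """
    verbs = {"maximize", "minimize", "increase", "decrease", "ensure",
             "establish", "promote", "improve", "understand", "optimize",
             "enhance", "emphasize"}
    words = value_statement.strip().rstrip(".").lower().split()
    if words and words[0] in verbs:
        return Objective(context, words[0], " ".join(words[1:]))
    return Objective(context, "ensure", " ".join(words))


# Constructed means-end network.  Each key "helps" (is important in order to
# achieve) every objective in its list; an empty list means the objective is
# important in the decision context itself.
HELPS = {
    "Establish ownership of information": ["Ensure legal and procedural compliance"],
    "Ensure legal and procedural compliance": ["Increase trust"],
    "Increase trust": ["Maximize organizational integrity"],
    "Maximize organizational integrity": [],
    "Maximize access control": ["Maximize data integrity"],
    "Maximize data integrity": [],
}


def witi_classify(network):
    """Apply the WITI test to every objective in the network.

    An objective with an outgoing "helps" edge is a means objective; one with
    none is important in itself and therefore a fundamental objective.
    Returns (means, fundamental), each sorted alphabetically.
    """
    means = sorted(o for o, ends in network.items() if ends)
    fundamental = sorted(o for o, ends in network.items() if not ends)
    return means, fundamental


def witi_chain(network, start):
    """Follow the WITI test from `start` until a fundamental objective is hit.

    A cycle would mean the interview answers are circular, so it is reported
    as an error instead of being followed forever.
    """
    chain, seen = [start], {start}
    current = start
    while network.get(current):
        current = network[current][0]   # follow the first "helps" link
        if current in seen:
            raise ValueError(f"cycle in means-end network at {current!r}")
        chain.append(current)
        seen.add(current)
    return chain


if __name__ == "__main__":
    ctx = "adequate management of IS security"
    print(structure_value("Personal integrity of employees is important", ctx).label())
    print(structure_value("Maximize employee integrity", ctx).label())
    means, fundamental = witi_classify(HELPS)
    print("means objectives:", means)
    print("fundamental objectives:", fundamental)
    print(" -> ".join(witi_chain(HELPS, "Establish ownership of information")))
```

Running the script reproduces the chain from the slide (ownership of information, legal and procedural compliance, trust, organizational integrity) and classifies the two objectives without outgoing links as fundamental. Using the first "helps" link only keeps the trace linear; a real means-end network may branch, in which case the classification step, not the trace, is what the issue hierarchy should be built from.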
Summary
Interview goal: to identify factors that influence individual and group behavior towards IS security and the values they hold with respect to managing IS security.
Part 1: 73 interviews of 40 minutes each
• 312 values identified, consolidated into 246 values
• 246 values resulted in 83 objectives (there is a many-to-one relationship between values and objectives)
Part 2: 30 interviews of 40 minutes each
• 120 values identified, consolidated into 76 values
• 42 values were repeats from part 1, hence only 27 additional values were added
• 27 values resulted in 4 new objectives and in modification of another 4
Synthesis of parts 1 and 2: in all, 273 values resulted in 87 objectives
Categorize: 87 objectives organized into 25 clusters; using the "Why is this important?" test (WITI), 9 fundamental and 16 means objectives were identified
The 25 objectives
Means Objectives
• Improve authority structures
• Increase communication
• Promote responsibility and accountability
• Establish ownership of information
• Increase trust
• Understand work situation
• Optimize work allocation practices
• Maximize access control
• Ensure empowerment
• Maximize fulfillment of personal needs
• Enhance understanding of personal financial situation
• Understand individual characteristics
• Ensure legal and procedural compliance
• Understand personal beliefs
• Maximize availability of information
• Ensure censure
Fundamental Objectives
• Maximize awareness
• Adequate human resource management practices
• Developing and sustaining an ethical environment
• Enhance integrity of business processes
• Enhanced management development practices
• Maximize data integrity
• Maximize organizational integrity
• Maximize privacy
• Promote individual work ethics
Means objectives
• Improve authority structures: clarify delegation of authority; minimize the need for one to gain control; link information access to an individual's position
• Increase communication: minimize curiosity by open communication; create an open-door environment at all levels; stress IT department interactiveness; develop open communication with the IT department; limit "arm's length" management
• Promote responsibility and accountability: clarify delegation of responsibilities; distribute workload evenly; maximize level of commitment to the organization; create an environment that promotes accountability
• Establish ownership of information: promote ownership in the organization; emphasize importance of confidentiality; decrease information sharing for shock value; emphasize the understanding of the value of information; create a contract of confidentiality
• Increase trust: display employer trust in employees; develop an environment that promotes a sense of responsibility; maximize loyalty
• Understand work situation: minimize need to have leverage on others; minimize desire to seek revenge on others; minimize creation of disgruntled employees
• Optimize work allocation practices: distribute workload evenly; distribute workload aggressively; do not allow for much unoccupied time; minimize temptation to use information for personal benefit; develop understanding of procedures
• Maximize access control: create user passwords; provide several levels of user access; control accessibility to information
• Ensure empowerment: promote empowerment in the organization
• Maximize fulfillment of personal needs: appreciate personal needs for job enhancement; facilitate attainment of self-actualization needs
• Enhance understanding of personal financial situation: understand the needs of different levels of financial status; eliminate motivation to share information with competitors; minimize the desire to steal from others
• Understand individual characteristics: understand demographics with potential to subvert controls; interpret individual lifestyles
• Ensure legal and procedural compliance: minimize the disregard for laws; decrease level of employer's tolerance for information misuse; develop understanding of legalities; develop understanding of regulations/rules
• Understand personal beliefs: understand effect of religious beliefs on security; celebrate and understand one's upbringing; minimize the need for greed in the organization; create desire to not jeopardize company position
• Maximize availability of information: ensure adequate procedures for availability of information
• Ensure censure: introduce a fear of being exposed or ridiculed; instill a fear of consequences; instill a fear of losing your job; minimize the fear of information; minimize the fear of accessibility
Fundamental objectives
Overall Objective: Maximize IS security
• Maximize awareness: create an environment that promotes awareness; understand impact of varying education levels
• Adequate human resource management practices: provide necessary job resources; create an environment that promotes contribution; encourage high levels of group morale; create sense of pride in organization; create an environment of employee motivation; create an organizational code of ethics
• Developing and sustaining an ethical environment: develop an understood value system in the organization; develop co-worker and organizational relationships; instill value-based work ethics; instill professional work ethics; minimize temptation to use information for personal benefit
• Enhance integrity of business processes: understand the expected use of all available information; develop understanding of procedures
• Enhanced management development practices: develop a management team that leads by example; create growth opportunities within company; maximize individual comfort level with computers/software; minimize insecurity with computer systems; create legitimate possibilities for financial gain; provide employees with adequate IT training; maximize capability level of IT staff
• Maximize data integrity: maximize unauthorized changes
• Maximize organizational integrity: create an environment of managerial support; create environment of positive management interaction; promote positive self-image among employees; create an environment that promotes respect; create an environment that promotes reliability; create environment of positive peer interaction; develop an environment that promotes a sense of responsibility
• Maximize privacy: emphasize importance of privacy; decrease information sharing for gossip purposes
• Promote individual work ethics: create an environment that promotes customer loyalty; create an environment that promotes organizational loyalty; emphasize the importance of integrity; maximize employee integrity in the company; minimize temptation to steal information; minimize need for self-promotion; minimize urgency of personal gain; minimize desire to seek revenge on others; create a desire to not jeopardize the position of the company; minimize the desire to steal from others; create an environment that promotes company profitability; instill moral values; stress individuals treating others as they would like to be treated
Means-end network
Means objectives: personal financial situation; censure; empowerment; legal & procedural compliance; information ownership; authority structures; trust; communication; access control; information availability; personal needs fulfillment; work allocation practices; responsibility & accountability; individual characteristics; personal beliefs; work situation
Fundamental objectives (overall objective: maximize IS security): maximize awareness; human resource practices; ethical environment; integral business processes; management development practices; data integrity; organizational integrity; privacy; individual ethics
Making Sense
Horizontal axis: Intentions (Benevolent to Malicious). Vertical axis: Expertise (Expert to Novice). The middle band of the intentions axis is labelled Unintentional (In)security.
• Expert, benevolent: Aware Assurance
• Expert, unintentional: Dangerous Tinkering
• Expert, malicious: Intentional Destruction
• Novice, benevolent: Basic Hygiene
• Novice, unintentional: Naïve Mistakes
• Novice, malicious: Detrimental Vexation
Cornerstone of good planning
Cooperation. Managers can use a variety of carrots and sticks to encourage people to work together for a common purpose. Their ability to get results depends on selecting objectives and tools that match the circumstances they face.
Security agreement matrix
Vertical axis: extent to which people know what they want (No Consensus to Broad Consensus)
Horizontal axis: extent to which people agree on cause and effect (No Consensus to Broad Consensus)
Quadrant labels: Hope of what they will gain; Disagreement on everything; Maintain status quo; Willing to follow prescribed procedures
Cooperation tools
Same axes as the security agreement matrix: extent to which people know what they want (vertical, No Consensus to Broad Consensus) and extent to which people agree on cause and effect (horizontal, No Consensus to Broad Consensus)
Tool categories: Leadership; Power; Culture; Management
Tools shown: Charisma; Salesmanship; Role modeling; Folklore; Rituals; Tradition; Religion; Democracy; Vision; Coercion; Fiat (sanction); Threats; Role definition; Negotiation; Measurement system; Standard operating procedures; Training; Apprenticeship; Strategic planning; Financial initiatives; Transfer pricing; Control systems; Hiring & promotion
Challenge
One of the rarest managerial skills is the ability to understand which tools will work in a given situation.
Although training and making users aware is an important planning issue, it is even more important to build competencies for managing security.