kÜrt computer rt. computer and automation research institute (mta sztaki) university of veszprÉm

KÜRT COMPUTER RT.

COMPUTER AND AUTOMATION RESEARCH INSTITUTE (MTA SZTAKI)

UNIVERSITY OF VESZPRÉM MATHEMATICS AND COMPUTING DEPARTMENT

KÜRT COMPUTER RT.

COMPUTER AND AUTOMATION RESEARCH INSTITUTE (MTA SZTAKI)

UNIVERSITY OF VESZPRÉM MATHEMATICS AND COMPUTING DEPARTMENT

Information Technology Security Technology and Data Insurance

Project leader

Sándor KÜRTI dr. KÜRT Computer Rt.

National Research and Development Program

Veszprémi Egyetem

MTA SZTAKI

KÜRT Computer

Information Security Technology and Data Insurance (ISYS)

System

Risk analysis

Risk ManagementInsurance

Regulation

Traditional risk management

Security Expenditure

Level of security


Level of security

Security gap


Risk Management in IT

IT system

Risk analysis

Risk managementInsurance

Regulation


Level of Security


Level of Security

Security Gap


Research Targets

• Determination of value of information• Development of an up-to-date IT security

technology • Development of a comprehensive e-Risk

management program– Network security applications

– Computer-based e-Insurance methodology


Strengths of the project

1. Technological backgrounds.

2. High level project management practice.

3. Database of information technology catastrophes and the reasons of data loss.

4. High level mathematical background.

1. Technological backgrounds.

2. High level project management practice.

3. Database of information technology catastrophes and the reasons of data loss.

4. High level mathematical background.


• Processing of multi-valued statistical data

• Examination of internal relationships, determination of background variables

• Determination of quantitative dependencies

• Visualization of connections with introduction of new variables

• Determination of the value of the risk

• Processing of multi-valued statistical data

• Examination of internal relationships, determination of background variables

• Determination of quantitative dependencies

• Visualization of connections with introduction of new variables

• Determination of the value of the risk

2. Mathematical researches in the Risk analysis area


First Phase: Information Collection (data security issues)

• Scientific processing of data recovery data set

• Planning of the database structure

• Analysis of the causes of data losses and data crimes

• Starting of the statistical analysis


Scientific processing of data recovery database

• Analysis of possible damages of data storing media

• Analysis of the possible data backup and recovery methodologies

• Collecting of paper-based and electronic data recovery information


Planning of the Database Structure

• Development of uniform data format from the backup and recovery information

• Coding of paper-based information• Harmonization and converting of electronic data• Testing of user interface of database system• Database creation


Analysis of the causes of data losses and data crimes

• Analysis of international trends

• Analysis of the Hungarian trends

• Data loss hardware causes (appr. 70%)

• Data crimes internal workers (appr. 77%)


Statistical analysis

• The main target – More exact determination of the value of

information from the data recovery cases

• Involving the users into the IT value estimation– Size of company, size of data storage media,

ordering value


Assessment of the first phase

• Project tasks were done

• The data recovery database is operable

• Scientifically valuable results (publications)

• Initialization of statistical analyses for assisting the definition of value of information and risks


Phase 2: Production of knowledge base

• Converting recovery database into the initial knowledge base

• Cryptographic protocol errors, case studies

• Assessment of market needs and possibilities

• Continuation of statistical analysis


Converting recovery database into the initial knowledge base

• Observation matrix – Knowledge base format

• Identifiers

• Company data (industrial sector, size)

• Operating system information

• Causes of data losses

• Recoverable/Non-recoverable

• Ordered/ Not-ordered

• Price of data recovery action


Cryptographic protocol errors, case studies

• Contingencies of cryptographic systems– Assessment for the risk management

• Case studies

• Assessments, statistical analysis

• Legal issues– Hungarian and international (EU) regulations

• Assessment of data insurance possibilities


Assessment of market needs and possibilities

• Data insurance possibilities (Hungary, international)– Needs– Concurrent products– Client preferences– User groups

• Market possibilities – Methodology for the insurance companies– Methodology for IT companies (risk analysis)


Continuation of statistical analysis

• Development a statistical model

• Simulation on the data recovery data set– The observatory matrix gives a solid base for

the statistical analysis

• The simulation tool proofs the goodness of the statistical analysis


Results of the 2nd phase

• Project tasks were done• Scientifically valuable results (publications)• High level analysis of the weak points of the

cryptographic systems• Market analysis — good base for product

development and analysis• The next step in ISYS development is the

development of Business Continuity Plan and Disaster Recovery Plan and an insurance module


3rd Project Phase: Statistical Analysis, Summary of Methodologies

• Collection and examination of multi-valued statistical methods

• Assessments

• Development of algorithms


Collection and examination of multi-valued statistical methods

• Method selection– Single-valued– Multivalued

• Strategy for assessments– Statistical analysis on the stored data recovery

data (10,000 cases)


Assessments

• Time functions of data losses

• Recoverable/ordered recovery cases

• Analysis of data recovery cases– Business strategy analysis– Analysis of data insurance possibilities


Development of algorithms

• Extension of examination methods based on censored sample

• Examination of the goodness of the other analysis and solutions

• Single- and multi-valued analysis


Evaluation of the 3rd phase

• Scientifically relevant results (publications)

• Business decisions were made based on the statistical results (in the project and in KÜRT)

• Solid base for the further developments in value estimations and insurance strategies


4th Phase: Quality Management

• IT quality management – IT system parts

– IT business processes

– Cryptographic processes and solutions

• New developments in quality management, further improvements in our system


IT Quality Management

• IT system parts, technological processes and organizational processes

• Uniform – Processes– Utilities– Measurement tools– Feedbacks– Reporting system

• ISO 9001:2000 based quality management system in KÜRT and in MTA SZTAKI (TÜV Rheinland)


New developments in quality management, further improvements in our system

• Quality management trends– Software Process Improvement (SPI)– ESSI Scope measurement tools– Target: Capability Maturity Model

• IT Security trends– ISACA COBIT– BS 7799-ISO 17799


Evaluation of 4th phase results

• ISO 9001:2000 systems in KÜRT and MTA SZTAKI

• Possible trends in improvement of quality systems (international trends) — EU trends


Next Project Phases

• Tasks of 5th Phase– Disaster Recovery Module for IBiT (DRP module, in progress)

• Methodology for IBiT• Determination of value of damages • Risk analysis methodology• Business Continuity Processes

• Tasks of 6th Phase– Data insurance system (service pack, in progress)

• Probability of damage cases • Damage value models• Business value determinations • Insurance value determinations


Cooperation in the consortium

• Task areas — as planned

• Workflow system — project management (Prince) (electronic tools)

• Acceptance of ready material

• Stable project staff


Dissemination of Results

• Lectures:– Ministry of Education (2002)– Hungarian IT-Business Conference (2002)– Centennial Conference of the John von Neumann Computer

Society (invited lecture 2003)

• Scientific seminar (MTA SZTAKI)http://csillag.ilab.sztaki.hu/dms/eszigno/szeminarium.htm

• Educational courses– University of Budapest, Informatics Ph.D. programme (2002-)– University of Debrecen, Informatics Ph.D. programme (2002-)– University of Veszprém, Informatics Ph.D. programme (2001-)


Dissemination of Results (2)

• 2 Ph.D. candidates in the project area• TV programs :

– CNN (2001)– Hungarian TV1 DELTA (2002)– Duna TV (2002)

• Awards– Innovation Award (Ministry of Informatics)

(2003)


Thank you for your attention!

Veszprémi Egyetem

MTA SZTAKI

KÜRT Computer

kÜrt computer rt. computer and automation research institute (mta sztaki) university of veszprÉm

Documents