Is there a need for new information security models?

Author(s):  
S. A. Kokolakis
Author(s):  
Mariana Hentea

Information assurance is a continuous crisis in the digital world. The attackers are winning, and efforts to create and maintain a secure environment are proving not very effective. Information assurance is challenged by the application of information security management, which is the framework for ensuring the effectiveness of information security controls over information resources. Information security management should “begin with the creation and validation of a security framework, followed by the development of an information security blueprint” (Whitman & Mattord, 2004, p. 210). The framework is the result of the design and validation of a working security plan, which is then implemented and maintained using a management model. The framework serves as the basis for the design, selection, and implementation of all subsequent security controls, including information security policies, security education and training programs, and technological controls. A blueprint can be designed using established security models and practices. The model could be proprietary or based on open standards. The most popular security management model is based on the British Standard 7799, which addresses areas of security management practice. The recent standards, called the ISO/IEC 27000 family, include documents such as 27001, ISMS Requirements (replaces BS7799:2); 27002, Code of Practice for Information Security Management (new standard number for ISO 17799); and 27006, Guidelines for the accreditation of organizations offering ISMS certification, with several more in development. Similar security models are supported by organizations such as NIST, IETF, and VISA. From one point of view, information security management evolved from the application of published standards, using various security technologies promoted by the security industry.
Quite often, these guidelines conflict with each other or target only a specific type of organization (e.g., NIST standards are better suited to government organizations). However, building a security control framework focused only on compliance with standards does not allow an organization “to achieve the appropriate security controls to manage risk” (ISM-Community, 2007, p. 27). Besides technical security controls (firewalls, passwords, intrusion detection systems, disaster recovery plans, encryption, virtual private networks, etc.), the security of an organization includes other issues that are typically process and people issues, such as policies, training, habits, awareness, procedures, and a variety of other less technical and nontechnical issues (Heimerl & Voight, 2005; Tassabehji, 2005). All these factors make security a complex system (Volonino & Robinson, 2004) and a process based on interdisciplinary techniques (Maiwald, 2004; Mena, 2004). While some aspects of information security management have changed since the first edition of the chapter (Hentea, 2005), the emerging trends have become more prevalent. Therefore, this chapter is organized as follows: an update on security threats and their impacts on users and organizations, followed by a discussion of global challenges and standardization impacts, then a section on information security management infrastructure needs, followed by a discussion of emerging trends and future research needs for information security management in the 21st century. The conclusion section is a perspective on the future of information security management.


2008, pp. 1396-1415
Author(s):  
James E. Goldman ◽  
Vaughn R. Christie

This chapter introduces the Metrics Based Security Assessment (MBSA) as a means of measuring an organization’s information security maturity. It argues that the historical (i.e., first through third generation) approaches used to assess and ensure system security are not effective, and it therefore combines the strengths of two industry-proven information security models, the ISO 17799 Standard and the Systems Security Engineering Capability Maturity Model (SSE-CMM), to overcome their inherent weaknesses. Furthermore, the authors trust that the use of information security metrics will enable information security practitioners to measure their information security efforts in a more consistent, reliable, and timely manner. Such a solution will allow a more reliable qualitative measurement of the return achieved through given information security investments. Ultimately, the MBSA will give professionals an additional, more robust self-assessment tool for answering management questions such as: “How secure are we?”


Author(s):  
Dasari Kalyani

In today's digital e-commerce and m-commerce world, information itself acts as an asset and exists in the form of hardware, software, procedures, or people. Securing these information systems and their management is therefore a major challenge for small and large-scale agencies. This chapter discusses the major role and responsibility of an organization's management in identifying the need for an information security policy in today's world of changing security principles and controls. It focuses on various policy types suitable for all kinds of security models and procedures, with background details such as security policy making, functionality, and its impact on an agency's culture. Information security policies help to identify and assess risk levels with the available set of technological security tools. The chapter describes management strategies for writing a good policy and for selecting the right way to announce the policy publicly. Agencies must also ensure that the designed policies are properly implemented and ensure compliance through frequent intermediate revisions.


Author(s):  
N. Baisholan ◽  
K.E. Kubayev ◽  
T.S. Baisholanov

The efficiency of business processes in modern organizations depends on the capabilities of the applied information technologies. The article describes and analyzes the role and features of audit tools and other methodological tools and models in ensuring the quality and security of information systems. The standard’s principles are reviewed, as well as the importance of meeting business needs. The importance of using information security models to protect virtual values in a company’s system environment is revealed. Practical proposals in risk management and information security in information technology are analyzed through the COBIT standard. Measures for protecting an organization's information system from accidental, deliberate or fake threats are considered. The possibility of the information recipient or provider using one of the real information security models in accordance with the requirements of external processes is reported. Furthermore, in connection with the increase in the number of attack methods and techniques and the development of new tools and vectors, the need for improvement and ways to ensure information security are considered. The essential tasks of a security audit are considered, and the stages of their implementation are described. With regard to the security of information systems, an analytical model is proposed for determining a numerical value for vulnerability.


2015
Author(s):  
Hitoshi Satoh ◽  
Noboru Niki ◽  
Eiji Takahashi ◽  
Kenji Eguchi ◽  
Hironobu Ohmatsu ◽  
...  

Author(s):  
O. Barabash ◽  
Y. Halakhov

Strengthening cybersecurity requires identifying the subjects of the threat, their goals, the intentions behind attacks on the infrastructure, and the weaknesses of the enterprise's information security. To achieve these goals, enterprises need new information security solutions that extend to areas protected by traditional security. The levels of evolution and adaptability of viruses, as well as of cybersecurity protection policies, are presented. It is shown that errors in predicting the intensity functions of cyberattacks at an enterprise are partially due to the selection of the model used when studying cyberattack indicators. Known methodologies for analyzing the intensity of cyberattacks at an enterprise are presented. It is argued that the problems of studying the intensity of cyberattacks and predicting them have received little attention in the scientific literature, which is associated with the unpredictability of cyberattacks, the absence in many cases of real data, and the lack of available prediction methods. Mathematical modeling of time series of the intensity of cyberattacks per enterprise is presented to provide comprehensive solutions and predictions for strengthening the enterprise's resistance against current targeted cyber threats. We consider a first-order nonlinear differential equation, the Bernoulli equation, which describes the process generating the time series of cyberattack intensity. The intensity function of cyberattacks is analyzed analytically by means of a power-law p-transformation of the analytical function. Statistical data on the number of cyberattacks at the enterprise are considered, under the assumption that a scheduled audit is carried out once a quarter. The types of cyberattacks targeting network infrastructure, proprietary applications, the level of patches and server configurations, and standard software, together with their numbers at the enterprise for certain time periods, are presented.
A geometric visualization of the change in the steepness of the logistic curve of cyberattack intensity is presented for various parameter values with a uniform step over the period between scheduled audits when the p-transformation is applied.


2012
Author(s):  
Hitoshi Satoh ◽  
Noboru Niki ◽  
Kenji Eguchi ◽  
Hironobu Ohmatsu ◽  
Masahiro Kusumoto ◽  
...  
