Information Security: The Importance of the Human Element


Dissertation

Presented to the Faculty of the Preston University In partial fulfillment of the requirements for the degree of Doctor of Philosophy in Business Administration

By

Rita Goh

June 23, 2003 Singapore Campus

ACKNOWLEDGEMENTS

There are many people that have helped bring this project to completion. To them I owe my heartfelt gratitude. There is no question in my mind that I could not have done this without them.

I would first like to thank Dr. Juergen Rudolph, my dissertation mentor, for providing an outstanding environment in which to complete this research. I would also like to thank Dr. Ooi Can Seng, for his moral support and encouragement.

Acknowledgements also go the following people, whose support in various ways has been decisive for the successful completion of this project. To my business partners from Phoenix Computer Security Pte. Ltd., Mr. Toh Puay Yong, Mr. Lim Thou Tin, Ms. Bhanumathi Balasubramanian, and Mr Tan Kow Wah, and my friend Ms. Irene Sng for their consistent support and friendship; and to all participants around the globe who replied to my questionnaire and especially those who kindly granted me interviews as part of my empirical research.


No study of this size can be completed without the support and understanding of one’s family. I am deeply grateful for the encouragement, and love and caring of my husband Vincent and my children, Ian, Olivia and Shaun.

ABSTRACT

This research project addresses the people issues affecting Information Security (IS) in organizations. More specifically, this research provides the following: a discussion of the critical business needs for security; a comprehensive view of the environmental security risks and human related security threats; a discussion of the consequences of human neglect for security; a discussion of recommended security strategies; descriptive-interpretative data revealing security professionals’ perceptions about organizational security issues; and a basis for development of a humanistic security strategy framework for organizations. Each of these provisions is integral to developing a comprehensive understanding of the people problems associated with security in organizations and lays the foundations for future development of a human security management model for organizations.

The research in this study suggests two primary results. The first is that leadership is fundamental to the ultimate effectiveness of security. This is congruent with previous studies which have shown that senior management's perspectives and behaviors towards information security and its risks have a profound impact on the level of security in their organizations. The second is that adoption of a holistic approach to security has proven to be a major contributing factor to effective security in organizations.

TABLE OF CONTENTS

ACKNOWLEDGEMENTS ... 2
ABSTRACT ... 3

CHAPTER 1: INTRODUCTION ... 12
1.1 SCOPE OF THE RESEARCH ... 12
1.2 RESEARCH QUESTION ... 16
1.3 DEFINING INFORMATION SECURITY ... 16
1.3.1 Other Useful Definitions ... 21
1.4 PROBLEM STATEMENT ... 29
1.4.1 The Security Discipline and the Need for a New Paradigm ... 29
1.4.2 Security Problems Remain Unsolved ... 32
1.4.3 Calls for a Holistic Approach ... 37
1.5 SIGNIFICANCE OF STUDY ... 39
1.5.1 Theoretical Contributions ... 39
1.5.2 Methodological Contributions ... 41
1.5.3 Practical Contributions ... 41
1.6 ORGANIZATION OF THE THESIS ... 43

CHAPTER 2: LITERATURE REVIEW ... 45
2.1 OVERVIEW OF THE TOPIC ... 45
2.2 SCOPE AND LIMITATIONS OF THIS REVIEW ... 45
2.3 ORGANIZATION OF THE LITERATURE REVIEW ... 47
2.4 SECURITY – A COMPELLING BUSINESS CASE ... 48
2.4.1 Business Uses of the Internet ... 49
2.4.2 The Competitive Edge ... 53
2.4.3 Value of Information ... 57
2.4.4 Business Risks ... 60
2.5 SOURCES OF SECURITY THREATS ... 67
2.5.1 Natural Disasters ... 68
2.5.2 Human Threats ... 68
2.5.3 Limitations of Existing Solutions ... 136
2.5.4 Security As a People Problem ... 141
2.6 ORGANIZATIONAL PERSPECTIVES OF SECURITY ... 143
2.6.1 Views of Security and its Risks ... 144
2.6.2 Managing Security ... 151
2.7 TOWARDS A HOLISTIC SOLUTION ... 156
2.7.1 The Leadership Role ... 157
2.7.2 Nurturing a Security Corporate Culture ... 161
2.7.3 Training ... 163
2.7.4 Communications ... 167
2.7.5 Rewards Systems ... 170
2.7.6 Formulating and Implementing Security Policies ... 170
2.7.7 Supplementary Security Measures ... 179
2.8 SUMMARY ... 179

CHAPTER 3: THE METHODOLOGY ... 185
3.1 INTRODUCTION ... 185
3.2 SECURITY AS A MULTI-DISCIPLINARY TOPIC ... 185
3.3 RESEARCH PARADIGMS IN INFORMATION SECURITY ... 189
3.3.1 Positivist Approaches ... 190
3.3.2 Interpretive Approaches ... 200
3.4 THE RESEARCH DESIGN ... 202
3.4.1 Research Strategy ... 202
3.4.2 Objectives of the Empirical Research ... 205
3.4.3 Stages of the Empirical Work ... 206
3.5 LIMITATIONS AND ASSUMPTIONS ... 230
3.6 SUMMARY ... 232

CHAPTER 4: RESULTS AND DATA ANALYSIS ... 233
4.1 INTRODUCTION ... 233
4.2 PROFILE OF SURVEY RESPONDENTS ... 234
4.3 ANALYSIS OF GENERAL DATA ... 238
4.3.1 Security Measures in Place ... 238
4.3.2 Perceived Role of Security ... 240
4.3.3 Top 2 Potential Threats ... 242
4.3.4 Top 3 Organizational Issues ... 244
4.3.5 Security Role Responsibility ... 245
4.3.6 Security Rating ... 247
4.3.7 Improving Security Effectiveness ... 249
4.4 ANALYSIS OF PRIMARY DATA ... 253
4.4.1 Impacting External Environmental Risks ... 253
4.4.2 Existing Solutions Issues ... 255
4.4.3 External Human Threats ... 256
4.4.4 Organizational Inhibitors ... 258
4.4.5 Security Management Issues ... 259
4.4.6 Senior Managers Issues ... 260
4.4.7 Personnel Issues ... 262
4.4.8 Internal Human Threats ... 263
4.5 SUMMARY ... 264

CHAPTER 5: SYNTHESIS OF THE INTERVIEWS AND SURVEY ... 266
5.1 INTRODUCTION ... 266
5.2 ENVIRONMENTAL CONDITIONS ... 267
5.2.1 Technological Forces ... 267
5.2.2 Risk Communication ... 268
5.2.3 Risk Perception ... 268
5.3 WEB SURVEY ... 269
5.3.1 Descriptive Analysis ... 270
5.3.2 Inferential Analysis ... 270
5.4 INTERPRETATION OF THE FINDINGS: A SYNTHESIS ... 271
5.5 SUMMARY ... 284

CHAPTER 6: CONCLUSION AND RECOMMENDATIONS ... 286
6.1 INTRODUCTION ... 286
6.2 CONCLUSIONS ... 287
6.2.1 The Humanistic Nature of Security Problems ... 287
6.3 RECOMMENDATIONS ... 289
6.3.1 The Business Leadership ... 289
6.3.2 Specific Security Strategies ... 290
6.3.3 Future Research Directions ... 300

GLOSSARY
BIBLIOGRAPHY
APPENDIX 1 (Cover Letter)
APPENDIX 2 (Participants List)
APPENDIX 3 (Description of Issues)
APPENDIX 4 (IS Issues Database)
APPENDIX 5 (Responses to Improving Security Effectiveness)


LIST OF FIGURES AND TABLES

FIGURE 1.1 GROWTH IN SECURITY INCIDENTS
FIGURE 1.2 CERT/CC STATISTICS 1988-2002
FIGURE 2.1 BUSINESS USES OF THE INTERNET
FIGURE 2.2 INTERNET GENERATED REVENUE 1996-2002
FIGURE 2.3 GLOBAL ECONOMIC IMPACT OF VIRUS ATTACKS
FIGURE 2.4 ANALYSES OF VIRUSES BY INCIDENT
FIGURE 2.5 ONLINE BUSINESS RISKS
FIGURE 2.6 HUMAN SECURITY THREATS
FIGURE 2.7 WHO ARE THE HACKERS?
FIGURE 2.8 DENIAL OF SERVICE ATTACK
FIGURE 2.9 CIA WEB DEFACEMENT
FIGURE 2.10 HUMAN RIGHTS WEB DEFACEMENT
FIGURE 2.11 AN EXAMPLE OF SOCIAL ENGINEERING
FIGURE 2.12 INSIDER BREACHES
FIGURE 2.13 LAX TRAINING
FIGURE 2.14 SUMMARY OF A TYPICAL HACKER INSURANCE
FIGURE 3.1 CONTEMPORARY RESEARCH APPROACHES TO SECURITY
FIGURE 3.2 THE TRIANGULATION OF RESEARCH METHODS
TABLE 3.1 STAGES OF THE EMPIRICAL WORK
TABLE 3.2 EXTERNAL AND INTERNAL THREATS ISSUES
FIGURE 4.1 RESPONDENTS BY COUNTRY
FIGURE 4.2 PERCEIVED ROLE OF SECURITY
FIGURE 4.3 SECURITY RATING
FIGURE 4.4 IMPROVING SECURITY EFFECTIVENESS
TABLE 4.1 RESPONDENT BREAKDOWN
TABLE 4.2 RESPONDENTS SECURITY EXPERIENCE
TABLE 4.3 SECURITY MEASURES IN PLACE
TABLE 4.4 PERCEIVED ROLE OF SECURITY
TABLE 4.5 TOP 2 POTENTIAL THREATS
TABLE 4.6 TOP 3 ORGANIZATIONAL SECURITY INHIBITORS
TABLE 4.7 SECURITY ROLE RESPONSIBILITY
TABLE 4.8 SECURITY RATING
TABLE 4.9 IMPROVING SECURITY EFFECTIVENESS
TABLE 4.10 EXTERNAL ENVIRONMENTAL RISKS
TABLE 4.11 EXISTING SOLUTIONS ISSUES
TABLE 4.12 EXTERNAL HUMAN THREATS
TABLE 4.13 ORGANIZATIONAL ISSUES
TABLE 4.14 SECURITY MANAGEMENT ISSUES
TABLE 4.15 SENIOR MANAGERS ISSUES
TABLE 4.16 PERSONNEL ISSUES
TABLE 4.17 INTERNAL HUMAN THREATS

CHAPTER 1: INTRODUCTION

1.1 SCOPE OF THE RESEARCH

The proliferation of hackers and the threats they pose to national security and the global economy have captured the attention of the authorities, business communities and the media all over the world. On the economic front, a recent study commissioned by PriceWaterhouseCoopers involving 4,900 IT professionals in 30 different countries indicated that corporate hacking is estimated to have cost the world economy an astounding US$1.6 trillion in the year 2000 (Knight 2000f). In fact, the latest "2002 Computer Crime and Security Survey" jointly conducted by the Computer Security Institute (CSI) and the Federal Bureau of Investigation (FBI) points toward an upward trend in security risks to U.S. organizations (Computer Security Institute 2002). Findings revealed that 90 percent of respondents detected security breaches within the last 12 months. Based on responses from 503 computer security practitioners in U.S. corporations, government agencies, financial institutions, medical institutions and universities, results also indicated that financial losses from cyber attacks soared for the third year in a row. These losses amounted to billions of dollars in lost revenue, including costs associated with clean up, loss of data, liability and loss of customer confidence. Additional statistical evidence confirming the trend of unabated security breaches was provided by the Computer Emergency Response Team (CERT), as shown in Figures 1.1 and 1.2 below. CERT is the federally funded computer security clearinghouse located at Pittsburgh's Carnegie Mellon University to help private industry and government deal with Internet security issues. As shown in Figure 1.1 below, the number of reported computer security incidents and vulnerabilities has been on the increase each year ever since CERT's establishment in 1988.

FIGURE 1.1 GROWTH IN SECURITY INCIDENTS

[Figure not reproduced in this extract. Source: http://www.cert.org/encyc_article/tocencyc.html#Overview]

FIGURE 1.2 CERT/CC STATISTICS 1988-2002

Number of incidents reported

Year          Incidents
1988          6
1989          132
1990          252
1991          406
1992          773
1993          1,334
1994          2,340
1995          2,412
1996          2,573
1997          2,134
1998          3,734
1999*         9,859
2000          21,756
2001          52,658
Q1-Q3, 2002   73,359

Total incidents reported (1988-Q3, 2002): 173,728

Please note that an incident may involve one site or hundreds (or even thousands) of sites. Also, some incidents may involve ongoing activity for long periods of time.

Vulnerabilities reported

Year          Vulnerabilities
1995          171
1996          345
1997          311
1998          262
1999*         417

Although the data for 1997 in Figure 1.2 above show a slight decrease in the rate at which incidents are reported to the CERT, the rate continues to increase from the year 1998 onwards, with the year 2001 more than doubling the figure of the previous year.

What is even more worrisome for the authorities and the business community is that despite the introduction of tougher new international and national laws, and increasingly sophisticated security technologies, cyber attacks continue to see phenomenal increases each year. The inability of organizations to secure their networks and systems has been attributed to a myriad of factors. Historical and contemporary research studies conducted in the public and private sectors over the past thirty years suggest inherent flaws and weaknesses in the design of networks and systems, bugs in security software, human errors and malicious acts of individuals as major contributory factors. Opposing the view of security as a technological problem are some of the world's leading security practitioners, for instance Farmer (1996), Winkler (1997), Benson (2000a), Hinde (2000), Schneider (2001), Schlesinger (2002), Shimomura (Chng 2002) and legendary former hacker Mitnick (ABC News 2002). Their contention is that the root causes of security problems are human led rather than technology driven. This research adheres to these views, which is essentially why it is conducted using a humanistic approach. The principal objective of this research, then, is to identify the most problematic human factors affecting security in organizations.

1.2 RESEARCH QUESTION

This research is designed to answer the following research question. What are the most problematic people issues facing organizations with regard to security?


1.3 DEFINING INFORMATION SECURITY

In order that the terminology used in this study is clearly understood, a selection of key terms is defined here. Before delving any further, it is vital that the term security be clearly defined. What does security, commonly referred to as computer security, mean? Moreover, what does information security mean? A review of the various sources of computer related terms, including SANS Institute (1998), the Tech TV 'Cybercrime' Glossary (2001a), and the Webopedia Online Computer Dictionary (2002), revealed numerous and diverse definitions of these terms, indicating that there are no widely agreed upon definitions. The first definition of security is by Webopedia (2002).

Security refers to techniques for ensuring that data stored in a computer cannot be read or compromised.

The second definition of security is by SANS Institute (1988).

Security: A condition that results from the establishment and maintenance of protective measures that ensure a state of inviolability from hostile acts or influences.


The first definition of computer security is by Benson (2000a).

Computer security means to protect information. It deals with the prevention and detection of unauthorized actions by users of a computer.

The second definition of computer security by SANS Institute (1998) has been extended to include availability, integrity and confidentiality.

Computer security: Technological and managerial procedures applied to computer systems to ensure the availability, integrity and confidentiality of information managed by the computer system

The definition of computer security above implies that organizations need to know the value of information and how it can be compromised in order to develop protective measures.


There is a general consensus as to the meanings of the terms availability, integrity and confidentiality.

- Availability. The prevention of unauthorized withholding of information or resources. This does not apply just to personnel withholding information. Information should be as freely available as possible to authorized users.

- Integrity. The prevention of erroneous modification of information. Authorized users are probably the biggest cause of errors and omissions and the alteration of data. Storing incorrect data within the system can be as bad as losing data. Malicious attackers also can modify, delete, or corrupt information that is vital to the correct operation of business functions.

- Confidentiality. The prevention of unauthorized disclosure of information. This can be the result of poor security measures or information leaks by personnel. An example of poor security measures would be to allow anonymous access to sensitive information.

The third definitional statement of computer security is by Howard (1997).

Computer security is preventing attackers from achieving objectives through unauthorized access or unauthorized use of computers and networks.

The first definitional statement of information security is by SANS Institute (1998).

Information security is a system of procedures and policies designed to protect and control information.

Compounding the definitional problems of computer security is that it is viewed essentially as being synonymous with information security, although their meanings differ, as seen from the definition by SANS Institute (1998) below.

Information Security: The result of any system of policies and/or procedures for identifying, controlling, and protecting from unauthorized disclosure, information whose protection is authorized by executive order or statute.

In the above definition, information security is distinguished from computer security in that it is a goal, whereas computer security is a means toward a goal: information security.

From the definitions above, two key points stand out:

(1) talking about security implies talking about entities of a technological nature;
(2) information is the single most important asset that needs protection.

The definitions above are also useful in bringing out the problem of the distinction between security and a host of other security related terms. The distinction is far from being clear-cut. As such, security is often used interchangeably in the literature to mean computer security, Internet security, network security and information security. The same applies in this thesis.

1.3.1 Other Useful Definitions

Anti-Virus Software: Software designed to detect, and potentially eliminate, viruses before they have had a chance to wreak havoc within the system, as well as repairing or quarantining files which have already been infected by virus activity.

Attack: An attempt to bypass security controls on a computer.

Authentication: The process of verifying that users are who they claim to be when logging onto a system.

Authorization: The process of allowing only authorized users access to sensitive information. An authorization process uses the appropriate security authority to determine whether a user should have access to resources.

Black Hat Hackers: Hackers who perform clandestine hacking for malicious reasons; such persons can also be referred to as 'crackers'.

Breach: The successful defeat of security controls that could result in a penetration of the system.

Bug: An error or defect in software or hardware that causes a program to malfunction.

Computer abuse: The willful or negligent unauthorized activity that affects the availability, confidentiality, or integrity of computer resources. Computer abuse includes fraud, embezzlement, theft, malicious damage, unauthorized use, denial of service, and misappropriation.

Computer fraud: Computer-related crimes involving deliberate misrepresentation or alteration of data in order to obtain something of value.

Corporate hacking: The process of illegal retrieval of critical information that will compromise the organization's competitiveness and subsistence in the global market place.

Countermeasure: Any action, device, procedure or technique that reduces the vulnerability of a computer system.

Cracker: A person who attempts to gain unauthorized access to a computer system. Such persons are usually ill intentioned and perform malicious acts of cybercrime.

Cybercrime: Crime related to technology, computers, and the Internet.

Data Mining: The analysis of corporate data for relationships and correlations which have yet to be discovered. Such relationship discoveries can identify significant marketing opportunities to target specific client segments.

e-Commerce: e-Commerce or e-Business is an electronic transaction performed over the Internet, and usually via the World Wide Web, in which the parties to the transaction agree, confirm and initiate both payment and goods transfer.

Encryption: The translation of data into a secure code to ensure the safe transfer of information across the Internet.

Firewalls: Security devices used to restrict access in communication networks. They prevent computer access between networks, and only allow access to services which are expressly registered.

Grey Hat Hackers: Hackers who fall between white hat hackers and black hat hackers.

Hacker: A person who breaks into computer systems for the purpose of stealing or destroying data.

Hacking: Unauthorized use, or attempts to circumvent or bypass the security mechanisms of an information system or network.

Information Systems: The computer systems and information sources used by an organization to support its day-to-day operations.

Information Systems: A term used to describe an integrated system which makes use of any number of varied information technologies.

Information Technologies (IT): Currently information technology has become an umbrella term used to describe a rapidly expanding group of equipment, services, applications, and basic technologies. For the purposes of this thesis, information technologies are any of the above.

Intrusion Detection Systems (IDS): Complex software applications which monitor network activity using various techniques.

ISO 17799: Internationally recognized standards for security.

Logic bomb: A program routine that destroys data when certain conditions are met.

Operating System: Computer programs that are primarily or entirely concerned with controlling the computer and its associated hardware, rather than with processing work for users.

Organization: In this study, organizations are discussed generally; they can be any commercial business, government entity, or military unit that operates in any competitive environment.

Security Administrator: Individual(s) who are responsible for all security aspects of a system on a day-to-day basis.

Security Breach: A breach of security is where a stated organizational policy or legal requirement regarding security has been contravened.

Security Incident: A security incident is an alert to the possibility that a breach of security may be taking, or may have taken, place.

Security Officer: The Security Officer in an organization is the person who takes primary responsibility for the security related affairs of the organization.

Security Policies: The set of laws, rules, and practices that regulate how an organization manages, protects, and distributes sensitive information.

Social Engineering: A means by which information is extracted, usually verbally, by someone impersonating a legitimate holder or user of the information in question.

Source Code: The actual program, as written by the programmer, which is compiled into machine code which the computer can understand.

Techno Crime: The term used by law enforcement agencies to denote criminal activity which uses (computer) technology, not as a tool to commit the crime, but as the subject of the crime itself.

Techno Vandalism: A term used to describe a hacker or cracker who breaks into a computer system with the sole intent of defacing and/or destroying its contents.

Virus: A computer program designed to make copies of itself and spread itself from one machine to another without the help of the user.

Warez: Illegally-copied software or hacking tools.

White Hat Hackers: Hackers who perform hacking for legitimate reasons, e.g. IT security technicians testing their systems and researchers testing the limits of systems.

Worm: An independent program that replicates from machine to machine across network connections, often clogging networks and information systems as it spreads.

1.4 PROBLEM STATEMENT

The research problem, as seen below, is not a single problem but a set of related issues. In a thesis dealing with such a complex issue as security, it would not make sense to have a single research problem. Thus, several issues are put forward in constituting the research problem (or problems).

1.4.1 The Security Discipline and the Need for a New Paradigm

Although security problems were first detected as early as the 1950s, it was only in the early 1970s that security was first studied as a discipline. Since then, numerous U.S. government funded research projects have been conducted, including those at the Rand Corporation, University of Southern California (USC), Stanford University, University of California Los Angeles (UCLA) and The MITRE Corporation. The primary concern of these early research efforts, including those in the 80s, was how to protect classified information stored in the operating systems of the U.S. Army, Air Force and Navy. At that time, and up until recently, computer security was primarily a military problem (Howard 1997). Findings from one of the earliest studies, conducted by Anderson (1972) for the U.S. Air Force, revealed that network systems are not built and designed to be hacker proof. He concluded, "there is little question that most of the contemporary commercially available systems have serious design and implementation flaws that can be exploited by individuals with programming access to the system" (Anderson 1972). Another conclusion was that "the major threats to security was that of a malicious user, either externally led or through the misguided or disgruntled actions taken by an individual against the 'establishment'" (Anderson 1972).

Anderson's key recommendation for solving the identified problems is "developing hardware and software with the defensive mechanisms built in" (Anderson 1972).

However, PhD researcher Baldwin (1987) argues, "even when the operating system provides good protection mechanisms, users may be lax or inconsistent in their use of the protection mechanisms leading to security holes. People make mistakes that cause operational security problems. These problems are not caused by software bugs; they are caused by user errors." Despite the long recognition of security as a people problem, approaches to tackling the people problems, like those of Howard and Anderson, remain technocratic to this day. The review of literature on security research conducted over the past three decades reveals a gap, in that the human issues for security research are not considered. To overcome security issues, security researchers recommend a variety of technical, or so-called 'positivist', methods such as risk analysis, checklists and evaluation. For example, information systems security researchers Courtney (1977), Fitzgerald (1978), Parker (1981), Saltmarshe & Brown (1983), Fisher (1984), Badenhorst & Eloff (1990), Birch & McEvoy (1992), Baskerville (1988, 1991, 1993), Krueger (1993) and Kailay & Jarratt (1994) have all adopted the risk analysis approach. Risk analysis is most commonly viewed as a tool for planning security by statistically selecting controls for implementation (Baskerville 1991).


Although there have been occasional attempts in recent years to look into alternative approaches to security research, such as the cultural, social and organizational aspects, there is still a noticeable absence of the human perspective in the research approaches adopted thus far.

Why, given people's profound impact on security in organizations, is the human approach to security research neglected? This may be primarily due to the general perception, held by many including sponsors, of security as a purely technical problem, and thus the tendency to seek only technical solutions; the emergence of security from the computer science domain; security researchers coming from computer science and engineering backgrounds; and the commercial viability of technological security products. The view of this study is that although the existing technical research approaches are useful and relevant, they only tackle part of the problem. Considering the critical role people play in creating security threats and defending against security risks, it is imperative that the security discipline adopt a different approach: the human approach.

This research takes on a portion of this task by adopting a human approach to researching security in organizations, with an interpretivist paradigm as the mode of inquiry. Hence, the research discusses security from a non-technical standpoint, which is in opposition to the mainly technical or positivist approaches that have dominated the discipline so far. In supplementing and complementing the existing ones, this new approach will afford an overall, all-encompassing view of the security phenomenon.

1.4.2 Security Problems Remain Unsolved

Over the years, the authorities, business communities, security industry experts and researchers all over the world have been spending a great deal of time, money and effort in seeking new ways on how best to tackle the security problems plaguing organizations, both in public and private sectors.

Concerns over the proliferation of hackers and their negative social and economic impacts have initiated government legislation. Computer crime laws were first introduced in the United States in the 1980s, such as the 1987 Computer Abuse Act (U.S. Department of Justice 2002n). However, U.S. laws were later found to be ineffective, as the majority of cyber attackers came from outside America. Unlike robbery or murder, hacking is not considered a crime in most countries. Hence, international hackers were able to exploit the lack of cooperation and compatibility in international laws. For instance, during the 1980s, hackers targeting U.S. government computers often routed attacks through the Netherlands to make tracing and prosecution difficult. Tom Taller, formerly NASA's top investigator for high-tech crimes, said: "some of them were very crafty back then and knew the Netherlands was a country that did not have cyberlaw" (The Straits Times 2000g).

The late 1990s saw the recognition by world leaders of the need for global cooperation in cracking down on cyber attacks (The Straits Times 2000h). This acknowledgement eventually led to the signing of the International Cybercrime Treaty in November 2001 involving 30 countries (Middleton 2001; Perera 2001). Recently, President George W. Bush signed into law the Patriot Act (Provide Appropriate Tools Required to Intercept and Obstruct Terrorism Act). Created in the wake of the September 11 tragedies, the Patriot Act included computer crimes such as fraud, theft, and extortion as terrorist acts. Under the Act, offenders may be sentenced to life imprisonment without parole (Evoy 2001; Legard 2001b). However, industry observers remain skeptical as to its effectiveness, as past experience has demonstrated that laws and regulations have never been effective in curbing computer crimes (Rasch 2001). In the case of China, for example, having one of the toughest computer crime laws in the world, including the death sentence, did little to stop the proliferation of hacking activities in China.

In 1999, Hao Jingwen, a former employee of the Industrial and Commercial Bank of China, was sentenced to death for hacking into his company’s computer network (Wakefield 1999). The following year, it was reported that half of the Internet users in China had been hacked (The Sunday Times 2001). According to the same report, government statistics showed that 400,000 hacking attempts and 78 hacking-related system breakdowns took place in just two months, August and October 2001, in Shanghai alone. Chen Liangyu, then acting mayor of Shanghai, said: “The crimes conducted in the cyber-world are like the September 11 attacks, in which criminals always hide in the dark and strike suddenly” (The Sunday Times 2001).

For the past three decades, there has been no lack of research and advice on how best to secure networks and systems. Research into information security covers a wide range of topics, including those falling under the general headings of operating system security, database security, communications security, network security, and cryptography. Security research also reaches into areas as diverse as software and system engineering, number theory and algebra, formal methods and logic, human-computer interfaces, and even quantum theory, material sciences and the law.

Neither has there been a lack of security conferences where new ideas and technologies are disseminated. Research symposia and trade conventions are flourishing all over the world. Regional and international conferences bring together communities that look at security from different angles, be it foundations, applications, or new paradigms.

New security challenges and techniques keep emerging, such as digital watermarks for digital rights management schemes. In one of the latest offerings of promising solutions, Eric Uner and Eric Hauk, co-founders of Bodacion Technologies, claim that the tight security of their Hydra system is hacker-proof and urge organizations to “throw away their firewalls” (O’Brien 2002).

Despite the countless promising and possible solutions, the enforcement of stringent new international and domestic laws, and reams of background research, security problems remain unsolved to this day. In fact, security expert Bruce Schneier (2001) laments that with each passing year, security problems get even worse.

Some experts suggest that the inability of organizations to secure their networks and systems is largely due to their having forgotten or ignored the human element when managing security. At the September 2000 CERIAS Security Vision Roundtable, where fifteen of the world’s leading security experts gathered, participants voiced deep concern about businesses’ willingness “to buy technology solutions, yet they are forgetting to use good business practices to ensure employees act responsibly” (Accenture & CERIAS 2001). They further stressed that, when managing security, “organizations must first recognize that security is, above all, a people problem” (Accenture & CERIAS 2001).

This research adheres to these views. It will focus on the people issues with regard to security in organizations. These issues will be examined from the standpoint of their relationships to, and their impacts on, security in organizations. The information gathered here should aid in creating greater awareness amongst organizations of the importance of the human element when considering security.

1.4.3 Calls for a Holistic Approach

In recent years, repeated calls have been made by industry observers Andress & Fonseca (2000) and Vizard (2001), and by practitioners Farmer (1996), Schneier (2001), Mitnick (ABC News 2002), Pemberton (2002) and Power (2002), for organizations and researchers to look beyond technical solutions. They believe the key to achieving security effectiveness is the adoption of a holistic approach embracing both technical and human dimensions.

However, Farmer (1996) laments, “Regretfully, there is no commercially available system that incorporates human and technical considerations in security management”. Currently, a large number of technical security management models exist, and some of them are quite advanced and certainly contain substantial information. The problem with appropriating one of these models is that it may not fit the area in question. For instance, the primary focus of these models is on how to manage security systems with the objective of combating outside cyber attacks, completely ignoring threats from within the organization and the human aspects of security. The people issues that need consideration in managing security may be quite different and must therefore be approached in a different way.

More importantly, the overriding obstacle for organizations seeking a holistic solution is the lack of what I call a “human security management model” for them to consult or follow. Such a model considers security in terms of managing the people within organizations and the processes they use.

Why is a “human security management model” so important? The reality is that security is a people problem. Obviously, no model can completely address all of the people issues each organization faces with regard to security; organizations are each subtly different, even from those in the same industry. What a “human security management model” provides is a general framework designed to address the people issues and needs of security in organizations. In essence, it offers an alternative to reinventing the wheel every time an understanding of human-related security issues is needed.

The time is right for the development of such a model for organizations. They have reached a point where their susceptibility to the proliferation of human-related security problems has grown increasingly real, and yet they lack the tools and knowledge to address the people issues affecting them. However, in order for a “human security management model” to be created successfully, an in-depth knowledge of the people issues with regard to security in organizations is needed. This study will focus on these issues from the perspectives of security professionals in order to determine which are the most problematic for organizations. Ultimately, the information gathered here should aid in the development of a human security management model. When integrated with the existing technical security management models, the “human security management model” should prove useful to the development of an effective and usable holistic security management model for any organization.

1.5 SIGNIFICANCE OF THE RESEARCH

1.5.1 Theoretical Contributions

The theoretical contributions of this thesis fall into two categories. One is the new research approach to the study of information security in organizations, namely the human approach. The other is its contribution to the body of knowledge in the information security domain.

An extensive search of the literature conducted by the researcher over a four-year period revealed that the study of security in organizations from a people perspective is virtually a new concept. While the adoption of the human approach in this research is surely an important endeavor, it in no way forms a complete discussion of the complexities of the humanistic nature of security. Nonetheless, this research should aid in overcoming the identified shortcomings of the existing approaches to understanding the intrinsic people problems impacting security in organizations. Moreover, it is hoped that this study will act as a catalyst for further research adopting a holistic approach to the study of security in organizations.

An in-depth understanding of the myriad people issues affecting security in organizations is vital for the establishment of effective security strategies to protect assets and limit vulnerabilities. As discussed in this chapter, the vast majority of research studies conducted prior to this study tended to focus purely on the technical aspects of security and were based on what I term “hardware” issues, that is, issues related to security technologies. While these studies are undoubtedly very important and useful in formulating security strategies for ensuring the privacy, integrity and availability of information, they failed to address what has been identified as the heart of security problems: the people problem. The bottom line remains that if we do not address the underlying root causes of security problems, then it really does not matter what security measures we take, because in the end we will be disappointed, dissatisfied or both. The development of future security strategies needs to take into account not just the technological issues but also the people issues. This study will provide an exploratory look at the people issues affecting security in organizations, especially with regard to how security professionals perceive them.

1.5.2 Methodological Contributions

The contributions of this thesis to research methodology are related to its theoretical contributions. I developed an IS Issues Database model to be used for the collection of data and the analysis of both the theories and the interviews. This model can be used as an alternative model in the social, organizational and cultural studies of information security. Although it may not be sufficient to explain the complexities of human-related security issues, this model may be used by researchers of information security as a frame of reference or a starting point to explore the dynamics of people issues surrounding security in organizations.

1.5.3 Practical Contributions

The research carried out in the past three decades has indeed enriched the field of information security. It has now become possible to implement legislative measures, especially in relation to a variety of cybercrimes and privacy-related issues (Bequai 1987). These have helped in implementing operational security, so it is now possible to establish management control by setting objectives and guidelines for accountability, surveillance, and authority (Hsiao et al 1979; Norman 1983; Weber 1988). Threats and risks can also be identified with a reasonable amount of precision. However, past and present research has still failed to identify and address the people issues affecting security in organizations.

By showing that security is more than the purely technological problem it has generally been taken to be, this study not only offers deeper insights into the people issues affecting organizations, but may also be helpful to researchers whose choice of research approach has been based on an understanding of security issues from a technical standpoint. The knowledge gained from this research is important not only for researchers of security, but also for security systems designers in the development of a holistic security management model.

More significantly, by recommending a set of preventive security strategies for tackling the people issues affecting security in organizations, strategies that can be implemented to help minimize security risks, this research permits business leaders, administrators, practitioners, officials, and those vitally interested in security to: (a) rethink and regroup their existing security strategies; and (b) incorporate the measures in leading their organizations towards a more secure environment.

1.6 ORGANIZATION OF THE THESIS

This thesis consists of six chapters. This chapter introduces the research topic, explains why the research was undertaken, and outlines the contributions of the thesis.

Chapter 2 presents a review of the literature in key areas of relevance to the thesis. It provides a discussion of the importance of security in a business context, where it can have a profound impact on the bottom line of organizations; a discussion of the complexities surrounding human-related security threats affecting organizations; a comprehensive view of the overriding problems associated with existing solutions; and recommendations for security effectiveness.

Chapter 3 discusses research methodology. The first part of the chapter is a literature survey on research methodologies in information security and puts the research topic in perspective as far as the information security domain is concerned. The second part of the chapter discusses the research method adopted for this research and stages of the empirical work.

Chapters 4 and 5 are the key chapters of the thesis and present the results of the research. Chapter 4 provides descriptive data revealing security professionals’ perceptions about issues surrounding security in organizations. Chapter 5 provides interpretive data through the synthesis of the survey results with the findings of the in-depth interviews to determine the most problematic people issues affecting security in organizations, thereby addressing the research question:

What are the most problematic people issues facing organizations with regard to security?

The last chapter summarizes the key findings of Chapters 4 and 5 and their implications for theory and practice, as well as suggestions for further research.

CHAPTER 2

LITERATURE REVIEW

2.1 OVERVIEW OF THE TOPIC

This literature review includes historical and contemporary writings, research and scholarly opinion concerning the description, measurement and evaluation of the importance of security, potential external and internal environmental security threats, existing security solutions, and organizational perspectives on security and its risks. All of these provide the necessary background for evaluating which human factors most significantly affect security in organizations. Together, the historical theories and modern approaches form a solid basis upon which to design a research study to further refine the human causal relationships affecting security in organizations.

2.2 SCOPE AND LIMITATIONS OF THIS REVIEW

The writings included in this review reflect authors and researchers interested in the description, measurement and evaluation of the people issues with regard to security and their resultant effects in organizations. This review focuses on studies of the dimensions of security needs, security threats, business risks, and existing security solutions. Special emphasis is placed upon the effect of organizational members’ attitudes, behaviors and concepts of security upon organizational security effectiveness. Both historic and contemporary writings are reviewed, with extra attention given to those authors whose theories have gained popular acceptance or have been widely replicated.

Over the course of the last three decades, researchers have developed a large body of literature and research related to the technical aspects of security. This literature is helpful in the initial stages of understanding the people issues impacting security in organizations. However, it cannot provide a complete approach because of the differences which exist in the fundamental makeup of the technical versus the human aspects of security. In the case of security management, for example, the primary focus of the technical approach would be on managing the networks and systems, whereas the aim of a humanistic viewpoint would be to manage people and the processes they use. Unfortunately, very little literature exists with regard to the people aspects of security, and that which does exist lacks breadth. Several surveys regarding information security practices and risks have been conducted in the last five years. These surveys provided background information and perspectives for this thesis. A few observations on the surveys as a whole: first, when security practitioners use certain terms in the reports of these surveys, the exact meaning may not always be the same (e.g., what constitutes an attack?). Second, the basis used for reporting many of the findings in the surveys was similar in some areas and quite different in others. Third, the sizes of the surveys and the areas statistically tracked differed significantly. However, despite these observations, survey results on lack of security, continuing exposure, actual incidents, and general management neglect were similar among companies throughout the world, in both developed and developing countries, indicating that national and geographic boundaries matter little when it comes to fraud in the global electronic marketplace and management attitudes towards security issues.

Some articles posted on the Internet are, at best, questionable. To help ensure the reliability of the various sources, I examine a lot of material, comparing it and treating it not purely as fact but as discourse.

2.3 ORGANIZATION OF THE LITERATURE REVIEW

The discussion portion of this review is organized into five sections. Section 2.4 describes the key concepts on the importance of security from a business perspective. Section 2.5 identifies the various sources of threats, introduces key members of the corporate hacking community, and examines their motivations. In doing so, the question of who corporate hackers are will be answered, rather than the technical question of how they perform their acts. As this research is concerned with identifying the people problems affecting security in organizations, it is necessary to review organizational members’ perspectives on security, in particular those of senior management. Section 2.6 reviews the thoughts of more contemporary writers on organizational perspectives, beliefs and behaviors with regard to security issues and their impact. The writers selected represent a cross-section of security gurus, past and present industry observers, and other mainstream security management thinkers. Section 2.7 presents the prescriptions of popular security writers concerning security strategies leading to security effectiveness. Finally, a summary section ties together the philosophies, concepts, evidence, theories and practices discussed in this review. This section identifies how the existing theories account for causal relationships between senior management behaviors, risk environments, and overall organizational security failures.

2.4 SECURITY – A COMPELLING BUSINESS CASE

Security has become an important issue for companies since the advent of the Internet for e-business in the 1990s. While the Internet revolutionizes the way organizations conduct business, the risks it introduces can be fatal to a business. Any breach or compromise of networks, systems and sensitive information could negatively affect business operations, severely impact organizations’ customers, and constitute a breach of laws and regulations. All of these can have devastating consequences for organizations at all levels and may threaten their continued existence. To appreciate and understand the importance of the role of security in organizations, it is essential to discuss three key elements: Business Uses of the Internet, Value of Information, and Business Risks. Together, these define organizational needs for secure networks and systems.

2.4.1 Business Uses of the Internet

Organizations are being transformed by the Internet, which is changing the way they conduct their business activities at the most fundamental levels. This transformation is precipitated by a number of trends: a shift from brick-and-mortar business to e-commerce; the use of information as a competitive resource; a knowledge-based economy; telecommuting; and globalization.

Companies realize that doing business on the Internet involves some risk, just like any other business transaction. However, Bener (2000) contends that if companies install secure procedures, the Internet is no riskier than any other way of doing business. On the contrary, from a business standpoint it becomes riskier (in terms of market and business risk) if companies do not have a presence on the Internet. The Internet is critical to business. Organizations have become increasingly dependent on the flexibility, access, and services that the Internet provides for their daily business needs. Realistically, it has become nearly impossible for an organization to operate without the use of the Internet.

In the mid-1990s, the Internet was used mainly for information collection, as illustrated in Figure 2.1 below.

FIGURE 2.1 BUSINESS USES OF THE INTERNET

[Source: http://www.nua.ie/surveys/analysis/graphs_charts/1995graphs/bususe.html]

Today, the use of the Internet has extended beyond information collection. E-commerce, including personal banking, stock market trading and credit card transactions, has gained greater prominence and popularity. As shown in Figure 2.2 below, recent years saw phenomenal growth in Internet revenue despite the dot-com crash.

FIGURE 2.2

[Source: http://www.activmedia.com]

Based on research company e-Marketer’s latest report, worldwide e-commerce revenues are expected to total USD2.7 trillion by 2004 (NUA 2003).

Besides e-commerce, some of the reasons and benefits for using the Internet to gain a presence in the electronic marketplace include globalization, information access, sales and marketing, and effective communication.

• Globalization. As companies move into the international marketplace, the Internet provides a global communications network that is vital to creating a global business presence. The Internet allows companies of any size to pursue customers on a worldwide basis. In the process, companies can unlock the vast business potential of the Internet: new markets, new customers, new revenue sources, and new business models.

• Information access. Using the Internet, businesses can access information, including government databases, industry statistics, and competitor practices.

• Sales and marketing. The Internet allows companies to post the latest customer information in a labor-efficient and cost-effective way. Using the Internet, customers and prospective customers can obtain information about products, services, advertisements, prices, schedules, contact persons, service capabilities, and business opportunities.

• Effective communication. Effective communication of information is the lifeblood of businesses. Companies without rapid and easy access to their customers, suppliers and partners will not survive in today’s highly competitive industries (Lipson & Fisher 1999). Using the Internet, businesses have access to an international electronic communications network that facilitates communications and interactions among customers, suppliers, and competitors in far-flung locations.

2.4.2 The Competitive Edge

In considering ways to use the Internet for competitive advantage, a firm has to develop a strategy that addresses buyers, suppliers, substitute products, new entrants, or rivals (Schultheis and Sumner 1995). In his book Competitive Strategy, Porter (1980) argues that three generic strategies can be used to achieve a competitive edge in an industry: low-cost leadership, product differentiation, and market specialization. The optimum and effective use of the Internet can support each of these strategies, as illustrated by the examples given in this section.

Low-cost leadership

Low-cost leadership refers to the ability to reduce costs or to improve productivity without incurring additional costs.

• Cost savings. Doing business electronically is much less expensive than using paper communications, phone contact, and information distribution by paper and by mail. Airlines, for example, can now dispense air tickets directly to customers instead of going through travel agencies, resulting in cost savings.

• Time savings. Traditionally, business research has been conducted by gathering information from conventional sources such as newspapers, library references, financial disclosures, academic institutions and professional journals, as well as court and legal records or government sources. With the Internet, information can still be obtained from the same sources, directly or indirectly, and at a far more convenient and expeditious rate, thus saving time and enhancing productivity.

Product Differentiation

Most products and services are alike. In adopting a product differentiation strategy to compete, a company uses features, fit, styling, reliability, packaging, sizes, service and branding to distinguish its products and services from the rest of the field. Dell, for example, distinguishes itself by providing customers with better information. Owners of Dell computers have access to a bulletin board system that provides up-to-date information on technical issues, product features, technological developments, and research.

Market Specialization

The third competitive strategy Porter describes is market specialization, which is achieved by concentrating on a particular market or product niche. For instance, analyzing information gathered from the Internet about the profitability of specific market segments can help manufacturers and distributors design and market products and services addressing the needs of a particular market niche.

While the Internet provides opportunities for businesses to increase their customer base, to lower transaction costs, and to sell more of their products, security implications hinder the business (Forcht and Wex 1996). There are studies on consumer perception of Internet security and consumer attitudes towards the Internet. Hoffman et al. (1999) conducted a survey on consumer trust in Internet transactions. They reviewed survey responses collected by Nielsen Media Research in 1997 and by Georgia Tech Graphics in 1997. The researchers (Hoffman et al. 1999) found that the reason more people have yet to shop on-line, or even provide information to companies on the Internet, is the fundamental lack of faith between most businesses and consumers on the Internet today. A recent survey on corporate and customer views of the Internet showed that the major barrier to the development of e-commerce was on-line security (Young 1999). In another recent Yankelovich Partners study, eighty-five percent of Web users surveyed reported that a lack of security made them uncomfortable sending credit card numbers over the Internet (Verisign 2002). The results of these surveys showed that on the Internet, customer trust and loyalty will remain important features of the company-customer relationship, just as they are in the physical world. Hence, e-merchants who are able to win the confidence of their customers will gain their loyalty and an opportunity to expand market share. Conversely, if a cyber-attack disrupts critical business functions and interrupts the essential services that customers depend upon, then the survival of the business itself is at risk. All of this signals the vital importance of ensuring that connectivity to the Internet is not disrupted or compromised. Beyond consumer confidence, companies with the ability to effectively secure their networks and systems can reap numerous benefits, such as a positive corporate and brand image, enhanced sales, higher customer retention, an empowered mobile workforce, increased market capitalization, and a sustained competitive edge over their competitors (Computer Times 1999; KPMG LLP 2001; KPMG LLP 2002; The Straits Times 2002a). All of these can translate into increased profitability and revenue. In the process, what is even more critical is that valuable information stored within networks and systems remains intact. In today’s complex world, information systems are under attack from many forces. Such attacks create the need to take security measures to protect information from being stolen or modified by unauthorized parties. “Most information systems are highly vulnerable and can only be termed “secured” in the sense that they have not yet been challenged or compromised” (Bhaskar 1983).

2.4.3 Value of Information

In the current knowledge based economy, information is a more powerful and more valuable asset than ever before. Information is essential for daily business operations, since managers need it to help them make critical decisions, conduct their research, plan activities, execute those plans, monitor progress, and report on results. It is only with this information that organizations can engage in daily business and commercial activities.

Organizations are also able to obtain competitive advantages through the effective use of information. For instance, data mining has enabled many companies to adapt their products where necessary to gain a competitive edge and/or to keep abreast of consumer needs. This can result in higher customer retention. Realistically, it has become nearly impossible for any organization to operate without the use of information.

An organization’s information also includes proprietary data that is of immense value both to the company and to those bent on compromising it. Such items include future plans, product technical data, customer lists, personnel files, and financial records. This highly critical and sensitive data needs to be protected from disclosure to competitors.

In recent years, the availability, integrity and confidentiality of information have become more than just a business necessity for organizations; they are also the subject of legal and regulatory requirements with which organizations must comply. With the recent push towards more stringent privacy laws, securing corporate information is fast becoming mandatory for organizations in many countries.

European countries have strict privacy laws; companies can be held liable if they do not take steps to protect the privacy of their customers. The UK Data Protection Act 1988, enforced from March 2000, for example, requires that organizations in possession of personal data abide by the principles of the Act (Glendalesystems.com Ltd. 2001). Any organization processing personal data must comply with eight enforceable principles of good practice. Data must be:

1. fairly and lawfully processed
2. processed for limited purposes
3. adequate, relevant and not excessive
4. accurate
5. not kept longer than necessary
6. processed in accordance with the data subject’s rights
7. secure
8. not transferred to countries without adequate protection

The United States has similar laws. The U.S. Privacy Act was passed in 1974 (U.S. Department of Justice 2002j) but covered only the public sector. Since then, numerous laws have been introduced, especially for businesses categorized as high-risk sectors such as the banking and healthcare industries. Under the Health Insurance Portability and Accountability Act, organizations in the healthcare sector have to meet basic security requirements (Shehata 2002), which include:

• the ability to prevent, detect, contain and correct security breaches;

• policies for access control with context-, role- and user-based access rules;

• identification and authentication of system users;

• an audit trail to record and track who accesses an organization’s applications and data.

Hence, organizations that fail to show due diligence in protecting their data assets face a real risk of legal consequences.

Indeed, the importance of having secured networks and systems can no longer be ignored. The Internet has become indispensable for conducting business in government, commercial and academic organizations. The Internet allows organizations to access much needed information rapidly, have effective communications while reducing costs, collaborate with partnerships, provide enhanced customer service, and conduct e-commerce.

Ultimately, what’s at stake is not simply business information, but the business itself.

2.4.4 Business Risks

Without adequate security, an organization is open to a variety of risks, the consequences of which can be highly detrimental to the bottom line. The following are some statistics on financial losses attributable to corporate hacking:

- As mentioned in Chapter 1, the recent study commissioned by PriceWaterhouseCoopers suggests that security breaches have been estimated to cost the world economy an astounding US$1.6 trillion in the year 2000 (Knight 2000f).

- Virus creators have a profound negative impact on the global economy. Figure 2.3 below shows the Computer Economics (2002a) analysis of the worldwide economic impact of malicious virus code attacks since 1995.

FIGURE 2.3 THE GLOBAL ECONOMIC IMPACT OF VIRUS ATTACKS

Worldwide Economic Impact ($ U.S. Billions), Analysis by Year

  Year    Impact
  2001    $13.2
  2000    17.1
  1999    12.1
  1998    6.1
  1997    3.3
  1996    1.8
  1995    0.5

[Source: http://www.computereconomics.com/article.cfm?id=133]

The Computer Economics Cyber Attack Index (See Figure 2.4) shows the relative economic impact of specific incidents in relationship to the I Love You (Love Bug) outbreak which occurred in 2000 and to date remains the incident with the greatest economic impact. In Figure 2.4 the Love Bug attack has a rating of 10 and all other attacks are rated according to their relative economic impact.


FIGURE 2.4 ANALYSES OF VIRUSES BY INCIDENT

  Year   Code Name     Worldwide Economic Impact ($ U.S.)   Cyber Attack Index
  2001   Nimda         $635 Million                         0.73
  2001   Code Red(s)   2.62 Billion                         2.99
  2001   SirCam        1.15 Billion                         1.31
  2000   Love Bug      8.75 Billion                         10.00
  1999   Melissa       1.10 Billion                         1.26
  1999   Explorer      1.02 Billion                         1.17

[Source: http://www.computereconomics.com/article.cfm?id=133]


In America alone, statistics from the Trends in Proprietary Information Loss Survey conducted jointly by ASIS & PriceWaterhouseCoopers LIP (1999) suggest that the potential loss from the theft of intellectual property may amount to more than $300 billion a year.

However, industry experts believe that the economic figures represent only a tiny fraction of the real numbers due mainly to the following factors:

Most computer crimes are not detected

The complex, anonymous nature of the attacks makes them difficult to trace. Hackers often use fake identifications, either by using someone else’s account, or masking their own identities (Shimeall 2001b). Michael Vatis, director of the FBI's National Infrastructure Protection Committee, told a Senate subcommittee that tracing cyberattacks is like "tracking vapor" (Christensen 1999).

Financial Losses are difficult to ascertain

Financial losses such as lost contracts, jobs, markets and design rights are often difficult to calculate. Besides, information is not a physical asset, which makes the calculation of its monetary value rather difficult. It might, for example, have cost thousands of dollars to compile mailing lists, but after the lists are created, they may be worth millions to a competitor in ongoing sales, when stolen.

Most computer crimes are not reported to the authorities

Most corporate victims do not report network security breaches to the authorities (Cimino 2000). A recent Federal Bureau of Investigation (FBI) survey found that of the ninety percent of U.S. businesses and government agencies who suffered hacker attacks, only a third reported the intrusions to law enforcement (Krebs 2002b; NUA 2002). Key reasons for this reluctance to report to the authorities include:

Fear of Embarrassment

The negative publicity highlights a company’s vulnerabilities. It would be detrimental, especially for banks and credit card companies, if their investors, shareholders, and customers come to know how insecure their computer systems are. Corporate victims would also find it rather embarrassing if the public found out that teenage hackers could read their secrets or transfer money from their accounts.

Fear of Lawsuits

It would be detrimental for companies if customers come to know that they have been victimized. The disclosure may open them up for potential lawsuits.

Hackers are difficult to prosecute

It is virtually impossible to take legal action against hackers due mainly to the following factors:

- Some hackers come from far-off locations where there are no statutes against computer crime. Compounding the difficulties of detection is the rerouting of hacking activities through various countries (Maria 1999a), which makes the prosecution process difficult.

- Hackers can only be prosecuted if the exposed company can show that it was actively security conscious (Fonseca & Harreld 2001), which many companies find great difficulty in proving due to the complexities of putting together a bulletproof case.

- There are few laws on the books that set clearly applicable precedents for the right to legal relief in computer-related cases (Halbert 1994).

- The price of prosecution does not come cheap. In the U.K., the threshold for pursuing attackers can cost more than US$73,000 (McAlearney 2001b). Furthermore, since hackers tend to work by themselves, the cost of a lawsuit may be much more than can reasonably be recovered from the defendant.

Besides huge financial losses, corporate victims also suffer from some other important direct and indirect losses as shown in Figure 2.5 below.

FIGURE 2.5 ONLINE BUSINESS RISKS

Direct Losses
- Theft of:
  - Money
  - Trade Secrets
  - Company Information
  - Digital Assets
  - Customer Information
  - Computer Resources
- Productivity Loss
- Corruption of Data
- Diversion of Funds

The consequential results of these direct and indirect losses “can destroy a corporation, put people out of work, bankrupt businesspeople, and devastate shareholders and investors” (Ravindran 2000).

The next section deals with the potential external and internal sources of security threats facing organizations today, in particular the human threats. It also discusses the motives or goals that malicious attackers have, techniques and methods for gaining access, and the effectiveness of existing security solutions. As the primary focus of this study is on determining the most problematic people issues facing organizations with regard to security, real life cases of corporate hackers who have been successfully prosecuted in the United States and their motivations will also be examined.

2.5 SOURCES OF SECURITY THREATS

Potential environmental risks can come in many different forms, both externally and within organizations. Generally, sources of security threats can be broken up into two categories: natural disasters and human threats (Howard 1997 and Benson 2000a).


2.5.1 Natural Disasters

Natural disasters such as earthquakes, hurricanes, floods, lightning and fire can cause severe damage to computer systems. Information can be lost, downtime or loss of productivity can occur, and damage to hardware can disrupt essential services. Other threats such as riots, wars and terrorist attacks could be included here. Although they are threats caused by people, they have been classified as disasters (Benson 2000a). However, in comparison with human threats, unexpected and occasional natural disasters pose few security threats to organizations. It has been well documented that “the greatest threat to computer systems and their information comes from humans, through actions that are either malicious or ignorant” (Benson 2000a).

2.5.2 Human Threats

Human threats are threats perpetrated by individuals or groups of individuals that attempt to penetrate systems through computer networks, public switched telephone networks or other sources. These attacks generally target known security vulnerabilities of systems, and many of these vulnerabilities are simply due to configuration errors (Bassham & Polk 1994). The major sources of human security threats can take the form of internal and external corporate hacking for information or hacking for malice. Figure 2.6 introduces a layout that can be used to break up human security threats into different areas.

FIGURE 2.6 HUMAN THREATS

HUMAN SECURITY THREATS

  External               Internal
  Competitors            Disgruntled employees
  Network hackers        Ignorant employees
  Script kiddies         Malicious workers
  Software pirates       Careless workers
  Phreakers              Indifferent workers
  Virus creators         Planted employees
  Hacktivists            Temporary consultants
  Social Engineers       Naive Senior Executives
  External Consultants   Telecommuters

[Self Created]


External Perpetrators

External perpetrators are intruders from outside the organizational environment; they consist mainly of competitors, network hackers, hacktivists, script kiddies, external consultants, phreakers, and virus creators.

Competitors

The spread of high technology from computer-related industries to traditional manufacturing and to services such as banking has been a double-edged sword for business. Information today is a more powerful and more valuable asset than ever before, but it is also more difficult to control. According to Richard Blaksley, managing director of Kroll Associates, a U.S. based firm specializing in corporate intelligence, “the requirement to get a competitive edge both domestically and globally is getting greater and greater, and people will go to extreme lengths to get that competitive edge” (International Herald Tribune 1998). As a result, competing businesses, under the buzzword "competitive intelligence", are increasingly snooping online for any information which can be used to limit rivals’ business opportunities, help make the next big sale or gain a technological edge. The ultimate aim for perpetrators is to access valuable information which could not otherwise have been obtained by normal means. Valuable information refers to any piece of knowledge that could hurt an organization or help its competition if it were to fall into the wrong hands. Sought-after items consist mainly of the following:

- Customer lists

- Sales and financial figures

- Merger / buy out discussions and proposals

- Contract negotiations

- Proprietary secrets and innovations

- Research and development work

- Unannounced product specifications, and prototypes

- Reports on management and operational problems

- Future plans

- Personnel files

- Potentially embarrassing organizational information

Attackers trying to harm a system or disrupt normal business operations use a variety of methods as suggested by Bassham & Polk (1994), Cramer (1996), Winkler (1997), Nelson (1998), Sproles & Byars (1998), Williams (1999), Benson (2000a), Konrad (2000), Sung (2001) and Schlesinger (2002), and these include:

- Penetrating computer networks

- Denial of Service attacks

- Password cracking. Password cracking is a technique used to surreptitiously gain system access by using another user’s account.

- Exploiting known security weaknesses such as configuration errors and security bugs.

- Stealing proprietary information contained in drawings and documents and on floppy disks and CD-ROMs.

- Using a “swallow” (an attractive woman) or a “raven” (an attractive man) to form a close personal relationship with an employee with access to trade secrets.

- Hiring a competitor’s employee who has valuable knowledge.

- Bribing a supplier or employee.

- Planting an agent in a company with the mission to compromise key employees, tap into computer databases, and intercept communications to ferret out confidential research, technologies and other information.

- Misinformation. Misinformation involves providing false information to the targeted competitor's collection systems to induce this organization to make bad decisions based upon this faulty information.

- Disinformation. Disinformation may include hiring corporate hackers from remote countries to spread rumors about competitors without having much fear of reprisal from authorities or of being held accountable.

- Data diddling. Data diddling involves changing information such as financial records or stealing passwords.

- Hiring hackers. Hackers in Russia “charge as little as US$100 to reduce a corporate website to nothingness” (Walker 1999).

- Social engineering.

Currently, social engineering is the most common method adopted by corporate hackers (Schlesinger 2002).

Below are two recent cases involving business rivalry:

Alibris (U.S. Department of Justice 1999a)

In 1999, Alibris, an Internet Service Provider, was charged in a U.S. federal court with intercepting customer communications and possessing unauthorized password files. It was alleged that the primary purpose of the interception was to gain a competitive advantage for its other online business.


Princeton University (Barbaro 2002; The Straits Times 2002c)

A more recent case involved Stephen LeMenager, the director of admissions at Princeton University. According to a Washington Post report, LeMenager admitted to snooping on the Yale University admissions website and peeking into the online files of Yale applicants to learn whether they had been admitted.

Network hackers

For the individual hacker who can gain access to the personnel records of a company, there is a wealth of opportunity. Contained within corporate personnel records are, in most cases, the complete life histories of employees. Salaries, credit records, social security numbers, medical records, and performance reviews are just a few of the personal record items a company keeps on its employees. Add to that the names, addresses and phone numbers of every employee along with the names of their spouses and children. If any of this information is stolen, there is great potential for credit card fraud, blackmail and extortion. The following profiles some of these cases:

In one of the latest and largest intrusions, a hacker managed to break into a database containing approximately 8 million Visa, MasterCard and American Express credit card numbers (Krim 2003). This case is still under FBI investigation.

Tse Thow Sun (U.S. Department of Justice 2002e)

On April 9 2002, a Singaporean named Tse Thow Sun who resides in Chicago was charged in a U.S. court for theft of trade secrets. It was alleged that Sun contacted the president of Language Line Services in Monterey, California in March 2002 and offered to sell to him proprietary information of Language Line Service’s chief competitor, Online Interpreters, for $3 million. Attorneys for Language Line Services promptly contacted the FBI. With the continuing assistance of individuals from both companies, the FBI arranged a meeting on March 24, 2002. At that meeting, Sun provided certain documents to prove that he had access to the trade secrets of Online Interpreters and was subsequently arrested.

The following are cases involving Russian hackers.

“No one should underestimate Russian hackers. They are a threat to the world” Sergei Pokrovsky, Editor-In-Chief of Hacker Magazine (Walker 1999)

Vladimir Levin (Trigaux 1998b; The Straits Times 2000d)

Vladimir Levin


[Source: http://tlc.discovery.com/convergence/hackers/bio/bio_09.html]

A mathematician from St Petersburg, Vladimir Levin, transferred US$12 million from Citibank accounts by hacking bank workers’ passwords. Levin was later arrested at London's Heathrow Airport. In February 1998, Levin was sentenced to three years in prison by a U.S. judge and ordered to pay Citibank $240,000 in restitution.

Maxim (The Straits Times 2000a; Knight 2000c; Westbrook 2000)

In a highly publicized case, a 19-year-old Russian reportedly stole 300,000 credit card numbers from CD Universe, an Internet music retailer, and demanded a $100,000 ransom in February 2000. The hacker, using the name Maxim, sent an e-mail to the New York Times boasting about his exploits and gave the numbers for 198 credit cards as proof of the theft. Verifying that the numbers were real, The New York Times contacted the credit card owners. However, CD Universe refused to give in to his demands. When denied the money, he posted 25,000 of the numbers on a Web site. Based on media reports, Maxim was never caught.

Vasiliy Gorshkov and Aleksey Ivanov (U.S. Department of Justice 2001d, 2001g, 2001p, 2002m)

In October 2002, the U.S. federal court sentenced Vasiliy Gorshkov to three years in prison for operating a computer hacking scam to defraud U.S. Internet service companies. According to Federal investigators, Gorshkov, a computer programmer and his colleague, Aleksey Ivanov a.k.a. "subbsta" defrauded more than 40 businesses in 10 states. Investigators say the two hacked into business email systems from Russia, and then contacted the companies posing as "security consultants" and offering to fix the problems for fees as high as $5,000. Ivanov is currently facing trial for charges which include: making unauthorized intrusions into computer systems owned by companies in the United States; transmitting threats to damage those computer systems, attempting to extort money and employment from these companies; and stealing credit card numbers and merchant account numbers. If convicted of all the charges in the indictment, Ivanov faces a maximum possible penalty of 90 years in federal prison.


However, not every individual is motivated by monetary gain; some are driven by the need to expose security weaknesses in commercial sites. Recently, a hacker known as "Fluffi Bunni" defaced the website of the SANS (System Administration, Networking, and Security) Institute (Attrition.org 2001a). SANS Institute is a cooperative research and education organization founded in 1989, which is well known for providing security seminars and training to more than 96,000 system administrators, security professionals, and network administrators around the world. The defacement asks, "Would you really trust these guys to teach you security?"

Still others may be driven by political or humanistic causes, fame, and revenge or simply out of curiosity.

Script Kiddies

Contrary to popular belief, the majority of external hackers are script kiddies, popularly known as amateurs, as shown in Figure 2.7 below. This is in stark contrast with the general perception that hack attacks on computer networks are the work of sophisticated hackers who spend hours writing complicated code and meticulously probing a target computer for a security hole to breach.

A typical script kiddie is a 12–16 year old boy who is not computer-savvy. These days, there is little need for script kiddies to know a great deal of programming to get inside a computer system. Script kiddies do most of their hacking by downloading free tools such as hacking software, hacking scripts, and step-by-step instructions which are readily available from the World Wide Web (Bearden 1998). A 1999 report indicated that 30,000 websites offering free advice and tutorials on ‘How to Hack’ could be found on the Internet (Christensen 1999). An example of such a website can be found at (http://www.totse.com/en/hack/hack_attack/162745.html). The website, posted by self-professed hacker Richard "Terminalkillah" Evans, offers potential hackers the information needed on “How to hack a Hotmail Account”. The availability of such tools makes it far easier for wannabe script kiddies to acquire the skill set needed to break into remote computers. With the wide availability of such tools, Professor of Computer Science at Cornell University Fred Schneider believes that “if somebody wanted to launch an attack, it would not be at all difficult” (Christensen 1999).

Figure 2.7 below shows that script kiddies are by far the biggest threat on the Internet at the current time. They are responsible for about 90% of all external hacking activity.


FIGURE 2.7

[Source: http://www-cs.etsu.edu/gotterbarn/stdntppr/stats.htm]

What makes these novice hackers so dangerous is not the vast amount of knowledge they possess, but rather their lack of understanding of the full impact of their exploits (Bearden 1998; Wilson 1998; Martinez 1999; Dube 2000; The Associated Press 2000). It was this very naiveté that brought the Internet down in 2000. In a widely publicized case, the attacks of MafiaBoy, then a 15-year-old hacker from Canada, would not have been so devastating had he had some programming skills or a full understanding of what he was doing. MafiaBoy, whose identity is protected under Canadian law, was sentenced to eight months in a juvenile detention center and fined $250 Canadian dollars for his misdeeds, which included “denial of service” (DoS) attacks on 1,200 CNN-hosted web sites (Dube & Ross 2000; Knight 2000a; Knight 2000j; Segan 2000; ZDNet UK 2000b; The Associated Press 2001b).

A "denial-of-service" attack is characterized by an explicit attempt by attackers to prevent legitimate users of a service from using that service (CERT Coordination Center 1999; Campbell 2000; CNET News 2000; Hamilton 2000; Shankland 2000). Examples include:

- attempts to "flood" a network, thereby preventing legitimate network traffic

- attempts to disrupt connections between two machines, thereby preventing access to a service

- attempts to prevent a particular individual from accessing a service

- attempts to disrupt service to a specific system or person


An example of a typical “distributed denial of service” (DoS) attack is shown in Figure 2.8 below.

FIGURE 2.8 A DoS ATTACK
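The "flood" form of denial of service described above, and the distributed variant in Figure 2.8, can be spotted in connection logs by counting connection attempts per target inside a sliding time window and checking how many distinct sources they come from. The detector below is an added illustration, not from the dissertation or any cited source; its log format, addresses, thresholds and traffic are all constructed for the example.

```python
import re
from collections import defaultdict, deque

# Constructed log format: "<epoch_seconds> <src_ip> -> <dst_ip>:<dst_port> <tcp_flags>"
LINE_RE = re.compile(
    r"^(?P<ts>\d+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<port>\d+) (?P<flags>\S+)$"
)

WINDOW_SECONDS = 10            # sliding window length (constructed)
SYN_THRESHOLD = 20             # SYNs to one target within the window => flood
DISTRIBUTED_MIN_SOURCES = 5    # this many distinct sources => treat as distributed


def parse_line(line):
    """Parse one constructed log line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": int(m["ts"]), "src": m["src"], "dst": m["dst"],
        "port": int(m["port"]), "flags": m["flags"],
    }


def detect_floods(lines, window=WINDOW_SECONDS, threshold=SYN_THRESHOLD,
                  min_sources=DISTRIBUTED_MIN_SOURCES):
    """Return one alert per (dst, port) whose SYN count in any window hits the threshold.

    Only bare SYNs (flags == "S") count: completed handshakes are normal traffic.
    """
    events = [e for e in map(parse_line, lines) if e and e["flags"] == "S"]
    events.sort(key=lambda e: e["ts"])
    recent = defaultdict(deque)   # (dst, port) -> deque of (ts, src) inside the window
    alerted = set()
    alerts = []
    for e in events:
        key = (e["dst"], e["port"])
        q = recent[key]
        q.append((e["ts"], e["src"]))
        while q and e["ts"] - q[0][0] > window:   # drop SYNs that fell out of the window
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            sources = {src for _, src in q}
            alerts.append({
                "dst": e["dst"], "port": e["port"],
                "window_start": q[0][0], "window_end": e["ts"],
                "syns": len(q), "sources": len(sources),
                # many sources within one window is the signature of a distributed attack
                "distributed": len(sources) >= min_sources,
            })
            alerted.add(key)
    return alerts


def build_sample_log():
    """Constructed traffic: background handshakes, a distributed SYN flood against
    203.0.113.10:80 from ten sources, and a single-source flood against 203.0.113.20:443."""
    lines = []
    for i in range(6):                       # normal clients, one handshake each
        ts = 1000 + i * 30
        lines.append(f"{ts} 198.51.100.{i + 1} -> 203.0.113.10:80 S")
        lines.append(f"{ts} 203.0.113.10 -> 198.51.100.{i + 1}:50{i} SA")
        lines.append(f"{ts + 1} 198.51.100.{i + 1} -> 203.0.113.10:80 A")
    for j in range(30):                      # distributed flood: 30 SYNs in 5 seconds
        lines.append(f"{1200 + j // 6} 192.0.2.{j % 10 + 1} -> 203.0.113.10:80 S")
    for j in range(25):                      # single-source flood: 25 SYNs in 5 seconds
        lines.append(f"{1300 + j // 5} 192.0.2.77 -> 203.0.113.20:443 S")
    lines.append("not a log line")           # malformed input must be skipped
    return lines


if __name__ == "__main__":
    for alert in detect_floods(build_sample_log()):
        kind = "distributed" if alert["distributed"] else "single-source"
        print(f"{kind} SYN flood on {alert['dst']}:{alert['port']} "
              f"({alert['syns']} SYNs from {alert['sources']} sources)")
```

Blocking a single source contains the second case, while the first needs upstream filtering or rate limiting, which is why the alert distinguishes them.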

The DoS attacks initiated by Mafiaboy alarmed Internet users around the globe, cost web sites millions of dollars in revenue, and shook the electronic commerce industry because of the ease with which major sites were made inaccessible (The Straits Times 2001b; Houle & Weaver 2001; Householder et al 2001; The Canadian Press 2001).

Most script kiddies are not doing it for money but simply for fun, out of boredom, or in pursuit of notoriety. They love to boast about their abilities to compromise systems to their peers or to other Internet users through Internet Relay Chat (IRC) forums (Seah 1999) which was exactly how MafiaBoy was caught. He repeatedly went on Internet chat rooms bragging about the attacks he launched.

Psychologists suggest that underlying the psyche of script kiddies may be a deep sense of inferiority. Consequently the shut down of a major site might give them a sense of power. According to psychologist Jerrold Post, “It’s a population that takes refuge in computers because of their problems sustaining real world relationships. Causing millions of dollars of damage is a real power trip” (Quittner 2001a).

Software Pirates

Software pirates are people who participate in the illegal copying and distribution of copyrighted software. This activity centers on the thousands of computer bulletin board systems (BBS) that specialize in pirated software. A BBS is a personal computer that has been equipped with a telephone modem and special software. Having access to these systems allows the pirate to copy, or “download,” commercial software programs. But not everyone participates in these activities for profit; there are those who copy and download pirated commercial software just to share it with their friends. These people are known in hacker parlance as “wares puppies.” Many justify their acts by saying that the software programs are too expensive and they cannot afford to buy them (Yu 2002).

Software piracy is a growing concern among software publishing companies. Interestingly, findings from the Business Software Alliance (BSA) 2002 Survey revealed that many Americans are software pirates, resulting in “billions of dollars in lost revenues for the U.S. economy and thousands of jobs lost annually” (Business Software Alliance 2002).

Phreakers

Phreakers specialize in using technology to fool the phone companies’ switches with the aim of making free calls all over the world. Phreaking was widely publicized when the exploits of John Draper, the “father of phreaking,” were publicized in a 1971 Esquire magazine article (Meyer 1989; Trigaux 1998a; Markoff 2001). John Draper became a national figure after being one of the first to discover that the toy whistle in a cereal box could trick the telephone network into giving free telephone calls. Widely known as “Captain Crunch,” Draper was arrested repeatedly for his phone tampering throughout the 1970s. Recently, Draper set up an Internet security software and consulting firm with a few partners, aimed at protecting the online property of corporations (Markoff 2001).

Unlike Draper, most phreakers today learn of technical methods and stolen or faked codes through confidential relationships with experienced phreakers. Most people involved with phreaking know nothing about actually getting these codes or what the technical instructions they receive actually mean. They simply follow the instructions and advice they receive from other experienced phreakers for their illegal exploits.

John Draper

[Source: http://www.nytimes.com/2001/01/29/technology/29CAP.html]


Virus Creators

Virus creators write code that attempts to reproduce itself on other systems without authorization. Viruses are a very real problem for both organizational and individual computer users. Some viruses delete data on the hard drive and on floppy disks, making information inaccessible unless the virus is in memory. Others cause the system to reboot without warning, causing the loss of any unsaved work. Viruses may also be transferred unknowingly from one computer to another.

According to Sophos (2002), a world leader in corporate anti-virus protection, 3,279 new computer viruses were detected in the first six months of 2002 alone. During this period, the single most prevalent virus was Klez-H.

The majority of virus writers are driven by the need to seek media attention (The Straits Times 2000e). Filipino Onel de Guzman, suspected creator of the “I Love You” or “Love Bug” virus that crippled millions of computers worldwide in May 2000, apparently wanted the world to know that he is a brilliant hacker (Knight 2000b; Knight 2000d; Manalo 2000; Oo 2000; Wakefield 2000; ZDNet UK 2000a; Manalo 2001). Although there was widespread global media coverage on Guzman, his hopes of rising to greater international notoriety were cut short by the inability of the Philippines authorities to prosecute him because of insufficient evidence. The case against Guzman was weakened because, at the time, the Philippines did not have laws governing computer hacking (ZDNet UK 2000c; Shimeall 2001). Suspicions linking Guzman to the authorship of the "ILOVEYOU" virus arose primarily because he had proposed to submit as his graduation thesis a "Trojan horse" program that steals passwords, much like the "ILOVEYOU" virus (Baguioro 2000; Manalo 2000; The Sunday Times 2000b). In his "Trojan horse" thesis proposal, the reason cited by de Guzman for conducting the thesis study is so that "... people, specially Internet users, can get Windows passwords, such as Internet accounts, to spend more time on the Internet without paying" (Guzman). Russel Diona, thesis committee chairman and dean of the College of Computer Sciences where Guzman was once a student, rejected Guzman’s thesis proposal (Manalo 2000). Interestingly, Guzman is considered by many in his home country as a hero, admired for his technical prowess (The Straits Times 2000f). A poll conducted in 2000 revealed that the majority of Filipino citizens were proud that the Love Bug originated from the Philippines (Sophos 2000).

ONEL De GUZMAN


Onel de Guzman standing beside a "jeepney" near his neighborhood in Manila

[Credit: Mark Landler for The New York Times]

The “Love Bug,” which reportedly caused an estimated US$10 billion in damages (Computer Economics 2002a) as it paralyzed computers around the world, would have landed Guzman in prison in some countries, had he been successfully prosecuted. Unlike Guzman, computer programmer David L. Smith was the first virus writer to be successfully prosecuted in the United States. Smith, the creator of the Melissa virus that hit companies on Friday March 26, 1999, was sentenced to 20 months in federal prison in May 2001 (U.S. Department of Justice 2001c). In his guilty pleas, Smith acknowledged that the “Melissa” virus, named after a Florida stripper he knew, caused $80 million in damages (U.S. Department of Justice 1999b; The Straits Times 1999).


DAVID SMITH

[Source: http://www.cnn.com/TECH/computing/9904/02/melissa.arrest.03/index.html]

Hacktivists

Hacktivists are people who hack for a cause and are somewhat equivalent to “freedom fighters.” Their activities are usually described as hacktivism, a marriage of hacking and political activism (National Infrastructure Protection Center 2001; The Straits Times 2000h). Hacktivists have a wide range of goals and objectives, including exposing government corruption or fundamental violations of human rights.


The most common type of cyber-protest by hacktivists is Web page defacement, which involves replacing an organization's original Web pages with the hacktivists' own statements; an example is shown in Figure 2.9 below. On September 19, 1996, hackers broke into the CIA Web site, changing the home page by altering graphics, posting obscenities and changing the agency's name to "Central Stupidity Agency."

FIGURE 2.9 CIA WEB DEFACEMENT


[Source: http://www.cnn.com/TECH/specials/hackers/]

Classic examples of hacktivism followed the September 11 terrorist attacks on America and the recent Iraqi war (Devi 2003; Reuters 2003), events that illuminated e-businesses’ vulnerabilities to political events. Overnight, hacktivists with their own political agendas waged a cyberwar around the globe, leaving organizations as innocent victims caught in the crossfire. Although the total economic impact on all corporate victims around the world may be unaccountable, Computer Economics (2002b) estimates the financial costs to corporate America alone could be as high as US$15.8 Billion.


While some hacktivists need to express their strong political messages, others are led to hack into corporate sites which they feel have violated human rights. An example of website defacement in protest of human rights in China is shown in Figure 2.10 below.

FIGURE 2.10 HUMAN RIGHTS WEB DEFACEMENT

[Source: http://www.cnn.com/TECH/specials/hackers/]


Cyber forensics expert Marc Rogers and leading psychologist Jerrold Post have identified some basic behavioral trends of hacktivists. Rogers suggests one characteristic is that they tend to minimize or misconstrue the consequences of their activities, rationalizing that their behavior is really performing a service to society, sometimes referred to by researchers as the ‘Robin Hood Syndrome’ (Quittner 2001a). They may also tend to dehumanize and blame the victim sites they attack. Post further suggests some hacktivists share a sense of ‘ethical flexibility’, which means that since human contact is minimized over the computer, hacking activities become like a game where the serious consequences can be easily ignored (Quittner 2001a).

Social Engineers

Social engineers are people who use a technique based on attacking the weakest link in the entire phone system: the human being. The object is to get information or access to systems that are normally only used by privileged users (Lemos 2000).

Legendary hacker Kevin Mitnick who won the title of "World's Most Notorious Hacker" in the 1999 Guinness Book of World Records (Poulsen 1999) was well known for his excellent social engineering skills. He famously stole confidential code from large companies by simply tricking staff into revealing network passwords (The Sunday Times 2000a; Broersma 2002). In a recent interview with 60 Minutes, Mitnick acknowledged that his success with hacking into some of the world’s most secured websites including Sun Microsystems, Motorola, and Qualcomm was largely due to his social engineering skills as he had very limited programming skills (CBS News 2000). In a recent speech, Mitnick said: "Through social engineering, I gained the ability to obtain any number, listed or unlisted” (Lemos 2000).

[Figure: Kevin Mitnick during the interview on 60 Minutes. Source: CBS News.com]

The following is a typical example of social engineering by a phreaker, cited from an unpublished book by Swedish author Walleij (undated).

P = Phreaker
V = Innocent victim
T = The victim's telephone

T: Ring!
V: Hello!
P: Hello, is this Mr. X?
V: Yes... who's calling?
P: Good morning, this is Noam Chomsky at the Accounts Security Division of the Chase Manhattan Bank. How are you doing this morning?
V: Er... just fine. What's the problem?
P: We have a situation here right now involving our databases. Your Chase Visa card is currently unusable due to the loss of a large portion of our customer files. If you would give me your card number and PIN, we can restore your account immediately.
V: Just a minute, who did you say you were?
P: My name is Noam Chomsky, and I'm with the Accounts Security Division of Chase Manhattan Bank. There's a situation here... (repeats what he just said)
V: (Suspicious) I wasn't aware of this. Is there a number I can call you back on?
P: Sure, no problem. I appreciate your carefulness. Give me a call back at 800-555-5555. (Fake number that connects to a phone booth or that has been programmed into the phone company switches by P himself, which he can remove at will without trace. Naturally, it's not his home phone number.)
V: Thanks! Talk to you in a moment.
T: Click. Silence. Buzz...
P: Chase Manhattan Bank, Accounts Security Division, Noam Chomsky speaking. How can I help you?
V: Great! This is Mr. X. I was afraid you were a scammer. OK, my Visa card number is XXXX... and my PIN is XXXX.
P: (Pauses, writing.) Thank you. We will restore your account as soon as possible. Please refrain from using your card during the next 24 hours. Goodbye, and thank you for your cooperation.
V: Goodbye.
T: Click.


External Consultants

With recent cyber attacks wreaking considerable and well-publicized havoc on businesses, security concerns have now reached the boardroom. This is resulting in increased pressure on IT staff to ensure the security of data and to mitigate future costs associated with security threats. However, handling security in-house is challenging for many companies, often due to the lack of resources and expertise of their in-house staff, many of whom are not trained in the ever-changing world of security. To ease the burden, some large corporations have taken the novel and controversial stance of “turning to the expertise of their former nemesis, the hacker, to fine tune and update their security features” (Trigaux 1998c). More specifically, these reformed hackers, some of whom have been convicted, are being hired to examine and strengthen the security of these organizations by closing ‘port holes’ and constructing ‘firewalls’ within their computer systems (TLC 2003). Besides having to scramble with competitors for the services of this limited pool of talent, corporations find that these white hat hackers do not come cheap. White hat hackers, sometimes known as ethical hackers, especially those backed by big corporate and consulting names, regularly charge $20,000 to $200,000, depending on the depth of their attack and the size of the business client's network. However, the presence of hackers with a dark past within legitimate companies has become a controversial topic. Some companies say they would never employ someone with a dark past (Strassmann & Taschek 2000). There is certainly the issue of trust. The uncomfortable nature of hackers' past behavior leads companies to question whether they would make trustworthy outsourcers. "Would you trust an ex-burglar or an ex-arsonist?" asked Ken Lindup, a senior consultant at security specialist SRI Consulting, at a recent security conference (Trigaux 1998c). He advises organizations to “avoid the temptation” of hiring security experts who are past convicts (Trigaux 1998c). Law-enforcement and security experts say many companies have become vulnerable to theft by relying on consultants, contract workers or outside companies to maintain and operate their computers (International Herald Tribune 1998). The following are recent cases involving external consultants:

Christopher Scott Sandusky (U.S. Department of Justice 2002f)

On April 17, 2002, Christopher Scott Sandusky pleaded guilty in the United States District Court in Las Vegas to three counts of Unauthorized Access to a Protected Computer. Sandusky admitted that during those unlawful accesses, he knowingly transmitted codes or information and impaired Steinberg Diagnostic Medical Imaging (SDMI)’s system by changing the administrative passwords, locking personnel out of their own system, and crippling the business of SDMI. Sandusky had been terminated from employment with a computer consulting business which had assisted in setting up SDMI’s computer system.

Claude R. Carpenter II (U.S. Department of Justice 2001k)

On July 24, 2001, Claude R. Carpenter II, pleaded guilty to intentionally causing damage to the computer systems of Internal Revenue Service (IRS).

On March 13, 2000, Carpenter began work as a systems administrator for Network Resources, a subcontractor to the IRS. His responsibilities included monitoring three computer servers maintained at the IRS’s computer center. Within a brief time, Carpenter was admonished for inappropriate action and comments, for repeatedly arriving at work late, leaving before the end of his shift and not being available for system responses and customer requests. His supervisor discussed these issues with him on April 3, 2000. Carpenter had two other meetings in April with supervisors where he was advised that any further problems with attitude or timeliness would be grounds for dismissal. Carpenter continued to be late for work. On May 4, Carpenter disrupted the computer system utilized by system administrators. On May 18, following a dispute between Carpenter and a co-worker, Carpenter’s supervisor prepared and sent to the project manager a draft letter of dismissal for Carpenter. Carpenter’s supervisor did not print out the letter or give it to Carpenter.

On May 18 and 19, Carpenter logged into one of the servers without authorization and proceeded to access his supervisor’s computer profile, modifying the profile and inserting several lines of destructive computer code. Carpenter inserted the same lines of active destructive code onto three other servers, so that once it executed, it would wipe out all of the data on all three servers. Carpenter then tried to conceal his activities by turning off system logs, removing history files and seeking to have the destructive code overwritten after execution to make it impossible for system administrators to determine why the data was deleted. The next day Carpenter was dismissed, after describing to the project manager the draft dismissal letter which was located on his supervisor’s computer. During the following two weeks Carpenter called the system administrator room several times to ask if "everything was ok," "if the machines were running ok," or "if anything was wrong with the servers." After Carpenter’s activities were discovered, IRS and the project managers shut down the three computer servers in order to remove the destructive code and reestablish the security and integrity of the system. Also, it was later discovered that Carpenter lied about his previous work history, criminal history and use of illegal drugs in his job application.

If convicted, Carpenter faces a maximum penalty of 10 years imprisonment and a fine of $250,000 for his misdeeds.

Contrary to popular belief, the real dangers to corporate networks and systems are not from external hackers but rather from the careless and malicious acts of individuals within the organization (Anderson 1972; Loch et al 1992; Bassham & Polk 1994; Knowles 1996; Simpson 1996; Winkler 1997; Chan 1999; Kerstetter 1999; Leong 1999; Knight 1999b; Bruck 2000; Harrison 2000; Rohland 2000; Neal 2001; Null 2001; TechTV 2001; Tee 2001; Verton 2001; Broersma 2002; Oracle 2002; Regan 2002a; The Straits Times 2003). Of all the internal human threats, experts believe company insiders pose the greatest threat.

Company Insiders

According to security expert Ira Winkler, “insiders are a company's biggest concern, from a security perspective. There is no close second” (Winkler 1999). Echoing Mitnick’s views, leading former hacker Weld Pond said in a recent interview with ABC News, “People should be worried about insiders at a company more than outsiders. This is how most security breaches occur” (ABC News 2001). Findings from the CSI/FBI 2001 Information Security Survey indicated company insiders committed seventy percent of hacking cases (Computer Security Institute 2001). Every year businesses lose serious money to insiders and only minuscule amounts to external hackers (TechTV 2001b).

According to security experts at IBM, every office has at least one insider (Arizona Central 2001). What makes company insiders the most dangerous attackers, and the greatest threat to any company, is primarily that they have the most intimate knowledge of the system, are the most likely to know what actions would cause the most damage, have the most access to systems without being questioned, and are the most likely to have specific goals and objectives (Bassham & Polk 1994; Winkler 1997; International Herald Tribune 1998; Benson 2000a).

A company insider may be an employee, an ex-employee, a temporary consultant, or a planted worker who is disgruntled or driven by financial gains.


Disgruntled Employees

Disgruntled workers are mainly those people who believe their employers underappreciate them or that they have been somehow mistreated. One of the ways these people seek revenge for perceived wrongs is to hack into their companies’ systems and networks.

Despite more than 80 percent of cases not being reported (Winkler 1997), the following are recent cases of disgruntled former employees who have been successfully prosecuted in the United States:

Timothy Lloyd (Trigaux 1998c, U.S. Department of Justice 1998, 2000, 2002b)

Timothy Lloyd was a former chief network administrator of Omega Engineering Corp., which manufactures sophisticated, heat-sensitive probes and measuring devices. In August 1995, the company demoted him. Lloyd was terminated from Omega on July 10, 1996, after working for the company for approximately 11 years. On July 30, 1996, two weeks after he was fired, Lloyd unleashed a computer programming "time bomb" that deleted critical company files. Federal prosecutors put the direct costs of his high-tech mayhem to Omega in excess of $10 million in damage and lost productivity.


On February 26, 2002, Lloyd was sentenced to 41 months in prison for his crimes.

Michael Whitt Ventimiglia (U.S. Department of Justice 2001a)

On March 20, 2001, Michael Whitt Ventimiglia pleaded guilty to one count of intentionally damaging protected computers. Ventimiglia admitted that in the early morning hours of May 15, 2000, while an employee of GTE, he entered his place of employment, the GTE Network Service Support Center (NSSC), and entered certain commands into three different multi-state GTE network computers used in interstate commerce and communication. These commands caused the computers to delete electronic information stored on their hard disk drives and prohibited anyone from interfering with this destruction of data. The damage amounted to a cost to GTE of at least $209,000.

If convicted, Ventimiglia faces a maximum of five years imprisonment and a fine up to $250,000.

Michael Normington (McAlearney 2001a)

Three weeks after his resignation, Michael Normington deleted files and defaced his company's Web site. Normington admitted taking out his frustrations by breaking into the site, erasing files and redirecting traffic to a pornography site. He also posted "derogatory comments" about his former company's customers and employees. He will serve six months in prison and pay $38,000 in restitution.

Patrick McKenna (U.S. Department of Justice 2001h)

Patrick McKenna, who was fired by Bricsnet on Friday, October 20, 2000, hacked into his former employer’s computer server on two occasions. The first time was the evening of Friday, October 20, 2000, the day he was fired. The second was the following morning, Saturday, October 21, 2000. McKenna remotely accessed the computer server of his former employer, via the Internet, without authorization and caused extensive damage including deleting approximately 675 computer files and sending emails to over one hundred (100) clients with defamatory remarks about his former company.

On June 18, 2001, McKenna was sentenced to 6 months in federal prison for "unauthorized computer intrusion," or "hacking," into the computer database of his former employer, Bricsnet U.S. He was also ordered to pay $13,614.11 in restitution for the damage he caused.


Herbert Pierre-Louis (U.S. Department of Justice 2001p)

On September 6, 2001, Herbert Pierre-Louis was found guilty of two counts of knowingly sending a computer virus to cause damage to computers used in Purity Wholesale Grocers, Inc.

On June 18, 1998, while still employed as a computer hardware technician for Purity, Pierre-Louis used confidential passwords to access and place a virus at critical locations within Purity’s computer system. The virus put Purity’s computer system out of operation for several days and ultimately cost the company over $75,000. Pierre-Louis had been reprimanded by his supervisor for work related problems ten days before the virus was transmitted.

If convicted, Pierre-Louis faces a maximum sentence of three and a half years in federal prison, a fine of up to $250,000, and mandatory restitution.

Melissa S. Brown (U.S. Department of Justice 2001q, 2001w)


According to Court documents filed in U.S. District Court, Melissa S. Brown admitted that on April 14, 2001, she remotely logged onto the computer system of her employer, Christian & Timbers. During the session, Brown logged onto the company’s computer system using the user ID and password of a co-worker, without the knowledge or authorization of the co-worker, and changed the password of the company’s Chief Information Officer who was on vacation at the time, thus preventing the CIO from gaining log-on access to the company computer. Losses incurred by Christian & Timbers as a result of Brown’s actions amounted to $15,346.71. On December 14, 2001, Brown was sentenced to three years probation for the damage she caused Christian & Timbers.

John Michael Sullivan (U.S. Department of Justice 2001e)

On April 13 2001, John Michael Sullivan, a former employee of Charlotte-based Lance, Inc., was sentenced to 24 months’ imprisonment for knowingly causing the transmission of a computer code that disrupted and damaged Lance’s computer link with its sales force across the nation.

According to testimony presented at the trial, Sullivan was hired by Lance on September 23, 1996, to develop part of a computer program to be used by Lance’s national sales staff to collect sales, inventory, and delivery information and transmit it by means of a telephone modem to its headquarters in Charlotte, North Carolina. Testimony revealed that Sullivan was demoted by Lance on May 8, 1998 because of poor performance on the job. On May 22, 1998, Sullivan resigned his position with Lance. His last day at Lance was June 2, 1998.

On May 12, 1998, Sullivan inserted part of a "code bomb" including a date trigger in the software which he wrote for hand held computers used by the company’s 2000 sales representatives in the field. Sullivan’s "logic" or code bomb was triggered at noon on September 23, 1998 and caused the field staff’s computers to become inoperative. Lance’s operations were disrupted for several days and its direct loss as a result of Sullivan’s conduct was more than $100,000.

Washington Leung (U.S. Department of Justice 2002d)

Washington Leung was a former employee in the Human Resources department at Marsh Inc., an insurance company located in Manhattan. Leung was terminated from Marsh due to a complaint made by a female co-worker of him harassing her because she rebuffed his romantic advances. In January 2001, Leung used a password belonging to another employee at Marsh to obtain unauthorized access to Marsh’s computer database and deleted approximately 800 files. In March 2002, Leung was sentenced in a Manhattan federal court to 18 months in prison for his misdeeds.

Richard Eitelberg (U.S. Department of Justice 2002g)


Richard Eitelberg was charged on April 26 2002 with the unauthorized intrusion of the computer network of his former employer, MP Limited LLC ("MP"), an apparel manufacturer and designer based in Manhattan.

According to the Complaint, Eitelberg was hired as the controller at MP on September 1, 2001. In connection with his work at MP, Eitelberg was given the password to permit him to remotely access the MP computer system from his home. On its computer network, MP manages different databases relating to its business, including its customers' orders.

Eitelberg stopped working at MP on February 1, 2002. On April 11, 2002, an MP employee accessed the MP database containing customer orders, and found that the records of all of MP's orders had disappeared. The computer records at MP allegedly indicated that Eitelberg accessed the MP computer system using a password from at or about 9:21 P.M. until at or about 9:46 P.M. on April 10, 2002, and that orders in the database were deleted during this computer session. According to the Complaint, AT&T phone records indicated that between February 27, 2002, more than three weeks after Eitelberg stopped work at MP, and April 10, 2002, the phone line registered to Eitelberg's wife and located at his residence was used to call MP's modem connection approximately 13 times, including the call made on April 10, 2002.


If convicted of unauthorized computer intrusion, Eitelberg faces a maximum possible sentence of five years in prison and a fine of $250,000.

Raymond Blum (U.S. Department of Justice 2002h)

Raymond Blum, a former Chief Technology Officer of Askit.com, ("Askit"), a Manhattan-based computer consulting company, was arrested on May 16 2002 on charges of transmitting threats via the Internet to his former employer at Askit. As Chief Technology Officer, Blum had access to all computer system passwords and information necessary to operate Askit's computer networks. In February 2002, shortly after Blum's departure from the company, Askit began to experience computer and telephone voicemail problems: there was unusual network traffic on its computer system which caused its computer network to fail; Askit's e-mail servers were flooded with thousands of messages containing pornographic images; and Askit's voicemail system was altered so that certain customers calling the company were directed to a pornographic telephone service. At the time of this activity, Blum and Askit were in a dispute concerning the severance terms of Blum's employment contract with Askit.

Following the intrusions directed against their computer and voicemail systems, Askit's Chief Executive Officer (the "CEO") and its President (the "President") began receiving threatening communications in various forms. For example, the CEO received an e-greeting card expressing sympathy at his "recent loss and bereavement." The President received an e-greeting card containing an image of a box which, shortly after being displayed on the President's computer screen and accompanied by a creaking sound, opened to display a voodoo doll with skeleton-like features. The doll had pins stuck through various parts of the doll's body and was wearing a name tag which identified the doll as being the President.

In addition, in April 2002, Blum posted messages on Askit's web site devoted to answering customer questions containing statements such as "You are doomed!" and "die."

On April 29, 2002, Askit's President received an e-mail message telling him to "say goodbye to anyone who pretends to care about you” and this message was traced to a computer at Home Box Office, Blum's present place of employment.

If convicted, Blum faces a maximum sentence of five years in prison and a $250,000 fine.


Glenn Cazenave and Amaya Marinella (U.S. Department of Justice 2002j)

On August 2, 2002, Glenn Cazenave and Amaya Marinella, former employees of Commerce One, an international software development company, were indicted on federal charges of conspiring to enter the company’s computer systems and unlawfully delete a $2.6 million software package that was being developed for a foreign client.

Cazenave was hired to run Commerce One’s engineering department, and Amaya was an employee of the company supervised by Cazenave. While Cazenave was initially assigned to lead the multi-million dollar “Memec” project, he was soon taken off the project and later was terminated by the company.

After Cazenave was terminated, Amaya allegedly provided Cazenave with the administrator password for the Commerce One server where the Memec project was located so that Cazenave could delete the project file. Using the password he received from Amaya, Cazenave deleted the entire Memec project file on February 21, 2001. However, Commerce One personnel were able to retrieve the deleted information, a move which limited the company’s losses to the cost of investigating the intrusion and ensuring that the system was no longer vulnerable to such attacks.


If convicted, Cazenave and Marinella each face a maximum possible sentence of 10 years in federal prison.

Roger Duronio (U.S. Department of Justice 2002p)

Roger Duronio, a disgruntled computer systems administrator for UBS PaineWebber was charged on December 17 2002 with using a "logic bomb" to cause more than $3 million in damage to the company's computer network, and with securities fraud for his failed plan to drive down the company's stock with activation of the logic bomb.

As one of the company's computer systems administrators, Duronio had responsibility for, and access to, the entire UBS PaineWebber computer network. He also had access to the network from his home computer via secure Internet access. Duronio, who repeatedly expressed dissatisfaction with his salary and bonuses at Paine Webber resigned from the company on Feb. 22, 2002.

The Indictment alleges that, from about November 2001 to February, Duronio constructed the logic bomb computer program. On March 4, as planned, Duronio's program activated and began deleting files on over 1,000 of UBS PaineWebber's computers. It cost PaineWebber more than $3 million to assess and repair the damage.

In anticipation that the stock price of UBS PaineWebber's parent company, UBS, A.G., would decline in response to damage caused by the logic bomb, Duronio also purchased more than $21,000 of "put option" contracts for UBS, A.G.'s stock, according to the charging document. A put option is a type of security that increases in value when the stock price drops.

If convicted, Duronio faces a maximum penalty of 10 years in federal prison and a $1 million fine.

Andy Garcia (U.S. Department of Justice 2003a)

Andy Garcia, a former employee of Viewsonic Corporation was arrested on February 6 2003 on federal charges of hacking into the company’s computer system and wiping out critical data, acts that shut down a computer server that was central to the company’s foreign operations.


Viewsonic Corporation is a manufacturer of computer monitors that generates more than $1 billion a year in revenues. Garcia was the network administrator at Viewsonic’s Walnut office, where he was in charge of several computer servers and had access to system passwords for management employees.

According to court documents, on April 14, 2002, approximately two weeks after Garcia was terminated, Garcia allegedly accessed Viewsonic’s computer system and deleted critical files on one of the servers that he had maintained while employed by the company. The loss of these files rendered the server inoperative, and Viewsonic’s Taiwan office was unable to access important data for several days.

If convicted, he faces a maximum possible sentence of 15 years in federal prison.

Richard W. Gerhardt (U.S. Department of Justice 2003f)

On March 13, 2003, Richard Gerhardt pleaded guilty to unauthorized access to the network computer system of Nestle USA while employed as an information systems consultant.

On five separate occasions between August 12, 2001, and June 10, 2002, Gerhardt gained access to the Nestle network computer system without authorization and in excess of his authorized access. Gerhardt admitted to downloading approximately 5,000 user account passwords from Nestle's system, which forced the firm to conduct a damage assessment of, verify the security of, and restore the integrity of its computer system.

Gerhardt used password-cracking software called "L0phtCrack" to retrieve the passwords for user accounts on the system. Gerhardt then created a database containing the user account passwords and stored the database in a file on a computer server connected to the system and in a file located on a laptop computer issued to him by Nestle.

Gerhardt admitted that he ran at least one password recovery utility program while on the system, then stored the results in at least one .zip file, creating a file which contained passwords he had obtained.

Without authorization, Gerhardt loaded and installed a program called "pwdump.exe" on the Nestle network computer system and on the laptop computer issued to him by Nestle. The "pwdump.exe" program is associated with an automated command that, at a preset time each day, communicated to other computers on the Nestle network computer system and downloaded active accounts and passwords. Gerhardt admitted that, on June 3, 2002, he caused the output from the "pwdump.exe" program to be stored on a computer server connected to the Nestle computer network system. Approximately 5,000 passwords associated with users of the Nestle computer network system were accessed and stored by Gerhardt.

On June 4, 2002, Gerhardt used a dial-up connection to log onto the Nestle network computer system from a remote location. While on the system, Gerhardt created a new and unauthorized administrator account.

Gerhardt's hacking activity resulted in a loss to Nestle USA of about $10,000.

Under the plea agreement, Gerhardt agreed to perform 250 hours of community service, either during a term of supervised release following a prison sentence or as a condition of probation, by speaking to public groups, advising them of the dangers associated with computer hacking, and publicly discouraging others from engaging in computer hacking conduct by warning them that those who engage in such conduct can suffer a federal felony conviction.

If convicted, Gerhardt may be subject to a sentence of up to five years in federal prison without parole, plus a fine up to $250,000.
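The Gerhardt case contains two indicators a defender can look for in ordinary audit data: a credential-dump utility run or registered as a daily scheduled task, and an unauthorized administrator account created over a remote connection. The following is an added example, not taken from the dissertation or from any of the DOJ releases it cites, showing how such indicators can be flagged when run over a small, constructed set of Windows-style security audit records. The event ID values are the real Windows Security log IDs for account creation, group membership change, process creation and task registration; the approved-administrator list, the actor and account names, and every event record are assumptions invented for the example.

```python
"""Added example: flag two insider indicators in Windows-style audit records.

Indicator A: a credential-dump tool (pwdump, L0phtCrack) is run as a process
             or registered as a scheduled task.
Indicator B: an account is added to the local Administrators group by an
             actor who is not an approved administrator, or the account being
             added was itself only just created (a new, unvetted admin).
All records below are constructed for the example.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Windows Security log event IDs (real values)
ACCOUNT_CREATED = 4720   # a user account was created
ADDED_TO_GROUP = 4732    # a member was added to a security-enabled local group
PROCESS_CREATED = 4688   # a new process has been created
TASK_REGISTERED = 4698   # a scheduled task was created

# Hypothetical list of accounts allowed to grant administrator rights
APPROVED_ADMINS = {"it_admin1", "svc_provisioning"}

# Image names the dissertation associates with password dumping (lower-case)
CRED_DUMP_TOOLS = ("pwdump", "l0phtcrack")


@dataclass
class Event:
    time: str        # constructed timestamp
    event_id: int
    actor: str       # account that performed the action
    target: str = "" # account affected (for 4720 / 4732)
    detail: str = "" # command line, task action, or group name


def is_cred_dump(detail: str) -> bool:
    """True if a command line or task action references a known dump tool."""
    lowered = detail.lower()
    return any(tool in lowered for tool in CRED_DUMP_TOOLS)


def analyse(events: Iterable[Event]) -> List[str]:
    """Return one finding string per suspicious event, in log order."""
    findings: List[str] = []
    created_by: Dict[str, str] = {}   # new account -> actor who created it
    for ev in events:
        reasons = []
        if ev.event_id in (PROCESS_CREATED, TASK_REGISTERED) and is_cred_dump(ev.detail):
            kind = "scheduled task" if ev.event_id == TASK_REGISTERED else "process"
            reasons.append(f"credential-dump tool run as {kind}")
        elif ev.event_id == ACCOUNT_CREATED:
            created_by[ev.target] = ev.actor       # remember, flag on privilege grant
        elif ev.event_id == ADDED_TO_GROUP and ev.detail.lower() == "administrators":
            if ev.actor not in APPROVED_ADMINS:
                reasons.append(f"{ev.actor} is not an approved administrator")
            if ev.target in created_by:
                reasons.append(
                    f"{ev.target} is a newly created account (by {created_by[ev.target]})")
        if reasons:
            findings.append(
                f"{ev.time} [{ev.event_id}] actor={ev.actor} "
                f"target={ev.target or '-'}: " + "; ".join(reasons))
    return findings


# Constructed sample log: one benign process start, one benign group change,
# and a Gerhardt-like sequence (daily pwdump task, new account made admin).
SAMPLE_EVENTS = [
    Event("2002-06-03 02:00", TASK_REGISTERED, "contractor1",
          detail=r"C:\tools\pwdump.exe > \\fileserver\share\dump.txt"),
    Event("2002-06-03 09:12", PROCESS_CREATED, "it_admin1",
          detail=r"C:\Windows\notepad.exe"),
    Event("2002-06-04 23:41", ACCOUNT_CREATED, "contractor1", target="support2"),
    Event("2002-06-04 23:42", ADDED_TO_GROUP, "contractor1", target="support2",
          detail="Administrators"),
    Event("2002-06-05 10:05", ADDED_TO_GROUP, "it_admin1", target="newhire7",
          detail="Remote Desktop Users"),
]

if __name__ == "__main__":
    for line in analyse(SAMPLE_EVENTS):
        print(line)
```

Only two of the five constructed events are reported: the pwdump task registration, and the Administrators change whose actor is outside the approved list and whose target was created moments earlier. Matching on image names alone is the weak part of this check; in practice it is the combination with a scheduled task and an off-hours account creation by the same actor that raises the priority of the alert.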

Kenneth Patterson (U.S. Department of Justice 2003d)


On February 26, 2003, Kenneth Patterson was indicted on charges of Password Trafficking and Computer Damage.

According to the indictment presented to the court, Patterson, a former employee of American Eagle Outfitters, was charged with trafficking in passwords and similar information that would have permitted others to gain unauthorized access to the American Eagle Outfitters computer network, when Patterson posted and maintained at a Yahoo hacker group posting board the username and password combinations of certain legitimate American Eagle Outfitters users together with detailed instructions on how to hack into the wide area network of American Eagle Outfitters using those passwords.

Patterson was also charged with a series of computer intrusions into the American Eagle Outfitters computer network from November 27, 2002 through December 1, 2002. These intrusions were attempts to deny computer services to American Eagle Outfitters stores in the United States and Canada during the beginning of the Christmas shopping season. These denial of service attempts were quickly identified by American Eagle personnel and corrective actions were implemented that limited their intended economic impact.

If convicted, Patterson faces a maximum sentence of 11 years in prison, a fine of $350,000, or both.


Alan Giang Tran (U.S. Department of Justice 2003j)

On April 18 2003, Alan Giang Tran, a former employee of Airline Coach Service and Sky Limousine Company pleaded guilty to a federal charge of hacking into the companies' computer system and wiping out critical data. The hack wiped out the companies' customer database and other records and effectively shut down the companies' computer server, Internet-based credit card processing system, and website.

According to court documents, Airline Coach Service and Sky Limousine are jointly owned companies with a combined gross annual revenue of approximately $8.5 million. Tran was the network administrator at the companies' facility in Inglewood, where he had administrator-level passwords and privileges for all of the companies' computer operations. Tran was recently terminated by the companies. On January 5, 2003, the companies' computer system was attacked; passwords on the system were changed and specialized software applications were deleted. Because employees could not use the computer system, the companies were unable to dispatch drivers to pick up clients and the companies suffered thousands of dollars in losses. Federal investigators executed a search warrant at Tran's home, where they found several computers, a file folder marked "retaliation" and information regarding the companies' computer systems.

If convicted, Tran faces a maximum sentence of 10 years in federal prison.
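A pattern running through the disgruntled-employee cases above is access after separation: Lloyd two weeks after his firing, McKenna on the evening of the day he was fired, Eitelberg dialling the company modem for weeks after leaving, Garcia two weeks after termination. The following is an added example, not part of the dissertation, of the offboarding check a defender would run to catch this: it cross-references an HR termination list against a directory export and a remote-access log, flagging accounts still enabled after their owner's termination date and any successful remote logins on or after that date. The roster, directory, log lines and usernames are all constructed for the example.

```python
"""Added example: offboarding check for ex-employee access.

Flags (a) accounts still enabled after the owner's termination date and
(b) successful remote logins by such accounts on or after that date.
All data below is constructed for the example.
"""
from datetime import date, datetime
from typing import Dict, List, Optional, Tuple

# Constructed HR roster: username -> termination date (None = still employed)
HR_ROSTER: Dict[str, Optional[date]] = {
    "netadmin1": date(2002, 3, 31),
    "controller2": date(2002, 2, 1),
    "dev_jsmith": None,
}

# Constructed directory export: username -> account enabled?
DIRECTORY: Dict[str, bool] = {
    "netadmin1": True,
    "controller2": True,
    "dev_jsmith": True,
}

# Constructed remote-access log: "<ISO timestamp> <user> <source> <result>"
ACCESS_LOG = """\
2002-04-10T21:21:00 controller2 dialup:555-0147 success
2002-04-11T08:02:00 dev_jsmith vpn:10.8.0.12 success
2002-04-14T02:10:00 netadmin1 vpn:10.8.0.77 success
2002-03-20T17:45:00 netadmin1 vpn:10.8.0.77 success
"""

LogEntry = Tuple[datetime, str, str, str]


def parse_log(text: str) -> List[LogEntry]:
    """Parse the constructed log format into (time, user, source, result)."""
    entries: List[LogEntry] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, source, result = line.split()
        entries.append((datetime.fromisoformat(ts), user, source, result))
    return entries


def stale_accounts(roster: Dict[str, Optional[date]],
                   directory: Dict[str, bool], as_of: date) -> List[str]:
    """Accounts whose owner was terminated on or before as_of but are still enabled."""
    return sorted(
        user for user, term in roster.items()
        if term is not None and term <= as_of and directory.get(user, False))


def post_termination_logins(roster: Dict[str, Optional[date]],
                            entries: List[LogEntry]) -> List[str]:
    """Successful logins on or after the user's termination date, in log order.

    'On or after' matters: McKenna's first intrusion was the evening of the
    day he was fired, so a same-day login must not be excused.
    """
    findings = []
    for ts, user, source, result in entries:
        term = roster.get(user)
        if term is not None and result == "success" and ts.date() >= term:
            days = (ts.date() - term).days
            findings.append(
                f"{user} logged in from {source} {days} days after termination "
                f"({ts.isoformat()})")
    return findings


def offboarding_report(as_of: date) -> Dict[str, List[str]]:
    """Combine both checks over the constructed data for a given review date."""
    return {
        "stale_accounts": stale_accounts(HR_ROSTER, DIRECTORY, as_of),
        "post_termination_logins": post_termination_logins(
            HR_ROSTER, parse_log(ACCESS_LOG)),
    }


if __name__ == "__main__":
    for key, items in offboarding_report(date(2002, 4, 15)).items():
        print(key)
        for item in items:
            print("  ", item)
```

The two checks are deliberately independent: the stale-account list is what the helpdesk should act on the day someone leaves, while the login check is the retrospective control that catches cases where disabling was missed. Note that the netadmin1 login on 20 March is not reported, because it predates that user's termination.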


Just about every employee may also be targeted for his or her knowledge of, or ability to gain access to, valuable proprietary or sensitive information.

Suzanne Scheller (U.S. Department of Justice 2001v)

While an employee with a financial institution, Suzanne Scheller accessed her company’s computer system and searched for potential customers for a friend who was starting a real estate business. After identifying prospects, Scheller then provided the friend with the customer account information. On November 30, 2001, Scheller was sentenced to a term of thirty-six months probation.


Financial Gain

If money is the insider’s ultimate aim, the corporate environment offers a great deal of information that has potential value. Information of tremendous value includes customer lists that can later be sold to a competitor, or company trade secrets such as formulae, manufacturing details, merger or acquisition plans, marketing details, or advertising campaigns that can later be used to form another company. Other employees may be approached for the expertise they personally possess in relation to specific scientific work or projects they may be involved in. Employees with legitimate access to classified reports, computer system passwords or R & D projects can be recruited to steal or copy the information. Here are some recent cases of company insiders driven by financial gain who have been prosecuted or convicted in the United States:

Makeebrah Turner (U.S. Department of Justice 2001m, 2001s, 2002a)

Makeebrah Turner pleaded guilty on October 9, 2001 to computer fraud charges. While an employee of the Chase Financial Corporation, Turner illegally accessed her company’s computer systems. In doing so, she was able to obtain 68 credit card account numbers and other customer account information. Turner admitted that the financial information was distributed and transmitted to one or more individuals. It was then used to fraudulently obtain goods and services valued at approximately $99,636.08, without the knowledge or consent of the account holders.

Brian Keith West (U.S. Department of Justice 2001r)

On September 24, 2001, Brian Keith West pled guilty to intentionally accessing and obtaining information without authorization. From his former employer’s (Oklahoma ISP) place of business, West penetrated a security hole in the website of the Poteau Daily News and Sun, employed a user ID and password, and downloaded computer files of value. West reported to the newspaper editor that he had penetrated the website, accessed the site using a username and password, and downloaded several files by accident. The website owner reported the unauthorized access to law enforcement authorities.

Subsequent investigations revealed that West had downloaded the computer files for financial gain as he was in the process of rewriting the files, and intended to market the revised software program.

The offense to which West pled guilty is a misdemeanor which is punishable by a term of imprisonment not exceeding one year. However, under the United States Sentencing Guidelines, West will be eligible for probation.

Peter Morch (U.S. Department of Justice 2001b)

Peter Morch, a former Cisco Systems engineer, was arrested by federal authorities on charges of stealing blueprints for an optical networking product. Morch, who had joined Cisco rival Calix Networks, was charged with stealing trade secrets. On March 21, 2001, Morch, a resident of San Francisco and a citizen of Canada and Denmark, pleaded guilty.

Geoffrey Osowski and Wilson Tang (U.S. Department of Justice 2001d, 2001n, 2001u)

On November 26, 2001, former Cisco Systems, Inc. accountants Geoffrey Osowski and Wilson Tang were each sentenced to 34 months in prison for unauthorized access to the computer systems of Cisco Systems in order to illegally issue almost $8 million in Cisco stock to themselves.

In pleading guilty, Osowski and Tang admitted that between October 2000 and March 27, 2001, they participated together in a scheme to defraud Cisco Systems in order to obtain Cisco stock that they were not authorized to obtain. As part of the scheme, they exceeded their authorized access to computer systems at Cisco in order to access a computer system used by the company to manage stock option disbursals, used that access to identify control numbers to track authorized stock option disbursals, created forged forms purporting to authorize disbursals of stock, faxed the forged requests to the company responsible for controlling and issuing shares of Cisco Systems stock, and directed that stock be placed in their personal brokerage accounts.

Osowski and Tang further admitted that the first time that they did this, in December 2000, they caused 97,750 shares of Cisco stock to be placed in two separate Merrill Lynch accounts, with 58,250 of the shares deposited in an account set up by Osowski and 39,500 shares deposited in an account set up by Tang. In February 2001, they caused two additional transfers of stock, in amounts of 67,500 shares and 65,300 shares, to be transferred to brokerage accounts in their names. The total value of the Cisco stock that they took on these three occasions was approximately $7,868,637.

Nicholas Daddona (U.S. Department of Justice 2001g, 2002c)

On March 11, 2002, Nicholas Daddona was sentenced in a United States District Court to 5 months of home confinement with electronic monitoring, to be followed by 36 months of probation. Daddona was convicted of stealing trade secrets from his former employer, Fabricated Metal Products, Inc. While employed by FMP, Daddona began working for a competitor, Eyelet Toolmakers, Inc., without FMP’s knowledge. Daddona admitted that he stole unique engineering plans stored on FMP’s computers and delivered them to Eyelet and associated entities.

Richard Glenn Dopps (U.S. Department of Justice 2002k)

Richard Glenn Dopps pleaded guilty on September 9, 2002 to one felony count of obtaining information from a protected computer. In pleading guilty, Dopps admitted to illegally accessing the computer system of his former employer and reading the e-mail messages of company executives for the purpose of gaining a commercial advantage at his new job at a competitor.

Until February 2001, Dopps was employed by The Bergman Companies (TBC), a contracting firm based in Chino. After leaving TBC to go work for a competitor, Dopps used his Internet connection to gain access to TBC’s computer systems on more than 20 occasions. Once Dopps was inside the TBC systems, he read e-mail messages of TBC executives to stay informed of TBC’s ongoing business and to obtain a commercial advantage for his new employer. Dopps’ unauthorized access into TBC’s computer system caused approximately $21,636 in damages and costs to TBC.

If convicted, Dopps faces a maximum sentence of five years in prison and a $250,000 fine.

Bret McDanel (U.S. Department of Justice 2003g)

Bret McDanel, a former employee of Tornado, was sentenced on March 25, 2003 to 16 months in federal prison for maliciously bombarding his former employer’s computer system with thousands of email messages.

McDanel, who used the moniker "Secret Squirrel", sent thousands of email messages and overloaded the Tornado computer server. Additionally, the emails he sent contained a link to a web site he had created where he revealed confidential information about Tornado technology that McDanel had learned while employed there.

The evidence presented during the bench trial showed that McDanel, who worked at Tornado from June 1999 until February 2000, committed the crime to retaliate against Tornado (Tornado folded in the fall of 2002). According to court documents, McDanel harbored resentment against his former employer and planned to start a competing messaging company.

During the trial, the government also presented evidence that McDanel had attacked the computer system of another former employer in New Jersey in 1997. McDanel was indicted in September 2002 in New Jersey in connection with the alleged 1997 conduct.

Patrick J. Murphy (U.S. Department of Justice 2003h)

On April 2, 2003, Patrick Murphy was indicted on six counts of Theft of Trade Secrets. According to the indictment, Murphy stole trade secrets relating to computer code for designing computer chip features, and wireless computer network specifications, from his former employer, Jasmine Networks, Inc.

If convicted, Murphy faces a 10-year imprisonment and a fine of $250,000.

Charmaine Northern (U.S. Department of Justice 2003e)

On March 10, 2003, Charmaine Northern pleaded guilty to obtaining confidential customer account information and making fraudulent transactions. During the plea hearing, Northern admitted that during the period from January 22, 2001 through October 26, 2002, while she was employed as a member service representative of Schools Federal Credit Union in Sacramento, California, she used the credit union computer to obtain customer account information, including names, social security and driver's license numbers and addresses, to open accounts in the names of others and incur unauthorized charges. Some of the credit card accounts were opened on the Internet. After the credit cards were established in the names of other customers, Northern used the credit cards to make numerous purchases. The estimated amount of the fraudulent transactions is approximately $53,376.

If convicted, Northern faces a maximum sentence of five years of incarceration; a fine of $250,000; and a three-year term of supervised release.

Oleg Zezev (U.S. Department of Justice 2003c)

Oleg Zezev, a.k.a. "Alex," a Kazakhstan citizen, was convicted in February 2003 on charges that he schemed to hack into Bloomberg L.P.'s ("Bloomberg") computer system in order to steal confidential information, and then attempted to extort $200,000 from Bloomberg by threatening to disclose the confidential information to Bloomberg's customers and the media in an effort to harm Bloomberg's reputation.

According to the evidence at trial, Bloomberg L.P. is a multinational financial data company that provided its customers in the international financial community with timely financial information and trading data through a computer network. The company was founded in 1981 by Michael Bloomberg, currently Mayor of the City of New York, who also was the President & Chief Executive Officer of Bloomberg, Inc., the general partner of Bloomberg.

According to the evidence introduced at trial, Zezev was the chief information technology officer at Kazkommerts Securities ("Kazkommerts") located in Almaty, Kazakhstan. In the Spring of 1999, Bloomberg provided database services to Kazkommerts. As a result, Kazkommerts was provided with the Bloomberg software needed to gain access to Bloomberg's services over the Internet. Those services were cancelled by Bloomberg in 1999 because Kazkommerts did not pay its bill.

The evidence at trial demonstrated that in March 2000, Zezev manipulated Bloomberg's software to bypass Bloomberg's security system in order to gain unauthorized access to Bloomberg's computer system so that he could pose as different legitimate Bloomberg customers and employees. On 11 separate occasions during March 2000, Zezev illegally entered Bloomberg's computer system and accessed various accounts, including Michael Bloomberg's personal account as well as accounts for other Bloomberg employees and customers. Zezev copied various information from these accounts including: e-mail in-box screens, Michael Bloomberg's credit card numbers and screens relating to internal functions of Bloomberg. He also copied various internal information from Bloomberg that was only accessible by Bloomberg employees.

According to the evidence at trial, on March 24, 2000, Zezev sent Michael Bloomberg an e-mail from Kazakhstan using the alias "Alex", attaching various screens he had copied from Bloomberg's computer system demonstrating his ability to enter the Bloomberg computer system as any user. He wrote in an attachment to the e-mail that he had "all possibilities. I can log under the name of any Bloomberg user including Super Users such as yourself." He then asked for payment and threatened: "There a lot (sic) of clever but mean heads in the world who will use their chance to destroy your system to the detriment of your worldwide reputation." Zezev ended the letter with "Your security and reputation are in your hands." The evidence at trial established that Michael Bloomberg then decided to contact the FBI. Under the FBI's direction, Michael Bloomberg communicated with Zezev via e-mail during the Spring and Summer of 2000.

The evidence demonstrated that Zezev sent an e-mail on April 17, 2000, to Michael Bloomberg threatening that if Michael Bloomberg did not send him $200,000 he would disclose to the media and Bloomberg's customers that he was able to gain unauthorized access to Bloomberg's computer system.

According to the evidence at trial, Michael Bloomberg, acting in conjunction with FBI agents, sent Zezev e-mails saying that if Zezev wanted the money he would have to meet with Michael Bloomberg and some of Bloomberg's computer specialists in London and explain to them how he was able to break into Bloomberg's computer system.

The evidence demonstrated that the e-mails themselves came from two Hotmail accounts which Zezev had registered under a false name. The e-mails were traced back to Kazkommerts Securities, where Zezev worked. After receiving the first email, Bloomberg computer specialists were able to piece together how Zezev had broken in, and rewrote the software on the Bloomberg system to prevent him from accessing the system again.

The evidence showed that in August 2000, Zezev and an associate, Igor Yarimaka (who has also been indicted on attempted extortion and conspiracy charges), traveled to London to meet with Bloomberg. On August 10, 2000, Michael Bloomberg, Tom Secunda, the Head of Technology at Bloomberg, and a British undercover agent posing as Michael Bloomberg's bodyguard met with Zezev and Yarimaka in London. The meeting was recorded on undercover videotape. At the meeting, Zezev introduced himself as "Alex". Michael Bloomberg told Zezev and Yarimaka that they were extorting his company. Zezev and Yarimaka were arrested after the meeting.

The evidence demonstrated that on August 12, 2000, after Zezev and Yarimaka were arrested, Michael Bloomberg's e-mail account received more threatening emails. In one of these e-mails, a co-conspirator states that he has not heard from Zezev and Yarimaka for 24 hours, and that if Bloomberg does not do something about it, "I begin severe measures against you!!!! The truth about you is learned with all world!!!"

On May 17, 2002, Zezev and Yarimaka were extradited from England to the United States to face the charges in the Indictment.

Zezev faces up to 5 years in prison on the conspiracy charge, up to 20 years in prison on the interference with commerce by using extortion charge; 2 years in prison for the extortion of a corporation using threatening communications charge; and 1 year in prison for the unauthorized computer intrusion charge.

Zezev faces a maximum fine of $250,000 or twice the gross gain or loss resulting from the crime for each count.

James Comey, the United States Attorney for the Southern District of New York, stated: "The Internet is a powerful communication tool in helping international commerce. This case demonstrates law enforcement's commitment to prosecute vigorously those individuals, wherever they are located, who seek to abuse this tool to their own ends. It further illustrates how important it is that victims of cybercrime report these kinds of crimes to the FBI."

Dorian Thomas, Daryen Simmons and David King (U.S. Department of Justice 2003k)

Dorian Thomas, Daryen Simmons and David King were indicted on May 8, 2003 on 22 counts of conspiracy, bank fraud, and identity theft charges.

Former financial institution employee Thomas is charged with one count of conspiring (1) to obtain unauthorized computer access to financial institution information, (2) to commit computer fraud, (3) to unlawfully use a means of identification of another person, and (4) to commit bank fraud. According to the indictment, Thomas obtained the confidential member profile information of account holders through financial institution computers and provided it to others, including King. The confidential member profile information included the original account holder's name, address, date of birth, driver's license number, social security number, credit card account information, account balance information, and other personal information. The indictment states that Thomas was compensated for providing the confidential member profile information by King and others.

The indictment charges Simmons with conspiring with Thomas and King, seven counts of bank fraud, one count of attempted bank fraud, and three counts of unlawful use of a means of identification of another person. King is charged with the same conspiracy and ten counts of bank fraud. According to court documents, Simmons and King made and obtained false identification documents in the names of the original account holders along with fictitious financial instruments bearing the names and/or account information of the original account holders.

If convicted, Thomas, Simmons and King each face a maximum sentence of up to thirty years, a five year term of supervised release, and a one million dollar fine on each bank fraud count; up to fifteen years, a three year term of supervised release, and $250,000 fine on each identity theft count; and up to five years, a three year term of supervised release, and a $250,000 fine on the conspiracy charge.

However, most insiders are rarely caught, and if they are, they can simply quit. They know that the chances of their companies taking legal action against them are very slim, in particular those working in banks and credit card companies. They know that their employers fear the implications that negative publicity would generate. Announcements that banks have loopholes in their computer systems would have unimaginable consequences.

A company’s highly sensitive information can also be lost through less sinister ways than theft. According to a leading hacker, “it is negligence, ignorance, indifference, and laziness of people in organizations that create a loophole, much to the glee of information thieves” (Maria 1999c).

Careless Employees

The majority of errors made by employees are the result of poor training, but even highly trained personnel make mistakes from time to time. Highly confidential computer files are accidentally deleted with frightening regularity in almost every organization. In recent research conducted by Network Associates, 71 percent of IT managers thought their colleagues were not taking security seriously and pointed to a lack of IT skills within the workforce (Knight 2000h).

In a recent case, human error at Microsoft created a security hole that, for at least a month, permitted outsiders to view phone numbers, street addresses, and other personal information on the company’s customers (Richman 2001).

Careless employees who lose their mobile devices such as notebooks, Palms, and other handheld computers, or who have them stolen, are also increasingly putting their companies at high risk. This is especially true when critical or confidential corporate information is stored on these devices.

However, a recent case has shown that careless employees are not the only ones putting their corporate data at risk. In September 2000, Qualcomm Chairman Irwin Jacobs had his laptop computer, which held many company secrets, stolen from a hotel lectern in Irvine, California (Benesh 2000). Qualcomm is a Fortune 500 company listed on the NASDAQ Stock Exchange.

Negligent Employees

Negligence on the part of employees has also been another major contributory factor to the loss of critical data. Ira Winkler, author of the book Corporate Espionage (Winkler 1997), contends, based on his years of experience as a professional, that many insider thefts result from malicious employees simply walking around the company’s premises and taking valuable information from other people’s desks and unlocked filing cabinets.

Ignorant Employees

Each time an employee uses the company network for activities such as sending emails, posting a message to a newsgroup, subscribing to a mailing list, and web browsing, he or she is innocently at risk of exposing information about the company. This is primarily because many companies troll the Internet with the ultimate aim of obtaining highly sensitive information such as trade secrets and marketing data (Baskin 1998).

Planted Workers

Employees are planted in rival companies with the mission to compromise key employees, tap into computer databases, intercept communications to gain highly sensitive and confidential information or to disrupt normal business operations.

Telecommuters

Telecommuters pose the greatest challenge to security administrators, as they tend to behave differently when working from home, even if policies are in place (Berinato 2000). Research studies have found that telecommuters tend to disable security; at the same time, technologies such as anti-virus software tend to be less rigorously updated, and others, such as encryption, are hardly used at all. This behavior, experts say, poses great security risks to companies, as hackers can either access information off the home hard drive or use that computer to find their way back into the corporate network.

A summary of the various types of insider breaches is shown in Figure 2.11 below.

FIGURE 2.11 INSIDER BREACHES

 Electronic theft, sabotage, or intentional destruction/disclosure of proprietary data or information

 Physical theft, sabotage, or intentional destruction of computing equipment

 Installation/use of unauthorized hardware/peripherals

 Use of company computing resources for personal profit (gambling, spam, managing personal e-commerce site, online investing)

 Abuse of computer access controls

 Installation/use of unauthorized software

 Use of company computing resources for illegal or illicit communications or activities (porn surfing, e-mail harassment)

 Fraud

[Source: CSI/FBI 2001 Survey]

2.5.3 Limitations of Existing Solutions

To improve their security odds in preventing sensitive information and trade secrets from getting into the wrong hands, some companies have taken their own security initiatives by erecting a network of defenses. Currently, the measures commonly adopted by organizations, which are also highly recommended by security experts for warding off cyber attacks, are anti-virus software, authentication, authorization, encryption, hard-to-crack passwords, and firewalls (Sproles and Byars 1998; Standler 1999; Harrison 2000; BusinessWeek 2001; TechTV 2001; Ong 2002).

According to IDC’s latest report, the market for security-related hardware, software, and services will continue to experience healthy growth, swelling to more than $45 billion in revenue by 2006 from just $17 billion in 2001 (Roberts 2003). However, survey results over the years offer compelling evidence that the majority of companies continue to experience intrusions, net abuse and theft of trade secrets despite increased spending on measures such as firewalls and encryption. The Information Security Magazine (ISM) 2000 Survey found that nearly every company had experienced unauthorized use of its computer systems or had been infected with viruses or worms despite having safeguards in place (Gold 2001).

Leading security experts and researchers all acknowledge that technology-led security solutions are no longer efficient or sufficient in preventing cyber attacks (Farmer 1996; Longstaff et al 1997; Winkler 1997; Ellison et al 1999; Knight 1999b; Maria 1999c; Cross 2000; Benson 2000b; Bridis 2000; Edwards 2000; Power 2000; Fonseca 2001; Schneier 2001; Blakley 2002; Germanow et al 2002; ABC News 2002). Schneier (2001) further warned, “the majority of companies who have tried technological approaches to computer security have paid for their mistakes”. Asked why security technologies often fail, security experts attribute it to the following factors:

Inherent Insecurity of the Internet

The fundamental problem is that the Internet was designed and built to facilitate the sharing and distribution of data; security was therefore never an important design consideration (Benson 2000b; Bener Bort 2001; Acohido 2002; Thomas 2002). Gary Kessler, vice president of Hill Associates Inc., a telecommunications consultancy, suggests, “The Internet is known to be riddled with security holes. It's trivial to launch an attack on the Internet” (Bort 2001). Without a secured Internet, experts contend, it is virtually impossible for organizations to avoid security problems and resolve computer security incidents, regardless of the kinds of measures they have adopted (Bort 2001).

Flaws and Weaknesses of Security Technologies and Software

Richard Pethia, director of Carnegie Mellon University's CERT Coordination Center, said: "Today's commercial off-the-shelf technology is riddled with holes. Software and design practices used today do not yield software that is resistant to attack and end-users can't keep pace” (Thibodeau 2001). This is primarily because “in the rush to beat competitors to market, product security plays second fiddle to adding new (and possibly insecure) features” (Lemos 1999). As a result, vendors force out security technologies that are ill designed, written, and tested (Farmer 1996; Lemos 1999; Lemos 2000; Allen 2001; Acohido 2002).

Bugs in Software

Another major problem is that the majority of software products including antivirus software have bugs (Lipson and Fisher 1999; Wearden & Knight 2000; Wildstrom 2000a, 2000b; Schneier 2001; Acohido 2002; Germanow et al 2002; Lemos 2002; Siew 2002). Microsoft has often been criticized for bugs in all of its software programs such as Internet Explorer (Regan 2002b), Hotmail (Knight 1999a) and Messenger (The Straits Times 2002b). According to a study commissioned by the National Institute of Standards and Technology (NIST), software bugs are so prevalent that they cost the American economy almost $60 billion each year (TechTalk 2002).

Ever-Changing Security Threats

Security threats are changing ever so rapidly and are becoming increasingly sophisticated and complex. Viruses, for example, are growing in sophistication and can propagate themselves faster and more effectively (Legard 2001a). This makes it difficult for security technologies to keep up with the ever-changing nature of security threats. Furthermore, technical security solutions tend to be reactive in the sense that they are the last step in the process: they help to solve problems that have already been identified (Rayner 1992). For example, it was found that the increasingly popular intrusion-detection systems are simply ill equipped to protect against newly developed, unfamiliar threats to the network. This is primarily because intrusion detection systems can only detect the specific attacks they have been programmed to identify (McHugh et al 2001; Stiennon & Easley 2002). However, “new security threats and flaws are discovered all the time that require an immediate attention to prevent hackers from exploiting them” (Messmer 2002), which accounts for their ineffectiveness.
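The limitation described above can be made concrete with a small added illustration (this is not code from the dissertation or from any product it cites): a toy detector runs two passes over constructed web-server log lines. The signature pass flags only the patterns it was given, so a request string it has never seen (a labelled placeholder here) goes unnoticed; a simple per-client error-rate baseline, which does not depend on knowing the attack in advance, still singles the client out.

```python
"""Signature-only detection vs. a complementary behavioural check.

Added illustration: signatures catch only what they were written for,
so a defender pairs them with checks that need no prior knowledge of
the attack (here, a crude per-client error-rate baseline).
"""
import re
from collections import Counter

# Constructed sample log lines (not real traffic): client ip, method, path, status.
# 10.0.0.9 sends a well-known traversal string; 10.0.0.7 sends a request
# string the detector has no signature for (placeholder, not a real payload).
SAMPLE_LOG = """\
10.0.0.5 GET /index.html 200
10.0.0.9 GET /../../etc/passwd 404
10.0.0.5 GET /about.html 200
10.0.0.7 GET /search?q=NOVEL_PAYLOAD_PLACEHOLDER_1 500
10.0.0.7 GET /search?q=NOVEL_PAYLOAD_PLACEHOLDER_2 500
10.0.0.7 GET /search?q=NOVEL_PAYLOAD_PLACEHOLDER_3 500
10.0.0.7 GET /search?q=NOVEL_PAYLOAD_PLACEHOLDER_4 500
10.0.0.5 GET /contact.html 200
"""

# The attacks this detector "has been programmed to identify" (constructed list).
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./"),
    "sql-comment": re.compile(r"(--|/\*)"),
}


def parse(log_text):
    """Split each constructed log line into a record; skip malformed lines."""
    records = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ip, method, path, status = parts
        records.append({"ip": ip, "method": method, "path": path, "status": int(status)})
    return records


def signature_hits(records):
    """Return (ip, signature-name) pairs for requests matching a known pattern."""
    hits = []
    for rec in records:
        for name, pattern in SIGNATURES.items():
            if pattern.search(rec["path"]):
                hits.append((rec["ip"], name))
    return hits


def rate_anomalies(records, max_requests=5, max_errors=3):
    """Flag clients exceeding a request or server-error baseline.

    The thresholds are illustrative; a real deployment derives them from
    observed normal traffic. No knowledge of any specific attack is needed.
    """
    requests = Counter(rec["ip"] for rec in records)
    errors = Counter(rec["ip"] for rec in records if rec["status"] >= 400)
    noisy = {ip for ip, n in requests.items() if n > max_requests}
    failing = {ip for ip, n in errors.items() if n > max_errors}
    return sorted(noisy | failing)


def analyse(log_text):
    """Run both passes and report what each one surfaces."""
    records = parse(log_text)
    return {
        "signature_hits": signature_hits(records),
        "anomalous_clients": rate_anomalies(records),
    }


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    print("signature hits:    ", result["signature_hits"])
    print("anomalous clients: ", result["anomalous_clients"])
```

Running it shows the signature pass naming only 10.0.0.9, while 10.0.0.7, whose requests match no signature, is surfaced only by the error-rate check.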

Availability of sophisticated hacking tools

Hacking tools are becoming increasingly sophisticated and, at the same time, increasingly user friendly and widely available. As a result, even unsophisticated novice hackers can use them to launch massive attacks, some of which security technologies were not able to detect (Pethia 2000; The Straits Times 2000f). The inherent insecurity of the Internet and the flaws and weaknesses in security technologies and software may suggest why even the world’s most secured networks, including those of NASA, the U.S. Air Force and the Pentagon, can be easily hacked into. Statistics from the General Accounting Office (GAO) revealed that in 1997 alone, the Pentagon was attacked 250,000 times, of which 160,000 attacks successfully penetrated its systems (Bener 2000; The Straits Times 2000n; The Associated Press 2001a; The Straits Times 2001a; The Straits Times 2001c). A recent GAO report further revealed that 22 of the largest federal agencies “have serious computer security weaknesses” (The Straits Times 2002d).

However, is security a technological problem? Of late, the world’s leading security experts and former hackers have voiced, with ever-increasing frequency, urgency and volume, their belief that security is more than just a technological problem, and hence that technical solutions alone may not be enough to address what is deemed to be a people problem.

2.5.4 Security as a People Problem

“Security is a people problem, not a technology problem. Installing security products improves security, but only if they are installed correctly and in the right places. The problem is that most network devices are misconfigured, and users make all sorts of mistakes.” Schneier (2001)

In 2001, CERT reported that for all incidents and exposures fully investigated, 99% had one thing in common – a known vulnerability or misconfiguration that was exploited (Qualys 2003). Dunn (1990) suggests office workers are familiar with the security requirements of a filing cabinet but not necessarily those of an information system.

“Bottom line--no product you can buy from any vendors will protect you completely from the most serious threat to your network and your business… the people.” Schlesinger (2002)

Kevin Mitnick, “the world’s most infamous hacker, feared by the public as an evil techno-genius, adored by computer hackers as a martyr, dubbed by the press ‘the Most Wanted Hacker in America’” (Winkler 1997), who calls himself “the James Bond of Hackers” (ABC News 2002), said in a recent interview with ABC News:

“Companies spend millions of dollars on firewalls and secure access devices, and it’s money wasted because none of these measures address the weakest link in the security chain: the people who use, administer and operate computer systems” Mitnick (Ng 2001; ABC News 2002).

Testifying before the U.S. Senate recently, Mitnick told lawmakers:

“People, not machines, were the weak link in security” (The Straits Times 2000d)

Shimomura, who helped the FBI capture Mitnick, said recently: “Even the best security in the world is useless in the face of careless users who give away passwords and IDs” Shimomura (Chng 2002).

“Many companies spend hundreds of thousands of dollars to ensure corporate computer security. The security protects company secrets, assists in compliance with federal laws, and enforces privacy of company clients. Unfortunately, even the best security mechanisms can be bypassed through Social Engineering” Winkler (1997)

“Ignorant or malicious users do more damage to system security than any other factors”. Farmer (1996)

The next section deals with organizational perspectives of security and its risks. Experts believe that it is the naïve understanding, behaviors, attitudes and beliefs of organizational members towards security, especially those of senior management, which have led to lax security and incompetent site management in organizations.

2.6 ORGANIZATIONAL PERSPECTIVES OF SECURITY

As discussed in this chapter, the consequences of cyber attacks can be highly detrimental to any organization. Given its importance, information security should become a major concern for organizations. Yet, few of them have fully grasped the implications or know how to address it.

2.6.1 Views of Security and its Risks

Unconcerned about cyber attack risk

Recent research studies have found that the majority of organizations, both large and small, held a lackadaisical view towards security or its consequences. A 2001 Jupiter Executive Survey conducted by Jupiter Media Metrix revealed that 87.9 percent of companies polled said direct financial loss in the event of a security breach is not a major concern for them (NUA 2001c; Oettinger 2001).

Similar findings were revealed in the Computer Sciences Corporation (CSC)’s 2001 survey involving more than 1,000 executives worldwide. The majority of those polled said that security practices and policies are not considered a top priority in their organizations (Computer Sciences Corporation 2001; NUA 2001b). When asked to choose from a list of security issues that were most important to their company, eliminating system vulnerabilities to reduce the risk of security breaches only ranked fifth. Survey results revealed the following weaknesses among the organizations polled:

 46% do not have a formal information security policy in place;

 59% do not have a formal compliance program supporting their information systems (IS) function;

 68% currently do not regularly conduct security risk analyses or security status tracking.

Similarly, in the U.K., a recent survey conducted by security firm Network Associates revealed that seventy percent of IT managers polled said that their senior executives were not wise to the importance of security risks and were failing to implement proper safeguards and procedures (Knight 2000g).

View security as an added expense

Security administrators and senior management in organizations face two conflicting issues: the “cost of designing secure systems and the need for designing secure systems” (Bener 2000). Traditionally, senior management’s primary decision-making role is predominantly to determine how much direct funding and other resources to grant to the organization’s security administrators for the rather loosely defined purpose of “beefing up security” to some vaguely articulated industry standard level of practice (Lipson & Fisher 1999; Gordon & Loeb 2002). In the minds of upper management, the perceived link between security funding and the business bottom line is tenuous at best. As a result, the high costs of security implementation and small budgets all serve as a deterrent to security administrators in designing any sort of security system or in hiring security expertise (Farmer 1996; Fonseca and Harreld 2001).


The belief that information is of little importance

Despite information being the lifeblood of an organization, most organizations undervalue their information assets. Security expert Woodward (2003) said: “Many companies still do not appreciate the value of information, and how much it is at risk from Internet technologies. They have simply not thought through the consequences of losing corporate information. They happily spend money on the physical security of their buildings and contents, but neglect the security of their information, the loss of which may be much more damaging financially than the loss of actual physical assets”.

Security policies impede productivity

With the supreme emphasis on productivity and performance, organizations normally find that putting together a security policy that restricts both users and attacks is time consuming and unproductive (Benson 2000b). Employees also become disgruntled at heavy security policies that make their work difficult for no discernible reason. Another common attitude among organizational members is that if no secret work is being performed, why bother implementing security (Knight 2002k).

Business above security

The Internet is a new and highly profitable medium of communication, and many people believe that waiting too long to solve security problems can mean a loss of business to the competition. The cost of losing to the competition is higher than the cost of dealing with complex security issues (Bener 2000). Hence, security considerations have always lagged behind in the rush to set up e-commerce sites (Quittner 2001). Even when administrators know there are security needs, they do not have the time; daily operational concerns and keeping systems functioning take priority over securing systems (Allen 2001). Furthermore, with the great emphasis on functionality on the Internet, many e-commerce organizations have found that the implementation of security technologies limits the functionality and ease of use for their employees and customers when conducting transactions (Bener 2000; Hernan 2000).

Complexity of Security Systems

The designers of information systems in organizations face a trade-off between complexity and assurance of security, because as security measures are increased, an information system becomes more complex and difficult to use (Bener 2000). Formal security systems are designed through the use of technology to prevent hackers from intruding into companies’ information systems. Technical solutions for designing secure systems involve complex design decisions at each level of IT (i.e. hardware, operating system, applications, user) in use within the organization (Gollman 1999). Security people have to somehow secure and manage thousands of workstations, servers, passwords, nodes, and networks.

Unaware of legal risks

The business leadership may be unaware of the legal liabilities of insecurity in their organizations. Findings from a recent survey conducted by security firm Integralls revealed that nearly a third of Britain’s leading company directors remain unaware of the legal implications of insecurity, despite half of the FTSE 100 company directors admitting that their companies have been the victim of corporate hacking (Knight 2002g).

Belief that security breaches are externally led

Research studies have shown that the majority of organizations may be unaware of or misinformed about where the real vulnerabilities lie in their network systems. Findings from the KPMG 2001 Global e.fr@ud Survey revealed that seventy-nine percent of CEOs, CIOs and other senior management from public and private companies in 12 countries said they believed breaches to their networks and systems would most likely be perpetrated through the Internet or other external access (KPMG 2001; NUA 2001a). As discussed in this chapter, the greatest risk to the security of any company is from internal perpetrators. In reality, disgruntled or former employees, or contract workers, are most likely to commit an attack or cause a security breach. The misconception that external hackers are the major source of security threats may have stemmed from extensive media coverage of external perpetrators as opposed to the rare publicity given to company insiders (Lemos 1999a, 1999b). Alan Brill, managing director of Kroll Associates Inc., a New York-based security consultancy to Fortune 500 companies, suggests that organizations tend to look at outside attacks primarily because “it is more difficult to accept the reality that real incidents are traced to real insiders” (Knowles 1996). Brill added that statistics on internal security breaches are difficult to find because such incidents are rarely reported and corporations do not detect every problem. Based on his years of professional experience as a security consultant, Brill further indicated that computer security problems involve someone inside the corporation about 90 percent of the time.

Belief that only large corporations are targets of hackers

Expressing his views on the attitudes of small and medium sized companies towards security, David Walsh, managing director of insurance company Clickforcover, said: "The complacency of small to medium sized businesses towards system-related risk gives serious cause for alarm” (Knight 2000e). Maria (1999b) suggests that the lack of concern for security by small businesses may be due to them believing they are unlikely targets of corporate hackers. Experts believe that this belief may have stemmed from the extensive media coverage given mainly to large victimized corporations such as Microsoft, NASA, the Pentagon and Yahoo (Lemos 1999a, 1999b). Conversely, experts warned that small companies are increasingly becoming the prime targets of corporate hackers (ABC News 2000; Ravindran 2000; Giannacopoulos 2002). A closer examination of an archived list of hacked commercial websites around the globe posted on the Internet by attrition.org (2001a) further revealed that when it comes to cyber attacks, the size of a company matters very little.

2.6.2 Managing Security

When managing security, many companies are “rushing headlong” into adopting security measures without careful planning and a proper understanding of their security needs. As a result, companies are increasingly putting themselves at greater risk. Some of the common mistakes made by organizations when managing security include:

Over-reliance on external consultants

There has been an increase in the number of organizations outsourcing their security needs in recent years. A recent Forrester Research survey indicated that outsourcing was growing faster than internal IT security operations (Fonseca & Harreld 2001).

The over-reliance on security companies to maintain and operate organizations’ computer systems has in most cases resulted in ill-informed organizations over-purchasing goods and services they do not need from vendors who are clueless and/or unscrupulous (Kassen 2002). Security businesses without the knowledge and expertise necessary to provide good security solutions are scamming both small businesses and large corporations into spending money on equipment, software, and services they do not need. As a result, companies end up overbuying from suppliers and security consultants, not knowing how to configure the equipment and software correctly, and still ending up with systems that are not secure. Ultimately, companies continue to be vulnerable to attacks which could cause damage to the customer base, the core enterprise systems, and the very business itself (Kassen 2002).

Security Policies

In generating security policies and procedures, Knowles (1996) and Conry-Murray (2002) suggest that Chief Information Officers make five major mistakes:

1. failure to understand what needs protecting

2. failure to thoroughly comprehend technologies

3. failure to determine the value of corporate information

4. failure to get senior management approval

5. failure to initiate a continuing security program

Security Education and Training

Findings from the recent InformationWeek Global Information Security Survey fielded by PricewaterhouseCoopers revealed that only 27% of U.S. companies have conducted security training for system and network administrators (see Figure 2.12 below).

FIGURE 2.12 LAX TRAINING

[Source: http://www.informationweek.com/story/IWK20021018S0010]

The study also revealed that though many small companies, those with annual revenue up to $50 million, have focused their spending on deploying security applications, only 18% say they have invested in security training. Midsize companies, with annual revenue of $50 million up to $500 million, fare slightly better, at 26%. Large companies, with revenue of $500 million or more, do better still, with 35%.


Commenting on the results, Lloyd Hession, chief security officer at Radianz, which runs a network for the financial-services industry, said: "This shows that most companies still view security as something you buy, such as firewalls and antivirus, and forget about" (Hulme 2002).

The numbers support Hession's observation: 82% of companies bought antivirus software and 78% network firewalls, but only 22% of companies have an employee security-awareness campaign and only 13% have user security training classes (Hulme 2002).

Other misconceptions when managing security include:

• The false belief that close questioning during recruitment interviews can detect signs of untruths.

• A false confidence in the effectiveness of reference checking as a sufficient “safety check” on the job applicant’s background.

• The need to fill vacancies is allowed to supersede thorough background checks.

• Overlooking a required background verification because of heavy workload.

• A once-only background verification or security check with no further continuous monitoring of employees’ activities and behaviors.

• Over-reliance on outsourcing to headhunters and recruitment agencies to supply “safe” recruits.

• Apathetic or poorly informed security guards and/or IT personnel.

• Using unqualified people to maintain security and providing neither the training nor the time to make it possible to do the job properly.

The next section of this chapter will look at research directed at identifying specific leadership behaviors leading to organizational success in information security. It will provide a number of suggestions of leader actions and responsibilities found to be effective in successful security initiatives. The suggestions will be reviewed to discover common threads and concepts, and to relate leader behaviors to the traits and perceptions identified in this section.

2.7 TOWARDS A HOLISTIC APPROACH

When managing information security, senior managers need to develop a comprehensive holistic approach, embracing both the human and technical dimensions (Accenture 2001; Computer Security Institute 2001; Schneier 2001). In the words of Kevin Mitnick, “computer security must include more than updated software or firewalls to keep hackers out” (Bridis 2000). His advice to the government and the private sector is to place greater emphasis on managing employees rather than just focusing on security technologies in beefing up their computer security (The Straits Times 2000c). Whilst no security measure can fully detect or counter corporate hacking (Bener 2000), experts believe that there are proactive steps that the business leadership can take to minimize their security risks.

2.7.1 The Leadership Role

Research studies conducted over the years have shown that senior managers can have a profound impact on security in their organizations. For instance, results from a 1999 security survey conducted by the Singapore Institute of Management revealed that the higher the level of senior management support for security, the lower the number of security incidents occurring (Teo, Lim and Mula 1999a, 1999b). Coles (2002) contends that the majority of security breaches are caused by people and that it is leadership that can help to reduce these people problems, thus reducing the number and severity of security breaches. Hence, the key to achieving effective security in organizations lies with leadership. Security experts and researchers suggest that leading an organization towards security effectiveness requires a radical change in the way senior managers think about security: a fundamental change in the paradigms of values, beliefs, assumptions and perceptions about security. They must truly believe that their organizations’ future depends on effective security. Only then can appropriate security measures be adopted to deal with the real security issues. In changing their paradigms, security experts (Winkler 1997; Lipson and Fisher 1999; Accenture 2001; Schneier 2001; Allen 2002) suggest senior managers must first:

• embrace their role as security change catalysts

• accept that information security is solely their responsibility

• lead by example by ensuring that IS is given top priority in all current and future business activities and initiatives

• consider leadership in security matters an integral part of their roles and effectively communicate its importance to staff

• continuously keep abreast of the latest security issues

• come to grips with the fact that security is a people problem, not a technology problem

• consider security a normal part of the responsibility of every employee

• clearly define and assign security roles and responsibilities and ensure adequate resources are allocated to fulfill them

• show visible sponsorship and direction, written communications, and staff meeting time with regard to security

• create, enforce, and regularly review security policy

• work closely with their staff in combating computer crime

• recognize the benefits of having a security corporate culture

• acknowledge that information security is not an option; in some cases, it is a legal requirement

• be critically aware of the real dangers of corporate hacking to their organizations, and of their organizations’ tolerance of current security practices and the reasons for it

• provide adequate human resources and empower those tasked with enterprise-wide information security

• ensure sufficient annual budget allocations for security training

• involve and empower every member of the organization on issues related to security.

Walking the Talk

Rather than paying lip service, leaders and managers must take proactive steps to make security a top priority in their organizations. The first step is to build a security-conscious organization. Doing so can help prevent malicious and careless acts by all personnel before they occur, measurably reducing the organization’s security risks.

Recommended ways of nurturing a security corporate culture that supplements and complements existing technical security solutions, as part of a holistic approach to security effectiveness in organizations (Winkler 1997; Blackhouse & Dhillon 1999; Williams 1999; Rohland 2000; Glendalesystems.com Ltd. 2001; Computer Security Institute 2001; Bruck 2002), include:

2.7.2 Nurturing a security corporate culture

Over the past decade, a great deal has been written about organizational culture and the important role it plays in successful performance. Moorhead & Griffin (2001), leading authorities on corporate culture, define “organizational culture as the set of values that helps the organization’s employees understand which actions are considered acceptable and which are unacceptable”. As security is a “people problem”, the goal is to develop a security corporate culture and human capability through individual and organizational learning – the process of changing, obtaining feedback, reflecting, and making further changes. By improving the organization’s competencies in areas such as information protection and communication, security awareness is increased and security thereby improved. How then can an organization nurture a security-orientated culture successfully?

Nurturing a security-orientated culture can never be just another system, managerial style, or motivational gimmick applied at the lowest levels of the organization. Rather, the incorporation of a true security-orientated culture goes well beyond lip service and entails a cultural transformation driven by the redefinition of managerial roles. It is not enough for senior executives to be supportive of such change by their subordinates; they must change themselves. This managerial change cannot be accomplished simply by using quality tools and techniques. It requires a fundamental change in the values, beliefs, and assumptions about how security should be managed. Senior leaders and managers must also recognize that nurturing a security corporate culture is a continuous and long-term process, as most people are bound to resist change. To change the attitudes and behaviors of employees towards achieving an effective security corporate culture, leaders and managers must communicate clearly what the change is all about and why it matters, so that employees feel they are part of the change and see that it will improve all aspects of their lives, both professional and personal.

Empowerment And Participation

The most important aspect of any successful incorporation of security culture is the involvement of all the people working for or with the organization. These people represent the greatest threats and the most effective means of overcoming Information Security threats. Information Security breaches could be accidental or possibly deliberate. Either way, the impact on the organization could be devastating. In order to involve every member towards achieving effective security, empowerment and participation must be the hallmark of any organization wanting to make security a core component of corporate culture. Empowerment is the process of enabling workers to set their own goals, make decisions, and solve problems with regard to security. Participation occurs when employees have a voice in decisions about security issues. In other words, involve every member of the organization on security matters. Every effort must be made to get all personnel emotionally committed to improving the organization's security.

Orientation

Winkler (1997) suggests that employees should be orientated to feel right from the beginning that they owe it to their customers and to the company to handle all computer activities in a safe and secure manner. During orientation, new recruits should be informed of the company’s stand and policies regarding security issues. Additionally, they should be educated and made aware of the impact and penalties of corporate hacking.

2.7.3 Training

Due to inadequate training, confidential data and critical information have been lost, damaged and compromised through human error and negligence. To minimize these security risks, an adequate budget must be set aside to provide training for all personnel. Training must be conducted on a regular and continuous basis for every member of the organization. Traditionally, most of the emphasis in security training has been technical. However, to achieve security effectiveness, Winkler (1997) suggests that security training has to involve more than improving technical skills; it should be broadly viewed as a way of creating greater security awareness. Examples of training to be made available may include:

Technical Training

All personnel should be technically trained to a level of competence that matches their duties and responsibilities. Where personnel are poorly trained, their lack of knowledge puts the organization’s computer operations and information systems at risk, which may result in substantial damage.

Training in New Systems

All users should be adequately trained in the use of all new and enhanced systems. Where training is not updated, apparently small problems can escalate due to inadequate knowledge.

Security Awareness Training

It only takes a single lapse to put an organization’s data and information resources at risk. Therefore, it is vital that all personnel’s awareness of Information Security risks is developed to the point that it almost becomes second nature. Furthermore, it is also critical that all employees are aware of how these risks may be overcome within their day-to-day job functions. Key components of the training include:

• Types of security measures that can be undertaken, and what to do in case of an emergency

• Creating awareness of the importance of engaging in continuous improvement activities aimed at keeping up to date with information security

• Discussing current case studies of actual attacks

• Ethical and safe computing and access practices.

Additionally, Schlesinger (2002) suggests that employees be trained to be critically aware of the dangers of social engineers. As mentioned earlier, social engineers are people who use a technique based on attacking the weakest link in the entire phone system: the human being. One of the most effective ways of preventing social engineering intrusions is awareness. Other suggested ways of countering social engineering include:

• Learn the perpetrators' secrets.

• Train everyone in the organization to recognize warning signs, like people who ask for sensitive information but refuse to give contact information.

• Beware of someone trying to use intimidation, or, contrarily, flattery, to extract information; make sure your employees are confident and wary enough that such tricks fail.

• When one of your colleagues stops a social engineering exploit, let others in the company know, in case the infiltrator tries again.

• Hold an annual training session to heighten security awareness, and test once in a while to be sure people remember the lessons.

2.7.4 Communications

Information Dissemination

Empowerment comes through information dissemination, where all employees are kept well informed of the latest developments surrounding security issues around the world through the company's intranet-based information system, corporate website and communication materials such as weekly or monthly bulletins and e-mail.

Staff awareness of Information Security issues can fade, unless it is continually reinforced. Such lack of attention may lead to lax attitudes towards security, resulting in the exposure of critical and sensitive information to outsiders. Experts at Glendalesystems.com Ltd. (2001) suggest that organizations adopt the following initiatives to serve as constant reminders:

• Provide regular and relevant Information Security awareness communications to all personnel through various communication channels, such as electronic updates, briefings, and newsletters. The primary purpose is to serve as a constant reminder to all personnel of their responsibilities, to keep them aware of existing security threats, and to alert them to new threats.

• Organize and involve all personnel in ongoing Information Security awareness initiatives. These may range from formal company Information Security briefings, focus groups, and Computer Based Training to ad hoc Information Security notices, pamphlets, posters, and signs. Additionally, these sessions offer excellent opportunities for the security task management to seek valuable feedback from participants on security measures that the organization has adopted.

• Set up an intranet-based information system to keep all personnel interested in Information Security issues.

• Introduce screen saver programs which pass on different Information Security messages to all personnel.

Open Communications

Provide ample opportunities for employees to freely express themselves on matters related to information security. Face-to-face communication such as open dialogue sessions, brainstorming sessions, and weekly meetings should be held among members of the committee and employees. These sessions provide a forum where the latest developments in computer security and the industry can be discussed and feedback sought. During these sessions, members of the committee should be encouraged not just to participate in making decisions on issues related to information security (ranging from training to product recommendations) but also to be responsible for those decisions. Recommendations must also be considered seriously and changes made where necessary.

Hotline

Winkler (1997) suggests creating a hotline that enables whistle blowing. This will make it easier for all personnel to report any unusual external activities or to advise management of co-workers’ fraudulent activities without having to confront them directly. For example:

• A guard finds someone in an area he should not be in.

• An employee finds his or her co-worker going through his or her desk or someone else’s.

2.7.5 Rewards System

No workplace is more secure than an organization filled with motivated employees excited about achieving security effectiveness. In order to encourage greater employee involvement and participation in achieving organizational security goals, recognition must be given to employees for their security efforts. Rewards can take many forms, such as incentives; for security ideas that have been successfully implemented, the people behind the ideas should be acknowledged, and the positive impact their ideas have had on the organization should be highlighted in the organization’s weekly or monthly meetings. In other words, successful ideas must be celebrated and broadcast forcefully to other colleagues.

2.7.6 Formulating and Implementing Security Policies

A firm foundation is required to develop a security-orientated culture, and experts believe that foundation is an organizational security policy that covers all the necessary contingencies (Glendalesystems.com Ltd. 2001; Landwehr 2001; Conry-Murray 2002). A security policy is simply a set of rules defined to meet an organization’s goal of securing a computer or the information it possesses. The aim is to reduce the risk of, and minimize the effect of, security breaches by establishing ground rules by which all personnel should abide.

Components of a Security Policy

Allen (2002) states that security policies should be developed, deployed, enforced and reviewed in a way that satisfies business objectives. In other words, a security policy should be a wide-ranging document about managing the business as a whole, managing it securely and protecting the company's key asset - its information. A comprehensive organizational security policy encompasses and addresses all the key security topic areas, such as security risk management, critical asset identification, physical security, system and network management, authentication and authorization, access control, vulnerability management, incident management, awareness and training, and privacy (Allen 2002). In addition, the policy must provide a plan for responding to security attacks, and that plan must be rehearsed through dry runs and other simulation methods.

Policy Planning

Before any security policy plan can be developed, an organization must be aware of the dangers to which it is exposed, the risks and likelihood of such events taking place, and the potential impact on the organization. Hence, the first step in planning for a security policy is to perform a security risk assessment (Glendalesystems.com Ltd. 2001; Allen 2002).

The Security Risk Assessment function involves a three-step process:

• Having a clear and proper understanding of what security means to the organization

• Gaining a detailed understanding of the potential security threats

• Making a proactive analysis of the consequences of security breaches in relation to risks

The primary purpose is to identify the following:

1. The nature and value of the Information Assets or Business Assets

2. The threats against those assets, both internal and external

3. The likelihood of those threats occurring

4. The impact upon the organization.

Based on this understanding and analysis, the next step is to create a carefully planned policy for implementing and integrating enterprise-wide security best practices. Standards are then needed to explain why the policy is needed and the surrounding issues. Careful monitoring of the entire security plan is required on a continuous basis. In the process, flexibility in making adjustments to the security plan is a necessity, reflecting the ever-changing insecure environment and the uniqueness of the organization, in order to ensure its success.

The next stage is to put the tools in place through which the policy will be carried out such as firewalls, authentication and encryption. Unfortunately, Woodward (2001) laments that in many cases the tools come first and the reasons for installing them are not communicated.

More importantly, the policy should be kept current. Security is an ongoing issue; the risks change continuously, and the policy should be regularly reviewed. In any organization, there will always be a trade-off between the need for security and the need to let the business operate efficiently.

Policy Implementation

If the organization does not employ security experts, experts suggest bringing in an outside consultant. Organizations should be prepared to respond to the consultant's recommendations, bearing in mind that even with the best of consultants, a security breach is inevitable. However, preparing ahead of time is the only way to minimize an organization’s security risks and protect its future (Winkler 1997).

If organizations do not wish to engage the services of consultants, for whatever reason, experts at Glendalesystems.com Ltd. (2001) suggest that organizations take the following six steps for effective implementation of security policies:

Step 1 – Appointment of a Security Policies Officer

The security task force is responsible for overseeing the entire process of implementing security policies, from its inception to actual implementation. However, a member of the security task force must be appointed to take the overall responsibility for ensuring that the appropriate Information Security safeguards are in place, that Policies are agreed and rolled-out, and that all users of information within the organization understand their responsibilities and duties.


Step 2 – Review, Amend and Adapt

If there are existing security policies, the appointed security officer should then review them carefully and then discuss the scope of the Policies with his or her colleagues who represent each of the key functional / business areas. Policies should then be amended and updated accordingly to reflect current organizational security needs. For organizations that do not have any security policies in place, there is a comprehensive range of Security Policies that can be purchased over the Internet. Seek out only those that are based upon renowned international standards such as ISO 17799. Upon purchase, the same procedures apply. Modify, amend and expand on the recommended security policies that are best suited to the organizational security needs.

Step 3 – Confirm / Endorse the Policies

Confirm the amended and updated policies in consultation with other members of the security task force and the head of Human Resources / Personnel, as employment contracts may need to be amended to reflect the mandatory need for compliance with the organization’s policies. Upon confirmation, seek the endorsement of top management. For Policies to be effective, with compliance mandatory, they must be supported and endorsed by the Board of Directors or similar governing body.

Step 4 – Implementation Planning

Meetings with other members of the Security Task Force are to be held until an agreement is reached on precisely how compliance will be achieved and the management procedures to be put in place to monitor and manage the process.

Step 5 – Communicate the Policies

The Policies will now have been discussed, agreed and passed by the Board of Directors. All Policies should now be communicated to all personnel via the Intranet or similar.

Step 6 – Implement / Comply with the Security Policies

Implementation, compliance and follow-up are now required. Ensure that every member of the organization reads the Security Policies carefully and then signs to demonstrate their acceptance and acknowledgement. This goal can be accomplished through a combination of briefings at the time of hiring; notices in the employee handbook; and frequent reminders through posters, e-mail, and Web sites.

Selling Security Policies

Management needs to make the policy reflect the ethics and philosophy of the company and to show employees that the Board of Directors is committed to making it work. They also should make it clear that they expect everyone in the company to share this commitment.

The single most important element in the successful implementation of security policies is the cooperation and commitment of employees. Hence, senior management needs to sell the value of a security policy to employees, as they are unlikely to cooperate if they do not see that value. To communicate the importance of security policies, senior managers need to explain:

- the importance of information;
- the reasons for security policies;
- why things have to be done in a certain way;
- the benefits of security.

The Importance of Information

Senior managers must make it clear that an essential part of the company's success will come through the proper and best use of information. They should stress that information needs to be properly managed and protected and that senior management will be actively involved in drawing up a security policy to do this.

Reasons for Security Policies

Senior managers need to stress that the policy is about corporate commitment to protecting the company's information, which will be a key factor in business growth and so protecting jobs.

Why things need to be done in a certain way

When explaining why things need to be done in a certain way, senior managers should state clearly to employees that the policy is not just bureaucratic, annoying rules which slow everything down and cause inconvenience. It is not about the company operating a policy of constantly monitoring the behavior of its staff, but it is a key element in carrying forward the company's ethics and corporate standards, and is for the benefit and prosperity of the vast majority of honest and responsible employees.

The Benefits of Security

One important benefit of security measures which senior leaders and managers can point out is that they provide additional information which is extremely useful for various aspects of the business (Conry-Murray 2002). For instance, internal monitoring can give an excellent picture of how the company's intranet is being used - which parts are effective and which are not. In turn, such information will help organizations plan a better intranet, making information more easily and more readily available to employees. This is particularly useful for sales and marketing departments; monitoring will tell them who is using the organization’s website, so they can follow up on sales leads.

In addition to technical measures and incorporating a security corporate culture, other supplementary security measures that organizations can adopt include:

2.7.7 Supplementary Security Measures

Outsourcing

For organizations without the knowledge, experience and manpower to manage security in-house, enlisting the help of a professional security-consulting firm can have its benefits. Besides assessing what security products organizations need to meet individual business objectives, consultants can also help businesses develop a security policy addressing a multitude of issues (Blakley 2002; Bycroft 2002). Other benefits include cost savings, expert help, and 24-hour monitoring and management of security incidents (Rohland 2000; Bycroft 2002).

Hacker Insurance

A typical hacker policy covers against external hacking, miscreant employees, viruses, extortion and a host of other threats to an organization's networks (Hiscox 2002), as shown in Figure 2.13 below. A million dollars of coverage in computer security losses may cost as much as $20,000 in annual premiums; the cost rises to $75,000 for $10 million in losses (Edwards 2000). Proponents of hacker insurance suggest that the price of premiums is comparatively small as opposed to having financial peace of mind (Edwards 2000; Gonzalez 2000; Mabin 2000).

FIGURE 2.13 SUMMARY OF A TYPICAL HACKER INSURANCE

The policy offers coverage for claims arising out of any:
- negligent act, error or omission, negligent misstatement or negligent misrepresentation,
- unintentional breach of any implied statutory term concerning necessary quality, safety or fitness,
- unintentional breach of an implied contractual duty to use reasonable care and skill,
- unintentional breach of warranty of authority, breach of duty, breach of trust, breach of confidence, misuse of information or breach of privacy,
- unintentional breach of a written contract with a client to design, produce or supply software due to the software either not conforming in all material respects to the written specification forming part of the contract or failing to meet any implied statutory term concerning necessary quality, safety or fitness,
- unintentional infringement of any intellectual property right.

2.8 SUMMARY

In the first chapter of this thesis, I defined information security and the need for a people approach to security. The parameters of security problems facing organizations were discussed and it was understood that an important parameter is the human element. The question about the people issues led to an important aspect of security management, people management. In-depth understanding and knowledge of the people issues affecting security in organizations is essential to the design of the holistic security management model. Therefore, the people issues have to be carefully identified and examined prior to the design of such a model.

In this chapter, I explained the importance of security in relation to critical business needs. Organizations are highly dependent on the Internet for their critical daily operations and electronic commerce. Considering the hold that the Internet has on organizations, it is doubly important that organizations are able to secure their networks and systems. The advent of the Internet for electronic commerce removes the boundaries which exist in conventional information network systems. Together with the need to comply with legal and regulatory requirements with regard to secured information, this raises concerns about security.

The concepts of environmental risks were also discussed in this chapter. Two broad categories of risks, namely external and internal risks, were discussed. At this stage, it was important to identify participants of the corporate hacking community. Within the organizational security risks environment, there are participants with different roles. These participants are broadly grouped as external perpetrators and individuals within organizations. However, in the borderless world of the Internet, there are numerous individuals and groups involved in cyber crime.

In section six of this chapter, organizational perspectives of security and its risks were discussed. The level of security in organizations depends to a large degree on how senior management views and manages security and its risks. Given senior managers’ profound impact on security in their organizations, the key to having a more secure organizational environment lies with leadership.

In section seven, security strategies that organizations can adopt to minimize their security risks were discussed. The need for effective security has never been more important. The ability to have a secure organizational environment can spell the difference between an efficient and effective organization and one that continually falls behind or struggles in vain to keep up. Nowhere is this more apparent than in today’s fast-changing and hyper-competitive business environment. This literature review has made it possible to pinpoint many of the pertinent people issues in this area of security, as well as making some of the problem areas clearer by giving them definition and a historical foundation from which to extrapolate. In addition, this review provides a framework for discussion and identification of where these issues come from, and what their origins are.

CHAPTER 3 THE METHODOLOGY

3.1 INTRODUCTION

This chapter provides an overview of the strategy which was used to conduct this research and derive the data necessary to answer the research question posed in chapter one. In the sections that follow, research approaches in information security, the methodology, the research design and the stages of the empirical work will be explained.

3.2 SECURITY AS A MULTI-DISCIPLINARY TOPIC

Information security is fast becoming a multi-disciplinary domain. The field of information security research now includes various approaches (Figure 3.1). Most of these approaches now recognize that a range of legal, social, cultural and psychological factors shape security. All these approaches offer valuable insights in understanding the human factors contributing to security.

FIGURE 3.1 CONTEMPORARY RESEARCH APPROACHES TO SECURITY

[Figure 3.1: diagram placing Information Security at the centre of three groups of approaches (Technical Approaches, Organizational Research, Behavioral Approaches), drawing on Computer Science, Management Science, Sociology, Management, Law and Psychology]

Security exists in organizations and as an academic subject. Loudon and Loudon (1996) describe security systems as sociotechnical systems which, although composed of machines, devices, and hard physical technology, require substantial social, organizational, and intellectual investments to secure them effectively. Land (1992) argues that security systems are essentially social systems. A good example of this is the study of human-computer interaction. Research in this area shows the need for understanding the social and organizational issues that play an important role in selecting and implementing security systems. Whyte et al (1997) and Winfield (1986) argue that in order to implement an information security system successfully within an organization, security administrators and users should understand each other better and work cohesively.

Organizations can be defined in both formal and informal terms. Mullins (1996) identifies the difference between the formal and informal organizations as a feature of the degree to which they are structured. The formal organization is deliberately planned and created and is concerned with the co-ordination of activities. Within the formal organization, informal organization is always present. The informal organization arises from the interaction of people within the organization, their psychological and social needs and the development of groups with their own relationships and norms of behavior, irrespective of those defined in the formal structure. According to Morgan (1995) over time a system of cohesive groups with overlapping memberships is created in any organization. The groups may have significant power and may be in a position to influence other formal groups or even the formal structures. Failure to understand these generates uncertainty, creates complexity and introduces security risks (Backhouse and Dhillon 1994, 1996).

As Liebenau and Backhouse (1990) point out, security issues arise when we do not understand the informal organization very well. They describe information as communicated within the organization through formal and informal structures and channels. As mentioned earlier, security breaches occur both when communication breaks down and when the informal organization is not known or well understood. During the process of informal communication within the organization, a perception of security risk is formed. Therefore the degree of security is determined as a function of security risk perception, which is formed through risk communication.

In essence, security is a human problem and social in nature (Jackson and Carter 1992). Security is communicated within the organization to form security perception among the different individuals as part of the cultural context of the organization. At the very least, through communication, an additional piece of information may reduce uncertainty and increase levels of knowledge and capacity to act, or understand (Fulk et al 1991).

The research in this thesis attempts to study such ideas in the theory and practice of information security. Looking at security from the above perspective raises questions as to how individuals’ perceptions of risk can affect security in their organizations. Many of these issues are also relevant to other information security research areas particularly in the development and implementation of security measures. Therefore for the research in this thesis, there is a need to collect evidence from security professionals’ criteria for deciding which security management approach is adopted in organizations, to understand how security is perceived as a practice within organizations and based on this, understand what human factors contribute to insecurity, and to understand the impact of security management and security practices on organizations and their employees.

3.3 RESEARCH PARADIGMS IN INFORMATION SECURITY

Dhillon and Backhouse (1999) have identified two broad research paradigms in information security – positivist and interpretive. In addition, these authors found that 97% of security research falls under the positivist paradigm.

3.3.1 Positivist Approaches

Positivist approaches to IS can be characterized as analytical, value-free and grounded in positivism. Most security approaches grounded in this paradigm draw mechanical and biological analogies (Veen et al 1994). As Backhouse & Dhillon (1996) and Dhillon & Backhouse (1999) describe, positivist approaches in IS can be broadly classified into three categories:

- Checklists
- Risk Analysis
- Security Evaluation

Checklists

Checklists are used in auditing computer systems and/or data centers. They are designed to cover all possible threats to a computer program. Checklists ask for “what can be done rather than what needs to be done” (Baskerville 1993). Checklists cover disaster recovery planning, access controls, change controls, passwords, contingency planning, and physical security. Typical examples in this category are IBM’s 88-point security assessment questionnaire (IBM 1972), the SAFE Checklist (Krauss 1972; Krauss 1980) and the Computer Security Handbook (Hoyt 1973; Krause & Tipton 1997; Hutt et al 1988). As Dhillon (1995) describes, “many of the prevalent security checklists were constructed as evaluation guidelines, enabling an analyst to check the computer based system and determine the necessity of existing controls and the possibility of implementing new ones”. Although checklist approaches are still widely used in assessing information security, they are procedural in nature and therefore inadequate to understand and capture the changes in the human context. “Procedures are constantly changing and for this reason offer little in the way of analytical stability” (Dhillon 1995). Checklists are generally used as a foundation for risk identification and rarely regarded as equal to human expertise (Powell and Klein 1996).

202

Risk Analysis

Risk analysis has become the flagship of modern security management and has enabled organizations to justify their costs for new security systems while avoiding the implementation of unnecessary and expensive controls.

Courtney (1977) and Fitzgerald (1978) pioneered the risk analysis technique in their research and were followed in later years by others such as Parker (1981), Saltmarsh and Brown (1983), Fisher (1984), Badenhorst and Eloff (1990), Birch and McEvoy (1992, 1995), Krueger (1993), and Kailay and Jarratt (1994). Practically all researchers of information security use risk analysis in one form or another (Baskerville 1991). As mentioned in Chapter 1, risk analysis is a technique to establish necessary controls. It is a tool used for selecting the minimum set of controls necessary for the security of an information system (Baskerville 1991). Risk analysis provides a means of critically forecasting the financial benefits versus the initial investments. Such management science principles laid the foundation for techniques that were proposed by researchers such as Courtney (1977) and Wong (1977). The US Department of Commerce declared risk analysis based on Courtney’s technique a government standard (US Department of Commerce 1979). Consequently, this technique has been widely used and forms the basis of a number of proprietary variants (Badenhorst & Eloff 1990).

Risk analysis has prompted many researchers to identify the necessary controls that are needed to build a secure information system. For example, Birch and McEvoy (1992) developed the Structured Risk Analysis method (SRA). They were able to demonstrate how SRA can be used to perform security and safety orientated risk analysis in specific environments. Recent years have also seen the emergence of automated risk analysis methodologies, such as CRAMM (CCTA Risk Analysis and Management Methodology), used to conduct reviews. Another widely used automated security risk analysis tool is RISKPAC (Computer Security Consultants 1988). Besides seeking to provide a balance between quantitative and qualitative risk analysis, RISKPAC also calculates annualized loss expectancy, thereby adhering to Courtney’s conventional risk analysis. The methods suggest that if security risks are understood in advance and the countermeasures are developed accordingly, then it would be possible to construct secure information networks and systems. All risk analysis approaches are statistical and scientific in nature, and they methodically follow pre-defined structured steps.

The opportunities offered by risk analysis have also been a subject of interest to researchers. Merten et al (1982) look at the technique from a managerial perspective, while Boockholdt (1987) cites its importance in establishing security and integrity controls. Saltmarsh and Browne (1983) and Gallegos et al (1987) differentiate between risk analysis and risk assessment, the former being the process of identification while the latter determines the degree of exposure. Using this differentiation, they comment on the usefulness of risk analysis in establishing the monetary value of risks. Baskerville (1991), however, takes a different view. He appreciates the utility of the technique in establishing the feasibility of information systems controls, but he feels that its predictiveness is of less value and that its real usefulness lies in being an effective communication tool, especially between security and management professionals. Baskerville (1998) feels that the “best approach to the development of security design and development methodology would be to nest it with an existing, established, successful overall information systems analysis and design methodology”.

Risk analysis has had an influence on a number of other approaches. Notable among the earlier work are Parker’s program (Parker 1981) and Fisher’s methodology (Fisher 1984). Both approaches use risk analysis as a means to design controls. However, Parker introduces a different kind of analysis, the “exposure analysis”, which he claims eliminates the elements of guesswork and consensus determination. He also proposes an alternative threat method. Loch et al (1992) have gone further to develop a four-dimensional model of IS which focuses on threat identification. Warman (1993) also considers the various threat categories but gives priority to the social aspects in establishing security.

Criticism of risk analysis as a basis for developing secure systems has always been strong. Landwehr (2001) argues that it serves little to prevent security breaches, as mathematical models of risk analysis are reactive in the sense that they are the last step in the process. They help to solve the problems that were already identified. Clements (1977) regarded classical probability theory as inappropriate for assessing security risks because threats are invariably random in nature. He proposed a methodology based on the theory of fuzzy sets for the evaluation of data processing installations. More recently, researchers have critically analyzed the technique of risk analysis (Willcocks & Margetts 1994; Beck 1992; Baskerville 1991). They believe that over-reliance on risk analysis as a technique in the design of secure information systems has negative consequences and that there are few benefits in using the technique for predictive modeling.

Information Security Evaluation

Another category of research in computer security is in security evaluation methods, whose rationale stems from the need to measure security (Longley 1991). Although it is often difficult to place a value on the level of security, a number of techniques exist which help in grading the security of systems. Early work on establishing such levels of assurance was sponsored by the US Department of Defense. The emphasis was to prevent ‘unauthorized disclosure of information’. Among the various models of secure systems, the Bell La Padula Model (Bell & La Padula 1976) was the most prominent. The model deals with mandatory and discretionary access control with the primary objective of preventing illegal disclosure of information.
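To make the two mandatory rules of the Bell La Padula model concrete, the following is an added illustration (not code from the thesis or from any of the cited works): a small reference monitor that checks a discretionary access matrix first and then enforces the simple security property (no read up) and the *-property (no write down) over lattice labels of level plus category set. All subjects, objects, labels and the access matrix are constructed for the example.

```python
"""Minimal Bell-La Padula style reference monitor (added illustration).

A label is (sensitivity level, set of categories). Label A dominates label B
when A's level is at least B's level and A's categories include all of B's.
MAC rules: a subject may read an object only if the subject dominates the
object (no read up), and may write an object only if the object dominates the
subject (no write down), which is what prevents disclosure to lower labels.
DAC (the access matrix) is checked first; MAC can only further restrict.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Set, Tuple

# Linear order of sensitivity levels; categories add the lattice's second axis.
LEVELS: Dict[str, int] = {"unclassified": 0, "confidential": 1,
                          "secret": 2, "top_secret": 3}


@dataclass(frozen=True)
class Label:
    level: str
    categories: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        """Partial order of the lattice: higher-or-equal level and superset."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)


@dataclass
class ReferenceMonitor:
    subject_labels: Dict[str, Label]
    object_labels: Dict[str, Label]
    # Discretionary access matrix: (subject, object) -> permitted modes.
    dac: Dict[Tuple[str, str], Set[str]] = field(default_factory=dict)

    def check(self, subject: str, obj: str, mode: str) -> Tuple[bool, str]:
        """Return (allowed, reason) for a 'read' or 'write' request."""
        if mode not in self.dac.get((subject, obj), set()):
            return False, "DAC: mode not granted in access matrix"
        s = self.subject_labels[subject]
        o = self.object_labels[obj]
        if mode == "read":
            if not s.dominates(o):
                return False, "MAC: simple security property (no read up)"
        elif mode == "write":
            if not o.dominates(s):
                return False, "MAC: *-property (no write down)"
        else:
            return False, "unknown access mode"
        return True, "allowed"


def build_example_monitor() -> ReferenceMonitor:
    """Constructed sample subjects/objects; nothing here is a real system."""
    nuclear = frozenset({"nuclear"})
    subjects = {
        "alice": Label("secret", nuclear),        # cleared secret + nuclear
        "bob": Label("confidential"),             # cleared confidential only
        "charlie": Label("secret"),               # secret, but no categories
    }
    objects = {
        "report": Label("secret", nuclear),
        "bulletin": Label("unclassified"),
        "plan": Label("top_secret", nuclear),
    }
    dac = {
        ("alice", "report"): {"read", "write"},
        ("alice", "bulletin"): {"read", "write"},
        ("alice", "plan"): {"write"},             # no DAC read on the plan
        ("bob", "report"): {"read"},
        ("bob", "bulletin"): {"read"},
        ("charlie", "report"): {"read"},
    }
    return ReferenceMonitor(subjects, objects, dac)


if __name__ == "__main__":
    monitor = build_example_monitor()
    requests = [("alice", "report", "read"), ("alice", "bulletin", "write"),
                ("alice", "plan", "write"), ("alice", "plan", "read"),
                ("bob", "report", "read"), ("bob", "bulletin", "read"),
                ("charlie", "report", "read")]
    for subj, obj, mode in requests:
        allowed, reason = monitor.check(subj, obj, mode)
        print(f"{subj:8} {mode:5} {obj:9} -> {'ALLOW' if allowed else 'DENY '} ({reason})")
```

Note that alice, although cleared higher than the bulletin, is refused the write: the *-property stops a high-labelled subject from leaking what it has read into a lower-labelled object, while her write up to the plan is permitted.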

In 1983, the National Computer Security Center in the USA published the Trusted Computer System Evaluation Criteria, targeted at Automatic Data Processing systems. These provided computer vendors with an evaluation procedure to develop trusted computer systems. Today, these criteria form an integral part of the US Department of Defense security procedures. Recently, research has been carried out to improve and supplement these evaluation criteria. For example, Chokhani (1992) expands upon these criteria and proposes an Information Security (INFOSEC) approach to such an evaluation. Hoffman et al (1978) adopted a different basis for security evaluation. They proposed an automated tool, SECURATE, which supports a design and selection process. The system automates the security analysis process and provides detailed ratings of a system's security profile. SECURATE calculates the security ratings on the basis of fuzzy set theory and ultimately outlines the strengths and weaknesses in system design. However, critics have contested the statistical validity of fuzzy metrics. Besides the US, evaluation criteria have been established in other countries as well. In the UK, for example, the Department of Trade and Industry and the Government Communications Headquarters produced a series of ‘Green Books’. These were specifically intended for the Commercial Computer Security Centre.

In an attempt to harmonize the work on information security standards in Europe, France, Germany, the Netherlands and the United Kingdom decided to combine the best features of each of the national initiatives. As a consequence, in May 1990, the first draft of the Information Technology Security Evaluation Criteria was issued. The text is referred to as the ‘White Book’. Evaluation criteria, while having found public approval, still fail to provide answers to many important questions and are unacceptable to a body of researchers in the area (McLeen 1990). Furthermore, they are still very much rational/objective and fail to address organizational issues (Backhouse and Dhillon 1996).

As discussed in Chapter 2, information security is seen as a business risk management responsibility. Organizations are responsible for the information they own, and they must establish and document a process for granting and denying access to, and for the distribution of, information (Norman 1983). Since information is now seen as one of the most valuable assets of the organization, security over database access has gained more importance over the years (Backhouse and Dhillon 1996).

Existing IS evaluation approaches have assumed that information systems are objective and rational, and thus capable of being evaluated by the use of objective and rational tools and techniques. Hence, as with checklists and risk analysis methods, the research conducted with evaluation methods in security is based on the positivist research paradigm, which is scientific in nature and assumes that investigation of security issues can be made objectively and rigorously (Klein and Lyytinen 1985).

According to Backhouse & Dhillon (1996), the underlying principles of most risk analysis and evaluation based information systems security approaches can be enumerated as follows:

1. that organizations and their information systems are considered in terms of strict boundaries which differentiate them from each other and from the environment;
2. that information systems and security management are conceptualized as being procedural in nature and hence focus on the input, throughput, output and feedback mechanisms;
3. that organizations and their information systems are considered secure if the needs of models (subsystems) are satisfied (i.e. by having secure subsystems, we can have a secure organization);
4. that different models (that help in securing parts of an information system) are mutually interdependent;
5. that overall security can be achieved by analyzing the behavior of constituent elements of the system.

Of late, positivist approaches in security have come under strong criticism. Recently Angell (1993; 1994), while discussing the impact of globalization on today’s businesses, takes a radical stance on the implications for the security of information systems. He criticizes the positivist perspective on the grounds that logic, rationality and technology are the vehicles of cognitive dominance that lead to the alienation of humans. This in turn becomes a barrier to the achievement of full ‘humanness’. Angell criticizes the positivist approaches to security on the basis of ‘sheer complexity’, ‘profound uncertainty’ and ‘linear thinking’ on the part of security managers. Underlying this criticism is his concern with the ‘pathology of consciousness’, because of which people see themselves as trapped within a mode of social organization that is created and supported in their everyday lives.

Baskerville’s (1988) earlier work in designing information systems security was highly structured and mechanistic. In recent years he has been highly critical of the positivist approach, especially in relation to his ideas on risk analysis (Baskerville 1991). As he describes, one of the weaknesses of the risk analysis method is that the calculated probability can be meaningless if the original estimates are incorrect (Baskerville 1991). He argues that risk analysis is subjective in nature although it hides behind statistics, and is therefore open to social misuse. Hence, he suggests that risk analysis should be used as an effective communication tool between security professionals and business managers when deciding to invest in IS.

Despite the criticisms, the majority of the work in security research remains locked within the positivist paradigm. Therefore, security aspects of information systems are often considered as ‘after-thoughts’ to system design, development and implementation. There are, however, occasional efforts by a few researchers who have increasingly looked towards the interpretivist approach for a suitable theory of knowledge.

3.2.3 Interpretive Approaches

There has been little research in information systems security that can be termed interpretivist in nature (Backhouse and Dhillon 1999). Generally positivists do not even acknowledge the existence of such research efforts (ibid.). For them the approaches are ‘abstract’ and ‘too general’. However, because of increasing dissatisfaction with the prevalent security approaches, there is a growing body of researchers who have begun to consider interpretive approaches in their efforts to develop secure information systems (Backhouse and Dhillon 1999). Recent work by Willcocks and Margetts (1994) emphasizing the importance of the social aspects of information security marks a growing trend towards interpretivist approaches. Strens and Dobson (1993) state that an ideal security policy should clearly define the responsibilities of different stakeholders within the organization. Although they begin with an interpretivist paradigm in mind, the very usage of Searle’s and Austin’s (1962) concepts in a mechanistic, linear manner shows there is an inclination towards positivism. In recent years, Baskerville (1991) has shown an increased tendency towards interpretivism, especially in relation to his ideas on risk analysis. Backhouse & Dhillon (1993, 1994, 1996, 1999) also approach information security from an interpretivist point of view using semiotics and communication acts, and they argue that security breaches in organizations occur when communication breaks down. Dhillon and Backhouse (1999) further argue that “an interpretivistic analysis of information systems security is certainly advantageous as it provides a holistic view of the problem domain, rather than simplistic, one-dimensional, explanation abetted by the positivists”.

In the security field, the question of which research methodology is most appropriate has been a concern for some time. Walsham discusses the character and validity of knowledge gained via interpretive research and introduces the terms ‘Appropriateness’ and ‘Replacement’. By ‘Appropriateness’, he means that interpretive research is better suited to gaining in-depth information in the area of research; at the extreme, ‘Replacement’ means that the positivist approach should be replaced by interpretivism (Walsham 1995). The justification for the research in this thesis is based on appropriateness. In this research, the humanistic nature of the topics under study determined the appropriateness and suitability of the research methods chosen. Other issues considered are the expected contributions of this research and its use to the academic community as well as to the professional community.

The overall research methodology described in this thesis is influenced by an interpretivist epistemology. This means that the security phenomena, such as the people issues affecting security in organizations, are regarded not as being objective reality but as being the result of interpretations or sense making by people of the reality around them.

3.3 THE RESEARCH DESIGN

3.3.1 Research Strategy

For the empirical part of the research, a combination of interpretivist and positivist methodologies in a multi-methodological approach was adopted, as suggested by Mingers (1997). Mingers argues that the traditional attitude of isolationism by security researchers in defending their paradigm as the “correct one” is pointless. He contends that “each research approach focuses on different aspects of reality and, therefore, it is best to try to combine several together in a single piece of research or intervention in order to gain the richest appreciation of the situation” (Mingers 1997). I agree with Mingers’ position, especially because in an applied field such as information security, it is important to achieve a balance between rigor and relevance (Myers, 1997) and often the best way to achieve such a balance is to use a multi-paradigm design. Such a view is also consistent with Lee’s (1991) when he argues that positivist and interpretivist designs are not mutually exclusive but are mutually supportive within the same study. Another important distinction regarding the research methodology is between qualitative and quantitative methods. Quantitative methods rely on formal methods, which try to reduce the complexity of a given organizational set-up to a simpler model, measurable by means of numerical designations. Qualitative methods use sources such as interviews, documents, texts or participant observation as well as the researcher’s own impressions and reactions. Both qualitative and quantitative research designs can be positivist or interpretivist, depending on the researcher’s epistemological foundations. In this thesis, both types of methods have been used under an interpretivist epistemological background (see Figure 3.2).

FIGURE 3.2 THE TRIANGULATION OF RESEARCH METHODS

[Figure: three methods triangulated against an interpretivist epistemological background: Interpretation of In-depth Interviews (Qualitative); Descriptive Results of Web Survey (Quantitative); Inferential Results of Web Survey (Quantitative).]

The web survey that was carried out produced quantitative data, which was analyzed both as descriptive and as inferential statistics. These two sets of results were, in turn, triangulated with the third method: the interpretation of 8 in-depth web interviews compiled and summarized into the IS Issues database (see Appendix 4). Triangulating means comparing and cross-checking results obtained through different methods of analysis.

3.3.2 Objectives of the Empirical Research

The primary objective of the empirical part of this research is to determine which security issues, and especially which people issues affecting security in organizations, security professionals perceive as the most problematic. Findings from this research can then be used to help identify human related issues affecting security in organizations and to improve security in real life settings. It is further hoped that:

o For security researchers, this understanding could act as an impetus to further research adopting a holistic approach to the study of information security.
o For government officials, business leaders and managers, the findings of this research could create greater awareness of the importance of the human element when considering and managing security in organizations.
o For security developers and researchers who study information security management techniques and methods, this research could offer a basis for modifying their existing technical models into holistic security management models.

At its most fundamental level this is a cross-sectional study designed to collect data on issues surrounding security in organizations. A cross-sectional study was determined to be especially useful since the primary purpose was to gather pertinent information on individual attitudes and to explore areas for further research.

3.3.3 Stages of the Empirical Work

The empirical work was conducted in three stages and involved an in-depth analysis and review of the security issues, especially the people issues, which exist for organizations (see Table 3.1 below for a description of the stages).

TABLE 3.1 STAGES OF THE EMPIRICAL WORK

STAGE 1
o Design “Issues Database”.
o Design initial categorization of security issues for database.
o Identify as many of the problems and factors which affect security as possible from the literature, general interviews, observation, and content analysis of world wide web discussions (and other sources as applicable).

STAGE 2
o Design initial interviews.
o Interview security practitioners to determine shared meanings, definitions, measures, and variables.
o Reevaluation of database categorizations, sub categories, and issues based on interviews.

STAGE 3
o Develop a comprehensive survey to be sent to all security researchers and practitioners.
o Identify crucial people issues which impact security.
o Collect, analyze, and create reports from the data gathered in the survey and interview process.

Gaining Entry

In stage one, a literature review was conducted to identify the prevalent security issues affecting organizations since security problems were first detected. These issues were extremely important in that they provide a foundation for current issues. The initial research conducted in the first stage of the study also included the identification and observation of current trends relating to security countermeasures. Specific attention was placed on organizations in the private sector and their adoption of security measures. The information garnered from this portion of stage one is reflected in the literature review, the description of the issues, and the issues database.

Possibly the most crucial portion of stage one involved the creation of an IS Issues Database (see Appendix 4). The information was derived from a series of informal interviews conducted with security professionals and former hackers from all over the world since early 1999, well before I started on this research. Another large portion of the data for this database was made up of pertinent literature on security and the review and analysis of discussion forums on the World Wide Web. The information gathered was categorized in the database for ease of use and updated throughout the course of this research.

IS Issues Database

The original categorization system was structured around seven issue areas based on informal interview responses and the initial literature review. These were: organizational issues (budgeting, corporate culture, management support, security management, company policy, security planning and security policy); environmental risks issues (external and internal security threats, politics, competition); legal and regulatory issues (those issues related to software piracy, secured information, data protection, privacy and legal mandates/rules such as ISO 17799); security technologies (specific issues like network security, encryption, security software programs); leadership issues (issues relating to senior management concepts, perspectives, behaviors, beliefs and management styles, contracting, budgets, and strategic planning); and personnel issues (those issues pertaining to training, internal organizational politics, and expertise or skill levels).

The database serves, throughout the course of the research, not only as an evaluation tool by which to categorize the issues discussed specifically in this study, but also as a continuous working foundation for more extensive research on a broad range of IS issues.

Stage Two


The second stage of this project provided a key bridge between the initial gathering of general information with regard to security and the final description of the most problematic and fundamental people issues specific to security in organizations.

Stage two involved the design and conduct of interviews to gather more in-depth qualitative data. Walsham (1993) states that the method must be ‘appropriate and rich’. The evidence needs to be interpreted in a real life setting, in an important application domain for the organization where security management and practices must be applicable. Thus, it was determined useful to gather information on issues affecting security in organizations from people who are directly involved in the practical work of security in organizations; hence the selection of security practitioners, as opposed to researchers, as interviewees. Much of the design for this interview was garnered from the review of the literature, preliminary interviews with interested professionals/practitioners, and the issue identification from stage one. The interview questions were prepared beforehand and, by design, structured as open-ended questions.

Interview Questions

1. How do you define Information security?
2. What do you perceive as the role of IS in organizations?
3. What are the most problematic people issues facing organizations with regard to security?
4. Who do you perceive as posing the greatest human threats to security in organizations?
5. In your opinion, what measures can organizations take to improve their security effectiveness?

An interview by questionnaire is such that only a limited set of predefined questions can be raised, with an underlying tendency towards quantitative rather than qualitative data. Hence, to gain deeper insights on organizational security issues, the questionnaire was emailed together with an IS Issues Database attachment to a small, select group of 8 security practitioners. Interviewees were asked to respond to the interview questions and were free to agree, disagree and make changes to the IS Issues database. In most cases, several interviews took place with the same respondent.

The primary objectives were to explore additional concepts, factors, and ideas for the research and probable explanations underlying some of the key issues identified in the original IS Issues database. Feedback and suggestions from interviewees also provided additional qualitative data on the people issues surrounding security in organizations. In interpretivist research it is important to capture such details, and this is only possible given flexible questioning during data capture. Therefore, in this research interviewing is preferred to a purely questionnaire based interview. The interview approach brings the respondent and me closer, helps me to capture the rich context, and helps to identify subtle differences in respondents’ beliefs and perceptions. Each interviewee’s answers were entered into a database for content analysis and review. The information garnered was used to enhance the database created in stage one as well as to serve as a framework for the design of the descriptive survey in stage three.

One of the most important findings from the analysis of the data derived from the survey and interviews was the reformulation of a breakdown of security issue types. These were then used as a primary categorization tool. Sub-categories were added from the various issue types.

Issues in the database were then re-categorized to make the information contained more understandable and useable as a future resource for IS issues study. After a careful review, a final set of categories was then designed which – when combined with the issues themselves as a sub-category – provides a more complete and usable system by which to organize the multitude of issues affecting security in organizations. Finally, the issues are broadly categorized into two areas: external threats and internal threats.

External threats issues reflect external risk factors that can adversely affect security in organizations, either directly or indirectly. Sub-categories of external threats issues comprise environmental risks issues and human threats. Internal threats issues reflect risk factors within the organizational environment that can have a profound impact on security. Sub-categories of internal threats issues comprise organizational issues, security management issues, senior managers’ issues, personnel issues and human threats issues.

Table 3.2 below provides a representation of the final categorization of issues for use in this research. Appendix Three provides general descriptions and characteristics of the 29 main issues relevant to this study.

TABLE 3.2 EXTERNAL AND INTERNAL THREATS ISSUES

EXTERNAL THREATS ISSUES

Sub category: Environmental Risks Issues
Issue types: Third Party; Ever Changing Security Threats; Political; Economic; Legal; Media; Social; Existing Solutions; Inherent Internet Flaws; Rapidly changing technologies

Sub category: External Human Threats
Issue types: External Consultants; Competitors; Hacktivists; Script Kiddies; Phreakers; Virus Creators; Software Pirates; Social Engineers

INTERNAL THREATS ISSUES

Sub category: Organizational Issues
Issue types: Organizational Support; Organizational Directives; Budgeting; Organizational Culture; Organizational IT Expertise; Organizational Security Expertise; Leadership; Adequate Staffing; Communications; Change

Sub category: Security Management Issues
Issue types: Planning; Policy; Role Responsibility; Internal Security Systems; Interdepartmental Coordination; Training

Sub category: Senior Management Issues
Issue types: Individual Support; Individual IT Expertise; Individual Security Expertise; Involvement; Commitment; Resistance to Change

Sub category: Personnel Issues
Issue types: Individual IT Expertise; Individual Security Expertise; Security Awareness Training; Role Ambiguity; Resistance to Change

Sub category: Internal Human Threats
Issue types: Careless Employees; Disgruntled Employees; Malicious Workers; Planted Workers; Telecommuters; Temporary Consultants

Stage Three

The third and final stage of this study consisted of the development and conduct of a survey instrument. Galliers (1990) suggests surveys are used to obtain snapshots of a situation at a particular point in time. In general, questionnaires are used to obtain information and deductions are made in reference to events that occur at different time frames. It is possible to analyze a number of variables through the use of surveys.

Surveys are used more to obtain quantitative information in the positivist research paradigm. Thus, they are likely to gather very little insight regarding the causes behind the phenomena under study. On the other hand, if surveys are designed carefully they are a good means of looking at a far greater number of variables, and they enable the researcher to describe and analyze the situation from different viewpoints (Galliers 1990).

In this research, the survey was designed to be more specific and detailed than the interview conducted in stage two. The responses and issue information garnered from both of the first two stages were used in the production of this survey. This instrument was designed to provide a descriptive view of the perceptions of security professionals with regard to security in organizations. The content validity of the questions used for this survey was initially established by ensuring that the concepts addressed were grounded in fact or established theory as well as verifying through the stage two interviews that there was a common understanding among this particular respondent group. Interpretation of the findings was done in the interpretive paradigm both in the interviews and the survey. Responses given in the interviews were interpreted as facts and perceptions based on my own judgment to validate for meaning as well as the human context.

As mentioned earlier in this chapter, the survey together with the IS Issues Database attachment was emailed to each potential respondent, with a cover letter addressed specifically in the individual’s name. Each respondent was asked to submit the completed survey electronically. After two weeks an email reminder to encourage participation was sent to the respondents who had not submitted their survey. Finally, after one month, a final email reminder was sent to the remaining respondents.

One of the problems with web surveys is the response rate. To encourage participation, a survey report of the findings will be emailed to all those who responded to the survey. A copy of the actual e-cover letter is contained in Appendix 1.

The survey was broken into three parts: general descriptive information, specific issue information and demographic information. In the first part of the survey respondents were asked to identify the kinds of security measures that organizations make use of, and their perceived role and level of security in organizations. In addition, their opinions were sought on how organizations can improve their security effectiveness. In the second part of the survey each respondent was asked to rank how problematic an issue was with regard to achieving security effectiveness in organizations. In the third part of the survey, each respondent was asked their country of origin, years of security experience, and job title.

INFORMATION SECURITY HUMAN FACTORS SURVEY

1. This survey is part of a doctoral research study designed to identify what factors most influence effective security in organizations. Your answers to the survey items will be consolidated to determine which human factors affect security in organizations.


2. Please answer the survey questions and submit the survey before March 28, 2003 for inclusion in the research findings.

3. All respondents will be kept completely anonymous.

4. Please be as specific as possible in Part I. Your answers are critical to the study and your suggestions will be included in the recommendations section of the final report.

5. If you have any questions about this survey, contact me at [email protected]

6. Please don’t hold back — be honest — say anything you feel is important.

Thank you for your serious consideration of the survey items, and for your comments, suggestions and ideas.


Part I

1. What kinds of security measures do organizations make use of? (Please check all that apply, and feel free to add any additional security measures not listed.)

o Anti-virus software
o Authentication
o Authorization
o Encryption
o Firewalls
o Hacker Insurance
o Implementation of Security Policies
o Incorporating Security Culture
o Outsourcing
o Password Management
o People Management
o Security Awareness Training
o Other:

2. What do you perceive as the “role” of security in organizations?

o Avoiding bad press or reputation due to security breaches
o Avoiding legal and regulatory liability issues concerning security breaches
o Meeting international security standards (e.g. ISO 17799)
o Nice to have rather than the need to have
o Protecting Customers’ information
o Securing networks and systems
o Other:

3. Please list two of the greatest threats to security in organizations.

4. Who do you perceive as being responsible for security in organizations?

5. Please list the 3 issues that you feel are inhibiting security effectiveness in organizations. (1) _____________, (2) _____________, (3) __________

6. Overall, how would you rate the effectiveness of security in organizations (0 being ineffective, 10 extremely effective)? _______________

7. How can organizations improve their security effectiveness?

_________________________________________________________________

Part II

For the following eight sections please rate on a scale of 0-10, how problematic the issues listed are with regard to security in organizations. (0 being not at all problematic, 10 being extremely problematic) Please feel free to add and rate additional issues for each section.

(1) External Environmental Risks Issues

Availability of Effective Solutions _______________
Economic Slowdown _______________
Hyper Competition _______________
Ineffective Laws _______________
Inherent Internet Flaws and Weaknesses _______________
Media Misrepresentations _______________
Political Crisis _______________
Rapidly changing security technology _______________
Ever changing security threats _______________
Other: _______________

(2) Existing Technological Solutions Issues

Bugs in Security Software _______________
Difficult to Implement _______________
High Acquisition Cost _______________
Inherent Flaws in Security Technologies _______________
Lack of Holistic Planning Model _______________
Lack of Holistic Security Management Model _______________
Requires Security Expertise _______________
Other: _______________

(3) External Human Threats Issues

Competitors _______________
External Consultants _______________
Script Kiddies _______________
Social Engineers _______________
Software Pirates _______________
Phreakers _______________
Virus Creators _______________
Other: _______________

(4) Organizational Issues

Adequate Staffing _______________
Budgeting _______________
Communication _______________
Interdepartmental Coordination _______________
Leadership _______________
Organizational Culture _______________
Organizational Directives _______________
Organizational IT Expertise _______________
Organizational Security Expertise _______________
Organizational Support _______________
Resistance to change _______________
Other: _______________

(5) Security Management Issues

Failure to upgrade Systems _______________
Lack of security awareness training _______________
Lack of Security Corporate Culture _______________
Lack of security policy _______________
No Formal Security Plan _______________
Reliance on Outsourcers _______________
Role Ambiguity _______________
Other: _______________

(6) Senior Managers’ Issues

Individual Support _______________
Individual IT Expertise _______________
Individual Security Expertise _______________
Lack of Commitment _______________
Lack of Involvement _______________
Resistance to Change _______________
Other: _______________

(7) Personnel Issues

Individual IT Expertise _______________
Poor Communications _______________
Lack of funds _______________
Lack of Management Support _______________
Lack of Training _______________
Role Ambiguity _______________
Lack of Rewards and Recognition _______________
High workloads _______________
Uncertain policies and priorities _______________

(8) Internal Human Threats Issues

Careless Employees _______________
Disgruntled Employees _______________
Ignorant Employees _______________
Malicious Workers _______________
Planted Workers _______________
Telecommuters _______________
Temporary Consultants _______________
Other: _______________

Part III:

1. What is the name of the country from which you are responding?

2. What is your job title?

3. Number of total years’ experience in the security field?

o More than 15 years
o 11-15 years
o 7 – 10 years
o 3 – 6 years
o Less than 3 years
o Not sure

Please add any additional comments, explanations, or issues below. Please contact Rita Goh at (65) 6244-2002 or Email: [email protected], to ask questions or discuss topics related to this survey/study.

Thank you for taking the time to answer the questions in the survey.

Sample and Population

The general population set used in this research was made up of security professionals from 12 countries. The sample to be surveyed was taken mainly from the following lists posted on the Internet:

o Center for Cryptography Computer and Network Security (University of Wisconsin, Milwaukee) [http://www.cccns.uwm.edu/]
o Cambridge University Computer Security Group [http://www.cl.cam.ac.uk/Research/Security/]
o Centre for Computer Security Research, University of Wollongong, NSW, Australia [http://www.cs.uow.edu.au/ccsr/]
o Computer Security and Industrial Cryptography (COSIC) Group [http://www.esat.kuleuven.ac.be/cosic/]
o Cryptography and Computer Security Service [http://www.ulb.ac.be/di/scsi/]
o Information Security Group, Royal Holloway, University of London [http://www.isg.rhul.ac.uk/]
o Information Security and Telecommunications Laboratory, Pohang, Korea [http://wooly.postech.ac.kr/]
o Korean Cryptographers' Homepages [http://dosan.skku.ac.kr/~sjkim/Kr-Cryptographer.html]

A careful review of the sample’s bios, included in the listings, revealed that the sample were all graduates of either U.S. or U.K. universities. The sampling frame for the survey comprised mainly professors, researchers and lecturers from Departments of Computer Science, IT Security and Information Security, and security practitioners ranging from independent consultants and those working in security companies to those engaging in consultancy work for both small and large public and private corporations. A review of the sample’s educational and professional backgrounds was deemed necessary to ensure that there was no language problem and that there was enough security expertise to make their responses viable. Questionable participants were contacted directly via email to determine their viability for the research. The final number of those to be surveyed who met the specific criteria was a combined total of 245 security professionals.

Response Rate

Out of the 1,420 security experts who were surveyed for their response to a series of IS questions, a total of 245 completed questionnaires were submitted. This gives a response rate of 17 per cent, reflecting the interest and cooperation of respondents for the survey. Appendix Two provides a complete listing of the participants surveyed in this study.

3.4 LIMITATIONS AND ASSUMPTIONS

The research methods used in this thesis for the collection of data, web based interviews and web surveys, have often been criticized on the grounds that they lack face-to-face interaction. Are such “interviews” real, some ethnographic and action researchers may ask? How can you learn about what people are doing, saying and feeling without meeting them, or without spending time amongst them?

It was clear to me when I began the research that the traditional interview techniques would have to be modified to some degree to enable their efficient use in the non-physical environment of the Net. For example, the action research staple, the face-to-face interview, is not possible in its traditional form when the participants are distributed around the globe. Given the size and locality, it seems paradoxical that one need not travel in order to reach or interview them.

The complexity of the organizational security issues under study requires an in-depth understanding of the various risks, organizational dynamics, and risk and industry sectors. Each company and sector will have its own set of unique human related security problems. For example, organizations in the financial sector are highly likely to experience different and greater human related security risks than those in the manufacturing sector. The very broad scope of this research has necessitated providing only an overview of the typical elements of human related issues impacting security in organizations. The decision to perform such a broad study, as opposed to one that was more narrowly targeted, was made because security is a fairly new phenomenon and the human approach to the study of organizational security is virtually a new concept, which means there is currently very little published work in this field; such a study would act as a catalyst for further research.

Another issue in this research was my bias. As mentioned earlier in this chapter, I started researching on organizational security issues 4 years ago, long before beginning this research. Hence, the long familiarity with the topic had predisposed me to certain judgments and opinions about security and its risks in organizations. However, for this type of research, understanding of the people issues affecting security in organizations was more important than my bias.

One of the inherent limitations in survey research is the subjectivity of each respondent. No matter how carefully written or completely tested, each survey is vulnerable to differing interpretations of the questions. Because of the descriptive-interpretive purpose of this survey, and because the main focus of this research was not to statistically prove relationships between issues but to determine the most problematic ones, this particular limitation is recognized and accepted in this study. In addition, it is possible that some responses were the result of defensiveness, apathy, or ignorance on the part of a particular respondent, which will be further discussed in Chapter 5.

3.5 SUMMARY

This chapter presented and justified the interpretive approach for this research. Both positivist and interpretivist approaches were discussed and compared. Since the people issues related to organizational security could only be interpreted, the interpretive approach was deemed more appropriate.

The last section of the chapter explains the research design. Primary data consisted of literature accumulated over a four-year period, and the secondary data consisted of email interviews with security practitioners. In order to understand the impact of people on security in organizations, a survey was conducted with security professionals. The purpose of the survey was to understand the attitudes and perceptions of security professionals towards human related issues affecting security in organizations.

CHAPTER 4 RESULTS AND DATA ANALYSIS

4.1 INTRODUCTION

The previous chapter explained how the web survey was conducted. This chapter summarizes the results of the survey. As discussed in Chapter 3, this survey was used to complement the findings and analysis of the interviews compiled into the IS Issues Database. The main objective of the survey was to understand security professionals’ views and opinions on issues affecting security in organizations.

Analysis of data is provided for each part of this study, and is organized around the survey questions presented and advanced methodologically in Chapter 3:

o Security Measures in Place
o Perceived Role of Security
o Top 2 Potential Threats
o Top 3 Organizational Inhibitors
o Security Role Responsibility
o Security Rating
o Improving Security Effectiveness
o External Environmental Risks
o Existing Solutions Issues
o External Human Threats
o Organizational Issues
o Security Management Issues
o Senior Management Issues
o Personnel Issues
o Internal Human Threats

4.2 PROFILE OF SURVEY RESPONDENTS

As indicated in Chapter 3, the most common problem in web survey research is non-response error. In this survey, response rate was quite high (17%), way above the current norm of 11% response rate for web based surveys (Zikmund 2002).

Out of the 1,420 security professionals from 12 countries who were surveyed for their response to a series of questions pertaining to organizational security issues, 245 from 10 countries responded. Figure 4.1 provides a breakdown of the percent representation of all the respondents and their country of origins.

FIGURE 4.1 RESPONDENTS BY COUNTRY

[Figure: pie chart of respondents by country. United States 46%; United Kingdom 31%; Singapore 4%; Canada 4%; Korea 3%; Switzerland 3%; Australia 3%; Japan 2%; Germany 2%; Belgium 2%.]

Of the 245 polled, 151 were security researchers representing 61 percent and 94 security practitioners representing 39 percent of the total respondents respectively, as shown in Table 4.1.

TABLE 4.1 RESPONDENTS BREAKDOWN

Respondent Type   Total Surveyed   Percent of Total Surveyed   Total Respondents   Percent of Total Surveyed   Percent of Total Respondents
Researchers       448              32%                         151                 10%                         61%
Practitioners     972              68%                         94                  7%                          39%
Total             1420             100%                        245                 17%                         100%

As shown in Table 4.1, this survey achieved a 17% return, reflecting the overall interest and cooperation of respondents. The response from security practitioners is not particularly high; however, due to a number of significant factors, it is an acceptable return. As discussed in Chapter 3, this survey was designed to determine individual perceptions of human related security issues in organizations. This type of inquiry requires quite a bit of thought on the part of security practitioners, as they are more inclined towards the technical issues in their practical work. In addition, the study targeted practitioners, who typically have less time and inclination for surveys that may or may not impact their work directly. Finally, a number of the security practitioners may feel they do not have the expertise necessary to address the human related questions being asked. A total of 66 of these professionals have over seven years of security experience. Table 4.2 provides a breakdown of the percent representation of all the respondents and their security experience. In the absence of a better criterion for assessing respondents’ expertise on the human aspects of security, returns from this category of respondents provide the best answers to questions concerning the people issues affecting security in organizations. The data collected by the survey hence provide a good indication of the attitudes and behaviors of individuals within organizations towards security.


TABLE 4.2  RESPONDENTS' SECURITY EXPERIENCE

Expertise Level        Number of Respondents   Percentage
More than 15 years        6                       3
11-15 years              22                       9
7-10 years               38                      15
3-6 years               125                      51
Less than 3 years        42                      17
Not sure                 12                       5
Total                   245                     100

Table 4.2 shows the breakdown of respondents by expertise level. The small number of respondents with more than 15 years of security experience (6, or 2.5%) is to be expected, given that the security industry is relatively young. The largest group is those with 3-6 years of experience: 125 respondents, or 51%. This is not surprising considering the phenomenal growth of the security industry in the past five years.

4.3 ANALYSIS OF GENERAL DATA

A number of the questions put to security practitioners and researchers were designed specifically to establish background information about the current security environment in organizations and to identify some of the circumstances that might shed light on the issues under discussion.

4.3.1 Security Measures In Place

The first of the background questions dealt with the kinds of security measures organizations have in place (Table 4.3). This information is useful in determining the risk perceptions of organizations. All respondents (100%) reported that anti-virus software was installed in the workplace, 85 percent reported the adoption of firewalls and 65 percent reported the use of encryption. Only 10 percent of respondents reported the provision of security awareness training, and 12 percent the adoption of people management in organizations.

TABLE 4.3  SECURITY MEASURES IN PLACE

Existing Security Measure               Number of Responses   Percentage
Anti-virus software                      245                   100
Authentication                            96                    39
Authorization                            120                    49
Encryption                               159                    65
Firewalls                                208                    85
Hacker Insurance                           5                     2
Implementation of Security Policies       96                    39
Incorporating security culture             7                     3
Outsourcing                               96                    39
Password Management                       54                    22
People Management                         29                    12
Security Awareness Training               24                    10

(Multiple responses allowed; percentages are of the 245 respondents.)

While this is certainly not a complete list of the security measures organizations could use, it gives a good indication of the kinds of measures currently adopted by organizations of all sizes. The results suggest that external breaches are of greater concern to organizations than those perpetrated internally, since anti-virus software, firewalls and encryption are measures designed primarily to ward off outside attacks.

4.3.2 Perceived Role of Security

Respondents were asked what they perceived to be the "role" of security in organizations (Table 4.4 and Figure 4.2), in order to understand security professionals' opinions about the importance of information security in organizations. 48 percent of those surveyed indicated that organizations viewed security as a nice to have rather than a need to have.

Although 28 percent of respondents indicated that organizations recognize the security of information as a key business issue in the modern e-business world, organizations may be unaware of the legal implications of insecurity: only 2 percent of respondents indicated that organizations viewed security as a legal requirement. Negative publicity resulting from insecurity is also not a major concern for organizations, as indicated by only 6 percent of respondents.

TABLE 4.4  PERCEIVED ROLE OF SECURITY

Role of Security                                                    Number of Responses   Percentage
Avoiding bad press or reputation damage due to security breaches     15                    6
Avoiding legal liability issues concerning security breaches          5                    2
Meeting International Security Standards (e.g. ISO 17799)            12                    5
Nice to have rather than need to have                               117                   48
Protecting customers' information                                    57                   23
Securing networks and systems                                        39                   16
Total                                                               245                  100

FIGURE 4.2  PERCEIVED ROLE OF SECURITY
(Figure not reproduced; segment labels as printed: Others 5%; Avoiding bad press or reputation due to security breaches 6%; Avoiding legal liability issues concerning security breaches 2%; Securing networks and systems 16%; Meeting International Security Standards (e.g. ISO 17799) 5%; Protecting customers' information 23%; Nice to have rather than the need to have 43%.)

4.3.3 Top 2 Potential Threats

This survey question asked respondents to list what they perceived to be the two most critical potential threats to security in organizations. A content analysis of the responses showed former employees (69%) and poor implementation of security policies (48%) to be the two greatest perceived threats. Table 4.5 gives the complete breakdown of responses to this question.


TABLE 4.5  TOP TWO POTENTIAL SECURITY THREATS

Potential Threat                                  Number of Responses   Percentage
Current Employees                                  54                    22
Denial of Service Attacks                          76                    31
Former Employees                                  169                    69
Hackers                                            96                    39
Lack of Employee Awareness                         49                    20
Outsourced Service Providers                       44                    18
Poor Implementation of Security Policies          118                    48
Systems Administrators                             24                    10
Vendor Products with Weak Security Controls        71                    29

(Multiple responses allowed; percentages are of the 245 respondents.)

4.3.4 Top 3 Organizational Issues

This question asked respondents to list what they perceived to be the three most important issues inhibiting security effectiveness in organizations. A content analysis of the responses showed the top three inhibiting issues to be budget constraints (75%), lack of employee security awareness training (72%) and lack of strategic/formalized security policies (69%). Three other issues in this category also received substantial response as being of great concern: lack of management support, unclear responsibilities and lack of competent security personnel. Table 4.6 provides a complete listing of the issues and their response rates.

TABLE 4.6  TOP THREE ORGANIZATIONAL ISSUES

Inhibiting Organizational Issue                     Number of Responses   Percentage
Budget Constraints                                   184                   75
Lack of Competent Security Personnel                 118                   48
Lack of Employee Security Awareness Training         176                   72
Lack of Management Support                           161                   66
Lack of Strategic/Formalized Security Policies       169                   69
Staff Resistance                                      78                   32
Unclear Responsibilities                             145                   59
Others                                                25                   10

(Multiple responses allowed; percentages are of the 245 respondents.)

4.3.5 Security Role Responsibility

This question asked respondents who they perceived to be responsible for security in organizations. 45 percent of respondents indicated that the Head of the IT Department is responsible for computer security. Only 6 percent indicated that organizations have a formal security administrator or security officer appointment. 12 percent indicated that the security role is delegated as a secondary appointment, and 10 percent indicated that organizations do not assign this responsibility at all.


TABLE 4.7  SECURITY ROLE RESPONSIBILITY

Security Responsibility                   Number of Responses   Percentage
Computer Operations Manager                15                    6
Designated staff from other departments    43                   18
Head, IT Department or equivalent         110                   45
MIS Manager or equivalent                  37                   15
None                                       25                   10
Security Administrator                     15                    6
Total                                     245                  100

Table 4.7 shows that responsibility for security rests solely with employees, predominantly IT staff, rather than with senior management.

4.3.6 Security Rating

In this question, respondents were asked to rate the effectiveness of security in organizations on a scale of 0-10, 0 being least effective and 10 being highly effective. For ease of reference the scaled data have been collapsed into three groups: ineffective (0-3), somewhat effective (4-6) and highly effective (7-10). Table 4.8 and Figure 4.3 show respondents' perceptions of security effectiveness in organizations:

TABLE 4.8  SECURITY RATING

Effectiveness                 Number of Responses   Percentage
Ineffective (0-3)              167                   68
Somewhat Effective (4-6)        51                   21
Highly Effective (7-10)         27                   11
Total                          245                  100

A high proportion of the respondents, 167 (68%), rated security in organizations as ineffective; 51 (21%) perceived it as somewhat effective, and only 27 (11%) rated organizational security as highly effective. This clearly shows a critical need for organizations to improve their level of security.

FIGURE 4.3  SECURITY RATING
(Figure not reproduced; segment labels as printed: Highly Effective 11%; Somewhat Effective 21%; Ineffective 68%.)

It was observed that security practitioners rate the level of security in organizations to be somewhat effective or below. In contrast, respondents who rated security in organizations as highly effective were all security researchers.

4.3.7 Improving Security Effectiveness

Respondents were also asked for their opinions on how organizations might improve their security effectiveness. A content analysis was performed on the 245 responses received; Appendix 4 provides a complete listing of the responses to this question. For ease of reference, responses were broadly categorized into three areas: technical, general (non-technical) and holistic. A breakdown of these areas and the responses is found in Table 4.9 and Figure 4.4.

Technical Areas

Technical areas comprise mainly security technologies and software such as anti-virus software, encryption and firewalls. Other technical areas that respondents regarded as capable of providing significant improvements to the level of security in their organizations were SSL, PKI, biometrics and intrusion detection systems. It is interesting to note that the majority of respondents (83 percent) who cited technical improvement areas were security practitioners.

General Areas

General areas cover a wide range, from law enforcement to non-technical areas such as security awareness training and education for employees. General areas of security control deemed significant by respondents were more stringent laws and greater cooperation between the authorities and the business community. Internal security measures cited include security awareness and training, password management, application access control, physical access control and program change control.

Holistic Areas

Holistic areas encompass security solutions embracing both the technical and human dimensions of security. It is interesting to note that only five respondents proposed a holistic approach to improving security effectiveness in organizations.

TABLE 4.9  IMPROVING SECURITY EFFECTIVENESS

Improvement Area    Number of Responses   Percentage
Technical            60                    25
General             180                    73
Holistic              5                     2
Total               245                   100

FIGURE 4.4  IMPROVING SECURITY EFFECTIVENESS
(Figure not reproduced; segment labels as printed: Holistic 2%; Non Technical 73%; Technical 25%.)

4.4 ANALYSIS OF PRIMARY DATA

The eight questions in this portion of the research focus on determining the most problematic issues facing organizations in achieving security effectiveness. Tables 4.10 to 4.17 present the responses to these questions. For each question respondents were asked to rate each issue on a scale of 0-10, with 0 being not at all problematic and 10 being extremely problematic. For ease of reference the scale responses have been collapsed into three categories: "Not Problematic" (0-3), "Somewhat Problematic" (4-6) and "Highly Problematic" (7-10).

4.4.1 Impacting External Environmental Risks

Respondents were asked to rate nine issues with regard to external environmental risks. Of these, economic slowdown was perceived by the largest number of respondents (53%) as highly problematic. Two other issues in this category also received substantial response as highly problematic: political crisis, with 48%, and ever-changing security threats, with 47%. All nine issues were perceived as at least somewhat problematic, with the exception of rapidly changing technology, which 66% of respondents viewed as not problematic with regard to external environmental risks. Table 4.10 provides a complete listing of the nine issues and their response rates.

TABLE 4.10  EXTERNAL ENVIRONMENTAL RISKS

Issue                                Not Problematic (0-3)   Somewhat Problematic (4-6)   Highly Problematic (7-10)
Availability of Effective Solutions    29%                     47%                          24%
Economic Slowdown                      14%                     33%                          53%
Ever changing security threats         17%                     36%                          47%
Hypercompetition                       29%                     52%                          19%
Ineffective Laws                       33%                     33%                          34%
Inherent Internet Flaws                21%                     45%                          34%
Media Misrepresentations               35%                     49%                          16%
Political Crisis                       33%                     19%                          48%
Rapidly changing technology            66%                     22%                          12%

It is interesting to note that the top issues with regard to external environmental risks are economic slowdown and political crisis, issues which had become more acute at the time through the global economic downturn and the Iraq war. The results suggest that respondents' risk perceptions may have been influenced by the wide media coverage of these events at the time the survey was conducted.

4.4.2 Existing Solutions Issues

In Table 4.11, seven issues concerning existing technical solutions are listed with their response rates. All of the issues in this category were viewed as at least somewhat problematic, except that 60 percent of respondents did not view difficulty of implementation as a problem for organizations. The highest rating went to bugs in security software, with 69 percent of respondents placing it in the highly problematic range. However, 23 respondents, all of them security practitioners, did not answer this question.

TABLE 4.11  EXISTING SOLUTIONS ISSUES

Issue                                                        Not Problematic (0-3)   Somewhat Problematic (4-6)   Highly Problematic (7-10)
High Acquisition Cost                                          26%                     46%                          28%
Difficult to Implement                                         60%                     31%                           9%
Inherent Flaws and Weaknesses in Security Technologies         14%                     31%                          55%
Bugs in Security Software                                       7%                     24%                          69%
Requires Security Expertise                                    17%                     50%                          33%
Lack of Holistic Planning Model                                19%                     47%                          34%
Lack of Holistic Security Management Model                     29%                     48%                          23%

4.4.3 External Human Threats

Respondents were asked to rate seven external perpetrators with regard to the threat they pose to organizations. Of these, virus creators were perceived by the largest number of respondents (59%) as highly problematic. Two other perpetrators in this category also received substantial response as highly problematic: script kiddies, with 46%, and social engineers, with 40%. All seven external perpetrators were perceived as at least somewhat problematic, with the exception of phreakers, whom 51% of respondents viewed as posing little threat to organizations. Table 4.12 lists the response rates.

TABLE 4.12  EXTERNAL HUMAN THREATS

External Human Threat    Not Problematic (0-3)   Somewhat Problematic (4-6)   Highly Problematic (7-10)
Competitors                34%                     45%                          21%
External Consultants       38%                     43%                          19%
Phreakers                  51%                     30%                          19%
Script Kiddies             18%                     36%                          46%
Social Engineers           36%                     24%                          40%
Software Pirates           34%                     36%                          30%
Virus Creators             13%                     28%                          59%

4.4.4 Organizational Inhibitors

Respondents were asked to rate 11 organizational issues which can impact security. Resistance to change was perceived by the largest number of respondents (63%) as highly problematic. Four other issues in this category also received substantial response as highly problematic: budgeting, with 55%; leadership, with 54%; and communication and organizational support, with 47% each. Table 4.13 lists the response rates.

TABLE 4.13  ORGANIZATIONAL INHIBITORS

Issue                                Not Problematic (0-3)   Somewhat Problematic (4-6)   Highly Problematic (7-10)
Adequate Staffing                      17%                     47%                          36%
Budgeting                              19%                     26%                          55%
Communication                          12%                     40%                          47%
Interdepartmental Coordination         27%                     61%                          12%
Leadership                             16%                     30%                          54%
Organizational Culture                 23%                     53%                          24%
Organizational Directives              28%                     60%                          12%
Organizational IT Expertise            24%                     60%                          16%
Organizational Security Expertise      28%                     55%                          17%
Organizational Support                 14%                     39%                          47%
Resistance to change                   16%                     21%                          63%

4.4.5 Security Management Issues

In Table 4.14, seven security management issues are listed with their response rates. All of the issues in this category were viewed as at least somewhat problematic, except that 54 percent of respondents did not view reliance on outsourcers as a problem for security management in organizations. The highest rating went to lack of security awareness training, with 53 percent of respondents placing it in the highly problematic range. Four other issues in this category also received substantial response as highly problematic: no formal security plan, with 48%; lack of a security corporate culture, with 46%; lack of a security policy, with 44%; and role ambiguity, with 44%.

TABLE 4.14  SECURITY MANAGEMENT ISSUES

Issue                                   Not Problematic (0-3)   Somewhat Problematic (4-6)   Highly Problematic (7-10)
Failure to upgrade systems                24%                     50%                          26%
Lack of security awareness training       22%                     25%                          53%
Lack of Security Corporate Culture        21%                     33%                          46%
Lack of security policy                   16%                     40%                          44%
No Formal Security Plan                   12%                     40%                          48%
Reliance on Outsourcers                   54%                     28%                          18%
Role Ambiguity                            22%                     34%                          44%

It has been observed that the lack of security awareness training was also earlier cited by respondents as one of the top 3 inhibitors to achieving security effectiveness in organizations.

4.4.6 Senior Managers' Issues

Respondents were asked to rate six issues related to senior managers' attitudes, behaviors and beliefs towards security which can affect the level of security in their organizations. Lack of involvement was perceived by 72% of respondents as highly problematic, the highest rating among the senior managers' issues. Two other issues which received substantial response as highly problematic were lack of commitment, with 56%, and lack of support, with 53%. All six issues were perceived as at least somewhat problematic; however, 62 percent of respondents did not view senior managers' lack of IT expertise as a major problem.

TABLE 4.15  SENIOR MANAGERS' ISSUES

Issue                            Not Problematic (0-3)   Somewhat Problematic (4-6)   Highly Problematic (7-10)
Individual IT Expertise            62%                     22%                          16%
Individual Security Expertise      29%                     48%                          23%
Individual Support                 18%                     29%                          53%
Lack of Commitment                 14%                     30%                          56%
Lack of Involvement                 2%                     26%                          72%
Resistance to Change               24%                     55%                          21%

4.4.7 Personnel Issues

Respondents were asked to rate nine barriers which employees face with regard to security in their organizations. Lack of management support was perceived by the largest number of respondents (61%) as highly problematic. Two other inhibiting factors that respondents rated highly problematic were lack of security awareness training, with 59%, and lack of funds, with 47% (Table 4.16).

TABLE 4.16  PERSONNEL ISSUES

Issue                                  Not Problematic (0-3)   Somewhat Problematic (4-6)   Highly Problematic (7-10)
High workloads                           16%                     43%                          41%
Individual IT Expertise                  16%                     52%                          32%
Lack of funds                            22%                     31%                          47%
Lack of Management Support               13%                     26%                          61%
Lack of Rewards and Recognition          14%                     48%                          38%
Lack of Security Awareness Training      12%                     29%                          59%
Poor Communications                      20%                     38%                          42%
Role Ambiguity                           10%                     48%                          42%
Uncertain policies and priorities        21%                     45%                          34%

4.4.8 Internal Human Threats

The final set of data deals with human security threats within organizations. Table 4.17 shows the breakdown of these threats and their ratings. Of all the internal human threats, careless employees were perceived by 62 percent of respondents as posing the greatest threat to organizations. Two other internal perpetrators in this category received substantial response as highly problematic: malicious workers, with 59%, and disgruntled employees, with 57%. All seven internal human threats were perceived as at least somewhat problematic, with the exception of planted workers, whom 54% of respondents viewed as posing little threat to organizations.

TABLE 4.17  INTERNAL HUMAN THREATS

Human Threat             Not Problematic (0-3)   Somewhat Problematic (4-6)   Highly Problematic (7-10)
Careless Employees         11%                     27%                          62%
Disgruntled Employees      10%                     33%                          57%
Ignorant Employees         26%                     31%                          43%
Malicious Workers          22%                     19%                          59%
Planted Workers            54%                     33%                          13%
Telecommuters              18%                     40%                          42%
Temporary Consultants      15%                     32%                          53%

4.5 SUMMARY

This chapter is devoted to the findings of the web survey. The perceptions of the respondents with regard to a variety of issues surrounding security in organizations were displayed and analyzed. As explained in Chapter 3, this survey was used to complement the in-depth interviews.

The purpose of the survey was to uncover the most problematic people issues with regard to security in organizations from the perspective of security professionals. I accept the sample bias that respondents are technically oriented individuals. However, as professionals in the security industry, and as researchers and consultants to organizations in both the public and private sectors, respondents' opinions helped in the general analysis of the human-related security issues and provide a more complete picture of real-life security situations in organizations.

Chapter five will expand on the information gathered here and discuss some of the more striking aspects of the data.

CHAPTER 5 SYNTHESIS OF FINDINGS OF THE INTERVIEWS AND SURVEY

5.1 INTRODUCTION

This chapter synthesizes the findings and analyses of the web survey presented in Chapter 4 with the findings of the interviews compiled in the IS Issues Database. The objective is to apply the theories, supported by the insights gained from the interviews and the survey, with the aim of reaching a conclusion on the main research question posed in Chapter 1.

This chapter begins with a discussion of the environmental conditions in which the in-depth interviews and the web survey were conducted. Throughout the period of this research, I identified three main conditions that I believe may have affected the participants and influenced the results of the survey; each was introduced in previous chapters. The first is the technological forces working against a human approach to security. The second is organizations' risk perception of information security, particularly of security threats. The third is the magnitude and frequency of the risk communication that takes place about security.

5.2 ENVIRONMENTAL CONDITIONS

5.2.1 Technological Forces

First, as stated in previous chapters, security researchers and practitioners emerged from and operate in a highly technical environment. Hence there is a tendency to focus too narrowly on the technological issues involved. For instance, although people are acknowledged as the weakest link in the computer security chain, security consultants continue to recommend technical solutions to security problems involving people. When asked how organizations can improve their security effectiveness, one interviewee said:

“The easiest path for an enemy to get information from a targeted system may be to steal a backup tape, retrieve hard-copy output from a dumpster, or simply steal the victim’s laptop. Anyone concerned about overall computer security for the system must not ignore such possibilities, and indeed there are technical countermeasures for some of them. For example, we may encrypt the backup tape and secure the encryption key so that the backup tape is of no practical use to the enemy, or we may encrypt the entire hard drive of the laptop”.

The other critical environmental factor was risk communication.

5.2.2 Risk Communication

Risk communication, which affected the results of the survey, refers to the amount and magnitude of communication taking place in the environment on the subject of security, especially security threats. It came from various sources, ranging from daily newspapers and PC magazines carrying stories about the latest computer virus epidemic or high-profile denial-of-service attacks, to government and professional institutions warning organizations about the external security threats of conducting and transacting business on the Internet.

5.2.3 Risk Perception

In today’s world almost all professional organizations depend on information systems and, to protect themselves, they deploy different levels of technical security against possible outside attacks. Those who responded to the survey were all professionals researching and working for private or public companies around the globe, and hence they are exposed every day to the implicit message that security risks are externally driven. Sensing the intensity of, and the need for, technical solutions, these people build up a perception of information security as technology-led.

All three factors complemented each other in the sense that risk messages related to the human elements of security were diminished by them. Competitive pressure in the security industry and the popularity of technical solutions pushed security companies to think in terms of technical solutions. The frequent reception of messages about technical information security from various sources created second thoughts about the importance of the human elements.

All three factors were deduced from the findings of the survey explained in Chapter 4. They shaped respondents’ pre-judgments and so influenced their risk perceptions. The environmental conditions applied to both security researchers and practitioners.

5.3 WEB SURVEY

The web survey provided a quick, inexpensive and efficient means of collecting this information from the population concerned. With a web survey, a large amount of data can be collected at little cost. Interviewer effects and bias were also minimized, in that each respondent received the same questionnaire. The survey also supported descriptive and inferential (correlation) analyses.

5.3.1 Descriptive Analysis

Descriptive analysis is provided for the frequency distributions, calculation of averages and percentage distributions of the number of actual responses and percentages through the interpretation and classification of open-ended questions. In the descriptive analysis, I did not use cross tabulation since I believed that percentage distributions were adequate and separating the respondents into groups was not relevant as far as the research question was concerned.

5.3.2 Inferential Analysis

Inferential analysis allows relationships between different data items to be identified. In many cases two variables are interrelated, and the correlation coefficient indicates the strength of the relationship between them. Correlation, however, does not explain causality. In the survey I did not seek causality; rather, the objective was to determine the most disempowering human factors affecting security in organizations.


5.4 INTERPRETATION OF THE FINDINGS: A SYNTHESIS

Analysis of the survey findings presented in Chapter 4 revealed the following security weaknesses of organizations, which respondents viewed as highly problematic. The key issues are:

- Security viewed as of little importance
- Lack of senior management involvement
- Lack of management support
- Lack of security awareness training
- Budget constraints
- Lack of security policies
- Poor implementation of security policies
- Disgruntled former employees
- Careless employees
- Organizational members' resistance to change
- Ineffective security

Each issue is examined individually in order to better ascertain its singular impact on the most problematic people issues affecting security in organizations.

Views of Security

The information created, processed and used by an organization is one of its most valuable assets. Compromising this asset could severely affect the company’s customers, constitute a breach of laws and regulations, and damage the company itself. Hence the consequences of insecurity can be highly detrimental for any organization. Yet survey results show that business leadership in organizations still holds a lackadaisical view of security and its consequences. When asked to choose from a list what they perceived to be the role of security in organizations, 48 percent of respondents indicated that organizations viewed security as a nice to have rather than a need to have. One interviewee commented:

"I think there are a lot of companies that still believe there are no threats directed at their companies. I truly believe the greatest threat to the security of a company is a belief on the part of senior management that there is no threat."


Furthermore, organizations may be unaware of the legal implications of insecurity as only 2 percent of respondents indicated that avoiding legal and regulatory liability issues concerning security breaches was a major concern for organizations.

Lack of Senior Management Involvement

Given the all-encompassing importance of information security, senior managers should be involved in all of its aspects. Yet survey results show that senior managers are reluctant to involve themselves in tackling security issues in their organizations: the most problematic issue regarding senior managers was lack of involvement, with a high 72% response rate. Furthermore, survey results show that responsibility for security lies solely with employees, especially those from the Information Technology Department. This is a dangerous and potentially expensive practice. Information security analysis and planning is essential to nearly every important business decision. Whenever a security measure is contemplated or a new security system proposed, these are business situations in which senior managers play a crucial role. Senior managers’ lack of involvement can also create a number of problems for administrators, which can put their organizations at ever greater risk.


Irrespective of the appointment, formal or otherwise, the staff assuming the security role must be equipped and kept up to date with the knowledge and skills needed for the task. Unfortunately, security tasks tend to be foisted off on people who have neither the time nor the training to deal with them.

Today one of the most frequently heard complaints among systems administrators is that there is simply not enough time to stay current on the latest, increasingly sophisticated threats to their organizations, or to test and install patches and fixes for the record number of security vulnerabilities in vendors’ software. As one interviewee stated:

“Systems administrators are being asked to be security people. Let’s say you’re a 20-person company, with one system administrator who is trying to maintain all your systems and do your security, that’s a lot to ask. As a result, many administrators do not give adequate importance to the security concerns of their organizations”.

Lack of Security Awareness Training

The lack of security awareness training was rated as the most problematic issue with regard to security management in organizations. Without proper security awareness training, administrators may not be aware of security risks and how these risks may be overcome within their day-to-day job functions. As one interviewee said:

“Currently, the knowledge that the majority of network and system administrators have about protecting and securing systems typically comes from experience and word-of-mouth, not from training”.

The survey results clearly illustrate how senior managers and those responsible for security in their organizations may be misinformed or unaware of where their real vulnerabilities lie. The most common protection methods were anti-virus software, used by 100 percent of respondents’ organizations, and firewalls, used by 85 percent. Both measures are designed primarily to ward off outside attacks. Yet the documented evidence shows that a company is at greater risk of an internal security breach than of an external attack: disgruntled or former employees and contract workers are the most likely to commit an attack or cause a breach. The survey results show that these internal threats receive very little attention from senior managers and security administrators. As one interviewee stated:

“I think there’s been a lot of false security. Organizations think ‘Heck, if I just put up a firewall, everything will be fine.’ Except that they’re not.”


Misinformed senior managers, and system administrators who are poorly trained, poorly qualified or narrowly technical in outlook, are often the source of this misconception and ignorance.

As mentioned earlier in this chapter, responsibility for security is delegated mainly to employees from the IT department. These people come from technical backgrounds and may therefore be unaware of the human aspects of information security. For organizations, this means that the adoption of security measures is likely to remain restricted to technical controls. As a consequence, technical staff apply technological solutions to what are essentially human problems, with very little consideration of the people implications. As one interviewee said:

“If security administrators had understood that most security breaches are committed by those who possess intimate knowledge of the systems they are attacking, they might have handled their security issues very differently”.

The misconception that security threats are external may have led organizations to adopt inappropriate and ineffective security measures. As one interviewee commented:


“Limiting the line of defense to routine measures like firewall and anti-virus software often results in a false sense of security, which can easily cost companies millions of dollars in damages and clean-up from attacks”.

Lack of Management Support

Lack of management support was viewed by 61% of respondents as the most problematic of the issues that security personnel face. Effective security requires the active support of senior corporate leadership, and research studies conducted over the years have shown that the higher the level of management support for security, the lower the number of security incidents. A lack of management support is a strong disincentive for security administrators to carry out their responsibilities properly and effectively. It may stem from senior managers’ naïve understanding of the importance of security and of the consequences of insecurity for their organizations.

Budget Constraints


Budget constraints were viewed by 75 percent of respondents as the most crucial factor inhibiting organizations from protecting their networks and systems. Traditionally, senior management’s primary decision-making role in security has been to determine how much direct funding and other resources to grant to the organization’s security administrators. Where the organization views security as a nice-to-have rather than a need-to-have, and where management support is absent, it is highly unlikely that security will be given budget priority. Companies have been reluctant to spend money on security because it is extremely difficult to prove that security serves the bottom line; for many, security has been viewed as overhead. As one interviewee said:

“With no clear benefit visible to upper management, the resulting security funding is typically inadequate to meet even the limited technical goals of security administrators”.

With budget constraints, pressure on security administrators to save costs may make it difficult to design effective security, leaving organizations critically exposed.

Lack of Security Policies


The lack of security policies was rated as one of the top three inhibitors to organizations achieving security effectiveness. Having security policies in place is a must for any company: security policy provides the rules of the game in computer security. Organizations without security policies have little or no foundation upon which to base the standards and procedures used to manage people and their work. As a result, decisions are likely to be inconsistent and security holes will be present, ready to be exploited by insiders and outsiders alike. As one interviewee said:

“The absence of a security policy makes it difficult for administrators to justify and marshal the necessary resources to control or forestall any potential vulnerability or perpetration”.

As those responsible for security, administrators are often tasked with developing security policies. Their failure to do so may be due to a lack of time and training. Furthermore, without management involvement and support, there is little incentive or direction for them to formulate one.


Poor Implementation of Security Policies

Poor implementation of security policies was viewed by 48% of respondents as one of the top two security threats within organizations. Like the absence of security policies, poor implementation may be due to administrators’ lack of time and training. Moreover, as one interviewee stated:

“The driving force behind effective implementation of policies must come from the top.”

Without management involvement and support, administrators face much difficulty in implementing policies, as other employees may simply not recognize that administrators have the authority to direct them and may refuse to cooperate. Some employees may feel, “If management is not bothered about security, why should I?”

Resistance to change


Resistance to change was rated by 63% of respondents as the most problematic of organizational issues. People are bound to resist change. Even for administrators who are serious about security and are willing to act as change catalysts, effecting change without management involvement and support can pose great difficulties for them as the impetus for change must come from the top.

Former Employees

Former employees were viewed by 69% of respondents as the number one potential threat to organizations.

Retrenchment is the buzzword these days. Due to the tougher global economy and intense international and domestic competition, companies are resizing, downsizing, restructuring, reorganizing, reengineering or merging in an attempt to become more efficient, cut expenses or, in some cases, simply make more short-term profit to boost competitiveness. Job security is now a thing of the past. Companies are being forced to lay off thousands of workers, some of whom have axes to grind with their former employers. For instance, one interviewee commented that during economic downturns, “ex-employees are under even greater pressure to commit fraud, theft of proprietary information on their former employers’ networks”.


Job loss, whether through retrenchment or termination, can be a traumatic experience for most people. The tendency is to dwell on bad feelings toward the former employer and the negative aspects of the former job, especially when retrenched workers perceive others as responsible for what happened to them; for example, they feel betrayed when job loss is due to “down-sizing” that has nothing to do with their job performance. Unfortunately, the majority of personnel managers are trained to hire but not to fire. The emotional impact on retrenched workers can be devastating, yet it is often neglected and forgotten by management. The mishandling of termination and the lack of exit interviews contribute to former employees’ motive to commit security breaches; the non-cancellation of their user IDs and passwords gives them the ability to do so.
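The "non-cancellation of user IDs" described above is the one contributory factor here that can be checked mechanically. The following is an added example, not code from the dissertation or from any of the organizations surveyed: it reconciles an account directory against the HR roster and flags accounts that remain enabled after their owner's last working day (beyond an agreed handover grace period), accounts that were used after that day, and accounts with no identifiable HR owner at all. All field names, the `Account`/`Person` record layouts and the sample data are constructed for illustration; in a real deployment the roster would come from HR and the accounts from LDAP/Active Directory, SaaS admin APIs, database user tables and so on.

```python
"""Leaver account reconciliation (added example; constructed data).

Cross-checks an account directory against the HR leaver list to surface
the exposure the text describes: user IDs left enabled after their owner
has left, accounts used after the owner's last day, and accounts that no
current or former person in HR is recorded as owning.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Account:
    username: str
    owner_id: str                 # HR person id; "" when nobody is recorded
    enabled: bool
    last_login: Optional[date]
    system: str


@dataclass(frozen=True)
class Person:
    person_id: str
    name: str
    status: str                   # "active" or "terminated"
    end_date: Optional[date]      # last working day; None while active


Finding = Tuple[str, str, str, str]   # (category, username, system, detail)


def reconcile(accounts: List[Account], people: List[Person],
              as_of: date, grace_days: int = 0) -> List[Finding]:
    """Return one finding per problem found.

    Categories:
      orphan          owner id is not in the HR roster (shared, ghost or mis-tagged account)
      enabled_leaver  account still enabled more than grace_days after the owner left
      leaver_activity account logged in after the owner's last working day
    The grace period accommodates an agreed handover, not indefinite tolerance.
    """
    roster = {p.person_id: p for p in people}
    findings: List[Finding] = []
    for acct in accounts:
        owner = roster.get(acct.owner_id)
        if owner is None:
            findings.append(("orphan", acct.username, acct.system,
                             "no HR record for owner"))
            continue
        if owner.status != "terminated" or owner.end_date is None:
            continue                                  # current staff: nothing to do
        if acct.enabled and as_of > owner.end_date + timedelta(days=grace_days):
            days_gone = (as_of - owner.end_date).days
            findings.append(("enabled_leaver", acct.username, acct.system,
                             f"{owner.name} left {days_gone} days ago"))
        if acct.last_login is not None and acct.last_login > owner.end_date:
            findings.append(("leaver_activity", acct.username, acct.system,
                             f"login {acct.last_login} after end date {owner.end_date}"))
    return findings


# Constructed sample data (not real people or systems). AS_OF is the day the check runs.
AS_OF = date(2003, 6, 23)
PEOPLE = [
    Person("P100", "Alice", "active", None),
    Person("P200", "Bob", "terminated", date(2003, 5, 30)),
    Person("P300", "Carol", "terminated", date(2003, 6, 10)),
    Person("P400", "Dave", "terminated", date(2003, 6, 20)),
]
ACCOUNTS = [
    Account("alice", "P100", True, date(2003, 6, 22), "erp"),
    Account("bob", "P200", True, date(2003, 6, 5), "vpn"),      # never disabled, used after leaving
    Account("bob", "P200", False, date(2003, 5, 29), "erp"),    # correctly disabled
    Account("carol", "P300", True, date(2003, 6, 9), "erp"),    # disabling was missed
    Account("dave", "P400", True, date(2003, 6, 19), "erp"),    # inside a short handover window
    Account("svc_backup", "", True, None, "fileserver"),        # nobody owns it
]


def demo_findings(grace_days: int = 7) -> List[Finding]:
    """Run the reconciliation over the constructed sample."""
    return reconcile(ACCOUNTS, PEOPLE, AS_OF, grace_days)


if __name__ == "__main__":
    for category, user, system, detail in demo_findings():
        print(f"{category:16} {user:12} {system:12} {detail}")
```

With a seven-day grace period the sample yields four findings: Bob's VPN account is both still enabled and was used after his last day, Carol's ERP account was never disabled, and the backup service account has no owner on record; Dave's account is inside the handover window and is not reported until the grace period is set to zero. The `leaver_activity` category is the one to treat as an incident rather than a hygiene item, since it shows the orphaned credential actually being exercised.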

Careless Employees

Careless employees were rated by 62% of respondents as posing the greatest security threat to their organizations. Through human error and misconfiguration, confidential data and information such as trade secrets, marketing plans and customer lists have been lost, damaged and compromised. One interviewee added,


“Malicious hackers and viruses are in fact far less of a threat to corporate networks and systems than employees who accidentally delete their own files”.

The majority of errors made by employees are the result of poor training. On the lack of security training in organizations, one interviewee put it this way:

“The misconception that security can be guaranteed simply by purchasing anti-hacking products such as firewalls and anti-virus software, without the need for security training and education about best practices, is held by most organizations”.

Ineffective Security

The survey results reveal that security in organizations is in a poor state of health: a high percentage (68%) of respondents rated security in organizations as ineffective. As the survey results show, ineffective security may be due to a myriad of factors. Summing it up, one interviewee said:


“The poor state of security in organizations is because senior management doesn't want to take responsibility”.

5.5 SUMMARY

The chapter began by explaining the environmental conditions surrounding respondents. The analysis showed that these conditions had an impact on the survey results, creating a pre-judgment of risk perceptions among both security researchers and practitioners. Environmental conditions were important to understand and analyze because decisions are based on respondents’ sense-making of the ‘reality’ surrounding them.

The chapter then synthesized the interview analysis and the web survey analysis, combining the survey findings with direct quotations from the interviews and my own observations, and drew conclusions from the outcome of the research.

The analysis showed correlation of some of the responses either with the IS Issues Database or with other responses within the questionnaire. The major conclusion that could be drawn from the inferential analysis was that there was a high correlation between senior managers’ behaviors, beliefs, perspectives, conceptions and views towards security and the state of security in their organizations. A significant portion of the security issues rated by respondents as highly problematic points toward senior managers’ lack of involvement, commitment, support and knowledge regarding security and its risks, and the majority of these respondents also perceived the level of security in organizations as ineffective. This pattern indicates that the higher the priority senior managers place on security, the lower the organization’s level of security risk.


CHAPTER 6

CONCLUSIONS AND RECOMMENDATIONS

6.1 INTRODUCTION

Information security is not just about technology. Security is about business. The consequences of ignoring the importance of security can be catastrophic for any organization, large or small. It can lead to compromised networks and systems, resulting in lost productivity, loss of sales revenue, increased clean-up costs, negative publicity, and losses to third parties. As discussed in Chapter 2, organizations that manage security effectively can reap numerous competitive advantages and benefits, including cost savings, a positive corporate image, customer trust and loyalty, enhanced business opportunities and increased productivity, all of which are manifested in an improved bottom line and increased returns on investment.

More importantly, security is about people. Organizations that ignore or forget the human element when seeking solutions may adopt incomplete solutions. Considering the role people play both in creating security problems and in defending against them, the significance of the human factors and their impact must not be ignored.

This chapter will provide some conclusions on the most problematic people issues with regard to security in organizations. In addition, this chapter will provide recommendations for a holistic view of security management.

6.2 CONCLUSIONS

The primary focus of this study was to determine what people issues security professionals perceived as being the most problematic with regard to security in organizations.

What are the most problematic people issues facing organizations with regard to security?


6.2.1 HUMANISTIC NATURE OF SECURITY PROBLEMS

Human related security issues are extremely problematic and complex in organizations. They involve all the individuals who make up the organization, from top-level managers to clerical staff. Effective security in organizations entails the commitment and involvement of business leaders and managers in making security top priority. Furthermore, the business leadership must recognize that any approach to security management which hopes to be ultimately successful must take into account not just the technical dimensions but more significantly, the human dimensions of security.

It has been shown that a multitude of interrelated people issues affect an organization’s ability to manage security effectively. This research has identified the most problematic of these: uncommitted and uninvolved senior managers; unqualified, untrained and careless employees; disgruntled former employees; and organizational members’ resistance to change. To achieve security effectiveness, these key people issues must be addressed. The next section offers recommendations as to how senior managers can address them in leading their organizations towards a more secure environment.


6.3 RECOMMENDATIONS

6.3.1 The Business Leadership

The answer to effective security in organizations lies with leadership. To improve their organizations’ security odds, leaders and managers have to change the way they think about security. It requires a fundamental change in the values, beliefs, and assumptions about security and how it should be managed. They must truly believe that their organizations’ future is dependent on effective security. When senior management understands the importance of security, it becomes a priority for everyone in the organization.

The most important aspect of successful security management in any organization is the involvement of senior management. Key components of an effective security program include the nurturing of a security-conscious corporate culture, the proper planning and implementation of security policies, and the provision of security training and education, all of which require the active participation and support of senior management. Hence, it is only with senior management’s total commitment, involvement and support in all aspects of security and its management that effective security can be achieved in organizations.

6.3.2 Specific Security Strategies

Unqualified Personnel

An organization that wants to avoid hiring unqualified individuals who pose a security risk must take the utmost care in how it chooses its members, since employees will be given access to the organization’s information systems. Poor pre-employment screening can lead to the employment of a person with unsuitable or even fictitious credentials, so careful screening of potential employees is vital. The primary aim is to ensure that only qualified people with certified information security skills manage network systems. The following are some of the precautionary measures organizations can take:

 Prior to hiring staff, verification checks should be carried out. These should include a minimum of two references and verification of the major aspects of the candidate's curriculum vitae, for example by checking the candidate's academic qualifications.

 Appropriate checks should also be carried out on contract and temporary staff. Employment agencies that provide staff to organizations may have similar checks in place, but it is advisable to verify this.

Untrained/Careless Workers

Untrained and careless workers have often been the major causes of security breaches in organizations. Hence, adequate budget must be set aside to provide training and education in all aspects of security where personnel awareness of Information Security risks is developed to the point that it almost becomes second nature. Staff awareness of Information Security issues can fade, unless it is continually reinforced. Such lack of attention may lead to lax attitudes towards security, resulting in the exposure of critical and sensitive information to outsiders. Hence, regular training and ongoing security awareness initiatives must be conducted.

Former Employees


Former employees have been cited as one of the greatest security threats to organizations. Thus, training on how to conduct exit interviews must be provided for all managers. Most companies invest a great deal of time, effort and money to attract, retain, motivate and reward their employees. Yet, it is very rare that these companies extend this same effort to the process of firing their employees. In the majority of companies, managers are trained to hire and not fire. Essentially, termination is treated as one of those unpleasant necessities that are not discussed in polite company. For many corporations, it is evidence of failure and something best forgotten. Organizations have undoubtedly paid a high price for the neglect of this aspect of personnel management.

Former employees such as Michael Normington, Suzanne Scheller, Makeebrah Turner, Peter Morch and Timothy Lloyd (Chapter 2) pose the greatest threat primarily because they have the most intimate knowledge of the systems and hence the capability to cause the most damage to their organizations. The majority of former employees who commit security breaches are disgruntled employees. Disgruntled employees present a significant risk because they are still trusted insiders, yet their potential to inflict damage is high. Any problems aired should be noted and resolved, and management must respond quickly yet discreetly to indications of employee disaffection. Where an aggrieved person's behavior and actions are perceived as likely to threaten the organization’s security, notify a member of the Security Task Force and, in conjunction with the Personnel Department, consider whether to suspend access to information and systems in order to prevent a potential breach.

Conducting Exit Interviews

Exit interviews must be conducted with employees who are retrenched or terminated, and even with temporary or outsourced personnel, in order to detect disgruntled workers. Whatever the reasons for termination or retrenchment, managers need to understand that it is a traumatic experience for the majority of employees and can be mentally, physically, financially and emotionally harmful for some. Besides a good support system and fair compensation and benefits, managers can help ease the pain by conducting effective exit interviews with sensitivity. Without an exit interview, or with one that is poorly conducted, resentment and unhappiness may follow and pose security risks to the company. Thus, it is critical that exit interviews are conducted in a humane manner. Organizations without the expertise to conduct exit interviews can seek outside help.

Moorhead & Griffin (2001) contend that a carefully planned interview is critical to the success of the termination. The following are suggestions on how to conduct an exit interview effectively but humanely.


 Always hold the interview on a Monday or Tuesday – never on a Friday at 5pm. Individuals need a chance to come back to the office and talk about the termination. The employee will not have to spend the entire weekend worrying about why their termination occurred.

 The manager should tell the individual within the first three minutes of the termination interview that they are being asked to leave. The remainder of this time should be spent allowing the individual to express his or her feelings.

 Managers who implement terminations should never be defensive. They should not have to argue or persuade the individual that the termination is justified.

 Managers should also avoid making remarks like: “I know how you feel” or “You will find this a real blessing in disguise”.

 Managers should state the facts as they know them. They should try to give two or three good reasons why the individual was terminated. These reasons should not be debated, argued or even discussed in such a manner as to give the person hope that he or she will be reinstated.


 Benefits being offered should be written out in a statement and handed to the individual during the interview. People often do not remember what was said at the time. A written statement will be helpful when discussing the situation with their family.

 If possible, it is better to state that this is a job elimination and staff reduction. Managers should avoid any comments that make reference to an individual’s personal traits or habits. Such comments will often lead to arguments and bitterness.

 Do not make promises you can’t keep, for example, “I may be able to get a job with Peter from ABC Company”. If you are unable to deliver the job, the person feels they have been fired all over again.

 Even if more than one person is to be let go, do not conduct a group announcement. An individual announcement allows the person privacy to express their feelings. This is an important part of the healing process. Groups can get out of control.

 Should an individual want to see the manager who conducted the termination a day or two later, the request should be granted. It is advisable for the terminating manager to see the individual one more time, so that the employee can complete the termination process and sever the relationship with the company. Individuals may feel that they did not have an opportunity to air their views because the meeting was unexpected and they were not prepared.

Resistance to Change

No matter how carefully changes in security are introduced into an organization, resistance will always be present. Machiavelli (1952) expressed the change dilemma quite well in The Prince:

“It must be considered that there is nothing more difficult to carry out, nor more doubtful of success, nor more dangerous to handle, than to initiate a new order of things. For the reformer has enemies in all those who could profit by the old order, and only lukewarm defenders in all those who could profit by the new order. This lukewarmness arises partly from fear of their adversaries, who have the laws in their favor, and partly from the incredulity of mankind, who do not truly believe in anything new until they have had an actual experience of it”.


Once a security corporate culture is created which values information security and accepts the necessity of change, then the organizational changes which support that culture can take place. Lewin (Moorhead & Griffin 2001) provides a model of social and organizational change in three stages: unfreezing, moving (changing) and refreezing. He describes unfreezing as an increase in organizational receptivity to a possible future change. Moving refers to the choice of a particular course of action and then following it. Finally, refreezing is described as reinforcing the equilibrium of the organization at the new level following the change.

This process for adapting to change refers to organizations, but it is equally applicable to the individuals and groups within the organization. People become accustomed to a particular work process or way of doing things. They are trained to perform within certain parameters and become comfortable with their abilities. To introduce a new way of performing their duties effectively, it is first important to prepare them to accept the proposed change. This is what Lewin refers to as unfreezing. Forced imposition of change without preparation is nearly always a big mistake. Once individuals have been prepared, change can be introduced with less disruption and resistance. Lewin stresses how important refreezing is as a final step, to ensure solidification and understanding of the new methods. Applied to security, this approach requires substantial commitment from top management, an advanced training design, and major interdepartmental coordination.

Change of any kind is problematic, then, not just for individuals and organizations but for those who propose to implement it as well. In any security development and deployment process it is critical to overcome as much resistance to change as possible, and to do this the reasons for the resistance must be understood. Winkler (1997) identifies the following reasons particular to the change brought on by security: loss of privacy; lack of trust and understanding; uncertainty; impeded job functions; low tolerance of change; the view that there is no particular need for new security measures; and fear of change. Such fears may manifest themselves as role ambiguity: if an individual is unsure how a change may affect him or her, the change is more likely to be resisted. Resistance to change is an inevitable issue in security planning and implementation, and it is only through identifying the sources of resistance and understanding its nature that it can be dealt with effectively.

Resistance to change is a powerful reaction to security policy implementation. How people adjust and react to security policy change depends a great deal on their background, education, and experience with security in general. As is often the case when security measures are introduced, resulting in changes in procedures, habits, and communications within the organization, individuals often experience frustration and confusion with regard to their security roles and jobs.

One of the best ways to deal with resistance to change in relation to security policy implementation is through continuous, needs-based training. Dhillon (1995) reviewed training as an aid to organizational adaptation to security policy change and found several characteristics of this area. First, the lower the level in the organization at which training took place, the more specific the nature of the training; the amount of training for security applications also increased at the lower levels. Second, top management most frequently received information about security developments from internal sources (i.e. MIS personnel) who briefed them on existing security measures and upcoming trends; the move towards providing managers with outside informational seminars was relatively new. Dhillon concluded that individuals in middle management positions were more often the recipients of security-specific training than those in the top ranks, and that this training was far more technical than the general information received by executives. At the time of Dhillon’s study, few organizations were providing training for employees which offered a holistic view of security across the organization.


6.3.3 FUTURE RESEARCH DIRECTIONS

Suggestions for further research

1. Corporate hackers themselves are worthy of separate study. The profiles of corporate hackers described in this work were derived predominantly from the study of literature taken from the Internet. A future study could contrast the various types of corporate hackers in order to identify similarities and distinctions between them.

2. Very little is known about the behavior of actual attackers. Research into the behavior of hackers could significantly increase our understanding of the motivations behind security attacks and incidents.

3. Future research on the contrasting impact of corporate hacking between organizations of different sizes, different industries, and the public and private sectors is recommended.

4. This research has shown that senior managers play a pivotal role with regard to security in their organizations. For example, in most cases, senior managers’ lack of commitment to information security affects the level of security in their organizations. Therefore, new research could analyze the characteristics of security-effective senior managers in more detail with the aim of validating or modifying the human issues security framework developed in this research.

5. The people issues must be studied individually and in greater detail, within the context of security management, in order for organizations to formulate strategies for tackling the human issues.

6. The research model used in this study has proven to be extremely helpful in determining the primary humanistic issues which are problematic to security in organizations. In addition it has allowed for the creation and future use of a security issues database which may serve as background material for subsequent research in this area. However, further refinement or redesign of this model in future research might allow for additional important insights regarding issues affecting security in organizations.

7. Research on developing a human security management model and a holistic security management model is recommended.

8. The complexity of the human nature of security seems to require detailed explanation. Alternative research methodological techniques need to be utilized in order to learn more about the people issues affecting security in organizations. Action research and case study approaches are recommended.

9. Finally, for future research, it might prove preferable to engage in face-to-face interviews with each respondent as opposed to email interviews.


GLOSSARY

The field of information security is full of terminology which may be unfamiliar to the layperson. The rapidly changing nature of security makes the task of keeping up with the jargon very difficult. The use of acronyms to describe everything from specific hardware to integrated systems makes the task even more complex. In addition, many of the terms and definitions vary widely depending on the nature of the literature or source and the time period in which they are discussed. Following is a list of the terminology and acronyms as they are used in this proposal.

Access Control
Access control refers to the rules and deployment mechanisms which control access to information systems, and physical access to premises.

Anti-Virus Program
Software designed to detect, and potentially eliminate, viruses before they have had a chance to wreak havoc within the system, as well as repairing or quarantining files which have already been infected by virus activity.

Audit Log
Computer files containing details of amendments to records, which may be used in the event of system recovery being required. Enabling this feature permits subsequent review of all system activity, and provides details of users’ identities and activities.

Business Assets
The term Business Assets, as it relates to Information Security, refers to any information upon which the organization places a measurable value. By implication, information lost, stolen, corrupted or in any way compromised would result in loss, damage or even business collapse. By identifying and valuing the business assets in an organization, and the systems which store and process them, an appropriate emphasis may be placed upon safeguarding those assets.

Business Continuity Plan (BCP)
This is a plan to ensure that the essential business functions of the organization are able to continue in the event of unforeseen circumstances. The BCP will identify the critical people (roles / functions), information, systems and other infrastructure, e.g. telephones, which are required to enable the business to operate. The BCP will lay out a detailed plan which, if called upon, should be executed to assure minimum additional disruption.

Cryptography
Cryptography is the technology that allows computer users to keep information secret. The subject of cryptography is primarily concerned with maintaining the privacy of communications, and modern methods use a number of techniques to achieve this. Encryption is the transformation of data into another, usually unrecognizable, form. The only means to read the data is to decrypt it using a (secret) key, in the form of a secret character string, itself encapsulated within a pre-formatted (computer) file.

Data Encryption
Data encryption is a means of scrambling the data so that it can only be read by the person(s) holding the ‘key’ - a password of some sort. Without the ‘key’, the cipher cannot be broken and the data remains secure. Using the key, the cipher is decrypted and the data is returned to its original value or state.

Decryption
The process by which encrypted data is restored to its original form in order to be understood/usable by another computer or person.

Logical Access
The process of being able to enter, modify, delete, or inspect records and data held on a computer system by means of providing an ID and password.

Password Management Package
A piece of software that is used to control password functions, often for several different application systems simultaneously.

PGP
Software called Pretty Good Privacy, developed by Philip Zimmermann, encrypts e-mail and files to keep them secure.

Physical Access
The process of obtaining use of a computer system - for example by sitting down at a keyboard - or of being able to enter specific area(s) of the organization where the main computer systems are located.

Physical Security
Physical protection measures to safeguard the organization’s systems, including but not limited to restrictions on entry to premises, restrictions on entry to the computer department and Tank, locking/disabling equipment, disconnection, fire-resistant and tamper-resistant storage facilities, anti-theft measures, anti-vandal measures, etc.

PKI
Where encryption of data is required, perhaps between the organization’s internal networks and between clients and representatives, a means of generating and managing the encryption keys is required. PKI, or Public Key Infrastructure, is the use and management of cryptographic keys - a public key and a private key - for the secure transmission and authentication of data across public networks.

Segregation of Duties
A method of working whereby tasks are apportioned between different members of staff in order to reduce the scope for error and fraud. For example, users who create data are not permitted to authorize processing; Systems Development staff are not allowed to be involved with live operations. This approach will not eliminate collusion between members of staff in different areas, but is a deterrent. In addition, the segregation of duties provides a safeguard to your staff and contractors against the possibility of unintentional damage through accident or incompetence - ‘what they are not able to do (on the system) they cannot be blamed for’.

SSL
The Secure Sockets Layer protocol encrypts web pages to provide secure transactions.

SSH
The Secure Shell program lets systems administrators access remote servers safely.

Tiger Teams
A tiger team is a group of people who attempt to get past the defenses of a system or an organization that they work for, in order to test its defenses.
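The Segregation of Duties and Audit Log entries above describe two controls that work together: the system refuses to let the person who created a record also authorize it (and keeps Systems Development staff out of live operations), while the audit log records every attempt so a reviewer can later confirm the rule held. The following is an added example written for this glossary, not code from the dissertation; the roles, permissions, record identifiers and activity are constructed for illustration.

```python
"""Maker-checker (segregation of duties) control backed by an audit log.
Added example for the glossary's Segregation of Duties and Audit Log entries;
not code from the dissertation. Roles, record ids and activity are constructed."""
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set

# Constructed policy: live-operations actions each role may perform. Systems
# Development staff get none, as the glossary describes; team leads may both
# create and authorize, so for them the record-level rule is the real control.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "data_entry": {"create"},
    "supervisor": {"authorize"},
    "team_lead": {"create", "authorize"},
    "systems_development": set(),
}


class SegregationViolation(Exception):
    """Raised when one person would both create and authorize, or lacks the role."""


class LedgerSystem:
    def __init__(self, users: Dict[str, str]) -> None:
        self.users = users                      # user -> role
        self.records: Dict[str, dict] = {}      # record id -> {"created_by", "authorized_by"}
        self.audit: List[dict] = []             # the audit log

    def _log(self, user: str, action: str, record_id: str, outcome: str) -> None:
        # Every attempt is logged with identity, action, target and result, so the
        # log can later be reviewed independently of the live records.
        self.audit.append({"time": datetime.now(timezone.utc).isoformat(), "user": user,
                           "action": action, "record": record_id, "outcome": outcome})

    def _require(self, user: str, action: str) -> None:
        if action not in ROLE_PERMISSIONS.get(self.users.get(user), set()):
            raise SegregationViolation(f"{user} may not {action}")

    def create(self, user: str, record_id: str) -> None:
        try:
            self._require(user, "create")
        except SegregationViolation:
            self._log(user, "create", record_id, "denied")
            raise
        self.records[record_id] = {"created_by": user, "authorized_by": None}
        self._log(user, "create", record_id, "ok")

    def authorize(self, user: str, record_id: str) -> None:
        rec = self.records[record_id]
        try:
            self._require(user, "authorize")
            if rec["created_by"] == user:       # record-level maker-checker rule
                raise SegregationViolation(f"{user} created {record_id}")
        except SegregationViolation:
            self._log(user, "authorize", record_id, "denied")
            raise
        rec["authorized_by"] = user
        self._log(user, "authorize", record_id, "ok")


def find_self_authorizations(entries: List[dict]) -> List[tuple]:
    """Audit review: (user, record) pairs where one person both created and
    authorized. Empty when the control held; a hit means the application path
    was bypassed (e.g. a direct change to the records)."""
    done: Dict[tuple, Set[str]] = {}
    for e in entries:
        if e["outcome"] == "ok":
            done.setdefault((e["user"], e["record"]), set()).add(e["action"])
    return sorted(k for k, acts in done.items() if {"create", "authorize"} <= acts)


def run_demo() -> dict:
    """One constructed day of activity; returns the values a reviewer would check."""
    system = LedgerSystem({"alice": "data_entry", "bob": "supervisor",
                           "carol": "systems_development", "dave": "team_lead"})
    system.create("alice", "INV-001")
    system.create("dave", "INV-002")
    denied = []
    for user, rid in (("alice", "INV-001"),    # data entry cannot authorize
                      ("carol", "INV-001"),    # development staff: no live operations
                      ("dave", "INV-002")):    # creator of the record itself
        try:
            system.authorize(user, rid)
        except SegregationViolation:
            denied.append(user)
    system.authorize("bob", "INV-001")
    system.authorize("bob", "INV-002")
    # Constructed copy of the log with one entry written around the application.
    tampered = system.audit + [{"time": "2003-06-23T09:00:00+00:00", "user": "dave",
                                "action": "authorize", "record": "INV-002", "outcome": "ok"}]
    return {"denied": denied,
            "authorized": {rid: r["authorized_by"] for rid, r in system.records.items()},
            "clean_review": find_self_authorizations(system.audit),
            "tampered_review": find_self_authorizations(tampered)}


if __name__ == "__main__":
    print(run_demo())
```

The review function is the audit-log half of the control: a clean log returns nothing, while the constructed entry that bypassed the application shows up as a (user, record) pair for investigation.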

BIBLIOGRAPHY

ABC News (2000, February 18). Vandals Continue to Attack Smaller Web Sites; Investigation Goes Global. [Online]. Available: http://abcnews.go.com/sections/tech/DailyNews/webattacks000218.html [Accessed 2001, July 16]. ABC News (2001, February 9). A Tangled Web. [Online]. Available: http://more.abcnews.go.com/sections/tech/DailyNews/cyberchat0209.html [Accessed 2002, November 5]. ABC News (2002, May 8). A Chat with Kevin Mitnick. [Online]. Available: http://abcnews.go.com/sections/tech/DailyNews/chat_000508mitnick.html [Accessed 2002, November 18]. Accenture & CERIAS (2001). CERIAS Security Visionary Roundtable: Call to Action. [Online]. Available: http://www.cerias.purdue.edu/news_and_events/events/securitytrends/accenture_c ta_1q2001.pdf [Accessed 2002, March 17]. Acohido, B. (2002). Research group finds holes in Net security. USA Today, February 13, p.1b. Allen, J., et al (2000). Improving the Security of Networked Systems. CERT Coordination Center, Carnegie Mellon University [Online]. Available: http://www.stsc.hill.af.mil/crosstalk/2000/oct/allen.asp [Accessed 2002, May 19]. Allen, J. (2001). CERT System and Network Security Practices. CERT Coordination Center, Carnegie Mellon University [Online]. Available: http://www.cert.org/archive/pdf/NCISSE_practices.pdf [Accessed 2002, May 19]. Allen, J. (2002 July). Common Sense Guide for Senior Managers: Top Ten

322

Recommended Information Security Practices. Internet Security Alliance. Anderson, J.P. (1972). Computer Security Technology Planning Study Volume II. Electronic Systems Division, Air Force Systems Command [Online]. Available: http://csrc.nist.gov/publications/history/ande72.pdf [Accessed 2000, May 31]. Andress, M. & Fonseca, B. (2000). Manage people to protect data. InfoWorld [Online]. Available: http://www2.infoworld.com [Accessed 2001, May 13]. Angell, I. O. (1993). Computer security in these uncertain times: the need for a new approach. In The tenth world Conference on Computer Security, Audit and Control, COMPSEC, (pp.382-388). London, UK: Elsevier Advanced Technology. Angell, I. O. (1994). The impact of globalization on today's business, and why Information System Security is strategic. In The 1994 Annual Congress of the European Security Forum, Hyatt Regency, Cologne, October 10. Arizona Central (2001, September 7). Beware! Some of Your Co-Workers Could Be Hackers, Ibm Says. [Online]. Available: http://www.antionline.com [Accessed 2002, March 9]. ASIS / PricewaterhouseCoopers (1999). Trends in Proprietary Information Loss. American Society for Industrial Security. [Online]. Available: http://www.asisonline.org/spi.pdf [Accessed 2001, June 30]. Attrition.org (2001a). The SANS Institute defaced. [Online]. Available: http://www.attrition.org/security/commentary/sans.html [Accessed 2002, July 12]. Attrition.org (2001b, May 17). Defacement Counts and Percentages, by Domain Suffix. [Online]. Available: http://www.attrition.org/mirror/attrition/country.html [Accessed 2002, July 12]. Austin, J. L. (1962). How to do things with words. In J. O. Urmson & M. Sbisa (Eds.), Cambridge, MA: Harvard University Press. Backhouse, J., & Dhillon, G. (1993). A conceptual framework for secure information systems. In The tenth world conference on Computer Security, Audit and Control, COMPSEC, (pp.158-168). London, UK: Elsevier Advanced Technology. Backhouse, J., & Dhillon, G. 
(1994). Corporate computer crime management: a research perspective. In Tenth IFIP International Symposium on Computer Security, IFIP Sec '94, Curacao.

323

Backhouse, J. & Dhillon, D. (1996). Structures of Responsibility and Security of Information Systems. European Journal of Information Systems, 5, pp.2-9. Backhouse, J. & Dhillon, D. (1999). Working towards principles for information security management in the 21st century. The LSE Computer Security Research Centre [Online]. Available: http://csrc.lse.ac.uk/docs/ISSecurity.pdf [Accessed 2001, February 7]. Badenhorst, K., & Eloff, J. (1990). Computer security methodology: risk analysis and project definition. Computers and Security, 9, pp.339-346. Baguioro, L. (2000). I wrote plan for ‘Love Bug’ thesis, says Filipino. The Straits Times, May 12, p.34. Baldwin, R.W. (1987). Ruled Based Analysis of Computer Security. Ph.D. Thesis, Massachusetts Institute of Technology [Online]. Available: http://theses.mit.edu/Dienst/UI/2.0/Describe/0018.mit.theses/1987-129 [Accessed 2001, January 14]. Barbaro, M. (2002, July 30). Princeton Apologizes for Web Breach. Washington Post [Online]. Available: http://online.securityfocus.com [Accessed 2003, January 3]. Baskerville, R. (1988). Designing information systems security. New York: John Wiley & Sons. Baskerville, R. (1991). Risk analysis: an interpretive feasibility tool in justifying information systems security. European Journal of Information Systems, 1(3), pp.121-130. Baskerville, R. (1993). Information systems security design methods: implications for information systems development. ACM Computing Surveys. 25(4), pp.375414. Baskin, C. (1998, August 8). It pays to be paranoid online. PC World [Online]. Available: http://www.cnn.com/TECH/computing/9808/06/paranoid.idg/index.html [Accessed 1999, April 17]. Bassham, L.E. & Polk, W.T. (1994, March 10). Threat assessment of malicious code and human threats. National Institute of Standards and Technology [Online]. Available: http://csrc.nist.gov/publications/nistir/threats/index.html [Accessed 1999, June 30].

324

Batten, L. (2000). Security for future computer environments. 1st Australian Information Security Management Workshop, Deakin University, Melbourne, pp.1-7. Bearden, T. (1998, August 5). Computer Security and Hackers. PBS [Online]. Available: http://www.pbs.org/newshour/bb/cyberspace/jan-june98/hackers.html [Accessed 1999, April 10]. Beck, U. (1992). Risk Society. London: Sage. Bell, D.E. & LaPudula, L.J. (1976). Secure Computer System: Unified Exposition and MULTICS Interpretation. The MITRE Corporation [Online]. Available: http://csrc.nist.gov/publications/history/bell76.pdf [Accessed 2002, October 26]. Bener, A. Y. (2000). Risk Perception, Trust and Credibility: A Case In Internet Banking. Ph.D. thesis, London School of Economics and Political Sciences. Benesh, P. (2000, October 12). Corporate Espionage Taking Over Where Cold War Spying Left Off. [Online]. Available: http://www.infowar.com/class_2/00/class2_101200a_j.shtml [Accessed 2001, February 18]. Benson, C. (2000a). Security Threats. Microsoft Corporation [Online]. Available: http://www.microsoft.com/technet [Accessed 2001, May 30]. Benson, C. (2000b). Security Strategies. Microsoft Corporation [Online]. Available: http://www.microsoft.com/technet [Accessed 2001, May 30]. Benson, C. (2000c). Security Planning. Microsoft Corporation [Online]. Available: http://www.microsoft.com/technet [Accessed 2001, May 30]. Bequai, A. (1987). Technocrimes-the computerisation of crime and terrorism. MASS: Lexington Books. Berinato, S. (2002). Teleworking causes serious security threat. ZDNet UK [Online]. Available: http://news.zdnet.co.uk/story/0,,t269-s2082658,00.html [Accessed 2002, December 15]. Birch, D. & McEvoy, N. (1992). Risk analysis for information systems. Journal of Information Systems, (7), pp.44-53. Blakley, R. (2002, July). Companies look to long-time networkers to combat cyberthreats. SC Magazine [Online]. 
Available: http://www.scmagazine.com/scmagazine/sc-online/2002/article/31/article.html [Accessed 2003, January 23].

325

Boockholdt, J. L. (1987). Security and integrity controls for microcomputers: a summary analysis. Information and Management, 13(1), pp.33-41. Bort, J. (2001). Security: A false sense of security. LAN Times [Online]. Available: http://www.lantimes.com/98/98jul/807b023a.html [Accessed 2002, May 6]. Bridis, T. (2000, March 2). Wanted: Hacker to Advise. The Associated Press [Online]. Available: http://more.abcnews.go.com/sections/tech/DailyNews/hackerconsulted000302.ht ml [Accessed 2001, June 16]. Broersma, M. (2002, March 20). CERT warning: Oldest IM tricks work best. ZDNet UK [Online]. Available: http://zdnet.com.com/2100-1105-864508.html [Accessed 2003, January 18]. Bruck, M. (2002, April 1). Security Threats From Within. Entrepreneur Magazine [Online]. Available: http://www.entrepreneur.com/article/0,4621,298386,00.html [Accessed 2002, November 3]. Business Software Alliance (2002). Survey spotlights growing problem of online software piracy. [Online]. Available: http://www.bsa.org/resources/2002-0529.117.pdf [Accessed 2003, February 20]. BusinessWeek (2001, December 4). A New Twist in Computer Security Tools. [Online]. Available: http://aol.businessweek.com/technology/content/dec2001/tc2001124_8753.htm [Accessed 2002, March 11]. Bycroft, A. (2002, January). The Advantages of Outsourcing Information Security Management. [Online]. Available: http://secinf.net/info/misc/outsorcing.htm [Accessed 2003, January 31]. Campbell, T. (2000). Demystifying Web Attacks. ABC News [Online]. Available: http://more.abcnews.go.com/sections/tech/Geek/geek000214.html [Accessed 2001, April 14]. CBS News (2000, June 9). A Hacker for Fun, not Profit. 60 Minutes [Online]. Available: http://www.cbsnews.com/stories/2000/01/20/60minutes/main151514.shtml [Accessed 2002, November 10].

326

CERT Coordination Center (1999). Denial of Service Attacks. Carnegie Mellon University [Online]. Available: http://www.cert.org/tech_tips/denial_of_service.html [Accessed 2000, May 15]. CERT Coordination Center (2002). CERT/CC Statistics 1988-2002. [Online]. Available: http://www.cert.org/stats/cert_stats.html [Accessed 2003, February 17]. Chan, T.L. (1999). Computer hacking often an inside job. The Straits Times, August 3, p. 8. Chng, G. (2002). Weak links will be punished. Computer Times, December 11, p.39. Chokhani, S. (1992). Trusted Products Evaluation. Communications of ACM, 35(7) July, pp.66-76. Christensen, J. (1999, April 6). Bracing for guerrilla warfare in cyberspace. CNN [Online]. Available: http://www.cnn.com/TECH/specials/hackers/cyberterror/ [Accessed 2000, January 8]. Cimino, K. (2000, June 14). Who’s Responsible for Internet Security?. [Online]. Available: http://siliconvalley.internet.com/news/article.php/3531_394691 [Accessed 2001, May 18]. Clements, D. P. (1977). Fuzzy ratings for computer security evaluation. Unpublished Ph.D. thesis, University of California, Berkeley. CNET News. (2000, February 9). How a “denial of service” attack works. [Online]. Available: http://news.com.com/2100-1017-236728.html [Accessed 2001, October 16]. Coles, R. (2002, October 3) Security needs more leadership. 360 Degrees [Online]. Available: from http://www.cw360.com [Accessed 2003, March 13]. Computer Economics (2002a, January 4). Malicious code attacks had $13.2 billion impact in 2001. [Online]. Available: http://www.computereconomics.com/article.cfm?id=133 [Accessed 2002, September 3]. Computer Economics (2002b, April 2). The Computer Economics Security Review 2002. [Online]. Available: http://www.computereconomics.com [Accessed 2002, September 3].

327

Computer Sciences Corporation (2001, November 19). CSC Survey reveals inadequate information security practices among companies worldwide. [Online]. Available: http://www.csc.com/newsandevents/news/1584.shtml, [Accessed 2002, September 3]. Computer Security Consultants (1988). Using decision analysis to estimate computer security risk. Ridgefield, Conn: Computer Security Consultants. Computer Security Institute (2001, March 12). Financial Losses Due to Internet Intrusions, Trade Secret Theft and Other Cyber Crimes Soar. [Online]. Available: http://www.gocsi.com/prelea/000321.html [Accessed 2002, July 21]. Computer Security Institute (2002, April 7). Cyber Crime bleeds U.S. corporations, surveys shows; financial losses from attacks climb for third year in a row. [Online]. Available: http://www.gocsi.com/press/20020407.html [Accessed 2002, July 21]. Computer Times (1999). Better sales with IT Security. September 1, p.34. Conry-Murray, A. (2002, July 1). Strategies & Issues: Security Policies in a Time of Terror. Network Magazine [Online]. Available: http://www.networkmagazine.com/article/NMG20020106S0001 [Accessed 2002, October 11]. Courtney, R. (1977). Security risk analysis in electronic data processing. In AFIPS Conference Proceedings NCC. AFIPS Press, pp.97-104. Cramer, M.L. (1996, December 21). Information Warfare. Georgia Institute of Technology [Online]. Available: http://www.infowar.com/survey/infowar.html [Accessed 1999, June 13]. Cross, S.E. (2000). Cyber Security. Carnegie Mellon University [Online]. Available: http://www.cert.org/congressional_testimony/Cross_testimony_Mar2000.html [Accessed 2001, July 12]. CyberAtlas (2001, December 13). Internet, Computer Security Concerns Americans. [Online]. Available: http://cyberatlas.internet.com/big_picture/geographics/print/0,,5911_939161,00.ht ml [Accessed 2002, November 22]. Davis, B. (1997, September 8). Security Survey: Is it Safe? InformationWeek [Online]. 
Available: http://www.informationweek.com/647/47iuss.htm [Accessed 1999, June 13].

328

Devi, C. (2003) Hacktivism rises in era of cyberwar. New Straits Times, March 31, p.2. Dhillon, G. (1995). Interpreting the management of information systems security. Department of Information Systems, London School of Economics and Political Science, p. 28. Dhillon, G. & Backhouse, J. (1999). Managing for secure organisations: a critique of information systems research approaches. The LSE Computer Security Research Centre [Online]. Available: http://www.csrc.lse.ac.uk/docs/IsApproaches.pdf [Accessed 2002, September 13]. Dube, J. (2000, February 16). ‘Mafiaboy’ Suspected. ABC News [Online]. Available: http://more.abcnews.go.com/sections/tech/DailyNews/webattacks000216.html [Accessed 2000, September 18]. Dube, J. & Ross, B. (2000, April 19). ‘Mafiaboy’ Arrested. ABC News [Online]. Available: http://more.abcnews.go.com/sections/tech/DailyNews/webattacks000419.html [Accessed 2000, September 18]. Edwards, C. (2000, July 10). Protection Money. The Associated Press [Online]. Available: http://more.abcnews.go.com/sections/tech/DailyNews/hackinsurance000710.html [Accessed 2001, October 23]. Ellison, R.J., et al (1999). An Approach to Survivable Systems. [Online]. Available: http://www.cert.org/easel/nato1.doc [Accessed 2000, June 26]. Evoy, S. (2001, October 2). Comments on Legislative Proposals to Protect National Security and their impact on the Communications Infrastructure. Computer Professionals for Social Responsibility [Online]. Available: http://www.cpsr.org/issues/ICACComments.html [Accessed 2002, December 04]. Farmer, D. (1996, December 18). Security Survey of Key Internet Hosts & Various Semi-Relevant Reflections. [Online]. Available: http://www.fish.com/survey/ [Accessed 1999, March 12]. Fisher, R. (1984). Information systems security. Englewood Cliffs: Prentice-Hall. Fitzgerald, J. (1978). EDP risk analysis for contingency planning. EDP Audit Control and Security Newsletter 6 (August), pp.1-8.

329

Fonseca, B & Harreld, H. (2001, January 29). Users turn to security outsourcers. ComputerWorld [Online]. Available: http://www.computerworld.com.au [Accessed 2002, April 19]. Fonseca, B. (2001, November 23). Survey: Corporate IT still vulnerable to computer attack. The Industry Standard (Australia) [Online]. Available: http://www.thestandard.com.au [Accessed 2002, January 7]. Forcht, K. and Wex, R. (1996). Doing Business on the Internet: marketing and security aspects. Information Management and Computer Security. Fulk, J.; et al. (1991). Emerging Theories of Communications in Organisations. Journal of Management. 17(2), pp. 407-446. Information Gallegos, F., et al (1987). Audit and control of information systems. Cincinnati: South-Western. Galliers, R.D. (1990) Choosing Appropriate Information Systems Research Approaches: A Revised Taxonomy. The Information Systems Research Arena of the 90s: Challenges, Perceptions and Alternative Approaches. Proceedings from the IFIP TC 8, WG 8.2 Working Conference, Copenhagen. Germanow, A., et al (2002, February). The Injustice of Insecure Software. [Online]. Available: http://www.atstake.com/research/reports/acrobat/atstake_injustice.pdf [Accessed 2002, December 20]. Giannacopoulos, P. (2002). Why Security Matters for Small and Medium-Size Businesses. Strategic Finance, 83(8) February, pp.27-29. Glendalesystems.com Ltd. (2001). RUSecure Information Security Policies v2. U.K. Gold, S. (2001, October 9). 88% Of Firms Nailed By Viruses, Worms In Last Year – Survey. Newsbytes [Online]. Available: http://www.newsbytes.com/news/01/170960.html [Accessed 2002, November 18]. Gollmann, D.; Meadows, C. A. & Okamoto, E. (2001). Editorial. International Journal of Information Security, 1(1), pp.1-2. Gonzalez, E. (2000, February 10). Hacker Insurance. Scripps Howard News Service [Online]. Available: http://more.abcnews.go.com/sections/tech/DailyNews/webattacks_insurance0002 10.html[Accessed 2002, July 20].

330

Gordon, L.A. & Loeb M.P. (2002). Return on Information Security Investments: Myths vs. Realities. Strategic Finance, 84(5) November, pp.26-31. Guzman, O. (undated). Onel de Guzman’s rejected thesis proposal at AMA Computer College. [Online]. Available: http://www.geocities.com/afdb/onel.htm [Accessed 2002, November 16]. Halbert, D. (1994, April 25). Computer Technology and Legal Discourse: The Potential for Modern Communication Technology to Challenge Legal Discourses of Authorship and Property. Murdoch University Law School [Online]. Available: http://www.murdoch.edu.au/elaw/issues/v1n2/halbert.txt [Accessed 1999, January 18]. Hamilton, T. (2000, April 6). DoS: The story behind the story. ZDNet UK [Online]. Available: http://news.zdnet.co.uk/story/0,,s2078260,00.html [Accessed 2001, June 9]. Harrison, A. (2000, October 2). Stopping Attacks at Their Source. Computer World [Online]. Available: http://www.computerworld.com/securitytopics/security/story/0,10801,51554,00.ht ml [Accessed 2001, November 19] Hernan, S. (2000). Security Often Sacrificed for Convenience. CERT Coordination Center [Online]. Available: http://www.stsc.hill.af.mil/crosstalk/2000/oct/hernan.asp [Accessed 2001, June 1]. Hinde, S. (2000, January). The future for Computer Audit and Security. Information Systems Auditor [Online]. Available: http://www.intnews.com/internal_audit.htm [Accessed 2001, March 23]. Hiscox (2002). Hackers. [Online]. Available: http://www.hiscox.com/ifyb/hackers.asp [Accessed 2002, December 22]. Hoffman, J., et al (1978). SECURATE – Security evaluation and analysis using fuzzy metrics. In AFIPS National Conference Proceedings, 47, pp.531-540. Hoffman, D.T., et al (1999) Building Consumer Trust Online. Communications of The ACM, 42(4), pp. 80-85. Householder, A., et al (2001). Managing the Threat of Denial-of-Service Attacks. Carnegie Mellon University [Online]. Available: http://www.cert.org/archive/pdf/Managing_DoS.pdf [Accessed 2002, June 20]. Houle, K.J & Weaver, G.M. 
(2001). Trends in Denial of Service Attack

331

Technology. Carnegie Mellon University [Online]. Available: http://www.cert.org/archive/pdf/DoS_trends.pdf [Accessed 2002, June 20]. Howard, J. D. (1997). An Analysis of Security Incidents on the Internet 1989 1995. Ph.D. Thesis, Carnegie Mellon University [Online]. Available: http://www.cert.org/research/JHThesis/Start.html [Accessed 2002, June 20]. Hoyt, D. (1973). Computer security handbook. New York: Macmillan. Hsiao, D., et al (1979). Computer security. New York: Academic Press. Hulme, G. (2002). Security training still a business afterthought. InformationWeek [Online]. Available: http://www.informationweek.com/story/IWK20021018S0010 [Accessed 2002, December 17]. Hutt, A., et al (1988). Computer security handbook (2nd ed.). New York: Macmillan. International Herald Tribune (1998, February 19). Cyberburglars Weave a Web Around Globe: Computer Espionage Booms as Rivals and Governments Target Corporate Databases. [Online]. Available: http://netsecurity.about.com [Accessed 1999, January 18]. Jackson, N. & Carter, P. (1992). The Perception of Risk. Risk: Analysis, Assessment, and Management. Ansell, J. & Wharton, F. West Sussex, John Wiley & Sons Ltd. Kailay, M., & Jarratt, P. (1994). RAMeX: a prototype expert system for computer security risk analysis and management. In Tenth IFIP International Symposium on Computer Security, IFIP Sec '94, Curacao. Kerstetter, J. (1999, January 18). Beating back biggest risk – the ‘inside job’. ZDNet UK [Online]. Available: http://news.zdnet.co.uk/story/0,,s2070508,00.html [Accessed 1999, June 23]. Klein & Lyytinen (1995) The Critical Theory of Juergen Habermas as a basis for a theory of information systems. Research methods in information systems. E. Mumford, R. Hirschheim, G. Fitzgerald and A.T. Wood-Harper. Amsterdam, North Holland. Knight, W. (1999a, August 31). Hotmail ‘glitch’ an inside job? ZDNet UK [Online]. Available: http://news.zdnet.co.uk/story/0,,s2073375,00.html [Accessed 2000, August 15].

332

Knight, W. (1999b, October 25). Blundering employees are biggest threat to corporate data. ZDNet UK [Online]. Available: http://news.zdnet.co.uk/story/0,,s2074642,00.html [Accessed 2000, August 15]. Knight, W. (2000a, April 19). "Mafiaboy" arrested in Canada for DoS attacks. ZDNet UK [Online]. Available: ttp://news.zdnet.co.uk/story/0,,s2078515,00.html [Accessed 2001, November 18]. Knight, W. (2000b, May 11). ILOVEYOU suspect says it was an accident... Maybe. ZDNet UK [Online]. Available: http://news.zdnet.co.uk/story/0,,t269s2078890,00.html [Accessed 2001, November 18]. Knight, W. (2000c, May 16). Biggest Hacking Fraud Ever. ZDNet UK [Online]. Available: http://news.zdnet.co.uk/story/0,,s2076252,00.html [Accessed 2001, November 18]. Knight, W. (2000d, June 30). LoveBug suspect charged. ZDNet UK [Online]. Available: http://news.zdnet.co.uk/story/0,,t269-s2079892,00.html [Accessed 2001, November 18]. Knight, W. (2000e, July 4). Small business owners unaware and complacent over hacking and fraud threats, says report. ZDNet UK [Online]. Available: http://news.zdnet.co.uk/story/0,,s2079943,00.html [Accessed 2001, November 18]. Knight, W. (2000f, July 11). Hacking Will Cost World $1.6 Trillion This Year. ZDNet UK (Online). Available: ttp://news.zdnet.co.uk/story/0,,s2080075,00.html [Accessed 2001, November 18]. Knight, W. (2000g, July 17). Company directors ‘exposed’ to computer crime. ZDNet UK [Online]. Available: http://news.zdnet.co.uk/story/0,,t269s2080212,00.html [Accessed 2001, November 18]. Knight, W. (2000h, November 23). Workers clueless about security. ZDNet UK [Online]. Available: http://news.zdnet.co.uk/story/0,,s2082738,00.htm [Accessed 2001, December 17]. Knight, W. (2000j, December 7). Mafiaboy arrested by police again. ZDNet UK [Online]. Available: http://news.zdnet.co.uk/story/0,,s2083034,00.html [Accessed 2001, December 17]. Knowles, A. (1996). The enemy within. CIO Magazine [Online]. 
Available: http://www.cio.com/archive/061596/security.html, June 15 issue [Accessed 2000, May 29].

333

Konrad, R. (2000, June 29). Leaks and geeks: International espionage goes high tech. [Online]. Available: http://news.cnet.com/news/0-1003-200-2174240.html [Accessed 2001, June 9]. KPMG (2001, March 29). E-fraud: is technology running unchecked? [Online]. Available: http://www.kpmg.com [Accessed 2002, March 13]. KPMG LLP (2001). New Strategies for Success in E-Business: Managing Risks to Protect Brand, Retain Customers, and Enhance Market Capitalization. [Online]. Available: http://www.kpmg.com/Rut2000_prod/Documents/9/IRM_EB.pdf [Accessed 2002, April 28]. Krauss, L. (1972). SAFE: Security audit and field evaluation for computer facilities and information systems. New York: Amacon. Krauss, L. (1980). SAFE: Security audit and field evaluation for computer facilities and information systems (Revised ed.). New York: Amacon. Krause, M. & Tipton, H.F. (1997). Handbook of Information Security Management. CRC Press LLC [Online]. Available: http://www.cccure.org/Documents/HISM/ewtoc.html [Accessed 1999, January 18]. Krebs, B. (2002a, January 11). Computer Security Vulnerabilities Double in '01CERT. Newsbytes [Online]. Available: http://www.newsbytes.com/news/02/173590.html [Accessed 2002, December 7]. Krebs, B. (2002b, April 8). Businesses Loath To Report Hack Attacks To Feds – FBI. Newsbytes [Online]. Available: http://www.newsbytes.com/news/02/175718.html [Accessed 2002, December 7]. Krim, J. (2003, February 19). 8 Million Credit Accounts Exposed. TechNews [Online]. Available: http://www.washingtonpost.com [Accessed 2003, March 1]. Krueger, K. (1993). Internal controls by objectives: the functional control by objectives. Proceedings from the ninth IFIP International Symposium on Computer Security, IFIP/Sec ’93, Deerhurst, Ontario, Canada. Land, F. (1992). The Informations System Domain. Information Systems Research: issues, methods, and practical guidelines. Galliers R. London, Blackwell Scientific, pp. 6-13. Landwehr, C.E. (2001). Computer Security. 
Springer-Verlag, July 27.

334

Laudon, K. & Laudon, J. (1996). Management Information Systems: Organization and Technology. New Jersey: Prentice-Hall Inc.
Lee, A. (1991). Integrating Positivist and Interpretive Approaches to Organizational Research. Organization Science, 2(4), pp.342-365.
Legard, D. (2001a, September 20). Viruses are getting faster, tougher. CNN [Online]. Available: http://www.cnn.com/2001/TECH/internet/09/20/faster.virus.idg/index.html [Accessed 2002, June 11].
Legard, D. (2001b, September 28). EFF: New law will treat hackers as terrorists. IDG [Online]. Available: http://www.idg.net/spc_701279_190_9-10025.html [Accessed 2002, June 11].
Lemos, R. (1999a, July 6). Does the media cause hacking? ZDNet UK [Online]. Available: http://news.zdnet.co.uk/story/0,,t269-s2072531,00.html [Accessed 1999, October 21].
Lemos, R. (1999b, July 6). Does the media cause hacking? Part 2. ZDNet UK [Online]. Available: http://news.zdnet.co.uk/story/0,,t269-s2072532,00.html [Accessed 1999, October 21].
Lemos, R. (1999c, July 9). Security expert blasts shoddy software. ZDNet UK [Online]. Available: http://news.zdnet.co.uk/story/0,,t269-s2072598,00.html [Accessed 1999, October 21].
Lemos, R. (2000). Businesses consider ‘hacking insurance’. ZDNet [Online]. Available: http://www.zdnet.com/zdnn/stories/news/0,4586,2600511,00.html [Accessed 2001, July 30].
Lemos, R. (2002, November 21). Windows flaw jeopardises millions of PCs and servers. silicon.com [Online]. Available: http://www.silicon.com [Accessed 2003, February 10].
Leong, C.T. (1999). Computer hacking often an inside job. The Straits Times, August 3, p.8.
Liebenau, J. & Backhouse, J. (1990). Understanding Information. London: Macmillan.
Lipson, H.F. & Fisher, D.A. (1999). Survivability – A New Technical and Business Perspective on Security. CERT Coordination Center [Online]. Available: http://www.cert.org/archive/pdf/busperspec.pdf [Accessed 2002, August 22].
Loch, K.D., et al. (1992). Threats to information systems: today's reality, yesterday's understanding. MIS Quarterly, 16(2), pp.173-186.
Longley, D. (1991). Formal methods of secure systems. In W. Caelli, D. Longley & M. Shain (Eds.), Information Security Handbook. New York: Stockton Press, pp.707-798.
Longstaff, T.A., et al. (1997). Security of the Internet. Carnegie Mellon University [Online]. Available: http://www.cert.org/encyc_article/tocencyc.html [Accessed 1999, January 18].
Machiavelli, N. (1952). The Prince. Translated by Luigi Ricci, revised by E.R.P. Vincent. New York.
Manalo, D. (2000, May 10). New 'Love' bug suspect named. ZDNet UK [Online]. Available: http://news.zdnet.co.uk/story/0,,t269-s2078882,00.html [Accessed 2001, June 11].
Manalo, D. (2001, May 10). A Year Ago: New 'LoveBug' suspect named. ZDNet UK [Online]. Available: http://news.zdnet.co.uk/story/0,,t269-s2086102,00.html [Accessed 2001, June 11].
Maria, S.S. (1999a). Taking Hacker to Court Not So Easy. The Straits Times, October 7, p.34.
Maria, S.S. (1999b). Clueless about Net flaws. The Straits Times, October 17, p.26.
Maria, S.S. (1999c). Many servers easy prey to hackers. The Straits Times, October 17, p.4.
Markoff, J. (2001, January 29). From outlaw to consultant. New York Times [Online]. Available: http://www.nytimes.com/2001/01/29/technology/29CAP.html [Accessed 2002, December 7].
Martinez, M.J. (1999, February 4). The Great Hacker Divide. ABC News [Online]. Available: http://abcnews.go.com/sections/tech/DailyNews/hackers990203.html [Accessed 1999, May 6].
McAlearney, S. (2001a, August 13). Former Web-Site Developer Gets Six Months in Prison. Security Wire Digest, 3(63) [Online]. Available: http://www.infosecuritymag.com/digest/2001/08-13-01.shtml#2c [Accessed 2002, July 2].
McAlearney, S. (2001b, November 8). U.K. Firms reluctant to prosecute attackers. Security Wire Digest, 3(86) [Online]. Available: http://www.infosecuritymag.com/digest/2001/11-08-01.shtml#2c [Accessed 2002, July 2].
McHugh, J., et al. (2001). Intrusion Detection: Implementation and Operation Issues. CERT Coordination Center [Online]. Available: http://www.stsc.hill.af.mil/crosstalk/2001/jan/mchugh.asp [Accessed 2002, April 5].
McLean, J. (1990). Specification and modelling of computer security. Computer, 23(1), pp.9-16.
Merten, A., et al. (1982). Putting information assets on a balance sheet. Risk Management (January).
Messmer, E. (2002, June 17). Newcomers angle for security role. Network World [Online]. Available: http://www.nwfusion.com/news/2002/0617newcomers.html [Accessed 2002, November 22].
Meyer, G.R. (1989). The Social Organization of the Computer Underground. Master’s Thesis, Northern Illinois University [Online]. Available: http://sun.soci.niu.edu/theses/gordon [Accessed 1999, January 18].
Middleton, J. (2001, November 23). Cyber crime treaty signed. VNU Business Limited UK [Online]. Available: http://www.vnunet.com/News/1127115 [Accessed 2002, March 24].
Mingers, J. (1997). Combining Research Methodologies in Information Systems: multi-paradigm methodologies. Paper presented at the European Conference on Information Systems, Cork, Ireland.
Moorhead, G. & Griffin, R. (2001). Organizational Behavior. New York: Houghton Mifflin, pp.222, 485.
Morgan, G. (1995). Images of Organization. Newbury Park, CA: Sage Publications.
Mullins, L. (1996). Management and Organizational Behavior. London: Pitman.
National Infrastructure Protection Center (2001, October). Cyber Protests: The Threat to the U.S. Information Infrastructure.
Neal, D. (2001, May 9). Hackers Work from Within. ZDNet UK [Online]. Available: http://news.zdnet.co.uk/story/0,,s2085542,00.html [Accessed 2002, July 17].
Nelson, J. (1998, January 12). U.S. firms ’97 losses to spies put at $300 billion. React Networks Services Inc. [Online]. Available: http://www.reactnetwork.com/article2.html [Accessed 1999, January 18].
Ng, M. (2001). The Killing Net. MyNet, December/January, p.6.
Norman, A. (1983). Computer Insecurity. London: Chapman and Hall.
NUA (2001a). Executives unaware of internal security risks. [Online]. Available: http://www.nua.org/surveys/index [Accessed 2002, May 15].
NUA (2001b). Computer Science Corp: Executives unaware of cyber attack risk. [Online]. Available: http://www.nua.org/surveys/index [Accessed 2002, May 15].
NUA (2001c, October 10). Jupiter Media Metrix: US firms undervalue digital assets. [Online]. Available: http://www.nua.com [Accessed 2002, May 15].
NUA (2002, April 8). Newsbytes: American companies fail to report intrusions. [Online]. Available: http://www.nua.com [Accessed 2002, December 5].
NUA (2003, April 3). eMarketer: Worldwide B2B revenues to pass one trillion. [Online]. Available: http://www.nua.com [Accessed 2003, May 1].
Null, C. (2001). Is hacker threat real? LAN Times [Online]. Available: http://www.lantimes.com/98/98mar/803b007a.html [Accessed 2002, July 8].
O’Brien, B. (2002, March 29). Hacker-proof server: Myth or reality? ZDNet [Online]. Available: http://techupdate.zdnet.com/techupdate/stories/main/0,14179,2859424,00.html [Accessed 2002, November 25].
Oettinger, R. (2001, October 10). Online Security Invasions: US Companies More Concerned With Impact On Customer Confidence Than Direct Financial Loss, Reports Jupiter Media Metrix. [Online]. Available: http://www.jmm.com/xp/jmm/press/2001/pr_101001.xml [Accessed 2002, May 22].
Ong, D. (2002). Network security: 10 ways to a more secure network. Computer Times, December 25, p.16.
Oo, G.L. (2000). Love is in the ether: Virus hits computers worldwide. The Straits Times, May 6, p.4.
Oracle (2002, March 7). Employees cause biggest headache for UK business says Oracle research. [Online]. Available: http://www.icarix.net [Accessed 2003, January 18].
Parker, D. (1981). Computer Security Management. Reston: Reston Publishing.
Pemberton, J.M. (2002). Targets of Opportunity: Information Security: The Human Factor. Information Management Journal, 36(1), Jan/Feb, p.79.
Perera, R. (2001, November 26). 30 countries sign cyber crime treaty. Computerworld [Online]. Available: http://www.computerworld.com.au [Accessed 2002, February 23].
Pethia, R.D. (2000). Internet Security Issues. Carnegie Mellon University [Online]. Available: http://www.cert.org/congressional_testimony/Pethia_testimony25May00.html [Accessed 2001, October 21].
Porter, M. (1980). Competitive Strategy. New York: The Free Press.
Poulsen, K. (1999, August 10). Mitnick gets 46 months, £2,558 fine. ZDNet UK [Online]. Available: http://news.zdnet.co.uk/story/0,,t269-s2073021,00.html [Accessed 2001, August 28].
Powell, P. & Klein, J. (1996). Risk management for information systems development. Journal of Information Technology, 11, pp.309-319.
Power, R. (2002). Computer Security Issues & Trends. Computer Security Institute, 3(1), spring issue.
Quittner, J. (2001a). Hacker Psych 101. TLC Discovery [Online]. Available: http://tlc.discovery.com/convergence/hackers/articles/psych.html [Accessed 2002, August 12].
Quittner, J. (2001b). Hackers: Methods of Attack and Defense. TLC Discovery [Online]. Available: http://tlc.discovery.com/convergence/hackers/articles/method.html [Accessed 2002, August 12].
Rasch, M. (2001, November 25). Ashcroft's Global Internet Power-Grab. Security Focus [Online]. Available: http://online.securityfocus.com [Accessed 2002, August 12].
Ravindran, N. (2000). Corporate Espionage. Today’s Manager Magazine, December/January Issue [Online]. Available: http://www2.sim.edu.sg [Accessed 2001, September 2].
Rayner, S. (1992). Cultural Theory and Risk Analysis. In S. Krimsky & D. Golding (Eds.), Social Theories of Risk. Westport, CT: Greenwood Publishing Group, Inc.
Regan, K. (2002a, December 5). Insiders pose greatest ID theft risk. Security Wire Digest, 4(90).
Regan, K. (2002b, December 12). Microsoft revises IE flaw to critical after criticism. Security Wire Digest, 4(92).
CNN (2003, March 29). Iraq war sparks tit-for-tat hacker attacks. [Online]. Available: http://www.cnn.com [Accessed 2003, April 2].
Richman, D. (2001). Security Hole Leaks Microsoft Customer Records. Seattle Post [Online]. Available: http://www.antionline.com [Accessed 2002, May 14].
Roberts, P. (2003, February 4). Security Market to hit $45 billion by 2006. InfoWorld [Online]. Available: http://www.infoworld.com/article/03/02/04/HNsecure_1.html?security [Accessed 2003, February 14].
Rohland, P. (2000). Caught in the Act. Entrepreneur Magazine, June Issue [Online]. Available: http://www.entrepreneur.com/article/0,4621,274526,00.html [Accessed 2001, November 7].
Saltmarsh, T. & Browne, P. (1983). Data processing – risk assessment. In M. Wofsey (Ed.), Advances in Computer Security Management. Chichester: John Wiley & Sons, pp.93-116.
SANS Institute (1998). NSA Glossary of Terms Used in Security and Intrusion Detection. [Online]. Available: http://www.sans.org/newlook/resources/glossary.htm [Accessed 2002, August 18].
SC Security Magazine (1998). Corporate Security: The Way Ahead. November Issue [Online]. Available: http://www.scmagazine.com/scmagazine/1998_11/cover/cover.html [Accessed 2000, May 26].
Schlesinger, L. (2002, April 1). Your Biggest Threat. ZDNet [Online]. Available: http://techupdate.zdnet.com/techupdate/stories/main/0,14179,2859492,00.html [Accessed 2002, August 18].
Schneier, B. (2001). Managed Security Monitoring: Network Security for the 21st Century. Counterpane Internet Security Inc. [Online]. Available: http://www.counterpane.com/msm.pdf [Accessed 2002, August 18].
Schultheis, R. & Sumner, M. (1995). Management Information Systems: The Manager’s View. USA: Irwin McGraw-Hill.
Seah, L. (1999). Some hack so they can brag. The Straits Times, July 6, p.8.
Searle, J.R. (1987). Speech Acts: An Essay in the Philosophy of Language. New York, NY: Cambridge University Press.
Security Magazine (1999, September 27). Security @ the Millennium. [Online]. Available: http://www.securitymag.com [Accessed 2002, July 2].
Segan, S. (2000, April 20). Tracking ‘Mafiaboy’s’ Steps. ABC News [Online]. Available: http://more.abcnews.go.com/sections/tech/DailyNews/webattacks000420.html [Accessed 2002, August 18].
Shankland, S. (2000, February 14). ‘Mixter’ discusses web attacks. ABC News [Online]. Available: http://abcnews.go.com/sections/tech/CNET/cnet_mixter_000214.html [Accessed 2002, August 18].

Shehata, A. (2002). Strengthening System Security to Prepare for HIPAA. Nelson Publishing [Online]. Available: http://www.healthmgttech.com/archives/hipaa0902.htm [Accessed 2002, August 18].
Shimeall, T., et al. (2001a). Intelligence Analysis for Internet Security: Ideas, Barriers and Possibilities. Carnegie Mellon University [Online]. Available: http://www.cert.org/archive/html/spie.html [Accessed 2002, August 18].
Shimeall, T., et al. (2001b). Countering cyber war. Carnegie Mellon University [Online]. Available: http://www.cert.org/archive/pdf/counter_cyberwar.pdf [Accessed 2002, August 18].
Siew, A. (2002). Glitches in anti-virus program confuse users. Computer Times, September 4, p.3.
Simpson, R.L. (1996). Security threats are usually an inside job. Nursing Management, 27(12), December, p.43.
Sophos (2000, August 1). Sophos Anti-virus six month summary. [Online]. Available: http://www.sophos.com/pressoffice/pressrel/us/20000801roundup.html [Accessed 2001, September 7].
Sophos (2002, July 1). Windows 32 viruses rule the waves. [Online]. Available: http://www.sophos.com/pressoffice/pressrel/uk/20020701sixmthtopten.html [Accessed 2002, August 18].
Sproles, J. & Byars, W. (1998). Cyberterrorism. [Online]. Available: http://www-cs.etsu.edu/gotterbarn/stdntppr/index.htm [Accessed 1999, January 18].
Standler, R.B. (1999). Computer Crime. [Online]. Available: http://www.rbs2.com/ccrime.htm [Accessed 2001, July 20].
Stiennon, R. & Easley, M. (2002, August 30). Intrusion Prevention Will Replace Intrusion Detection. Gartner [Online]. Available: http://www.gartner.com/reprints/intruvert/109596.html [Accessed 2003, February 14].
Strassmann, P. & Taschek, J. (2000). It gets really scary when hackers join security firms. eWEEK [Online]. Available: http://techupdate.zdnet.com/techupdate/stories/main/0,14179,2420340,00.html [Accessed 2003, February 14].
Strens, R. & Dobson, J. (1993). How responsibility modelling leads to security requirements. In 16th National Computer Security Conference, Sept. 20-23, Baltimore, Maryland: National Institute of Standards & Technology/National Computer Security Center, pp.398-408.
Sung, G. (2001). Businesses play dirty in global high stakes. The Straits Times, June 15, p.5.
TechTalk (2002). InfoSec best practices for executives. 10, p.26.
TechTV (2001a). ‘Cybercrime’ Glossary. [Online]. Available: http://www.techtv.com/cybercrime/aboutus/story/0,23008,3363041,00.html [Accessed 2002, August 18].
TechTV (2001b, July 27). Business Security Tips. [Online]. Available: http://www.techtv.com/cybercrime/internetfraud/story/0,23008,2127598,00.html [Accessed 2002, August 18].
Tee, E. (2001). More to fear from staff than hackers. The Straits Times, January 26, p.15.
Teo, H.W., et al. (1999a). Computer Security in Singapore – Threat or Promise? Today’s Manager Magazine, August/September Issue [Online]. Available: http://www2.sim.edu.sg [Accessed 2001, April 9].
Teo, H.W., et al. (1999b). Computer Security and Practices in Singapore 1999. Singapore: Singapore Institute of Management, Continental Press.
The Associated Press (2000, August 4). ‘Mafiaboy’ Pleads Not Guilty. [Online]. Available: http://abcnews.go.com/sections/tech/DailyNews/webattacks000804.html [Accessed 2002, August 18].
The Associated Press (2001a). Government Flunks Hacker Test. CBS News [Online]. Available: http://www.cbsnews.com/now/story/0,1597,317495412,00.shtml [Accessed 2002, August 18].
The Associated Press (2001b). Teen-age computer hacker ‘Mafiaboy’ gets eight months in juvenile center. [Online]. Available: http://www.antionline.com [Accessed 2002, August 18].
The Canadian Press (2001). Mafiaboy Case Highlights That Hacking Is Easy, Widespread, Hidden. [Online]. Available: http://www.antionline.com [Accessed 2002, August 18].
The Straits Times (1999). The Man Behind Melissa Virus. December 11, p.8.
The Straits Times (2000a). 300,000 credit-card numbers stolen from the Net. January 12, p.4.
The Straits Times (2000b). New hacking tools uncovered. February 26, p.15.
The Straits Times (2000c). Internet ‘Destroyer’. March 4, p.6.
The Straits Times (2000d). Hack, it's just a job for the Russians. March 8, p.6.
The Straits Times (2000e). No one-size-fits-all description for virus writers. May 9, p.42.
The Straits Times (2000f). Mixed Pride over 'I Love You' Creator. May 15, p.43.
The Straits Times (2000g). Global effort to fight cybercrime with laws. May 16, p.45.
The Straits Times (2000h). Political hackers pose threat. November 6, p.6.
The Straits Times (2000j). Nasa hacker pleads guilty. December 5, p.20.
The Straits Times (2001a). Govt websites ‘vulnerable to hackers’. January 4, p.10.
The Straits Times (2001b). Web attacks a jolt for e-commerce. February 17, p.6.
The Straits Times (2001c). US govt agencies not hacker-proof. September 14, p.11.
The Straits Times (2002a). Safeguard and prosper. January 7, p.22.
The Straits Times (2002b). Latest Microsoft messenger programs open to hackers. May 10, p.14.
The Straits Times (2002c). Princeton hacks into Yale online files on students. July 27, p.25.
The Straits Times (2002d). Hacker sends Nasa into a spin after cracking files. August 13, p.8.
The Straits Times (2003). Cyber crime often an inside job. Tech & Science, January 28, p.H9.
The Sunday Times (2000a). ‘Hacker from hell’ out of US jail. January 23, p.2.
The Sunday Times (2000b). Philippine police close in on Love Bug suspect. May 7, p.1.
The Sunday Times (2001). Shanghai task force cracks down on hackers. December 16, p.27.
Thibodeau, P. (2001, September 27). Terrorism fight could prompt new cyberattacks against U.S. companies. ComputerWorld [Online]. Available: http://www.infoworld.com/articles/hn/xml/01/09/27/010927hnnewthreat.xml [Accessed 2002, December 10].
Thomas, O. (2002). Get Over Those Feelings of Online Insecurity. Business 2.0 [Online]. Available: http://www.business2.com/articles/mag0,1643,42946,00.html [Accessed 2002, December 10].
TLC.com (2003, April 8). Hackers: Outlaws and Angels. [Online]. Available: http://tlc.discovery.com/tuneins/hackers2.html [Accessed 2003, February 14].
Trigaux, R. (1998a). A history of hacking. St. Petersburg Times [Online]. Available: http://www.sptimes.com/Hackers/history.hacking.html [Accessed 1999, January 18].
Trigaux, R. (1998b). The underbelly of cyberspace. St. Petersburg Times [Online]. Available: http://www.sptimes.com/Hackers/underbelly_of_cyberspace.html [Accessed 1999, January 18].
Trigaux, R. (1998c). Hidden dangers. St. Petersburg Times [Online]. Available: http://www.sptimes.com/Business/61698/Hackers__third_in_a_s.html [Accessed 1999, January 18].
US Department of Commerce (1979). Guideline for Automatic Data Processing Risk Analysis. Federal Information Processing Standards Publication 65 (FIPS PUB 65). Washington, DC: US Department of Commerce, National Bureau of Standards.
U.S. Department of Justice (1998, February 17). Former Chief Computer Program Designer Arraigned for Alleged $10 Million Computer “Bomb”. [Online]. Available: http://www.cybercrime.gov/lloydpr.htm [Accessed 2001, December 22].
U.S. Department of Justice (1999a, November 22). Internet Service Provider charged with intercepting customer communications and possessing unauthorized password files. [Online]. Available: http://www.cybercrime.gov/alibris.htm [Accessed 2001, December 22].
U.S. Department of Justice (1999b, December 9). Creator of ‘Melissa’ Computer Virus Pleads Guilty to State and Federal Charges. [Online]. Available: http://www.usdoj.gov/criminal/cybercrime/melissa.htm [Accessed 2001, December 22].
U.S. Department of Justice (2000, May 9). Former Network Administrator Guilty of Unleashing $10 Million Programming Timebomb. [Online]. Available: http://www.cybercrime.gov/njtime.htm [Accessed 2001, December 22].
U.S. Department of Justice (2001a, March 20). Ex-GTE Employee Pleads Guilty to Intentionally Damaging GTE Computers. [Online]. Available: http://www.cybercrime.gov/VentimigliaPlea.htm [Accessed 2002, April 6].
U.S. Department of Justice (2001b, March 21). San Francisco Man Arrested on Charges of Trade Secrets Theft. [Online]. Available: http://www.cybercrime.gov/morch.htm [Accessed 2002, April 6].
U.S. Department of Justice (2001c, May 1). Creator of Melissa Computer Virus Sentenced to 20 Months in Federal Prison. [Online]. Available: http://www.cybercrime.gov/melissaSent.htm [Accessed 2002, April 6].
U.S. Department of Justice (2001d, April 4). Two Men Indicted on Conspiracy to Commit Computer and Wire Fraud via Unauthorized Access to Cisco Stock. [Online]. Available: http://www.cybercrime.gov/OsowskiIndict.htm [Accessed 2002, April 6].
U.S. Department of Justice (2001e, April 13). Former Lance, Inc. Employee Sentenced to 24 Months and Ordered to Pay $194,609 Restitution in Computer Fraud Case. [Online]. Available: http://www.cybercrime.gov/SullivanSent.htm [Accessed 2002, April 6].
U.S. Department of Justice (2001f, May 7). Russian National Arrested and Indicted for Penetrating U.S. Corporate Computer Networks, Stealing Credit Card Numbers, and Extorting the Companies by Threatening to Damage their Computers. [Online]. Available: http://www.cybercrime.gov/ivanovIndict.htm [Accessed 2002, April 6].
U.S. Department of Justice (2001g, June 6). Man Indicted for Theft of Trade Secrets from Fabricated Metal Products Inc. [Online]. Available: http://www.usdoj.gov/criminal/cybercrime/DaddonaIndict.htm [Accessed 2002, April 6].
U.S. Department of Justice (2001h, June 18). Hampton Man Convicted and Sentenced for Hacking into Former Employer’s Computer Server. [Online]. Available: http://www.cybercrime.gov/McKennaSent.htm [Accessed 2002, April 6].
U.S. Department of Justice (2001j, June 20). Russian Computer Hacker Indicted in California for Breaking into Computer Systems and Extorting Victim Companies. [Online]. Available: http://www.cybercrime.gov/ivanovIndict2.htm [Accessed 2002, April 6].
U.S. Department of Justice (2001k, July 24). Lusby, Maryland Man Pleads Guilty to Sabotaging IRS Computers. [Online]. Available: http://www.cybercrime.gov/carpenterPlea.htm [Accessed 2002, April 6].
U.S. Department of Justice (2001m, August 7). Former Chase Financial Corp. Employees Indicted for Unlawful Access to Chase Manhattan Bank and Chase Financial Corp. Computer Systems. [Online]. Available: http://www.cybercrime.gov/TurnerIndict.htm [Accessed 2002, April 6].
U.S. Department of Justice (2001n, August 20). Former Cisco Accountants Plead Guilty to Wire Fraud via Unauthorized Access to Cisco Stock. [Online]. Available: http://www.cybercrime.gov/OsowskiPlea.htm [Accessed 2002, April 6].
U.S. Department of Justice (2001p, September 6). Jury Convicts Herbert Pierre-Louis of Sending Computer Virus to Destroy Purity Wholesale Grocers Inc.’s Computer Systems. [Online]. Available: http://www.cybercrime.gov/pierre-louis_Convict.htm [Accessed 2002, April 6].
U.S. Department of Justice (2001q, September 14). Woman Pleads Guilty to Computer Fraud via Unauthorized Access of Employer’s Computer System. [Online]. Available: http://www.cybercrime.gov/brownPlea.htm [Accessed 2002, April 6].
U.S. Department of Justice (2001r, September 24). Brian K. West, Employee of Oklahoma ISP, Pleads Guilty to Unauthorized Access Charge Under 18 U.S.C. § 1030(a)(2)(C). [Online]. Available: http://www.cybercrime.gov/WestPlea.htm [Accessed 2002, April 6].
U.S. Department of Justice (2001s, October 9). Former Chase Financial Corp. Employee Pleads Guilty to Unlawful Access to Chase Manhattan Bank to Defraud Chase Financial Corp. and Chase Manhattan Bank. [Online]. Available: http://www.cybercrime.gov/turnerPlea.htm [Accessed 2002, April 6].
U.S. Department of Justice (2001t, October 10). Russian Computer Hacker Convicted by Jury. [Online]. Available: http://www.cybercrime.gov/gorshkovconvict.htm [Accessed 2002, April 6].
U.S. Department of Justice (2001u, November 26). Former Cisco Systems, Inc. Accountants Sentenced for Unauthorized Access to Computer Systems to Illegally Issue Almost $8 Million in Cisco Stock to Themselves. [Online]. Available: http://www.cybercrime.gov/Osowski_TangSent.htm [Accessed 2002, April 6].
U.S. Department of Justice (2001v, November 30). Former Financial Institution Employee Sentenced for Unauthorized Computer Access to Customer Account Information in Latest Bank Fraud/Identity Theft Prosecutions. [Online]. Available: http://www.cybercrime.gov/schellersent.htm [Accessed 2002, April 6].
U.S. Department of Justice (2001w, December 14). Chardon, Ohio Woman Sentenced for Computer Fraud via Unauthorized Access of Employer's Computer System. [Online]. Available: http://www.cybercrime.gov/brownSent.htm [Accessed 2002, April 6].
U.S. Department of Justice (2002a, February 19). Former Chase Financial Corp. Employees Sentenced for Scheme to Defraud Chase Manhattan Bank and Chase Financial Corporation. [Online]. Available: http://www.cybercrime.gov/williams_turnerSent.htm [Accessed 2002, December 20].
U.S. Department of Justice (2002b, February 26). Former Computer Network Administrator at New Jersey High-Tech Firm Sentenced to 41 Months for Unleashing $10 Million Computer "Time Bomb". [Online]. Available: http://www.cybercrime.gov/lloydSent.htm [Accessed 2002, December 20].
U.S. Department of Justice (2002c, March 12). Man Sentenced for Theft of Trade Secrets from Fabricated Metal Products Inc. [Online]. Available: http://www.usdoj.gov/criminal/cybercrime/daddonaSent.htm [Accessed 2002, December 20].
U.S. Department of Justice (2002d, March 27). U.S. Sentences Computer Operator for Breaking into Ex-Employer’s Database. [Online]. Available: http://www.cybercrime.gov/leungSent.htm [Accessed 2002, December 20].
U.S. Department of Justice (2002e, April 9). FBI Sting Nabs Trade Secret Thief Offering to Sell OnLine Interpreters’ Information. [Online]. Available: http://www.cybercrime.gov/sunIndict.htm [Accessed 2002, December 20].
U.S. Department of Justice (2002f, April 17). Nevada Cybercrime Task Force Nabs Hacker. [Online]. Available: http://www.cybercrime.gov/sanduskyPlea.htm [Accessed 2002, December 20].
U.S. Department of Justice (2002g, April 26). U.S. Charges Engineer with Computer Intrusion, Destruction of Database at Manhattan Apparel Company. [Online]. Available: http://www.cybercrime.gov/eitelbergArrest.htm [Accessed 2002, December 20].
U.S. Department of Justice (2002h, May 16). Former Chief Technology Officer Arrested for Transmitting Threats via the Internet. [Online]. Available: http://www.cybercrime.gov/blumArrest.htm [Accessed 2002, December 20].
U.S. Department of Justice (2002j, August 2). San Fernando Valley Residents Indicted in Scheme to Hack into Software Firm Computer and Delete $2.6 Million Project. [Online]. Available: http://www.cybercrime.gov/cazenaveIndict.htm [Accessed 2002, December 20].
U.S. Department of Justice (2002k, September 9). San Gabriel Valley Man Pleads Guilty to Illegally Accessing Former Employer’s Computers. [Online]. Available: http://www.cybercrime.gov/doppsPlea.htm [Accessed 2002, December 20].
U.S. Department of Justice (2002m, October 4). Russian Computer Hacker Sentenced to Three Years in Prison. [Online]. Available: http://www.cybercrime.gov/gorshkovSent.htm [Accessed 2002, December 20].
U.S. Department of Justice (2002n, December 4). Computer Crime and Intellectual Property Section (CCIPS). [Online]. Available: http://www.cybercrime.gov/cccases.html [Accessed 2002, December 20].
U.S. Department of Justice (2002p, December 17). Disgruntled UBS PaineWebber Employee Charged with Allegedly Unleashing "Logic Bomb" on Company Computers. [Online]. Available: http://www.cybercrime.gov/duronioIndict.htm [Accessed 2003, May 16].
U.S. Department of Justice (2003a, February 6). Former Employee of Viewsonic Arrested on Charges of Hacking into Company's Computer, Destroying Data. [Online]. Available: http://www.cybercrime.gov/garciaArrest.htm [Accessed 2003, May 16].
U.S. Department of Justice (2003b, February 20). Ex-employee of Airport Transportation Company Arrested for Allegedly Hacking into Computer, Destroying Data. [Online]. Available: http://www.cybercrime.gov/tranArrest.htm [Accessed 2003, May 16].
U.S. Department of Justice (2003c, February 26). U.S. Convicts Kazakhstan Hacker of Breaking into Bloomberg L.P.'s Computers and Attempting Extortion. [Online]. Available: http://www.cybercrime.gov/zezevConvict.htm [Accessed 2003, May 16].
U.S. Department of Justice (2003d, February 26). Former Employee of American Eagle Outfitters Indicted on Charges of Password Trafficking and Computer Damage. [Online]. Available: http://www.cybercrime.gov/pattersonIndict.htm [Accessed 2003, May 16].
U.S. Department of Justice (2003e, March 10). Woman Convicted for Unauthorized Computer Access to Customer Account Information in Credit Union Fraud Prosecution. [Online]. Available: http://www.cybercrime.gov/northernPlea.htm [Accessed 2003, May 16].
U.S. Department of Justice (2003f, March 13). St. Joseph Man Pleads Guilty in District's First Computer Hacking Conviction. [Online]. Available: http://www.cybercrime.gov/gerhardtPlea.htm [Accessed 2003, May 16].
U.S. Department of Justice (2003g, March 25). Computer Spammer Sentenced to Federal Prison. [Online]. Available: http://www.cybercrime.gov/mcdanelSent.htm [Accessed 2003, May 16].
U.S. Department of Justice (2003h, April 2). San Jose, California Man Indicted for Theft of Trade Secrets and Computer Fraud. [Online]. Available: http://www.cybercrime.gov/murphyIndict.htm [Accessed 2003, May 16].
U.S. Department of Justice (2003j, April 18). Ex-employee of Airport Transportation Company Guilty of Hacking into Company's Computer. [Online]. Available: http://www.cybercrime.gov/tranPlea.htm [Accessed 2003, May 16].
U.S. Department of Justice (2003k, May 12). Three Indicted in Conspiracy to Commit Bank Fraud and Identity Theft. [Online]. Available: http://www.cybercrime.gov/thomasIndict.htm [Accessed 2003, May 16].
Veen, A.M., et al. (1994). SMART: structured multidimensional approach to risk taking for operational information systems. In Tenth IFIP International Symposium on Computer Security, IFIP Sec '94, Curacao.
Verisign (2002). Guide to Securing Your Website for Business. [Online]. Available: http://www.verisign.com/resources/gd/secureBusiness/index.html [Accessed 2002, December 27].
Verton, D. (2001, July 11). Analysis: Insiders a major security threat. CNN [Online]. Available: http://www.cnn.com/2001/TECH/industry/07/11/insider.threat.idg/index.html [Accessed 2002, December 27].
Vizard, M. (2001, February 21). Beyond firewalls. Computerworld [Online]. Available: http://www.computerworld.com.au [Accessed 2002, December 27].
Wakefield, J. (1999). Chinese hackers sentenced to death. ZDNet UK [Online]. Available: http://news.zdnet.co.uk/story/0,,t269-s2070343,00.html [Accessed 2000, June 20].
Wakefield, J. (2000, August 21). Man accused of Love Bug hack goes free. ZDNet UK [Online]. Available: http://news.zdnet.co.uk/story/0,,t269s2080935,00.htm [Accessed 2001, April 15].
Walker, M. (1999). Russia, hack zone. The Straits Times, October 25, p.33.
Walleij, L. (Undated). Copyright Does Not Exist. Unpublished book [Online]. Available: http://home.c2i.net/nirgendwo/cdne/mainindex.htm [Accessed 1999, January 18].
Walsham, G. (1995). The Emergence of Interpretivism in IS Research. Information Systems Research, 6(4), pp.376-394.
Warman, A. (1993). Computer Security Within Organisations. London: Macmillan.
Wearden, G. & Knight, W. (2000, September 15). Microsoft slammed over WinMe bug. ZDNet UK [Online]. Available: http://news.zdnet.co.uk/story/0,,t269-s2081434,00.html [Accessed 2002, December 27].
Weber, R. (1988). EDP Auditing: Conceptual Foundations and Practice (2nd ed.). New York: McGraw-Hill.
Webopedia (2002). Webopedia Online Computer Dictionary. [Online]. Available: http://www.webopedia.com [Accessed 2002, December 20].
Westbrook, T. (2000, January 24). Russian Crackers. ZDNet UK [Online]. Available: http://comment.zdnet.co.uk/story/0,,t479-s2112812,00.html [Accessed 2001, May 26].
Whipp, R. & Pettigrew, A. (1992). Managing change for competitive success: bridging the strategic and the operational. Industrial and Corporate Change, 1(1), pp.205-233.
Whyte, G., et al. (1997). Understanding user perceptions of information systems success. Journal of Strategic Information Systems, 6, pp.35-68.
Wildstrom, S.H. (2000a). The secrets & lies of cyber-security. Business Week, September 18.
Wildstrom, S.H. (2000b). When software wreaks havoc. Business Week, October 9, p.9.
Willcocks, L. & Margetts, H. (1994). Risk assessment and information systems. European Journal of Information Systems, 3(2), pp.127-139.
Williams, J. (1999, January 25). Infowar: Corporate Hacking. About.com Inc. [Online]. Available: http://netsecurity.about.com/library/weekly/aa012599.htm?once=true& [Accessed 2002, February 26].
Wilson, T. (1998, March 30). Network IT Wages War with Hackers. CMP Publications [Online]. Available: http://netsecurity.about.com [Accessed 1999, January 18].
Winfield, I. (1986). Human Resources and Computing. London: William Heinemann Ltd.
Winkler, I. (1997). Corporate Espionage: What It Is, Why It Is Happening in Your Company, What You Must Do About It. USA: Prima Publishing.
Winkler, I. (1999, February 16). Is Your Coworker a Spy? TechTV [Online]. Available: http://www.techtv.com/cybercrime/spyfiles/story/0,23008,2114569,00.html [Accessed 2001, March 13].
Wong, K. (1977). Risk Analysis and Control. Manchester: National Computing Centre.
Woodward, D. (2001). Security policy management in the Internet age. Information Systems Auditors [Online]. Available: http://www.intnews.com/information_systems_audit.htm [Accessed 2002, July 22].
Young, K. (1999). Online Security Threatens Banks. The Banker, September, pp.21-23.
Yu, E. (2002). Overpriced software makes users unwilling ‘thieves’. Computer Times, November 27, p.64.
ZDNet UK (2000a, May 9). 'Love Bug' suspect released. [Online]. Available: http://news.zdnet.co.uk/story/0,,t269-s2078845,00.html [Accessed 2001, September 25].
ZDNet UK (2000b, June 8). 'Mafiaboy' may face yet more charges. [Online]. Available: http://news.zdnet.co.uk/story/0,,s2079403,00.html [Accessed 2001, September 25].
ZDNet UK (2000c, June 8). Philippines drops case against 'Love Bug' suspect. [Online]. Available: http://news.zdnet.co.uk/story/0,,t269-s2079407,00.html [Accessed 2001, September 25].
Zikmund, W. (2002). Business Research Methods. Ohio, USA: South-Western.

APPENDIX 1

E-Cover Letter

Subject Line: Information Security Human Factors Project

Dear ……,

I am Rita Goh from Preston University (Singapore Campus) and would like to invite you to participate in my PhD survey.

General Information on Project: The project is to identify the most problematic people issues with regard to security in organizations and to examine the best possible ways in which these issues could be addressed. The primary objective of this project is to create greater awareness amongst organizations on the importance of a holistic approach when seeking security solutions.

All information will be archived and used in my PhD Dissertation on the inhibiting human factors affecting security in organizations. The information collected and used in the PhD Dissertation will be kept strictly confidential, and you will remain completely anonymous throughout data processing. The final report will be made available to you once all analyses are completed. However, this line will be kept open for as long as you wish to discuss human related security issues.

Participation is voluntary. If at any time you wish to discontinue your participation in this study, please contact me.

Thank you very much for your consideration. If you have any questions or comments, feel free to contact me. Hopefully we can work together to make the Internet a safer place to surf and conduct business.

Best regards
Rita

APPENDIX 2

Respondents List

No. | Respondent Title | Organization | Years of Security Experience

UNITED STATES
1 | Assistant Professor | UC Berkeley | 3 – 6 years
2 | Associate Professor | University of Maryland | Not sure
3 | Consultant | Aladdin Knowledge Systems | 11 – 15 years
4 | Consultant | SystemExperts Corporation | More than 15 years
5 | Consultant | Cryptography Research Inc. | 3 – 6 years
6 | Consultant | Cisco Systems Inc. | Less than 3 years
7 | Chief Information Officer | Oracle Corporation | More than 15 years
8 | Chief Scientist | Lumeta Corporation | Not sure
9 | Chief Scientist | IBM T.J. Watson Research Center | Less than 3 years
10 | Cryptographer | Arcus Data Security | 3 – 6 years
11 | Cryptologist / Consultant | Okiok Data | 11 – 15 years
12 | Cryptography Researcher | AT&T Labs Research | Less than 3 years
13 | Cryptography Researcher | Bell Laboratories | 3 – 6 years
14 | Cryptography Researcher | Stanford University | Less than 3 years
15 | Cryptography Researcher | IBM T.J. Watson Research Center | 11 – 15 years
16 | Cryptography Researcher | UC San Diego | 3 – 6 years
17 | Cryptography Researcher | Lumeta Corporation | 7 – 10 years
18 | Cryptography Researcher | International Association for Cryptologic Research (IACR) | Not sure
19 | Cryptography Researcher | University of Illinois | More than 15 years
20 | Director of IS Consultancy | QCC Information Security | Not sure
21 | Director of Security Assessment Services | Internet Security Systems | More than 15 years
22 | Information Security Director | Charles Schwab and Co. | 3 – 6 years
23 | IT Security Analyst | Space Hellas S.A. | 11 – 15 years
24 | IT Security Consultant | TruSecure Corporation | Less than 3 years
25 | IT Security Specialist | AT&T Security Software | Not sure
26 | IT Security Specialist | AT&T Security Software | More than 15 years
27 | Ph.D. student | Texas A&M University | 7 – 10 years
28 | Principal Security Consultant | Symantec Security Services | 3 – 6 years
29 | Principal Security Consultant | QinetiQ Trusted Information Management | 3 – 6 years
30 | Principal Scientist | SRI International | More than 15 years
31 | Professor | Brown University | 7 – 10 years
32 | Professor | University of Iowa | Less than 3 years
33 | Professor | Georgetown University | Not sure
34 | Professor | Yale University | 11 – 15 years
35 | Professor | UC Davis | Not sure
36 | Professor | Massachusetts Institute of Technology (MIT) | More than 15 years
37 | Professor | Florida State University | 7 – 10 years
38 | Professor | Massachusetts Institute of Technology (MIT) | 3 – 6 years
39 | Professor | UC San Diego | Less than 3 years
40 | Professor | University of Minnesota | Not sure
41 | Professor | Florida Atlantic University | 7 – 10 years
42 | Professor | California Institute of Technology | More than 15 years
43 | Research Fellow | Purdue University | More than 15 years
44 | Researcher | Stanford University | 3 – 6 years
45 | Researcher | UC Berkeley | Less than 3 years
46 | Researcher | UC Berkeley | Not sure
47 | Research Scientist | Sun Microsystems Inc. | 7 – 10 years
48 | Research Scientist | RSA Laboratories |
49 | Research Scientist | Lucent Technologies Inc. | More than 15 years
50 | Research Scientist | Yale University | 11 – 15 years
51 | Research Scientist | Harvard University | Less than 3 years
52 | Research Scientist | Courant Institute | More than 15 years
53 | Security Analyst | John Hancock | 3 – 6 years
54 | Security Analyst | Symantec Corporation | 3 – 6 years
55 | Security Consultant | Detcom Information Security | Less than 3 years
56 | Security Consultant | Mainstay Security Products | 7 – 10 years
57 | Security Consultant | Arcot Systems | More than 15 years
58 | Security Consultant | Authentica Inc. | Less than 3 years
59 | Security Consultant | Authentify Inc. | 11 – 15 years
60 | Security Consultant | Modulo Security Solutions | 7 – 10 years
61 | Security Consultant | NCider Security Consulting | 11 – 15 years
62 | Security Consultant | Netegrity Inc. | Less than 3 years
63 | Security Consultant | NetScreen Technologies Inc. | Not sure
64 | Security Consultant | Bruck & Associates Inc. | Not sure
65 | Security Consultant | Network Audit Systems Inc. | 7 – 10 years
66 | Security Consultant | Network Security Corporation | Less than 3 years
67 | Security Consultant | Network Security Systems Inc. | Not sure
68 | Security Consultant | Network-1 Security Solutions | 11 – 15 years
69 | Security Consultant | NFR Security | 3 – 6 years
70 | Security Consultant | Certicom Corporation | 7 – 10 years
71 | Security Consultant | Celo Communications Inc. | More than 15 years
72 | Security Consultant | NTRU Cryptosystems | 7 – 10 years
73 | Security Consultant | Checkpoint Software | Not sure
74 | Security Consultant | Citadel Securix | Less than 3 years
75 | Security Consultant | ClickNet Security Technologies | 7 – 10 years
76 | Security Consultant | Collins Consulting Group | More than 15 years
77 | Security Consultant | Palace Guard Software | Not sure
78 | Security Consultant | Pallisade Systems Inc. | 3 – 6 years
79 | Security Consultant | Counterpane Internet Security | 7 – 10 years
80 | Security Consultant | CyberGuard Corporation | 11 – 15 years
81 | Security Consultant | Recourse Technologies | Less than 3 years
82 | Security Consultant | CyberSafe Corporation | Less than 3 years
83 | Security Consultant | CygnaCom Solutions | 7 – 10 years
84 | Security Consultant | Datakey Inc. | More than 15 years
85 | Security Consultant | Datum eBusiness Solutions | 3 – 6 years
86 | Security Consultant | DCT Network Security | Not sure
87 | Security Consultant | RSA Security Inc. | 3 – 6 years
88 | Security Consultant | Digital Signature Trust Co. | Less than 3 years
89 | Security Consultant | Safewww Inc. | 11 – 15 years
90 | Security Consultant | E-Lock Technologies | 7 – 10 years
91 | Security Consultant | e-Security Inc. | Not sure
92 | Security Consultant | Secure Computing | More than 15 years
93 | Security Consultant | Secure Summit Inc. | More than 15 years
94 | Security Consultant | eEye Digital Security | 3 – 6 years
95 | Security Consultant | Ensure Technologies | Less than 3 years
96 | Security Consultant | Entegrity Solutions | Not sure
97 | Security Consultant | Entrust Technologies | 11 – 15 years
98 | Security Consultant | ESecurityOnline.com | More than 15 years
99 | Security Consultant | Security Awareness Inc. | 7 – 10 years
100 | Security Consultant | Security Automation Inc. | Less than 3 years
101 | Security Consultant | SecureLogix Corp. | 3 – 6 years
102 | Security Consultant | Securit-e-Doc Inc. | Not sure
103 | Security Consultant | Predictive Systems | Less than 3 years
104 | Security Consultant | Pelican Security Inc. | 11 – 15 years
105 | Security Consultant | PC Guardian | 3 – 6 years
106 | Security Consultant | PGP Security | 11 – 15 years
107 | Security Engineer | Cryptography Research Inc. | Not sure
108 | Security Engineer | SecureCiRT.com | Less than 3 years
109 | Senior Security Sales Engineer | Guidance Software Inc. | More than 15 years
110 | Technical Director | Johns Hopkins University | 7 – 10 years
111 | Technology Analyst | SmartAxis | 7 – 10 years

UNITED KINGDOM
112 | Chief Security Engineer | Vodafone Ltd | More than 15 years
113 | Chief Technology Officer | Hewlett-Packard Laboratories | 7 – 10 years
114 | Chief Technology Officer | Visa International | Less than 3 years
115 | Chief Technology Officer | Concept Technologies | 3 – 6 years
116 | Computer Forensic Scientist | Forensic Science Service | Not sure
117 | Consultant | Primary Key Ltd. | Not sure
118 | Consultant | Concept Technologies | Less than 3 years
119 | Cryptographer | Racal Research Ltd | 11 – 15 years
120 | Cryptography Consultant | Kryptosec | 3 – 6 years
121 | Cryptography Researcher | University of Cambridge | More than 15 years
122 | Cryptography Researcher | University of Cambridge | 3 – 6 years
123 | Cryptography Researcher | Cypherspace Internet Security | 7 – 10 years
124 | Cryptography Researcher | University of London | 7 – 10 years
125 | Director of Information Security | Information Risk Advisory Services | Not sure
126 | E-Business Security Analyst | Crestco Ltd | Less than 3 years
127 | Global IT Security Director | Reuters Ltd | 7 – 10 years
128 | Group Security Adviser | Prudential PLC | 11 – 15 years
129 | Information Security Consultant | InfoSec | More than 15 years
130 | Information Security Consultant | AMS | 11 – 15 years
131 | Information Security Consultant | Concept Technologies | 3 – 6 years
132 | Information Security Consultant | Securedot Ltd. | Not sure
133 | Information Security Management Consultant | Newbrit Technology Ltd | Not sure
134 | Information Security Manager | Cazenove & Co. | 3 – 6 years
135 | Information Security Specialist | Baring Asset Management | 7 – 10 years
136 | IT Forensic Consultant | Insight Consulting Limited | Less than 3 years
137 | IT Security Contractor | Freelance | 11 – 15 years
138 | IT Security Engineer | Barclays PLC | 11 – 15 years
139 | IT Security Manager | Barclays Capital | 7 – 10 years
140 | Junior Research Fellow | University of Oxford | Not sure
141 | Lecturer | University of Cambridge | More than 15 years
142 | Lecturer | University of Cambridge | 7 – 10 years
143 | Lecturer | University of London | 3 – 6 years
144 | Network Security Consultant | Fujitsu Services | Not sure
145 | Network Systems Administrator | Secureworld Ltd | 7 – 10 years
146 | Penetration Tester | Defcom Security | Less than 3 years
147 | Post Doctoral Research Assistant | University of London | More than 15 years
148 | Post Doctoral Research Assistant | University of London | 3 – 6 years
149 | Postdoctoral Research Fellow | University of Glamorgan | 11 – 15 years
150 | PhD Candidate | University of London | 3 – 6 years
151 | PhD Candidate | University of Kent | Not sure
152 | PKI Analyst | beTRUSTed | Less than 3 years
153 | Principal Security Analyst | Oracle | 7 – 10 years
154 | Professor | University of London | Not sure
155 | Project Security Analyst | Egg PLC | More than 15 years
156 | Research & Development Engineer | Hewlett-Packard Laboratories (Internet Security Solutions Division) | 3 – 6 years
157 | Research Scientist | QinetiQ | 7 – 10 years
158 | Risk Management Specialist | KPMG Information Risk Management | Less than 3 years
159 | Security Analyst | Merrill Lynch HSBC | 11 – 15 years
160 | Security Evaluator | Syntegra | Not sure
161 | Security Consultant | Cylink Consultancy | 7 – 10 years
162 | Security Consultant | Systems Assurance | 3 – 6 years
163 | Security Consultant | AMS (UK) Ltd. | 3 – 6 years
164 | Security Consultant | Computer Associates | 11 – 15 years
165 | Security Consultant | Evolution | More than 15 years
166 | Security Consultant | Echelon Consulting Limited | Not sure
167 | Security Consultant | Accenture | 3 – 6 years
168 | Security Consultant | DEFCOM Security | 7 – 10 years
169 | Security Consultant | PricewaterhouseCoopers | Less than 3 years
170 | Security Research Engineer | Toshiba Research Europe Ltd | 11 – 15 years
171 | Security Specialist | KPMG | Less than 3 years
172 | Security Specialist | KPMG | More than 15 years
173 | Senior Security Auditor | ABN Amro Bank | 7 – 10 years
174 | Senior Security Consultant | PricewaterhouseCoopers | Not sure
175 | Senior Security Manager | Deloitte & Touche | 11 – 15 years
176 | Smart Card Security Architect | Datacard Group | Less than 3 years
177 | Security Architect Consultant | Deloitte & Touche | Less than 3 years
178 | Security Product Manager | COLT Telecom | More than 15 years
179 | Security Software Engineer | Lucent Technologies | 11 – 15 years
180 | Security Specialist | Unisys | 3 – 6 years
181 | Security Specialist | BT Laboratories | Not sure
182 | Security Specialist | Propero Ltd | 7 – 10 years
183 | Security Technologist | Hewlett-Packard Ltd | More than 15 years
184 | Technical Consultant | Context Information Security Ltd | Less than 3 years
185 | Technology Risk Consultant | Andersen | Not sure
186 | Technical Security Consultant | Secure Systems Integration Ltd. | 3 – 6 years
187 | Technology Risk Consultant | Andersen | 7 – 10 years

AUSTRALIA
188 | CTO | Ericsson | More than 15 years
189 | Director | University of Wollongong | 11 – 15 years
190 | Head of Security Unit | DSTC Pty Ltd | 3 – 6 years
191 | Professor | Queensland University of Technology | Not sure
192 | Professor | Deakin University | More than 15 years
193 | Professor | Monash University | 7 – 10 years
194 | Professor | University of South Australia | 11 – 15 years
195 | Security Consultant | Xamax Consultancy Pty Ltd | 3 – 6 years

BELGIUM
196 | Head of Corporate & Information Security | S.W.I.F.T. | Less than 3 years
197 | Professor | Katholieke Universiteit Leuven | 7 – 10 years
198 | Professor | University of Leuven | More than 15 years
199 | Security Manager | Europay International | 3 – 6 years
200 | Security Engineer | Internet Security Systems (ISS) | Not sure
201 | Security Consultant | PricewaterhouseCoopers | 11 – 15 years

CANADA
202 | Cryptography Researcher | McGill University | More than 15 years
203 | Cryptographer | CRYPTOCard | 3 – 6 years
204 | Consultant | Zero-Knowledge Systems Inc. | Not sure
205 | Professor | University of Waterloo | 7 – 10 years
206 | Professor | Institut Canadien de Recherche Avancée (ICRA) | More than 15 years
207 | Security Consultant | LGS Security Services | 11 – 15 years
208 | Security Consultant | Alcatel | 11 – 15 years
209 | Security Consultant | Corporate Risk Management Suite | Not sure
210 | Technical Adviser | BCI | 3 – 6 years

GERMANY
211 | IT Security Consultant | Secorvo Security Consulting GmbH | Less than 3 years
212 | Professor | Technische Universität Darmstadt | 7 – 10 years
213 | Professor | Ruhr-Universität Bochum (RUB) | 11 – 15 years
214 | Professor | Johann Wolfgang Goethe-University | More than 15 years

JAPAN
215 | Professor | University of Tokyo | More than 15 years
216 | Professor | University of Tokyo | Not sure
217 | Professor | Kyushu University | 7 – 10 years
218 | Professor | Tohoku University | 11 – 15 years

KOREA
219 | Executive Vice President & COO | INFOSEC Technologies Co. Ltd. | More than 15 years
220 | IS Senior Consultant | Korea Securities Computing Corporation | Less than 3 years
221 | IT Security Consultant | Korean Information Security Agency (KISA) | Not sure
222 | Junior Security Consultant | Future Systems, Inc. | Less than 3 years
223 | President | Park and Partners | 11 – 15 years
224 | PKI System Engineer | The Electronics and Telecommunications Research Institute (ETRI) | 7 – 10 years
225 | Professor | SungKyunKwan University | More than 15 years
226 | Security Network Engineer | Nextelecom | 3 – 6 years

SINGAPORE
227 | Associate Professor | National University of Singapore | 11 – 15 years
228 | Chief Technology Officer | PrivyLink International Ltd | Less than 3 years
229 | Information Security Consultant | PrivyLink Pte Ltd | 3 – 6 years
230 | IT Security Consultant | CET Technologies Pte. Ltd. | 7 – 10 years
231 | Information Security Specialist | StarHub | Not sure
232 | Principal Security Architect | Standard Chartered Bank | Less than 3 years
233 | Security Consultant | Sun Microsystems | 11 – 15 years
234 | Security Consultant | e-Cop.net | 7 – 10 years
235 | Security Consultant | Sensecurity Institute | 7 – 10 years
236 | Security Consultant | Sensecurity Institute | Less than 3 years
237 | Security Consultant | Systems Access Pte. Ltd. | 3 – 6 years

SWITZERLAND
238 | Cryptography Researcher | IBM Zurich Research Laboratory | More than 15 years
239 | Cryptography Researcher | IBM Zurich Research Laboratory | More than 15 years
240 | Professor | Institute of Theoretical Computer Science | 7 – 10 years
241 | Researcher | Federal Institute of Technology | 11 – 15 years
242 | Security Analyst | Zurich Financial Portal & Online Bank | 3 – 6 years
243 | Security Specialist | Theissen Security System Ltd. | Less than 3 years
244 | Senior Research Scientist | IBM Zurich Research Laboratories | Not sure
245 | Senior Researcher | Institut für Theoretische Informatik | 7 – 10 years

APPENDIX 3

Description of Issues

Adequate Staffing

In one sense, this issue is tied to general personnel issues in that it requires the recruitment and training of individuals for security and support staff positions within the organization. More specifically, it deals with the need for enough of these employees to make security planning, implementation and management feasible and effective. Adequate staffing is both a quantity and a quality issue. Adequate staffing issues relate to the number of qualified staff, employee/individual IT and security expertise, recruitment, budgeting, leadership and training.

Budgeting Issues

IT and security technologies are expensive at a number of levels. This issue refers to the myriad problems facing security administrators with regard to budgeting and its impact on security. Budget concerns for security require the definition and measurement of operating costs, investment costs, training costs and the possible/achieved benefits of security. This issue includes organizational support, leadership, management support, training, rapidly changing technology, ever-changing security threats, existing systems, security planning and management.

Communication Issues

Communication issues refer to the ability of those responsible for security to interact, communicate, disseminate and share information with regard to security. Communication is important in all phases of security, but is especially crucial in planning, policy implementation, security role responsibility, organizational goals and objectives of security, and motivation, in ensuring that there are shared meanings as to the importance of security. Without effective communication, organizational members may lack a sense of purpose and be disoriented with respect to the organizational security goals and objectives needed to achieve security effectiveness. Hence, to achieve effective security, its implications need to be conveyed to organization staff so that all can appreciate how it will affect their work in the future. Communication issues are related to leadership, organizational and management support, senior managers issues, and personnel issues.

Economic Issues

Due to the global economic slowdown and intense international and domestic competition, companies are now resizing, downsizing, restructuring, reorganizing, reengineering or merging in their attempts to become more efficient, cut expenses, or in some cases simply make more short-term profits. All of these will force organizations to cut or freeze security spending, which can have a profound impact on achieving effective security. The lack of funding and attention to security can place them in greater danger of failing to protect the integrity, availability and confidentiality of their data and communications. Economic issues include senior managers issues, organizational and management support and budgeting.

External Consultants

This issue has become particularly important to organizations that often do not have adequate and expert staff to address security issues within their organizations. Outside consultants are typically hired to act as advisors on various issues as well as to provide the security hardware and software for the organization. In terms of security, an important factor to consider in the use of external consultants is what the role of that consultant will be. In other words, will the individual or firm in question be asked to act as an advisor or as a complete security service provider? The use of external consultants must be reviewed in the context of the whole organization’s directives as well as the planning of security and its implementation. The external consultant issue is related to individual/organizational expertise, organizational directives, security planning, security implementation, and existing systems.

External Environment Risks Issues

External environmental risks issues are externally led, macro-level issues that can have an impact on security in organizations either directly or indirectly. Changes in the political climate, ineffective laws, misrepresented media reports and the unavailability of effective solutions are some of the issues related to external environmental risks.

Existing Security Solutions

Existing security solutions issues are primarily those related to the effectiveness of the technical security systems that are available, such as security technologies and software, and their impact. Currently, there are no foolproof solutions that organizations can adopt, and those that are available have been known to be ineffective. Compounding the woes of ineffective security solutions are the lax attitudes of organizations towards security, which make them easy prey for hackers. Existing security solutions issues are related to senior managers issues, budgeting, training,

Individual IT Security Expertise

The issue of individual IT security expertise speaks to the technological savvy of each person within the organization. It is typical for an organization to employ individuals with a very diverse range of IT security competence. It is also typical that some of these individuals will have a willingness and desire to learn more about technology and how to use specific IT, and others will be quite resistant to adapting to new technologies. This issue is related to training, resistance to change, organizational support, and leadership.

Individual Support

This issue refers to the support of individuals within the organization, whether in favor of security or against it. People at all levels of the organization have an impact on security: the more support available throughout the ranks, the more effective the implementation of security policies will be. Individuals can hinder progress at a number of junctures in the implementation process. It is therefore essential to recognize the importance of this issue at the outset. The individual support issue includes resistance to change, training, leadership, and organizational support.

Interdepartmental Coordination

This issue relates to the degree to which an organization is able to coordinate its implementation of security policies across departments. Personnel from the IT department usually assume the primary job responsibility for security. With little senior management involvement, this highly centralized arrangement often leads to security administrators having difficulties coordinating formalized security planning and implementation, among other problems, across departments. Interdepartmental coordination is related to organizational structure, planning, standardization, budgeting, and internal leadership.

Internal Security Systems

The security systems already in place within an organization may have a profound impact on security. Typically, these systems require the regular replacement of old hardware and the upgrading of software and features. More often than not, an organization has a significant investment in hardware and software but provides little or no training. One of the major causes of security breaches is that security systems are outdated or that users make all kinds of mistakes and configuration errors. In these cases the stakes are very high with regard to security. The issue of internal security systems is related to training, resistance to change, rapidly changing technologies, and interdepartmental coordination.

Lack of a Strategic/Formal Security Plan

This issue has become one of the more problematic with regard to security management and implementation. Pressure for quick solutions to very complex security problems has only served to work against formal security planning in organizations. Strategic security planning is viewed by many as “the foundation of effective security”. The successful implementation of security measures in an organization depends heavily on the strategic analysis of the organization’s security needs and objectives. Organizations that do not make use of formalized planning with regard to security may find themselves without direction in a rapidly changing, unsecured environment. The lack of a strategic/formal plan is related to organizational directives, organizational support, internal leadership, interdepartmental coordination, and planning models.

Lack of Holistic Planning and Security Management Models

This issue speaks to the availability and use of integrated planning and security management models with elements of both the technical and the human dimensions. There have been many debates on the ability of technical planning and security management models to enhance the success of security implementations. What is available are the many technical security models, which address the issues of how to manage networks and systems. Currently, no holistic planning and security management models are available that address organizations’ specific human needs and issues, that is, how to plan and manage the proliferation of human related threats affecting them. The lack of a planning model relates to strategic planning, existing solutions, ever-changing security threats and rapidly changing technology.

Leadership Issues

Leadership issues reflect those areas that require the interaction, commitment, involvement and direction of the organization’s board of directors and top management. This issue area reflects the premise that organizational change occurs from the executive level down, necessitating the involvement of top management in all areas of security. One of the problems with security and the workplace is that not everyone is ready or willing to become part of a security conscious organization. In many situations, leadership from the top can help to enhance effective security by example. Internal leadership issues include training, individual expertise, organizational support, personnel issues, and resistance to change.

Legal and Regulatory Issues

This issue refers to any state or federal mandates which affect organizations with regard to information technology and its planning, procurement, and implementation. In addition, it may also refer to any written procedures, specific or internal to organizations, for meeting international standards such as ISO 17799.

Management Support

This issue refers to the support of top management within the organization, whether in favor of security or against it. However, people at all levels of the organization have an impact on security: the more support available throughout the ranks, the more effective security will be. Individuals can hinder progress at a number of junctures in the security policy implementation process. It is therefore essential to recognize the importance of this issue with regard to security policy implementation at the outset. The individual support issue includes resistance to change, training, leadership, and support.

Organizational Culture

This issue is intangible and particularly hard to explain because the culture of an organization is mainly a perception. However, for security to be effective the right kind of culture or environment is required. In most cases this means an organization must consistently find a common ground between individuals and security objectives within the organization. Organizational culture issues include: organizational support, leadership, organizational directives, and organizational IT and security expertise.

Organizational Directives

This issue refers to the missions, objectives, and plans which a particular organization may possess with regard to security. Directives serve as guidelines for the future security plans and actions of the organization. These directives must be strategic and well defined in order to facilitate effective security throughout the organization. Organizational directives relate to security role responsibility, leadership, security planning, organizational support, organizational IT security expertise, budgeting, and rapidly changing security technologies.

Organizational IS Expertise

This issue refers to the overall security savvy of the organization. In addition, it could also refer to how supportive in its nature the organization may be. That is, whether or not an organization focuses financial and human resources on enhancing organizational members’ security expertise to stay ahead of newly created and sophisticated security threats. Organizational IS expertise is related to organizational support, organizational culture, individual IS expertise, individual support, existing systems, and rapidly changing technology.

Organizational IT Expertise

This issue refers to the overall technological savvy of the organization. In addition, it could also refer to how progressive in its nature the organization may be. That is, whether or not this is an institution that has focused resources on enhancing organizational members’ IT ability to stay on the cutting edge of technological developments. Organizational IT expertise is related to organizational support, organizational culture, individual IT expertise, individual support, existing systems, and rapidly changing technology.

Organizational Security Culture

Like organizational culture, this issue is particularly hard to define because of its intangibility. However, for security to be effective the right kind of culture or environment is required. In most cases this means an organization must nurture and incorporate a security orientated culture. Organizational security culture issues include: organizational support, leadership, organizational directives, and organizational security expertise.

Organizational Support

Successful and effective implementation of security measures relies heavily on the support of every single member of the organization. This issue refers to an organization’s predilection toward supporting strategic security vision, planning and implementation at all levels, from shareholders and investors to employees, which in turn will allow it to achieve security effectiveness. The organizational support issue includes: budgeting, organizational directives, organizational culture, management and individual support.

Personnel Issues

Personnel issues are the limiting factors or obstacles that employees face which prevent them from achieving security effectiveness within their organizations, such as lack of management support, lack of communication and lack of training.

Politics

Changes in the global political climate can have an impact on security in organizations. Government officials and business leaders must recognize and address the external political ramifications affecting security in their organizations. Security activities in general are political by nature (i.e. privacy, security, confidentiality, data availability, and data integrity). This issue includes personnel issues, interdepartmental coordination, organizational culture, and external consultants.

Rapidly Changing Security Technology

This issue refers to the difficulties of managing security due to the rapidly changing nature of security technologies. Information security technologies are developed and enhanced so swiftly that an organization may find its planned-for acquisitions are obsolete before the ink on the purchase orders is dry. The changing nature of security technology in general is a primary cause of a multitude of security management conflicts, from development to implementation. Rapidly changing security technology issues are related to budgeting, management support, internal security systems, training, and individual and organizational security expertise.

Resistance to Change

This issue is generally seen as a human resources issue. Part of resistance is couched in fear: fear of security, fear of being displaced by security policies and fear of the unfamiliar. Many individuals (especially those in support staff positions) have a pervasive fear that the implementation of security policies may impede their job functions. Even more predominant in today’s organization is the fear of change. Individuals are often put off by the extra work and effort required in learning new software or a whole new security system. These issues are significantly impacted by the human conditions related to interactions, personal feelings, and perceptions. Resistance to change includes training, individual expertise, security culture, existing systems, and individual and organizational leadership.

Security Management Issues

Issues characterized as security management relate specifically to administrators and their role in the functional operations of security in organizations, such as budgeting, personnel management, network and systems management, and implementation of security policies: in essence, any issue which requires specific attention or directives from an administrator with regard to security. It does not matter how well designed or how sophisticated an organization's information system is if the organization does not have the personnel required to manage security and the people they manage. Managing people is one of the most important issue areas and in many cases one that is chronically ignored. Security management issues include resistance to change, leadership, organizational IS expertise, training, recruitment, and retention of competent security personnel.

Senior Managers Issues In general, senior management issues provide a window for viewing a variety of senior management behaviors and attitudes towards security and its management. Issues characterized as senior management issues speak to senior managers' attitudes, beliefs, and perceptions towards security, such as security risks, adoption of security measures, security knowledge, security threats, and security management. For example: What do top managers believe about security threats? Do those beliefs differ from the actual threats? What impact does this have on the security countermeasures adopted? These are just a few of the kinds of questions raised within the context of senior management issues.

Training This issue is of particular importance regardless of the kind of security measure currently being adopted within an organization. As careless employees pose one of the greatest threats to security in organizations, it has become crucial to make sure that adequate training is provided for all employees. Lack of training can act as a powerful constraint on effective security and overall organizational success. Training issues include: resistance to change, rapidly changing security technology, ever changing security threats, retaining quality employees, decision-making, and individual/organizational IT and IS expertise.

APPENDIX 4 DATABASE

IS ISSUES

EXTERNAL THREATS ISSUES

ENVIRONMENTAL RISKS ISSUES

Third Party

Visitors, consultants, suppliers, vendors

Politics

Political crisis: protests through hack attacks
Terrorism through cyber attacks
Hacktivism: organizations ending up as innocent victims of cyberwar attacks

Legal

No standardization of international cybercrime laws
High legal costs
Difficulty in prosecuting hackers due to the complex nature of hacking
Ineffective laws

Economic

Hypercompetition breeds rivalry amongst companies
Hypercompetition creates a frantic need to gain competitive edge through illegal means
Mergers, acquisitions, strategic partnerships and alliances
Decreased security spending in times of economic slowdown
High dependency on the Internet for daily business activities
Increased Internet connectivity due to globalization
Enhanced value of information due to a knowledge-based economy

Media

Widespread coverage of external security breaches
Reporting focused mainly on large corporate victims of hackers

Natural Disasters

Earthquakes, hurricanes, floods, lightning and fire can cause severe damage to computer systems


New Technologies

New technologies such as wireless devices introduce new unknown security issues

Existing Solutions

Ineffective
Lack of commercial holistic security planning model
Lack of commercial holistic security management model
Rapidly changing security technologies: always need the "latest" technologies
Newly developed security technologies introduce new security problems
Intrusion detection systems not equipped to cope with newly created sophisticated hack attacks and viruses
Flaws and weaknesses in security technologies
Bugs in security software
Outsourcing can generate savings in resources but carries a high risk of breach of confidentiality
Failure to address people problems

Internet

Built and developed without security in mind
Facilitates free sharing of hacking-related information
Lacks regulation
Phenomenal growth in the number of users worldwide has been accompanied by a corresponding increase in hackers
Phenomenal growth in the number of e-commerce companies has been accompanied by a corresponding increase in credit card transactions
Inherent flaws and weaknesses


EXTERNAL HUMAN THREATS

ISSUE DESCRIPTION

Network Hackers

Target banks and financial institutions for financial gain

Script kiddies

Target Internet Service Providers (ISPs), preventing legitimate users from using their services

Software Pirates

The illegal copying and distribution of copyrighted software by software pirates affects businesses in the software publishing, movie and music industries

Phreakers

Free phone calls made by phreakers through the use of technology have caused huge financial losses for telephone companies

Virus creators

Viruses are rampant causing an organization’s files along with vital information to be deleted, making information inaccessible to employees and customers

Hacktivists

Target government and commercial websites in protest at perceived violations of human and animal rights

Social Engineers

Highly sensitive and confidential organizational information has been stolen by social engineers, simply by tricking employees into revealing network passwords

External Consultants

Many companies have become vulnerable to theft of valuable information and trade secrets by relying on external consultants for their security needs

INTERNAL SECURITY THREATS

ORGANIZATIONAL ISSUES

ISSUE DESCRIPTION


Interdepartmental Coordination

Non-cooperation between the security, IT, and human resources departments; or worse still, inter-departmental feuds

Support

Lack of support from directors / shareholders

Directives

Lack of tactical, strategic and operational security goals and objectives
Security role ambiguity

IT Expertise

Lack of competent IT personnel

Security Expertise

Lack of competent security personnel
Using unqualified people to maintain security and providing neither the training nor the time to make it possible to do the job properly

Budgeting

Lack of financial resources
High acquisition costs of security technologies
High implementation costs of security technologies

Culture

Lack of security corporate culture
Authoritative leadership

Directives

Competitive Advantage

Communications

Top-down communication
Failure to communicate the importance of security
Poorly informed security guards and/or IT personnel

Training

Lack of IT training
Non-provision of security awareness training and training for all employees


SECURITY MANAGEMENT ISSUES

ISSUE DESCRIPTION

Outsourcing

Over reliance on consultants, contract workers, or external security companies

Recruitment

The false belief that close questioning during interviews can detect signs of untruths
Failure to screen potential employees thoroughly
A false confidence in the effectiveness of reference checking as a sufficient safety check on the job applicant's background
The need to fill vacancies is allowed to supersede thorough background checks
Overlooking a required background verification because of heavy workload
A once-only background verification or security check with no further continuous monitoring of employees' activities and behaviors
Over-reliance on outsourcing to headhunters and recruitment agencies to supply "safe" recruits

Security Policy

Failure to establish and institute a security policy
Outdated security policies
Poor implementation of security policies

Role Responsibility

Security is the sole responsibility of the IT/Security department
Role ambiguity
No appointment of a security task force

Security Plan

Lack of a strategic / formal security plan


Internal Security Systems

Failure to upgrade
Seek mainly technical solutions
Outdated

Training

Lack of technical training
Lack of security awareness training

SENIOR MANAGERS ISSUES

ISSUE DESCRIPTION

Individual Security Expertise

Lack of security knowledge
Naïve about the real dangers of corporate hacking to their organizations, and also about their tolerance of security practices and the reasons for them
Unaware of the benefits of having a security corporate culture
Unaware of the legal implications of insecurity
Failed to come to grips with the fact that security is a people problem

Individual Support

Not directly involved in the management of security
Lack of commitment
Failure to provide adequate financial and human resources and to empower those tasked with enterprise-wide security

Beliefs

Information is of little value
Security impedes productivity
Security technologies limit functionality of e-business transactions
Security breaches are externally led
Only large corporations are targets of hackers

Views

View security as of little importance
Security training / education is expenditure and not investment
Security as an added expense
Security purely as a technological implementation issue rather than a business issue
The perception that security is the sole responsibility of the security manager or administrator

PERSONNEL ISSUES

ISSUE DESCRIPTION

Individual IT Expertise

Lack of IT skills

Individual Security Expertise

Lack security expertise

Training

Lack of security awareness training
Lack of technical training

Communications

Poor communications
Dearth of security information

Organizational Directives

Uncertain policies and priorities

Lack of Management Support

Lack of supervisors’ support

Leadership

Poor leadership
Lack of senior management support
Lack of senior management involvement

Interdepartmental Coordination

Non-cooperation from fellow colleagues
Lack of team spirit

Inadequate Staffing

High workloads

Motivation

Lack of rewards and recognition
Inadequate pay and benefits

HUMAN THREATS ISSUES

ISSUE DESCRIPTION

Disgruntled Employees

Disgruntled employees hack into their companies' systems and networks to seek revenge for perceived wrongs, causing information and financial losses

Temporary Consultants

Highly sensitive and confidential information has been stolen by temporary consultants to be sold to a rival company or to be used to form another company

Planted Workers

Planted workers have stolen critical information and caused disruption of business operations on behalf of rival companies

Malicious Workers

Malicious workers are those who hack into their organizations' systems either for money or to seek revenge

Careless Employees

The majority of errors made by careless workers are the result of poor training

Ignorant Employees

Ignorant workers, such as those who unknowingly give away passwords to social engineers, are the result of poor security awareness training


Negligent workers

In a similar vein, negligent workers such as those who lose their notebooks and handheld computers which contain valuable company information are the result of poor security awareness training

Teleworkers

Working from home, telecommuters tend to adopt a lax attitude towards security, increasingly putting their companies at great risks

Appendix 5

Improving Security Effectiveness

Participants’ Responses

TECHNICAL


1. Invest in network intrusion detection systems and host-based security systems, as well as virus and worm protection
2. Anti-virus software and firewalls must be updated regularly.
3. Encryption is the most effective way to achieve data security
4. Keep your sensitive data offline, on non-networked machines that aren't dial-up-accessible.
5. Encryption. Without the decryption key, getting at content is virtually impossible.
6. A holistic approach combining intrusion detection and a vulnerability scanner.
7. Identification, authentication and authorization
8. The solution is to design secure networks and to secure the computers that are being compromised to launch the distributed attacks from.
9. Encryption and authentication processes are the way to go.
10. The implementation of PKI solutions will undoubtedly help to improve security
11. Keep up with security bugs
12. Perform simulation attacks on networks and systems.
13. Matching fingerprints and facial features in a database
14. Packet filtering is very, very important, and should be done on all critical systems.
15. Absolutely no services that aren't vital to running the system should be run. There should be no exceptions.
16. Use PKI software
17. Regular network & system monitoring and alerting
18. The system should be secured using as many of the latest technological techniques and software tools as possible.
19. Improve the security of your site by breaking into it.
20. Fingerprint identification
21. Use of software specially designed for an e-commerce environment
22. Increased use of encryption technology
23. Regular third party audits and upgrading of security software
24. Biometrics
25. Encryption, firewalls and intrusion detection systems
26. Lock up data with latest security technologies and software
27. Encryption and biometrics
28. Penetration testing
29. Invest in Internet filtering and monitoring technology
30. Password management
31. Four basic components to improved security: anti-virus, anti-hackers, authentication and access control
32. Access control
33. Authorization
34. Vulnerability testing
35. Data encryption
36. VPN
37. Wireless security
38. Adopting security technologies that help automate key processes while enhancing overall management and control
39. Web content filters
40. Encrypt data that need to be kept secret.
41. Installation of virus protection software is a must
42. Establish a policy that all mobile computers must use the desktop firewall and a VPN
43. PKI authentication
44. Security could be most improved by regular system testing
45. Anti-virus program and good password management practices
46. The best weapon to improve security is a firewall which will hide and disguise an organization's presence on the Internet.
47. Encryption and firewalls
48. Smart cards and access control
49. PKI/Digital certificates
50. Digital certificates and virtual private networking

GENERAL

51. Security auditing and monitoring should be done on a regular and ongoing basis.

52. Better utilization of outside expertise.
53. Security auditing
54. Small companies should demand that developers and suppliers of security products do more to develop, market and package security products which address their needs at an affordable price.
55. Enterprise security management
56. Monitoring and audits by third party
57. Regular security audits by external specialists
58. Organizations should place greater emphasis on security as a core competency rather than an added expense.
59. To be fully effective, information security must be treated as fully equal to all other business issues.
60. View information needs to business value
61. Small companies need to demand better security from their vendors, whether they are their ISPs, hardware, or software providers.
62. As long as organizations are connected to the Internet, there's no such thing as security. It's called control access. If you control the access, everything should be fine. However, if you lose control of the access, that's when there are problems.
63. Security strategy should prevent hackers accessing the system but not staff members from doing their jobs.
64. Virtual and physical access control
65. Develop a security policy that spells out specifically the value of the information and the steps the company is willing to take to protect it.
66. Have a contingency plan in place
67. Organize activities to instill computer security awareness in employees
68. Better security "out of the box" from the OS and program vendors.
69. Greater cooperation is needed between the business sector and the government
70. Engage security professionals to test systems
71. Vigilance, vigilance, vigilance
72. Centralized security management
73. Effective password management
74. System controls must be measured, managed and monitored continuously to ensure that they evolve in step with the organization
75. If possible, the same people who set up the system should administer it, or at least help monitor it.
76. Security must become a corporate governance issue.
77. Implementing a security management approach that supports e-business objectives of protecting and enhancing revenues, limiting liability, and preserving brand integrity
78. Companies need to provide people with the ability to be responsible. But, first of all, senior management must want to take responsibility.
79. Adequate security staff
80. Increased legal remedies
81. To be secure, organizations need to keep things simple and small.
82. Concerted efforts of the business community in working jointly with the authorities.
83. Increased monitoring and increased awareness
84. The first step is to define and develop an information security plan.
85. Establish a policy compliance program
86. Security policies and spending should be driven by both business leadership and security management
87. Security comes from understanding systems, goals and methods
88. Regular performance of information security risk assessment, analysis and security status tracking
89. Engage a third party security provider
90. Nurture a security corporate culture
91. Involve every member of the organization in all aspects of security
92. Involving and empowering every employee in issues related to security
93. Government intervention
94. Ensure every member of the organization is kept well informed of the latest security issues on a regular basis
95. Senior managers must first understand security, its dimensions and potential repercussions
96. Provide security awareness training and education for all employees.
97. Organizations should make information security top priority
98. Managed monitoring of people and processes
99. Actively monitor network and system activities

100. Organizations should be critically aware of the real dangers of hackers to their organizations and perhaps their tolerance of security practices, and reasons for them.
101. A secured network is a well-administered one
102. Keep security simple
103. Manage risk, not risk avoidance
104. Effective security is the result of both technology and policy
105. Security administrators need to decide how much time, money, and effort needs to be spent in order to develop the appropriate security policies and controls.
106. The organization's board must establish a clear policy that addresses security risk management
107. Engage ethical hackers to test for errors in installation and implementation
108. Appoint a security task force
109. A comprehensive security policy should be created and adhered to. It is the single most important part of keeping your site secure, without exceptions.
110. Constant monitoring and trend analysis
111. Define and develop a formalized security plan, and conduct regular security audits
112. Senior management must accept that information security is their sole responsibility.
113. Have business continuity plans in place that outline steps to take in the event of a security breach
114. Tight internal security, allied to strong technical safeguards, should prevent the vast majority of such incidents.
115. More physical and logical access controls
116. Security can be improved by a combination of cautious, guarded awareness, together with a modern anti-virus package and regular updates; every two weeks is recommended.
117. Physical access restriction to critical computing facilities
118. Form a security team reporting directly to senior management
119. Perform regular tests on business continuity plans
120. Companies should run their information security through a continuous loop that focuses on constant improvement.
121. The entire subject of Information Security is based upon Access Control, without which Information Security cannot, by definition, exist.
122. Security administrators should work closely with other departments in combating computer crime.
123. Competent security personnel, adequate budget dollars, and adequate training
134. Companies should develop and adopt corporate-wide security policies.
135. A comprehensive security program

136. Perform regular security audits on e-commerce systems
137. Security tools such as encryption techniques, along with up to date policies and procedures, provide greater clarity for the responsibility for security management
138. It's all about risk management and segregation of duties
139. Implement a comprehensive security program which includes use of encryption, firewalls, intrusion detection systems, incident response procedures, computer forensic response guidelines, monitoring and external audits
140. Acknowledgement by organizations that information security is not an option. In some cases, it is a legal requirement.
141. Continued education of the system and security administrators of the site is essential.
142. Organizations must come to grips with the fact that security is above all, a people problem.
143. Adequate financial and human resources must be provided and empower those tasked with enterprise-wide information security.
144. Continuous monitoring. Consistency is the key to effective security.
145. When hiring new employees in sensitive areas or who will have access to sensitive areas, do a thorough background check.
146. Establish and institute a security policy.
147. A wide-ranging security policy which covers managing the business as a whole, and managing it securely.
148. Senior management need to be informed about information security, what security solutions meet certain business requirements, and what business reasons justify security solutions.
149. Proper resources, financial and otherwise, must be allocated to the personnel who are responsible for keeping the system secure.

150. Adequate financial resources to be invested into building a solid security system
151. Security awareness training and education for every member of the organization and proper security guidelines
152. Greater involvement from senior management on security issues
153. An annual review of security needs and effectiveness; also update the existing security plan to accommodate needs.
154. Creation of strategic security plan.
155. Security needs to be nurtured, grown and permeated throughout the organization
156. Security needs monitoring, refining, adherence, and disciplinary action for non-adherence.
157. Security must be applied consistently at four levels: policy, business process, applications and infrastructure
158. Become proactive in designing confidentiality, integrity, availability and security for today's and tomorrow's environments
159. The impetus for security must come from top management
160. Better communication and training, involvement with management and users.
161. More user department involvement.
162. Needs senior managers' active involvement in drawing up a security policy
163. Information-security training for system and network administrators can substantially boost security effectiveness.
164. More formalized security planning with special emphasis on plan for the training needed in order to switch to alternate systems.
165. We will be developing a comprehensive vision and strategic plan for security in the next 6 months.

166. Organizational members to be taught what their respective roles and what their responsibilities are.
167. A concisely written security manual of the dos and don'ts of corporate information and computer resources
168. Assign high priority to implementing security policies
169. Make security policies and procedures widely known to all members of the organization
170. Monitoring user compliance with security policies
171. Managing people and processes
172. Create a security task force committee.
173. Create tiger teams.
174. Educate potential users and solicit actual needs.
175. Strong ID and password systems can minimise intrusions.
176. Continue emphasis on long term security planning.
177. Use a password management package
178. Development of security policies and procedures must include temporary personnel, consultants, contractors, business partners, vendors and all who have some access to corporate data.
179. Conduct regular and ongoing security awareness programs
180. To hire an external security consultant.
181. To prepare in advance rather than crisis emergency management.
182. Formalize the planning and objectives better.
183. Institute a formal process to be followed each year.
184. Better use of experts, internal and external.
185. Make effective use of a planning committee.

186. Organizations need a formal plan and needs analysis.
187. Prevention is better than cure. It is cheaper and far more effective in the long run to invest in preventing a security breach
188. Better interdepartmental coordination.
189. Developing goals and plans for a period of 5 years into the future.
190. Establish a planning group.
191. Contact additional consultants to get a broader range of opinion on which system is best for us.
192. In preventing security breaches, the first thing that organizations need to do is to measure and analyze previous breaches
193. Security should be driven by business needs, not IT needs
194. A formalized strategic security plan.
195. Adopt Intrusion and detection techniques
196. Security policy is a must
197. Standardization and planning
198. Need top management involvement
199. More communication with departments.
200. Organize security with one person to make decisions, create a security department.
201. Appoint committee to develop program for approval and implementation by board.
202. Communicating importance of need.
203. More formalized security plan with more coordination across departments.
204. Conduct ongoing awareness programs through newsletters and annual reviews to keep employees informed of new security threats and their potential impact on the company

205. Communicate the benefits of protecting corporate assets
206. The key to effective security is authentication and encryption
207. Approval and total commitment of upper management in making security top priority
208. Hiring an external auditor to assess your company's security infrastructure and vulnerability.
209. Create a thorough, concise security policy that covers employee, temporary personnel, consultants, contractors and customers' access, authorization and responsibility.
210. Have upper management sign off on the policy and make the heads of each line of business responsible for its enforcement.
211. Concerted efforts of the business community in demanding that vendors ensure that systems and products are made more secure.
212. Hiring an external consultant
213. Maintain a record of everyone who logs on and off the system. When something goes wrong, an audit record can be a valuable clue to what happened.
214. Remove access and authorization for all departing employees and remind them of obligations to refrain from using the organization's confidential information.
215. When planning security, involve senior management, network administrators, and various department supervisors
216. Develop and implement holistic security policies
217. Effective security requires good policies, efficient processes, and trained people, in addition to hardware and software.
218. Greater utilization of existing information available.
219. Improve needs analysis and formalize planning process.
220. Have a formal compliance program in place
221. Define roles and responsibilities for all participants.

222. Establish formal security and review processes.
223. Create a committee of staff and experts to determine needs and design the security plan.
224. Make use of external consultants to facilitate implementation, hire staff to follow up.
225. Complete study/needs analysis and implement a formal plan.
226. Need to improve, too decentralized when managing security.
227. Have a security analysis done.
228. A strong cryptographic system that provides authentication and encryption.
229. The only option for improving security effectiveness is awareness.
230. Regular reviews of disaster recovery and business continuity plans
231. If the stakes are high, consider e-business insurance
232. The trick for dealing with and overcoming security problems is early detection. The earlier organizations know, the easier it is for them to stop the damage.
233. Only strong authentication such as biometrics or smart cards can stop the would-be intruder from accessing your network.
234. Laws requiring companies to notify customers of actual and suspected security breaches to their networks and systems.
235. Ensuring that policy clearly designates who is to respond to the incidents, what authority these individuals have in responding to incidents, and what actions are permissible and forbidden.
236. Cyber security, physical security, personnel security and all other dimensions of security should be rolled up into an enterprise-wide security program
237. Greater cooperation should be fostered between law enforcement and the private sector

238. Measuring security performance according to recognized standards such as ISO 17799 and other emerging leading practices articulated by industry analysts and professional associations
239. Develop business plans that include recovery strategies in the event of a break-in
240. First line of defence: encryption; last line of defence: cyber insurance

HOLISTIC

241. Developing security programs that integrate people, process and technology while optimizing resources to improve productivity
242. Information security requires a whole-hearted organizational commitment of resources (financial, human and technological) to an enterprise-wide program designed to evolve and adapt to new dangers.
243. Pay attention to all aspects of security: personnel security, physical security and home security.
244. Attend to the issues of training, staffing, budgeting as well as bulking up with the latest proven technologies
245. Security should be designed to make best use of the facilities provided by technology, but must also cover the people and the processes.
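The audit trail that respondents 213 and 214 above recommend (a record of who logs on and off, and prompt removal of departing employees' access) is only worth keeping if someone reviews it. The following is an added example, not code from the dissertation or from any of its respondents, showing one way such a review can be done over a logon/logoff log: it rebuilds each user's sessions and flags logons outside business hours, sessions that were never closed, and activity by an account that should already have been removed. The log format, the account names and hosts, the business-hours window and the DEPARTED list are all constructed assumptions for this example; a real review would read the organization's own log format and take the departed-accounts list from HR or directory data.

```python
"""Audit-record review over a constructed logon/logoff log.

Added example for this dissertation appendix, not the author's or the
respondents' code. Rebuilds per-user sessions from LOGON/LOGOFF events
and flags the three conditions a first-pass reviewer usually looks for.
Everything below (format, users, hosts, times, DEPARTED) is assumed.
"""
from datetime import datetime, time

# Constructed sample records: "<ISO timestamp> <event> <user> <source host>".
SAMPLE_LOG = """\
2003-06-02T08:55:12 LOGON  alice  10.0.1.15
2003-06-02T17:32:40 LOGOFF alice  10.0.1.15
2003-06-02T09:10:03 LOGON  bob    10.0.1.22
2003-06-02T23:47:19 LOGON  bob    198.51.100.7
2003-06-03T00:12:55 LOGOFF bob    198.51.100.7
2003-06-02T18:02:11 LOGOFF bob    10.0.1.22
2003-06-03T02:14:30 LOGON  carol  10.0.1.40
2003-06-03T03:01:02 LOGOFF carol  10.0.1.40
2003-06-03T10:20:00 LOGON  dave   10.0.1.51
"""

# Accounts whose access should already have been revoked (respondent 214).
# Assumed for the example; in practice this comes from HR / directory data.
DEPARTED = {"carol"}

# Assumed business-hours window; logons outside it are flagged for review.
BUSINESS_START = time(7, 0)
BUSINESS_END = time(20, 0)


def parse_events(text):
    """Parse log lines into (timestamp, event, user, host) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, user, host = line.split()
        events.append((datetime.fromisoformat(ts), event, user, host))
    events.sort(key=lambda e: e[0])
    return events


def build_sessions(events):
    """Pair each LOGON with the next LOGOFF for the same (user, host).

    Returns a list of session dicts; 'end' stays None for a session that
    never saw a matching LOGOFF.
    """
    open_sessions = {}
    sessions = []
    for ts, event, user, host in events:
        key = (user, host)
        if event == "LOGON":
            session = {"user": user, "host": host, "start": ts, "end": None}
            open_sessions[key] = session
            sessions.append(session)
        elif event == "LOGOFF" and key in open_sessions:
            open_sessions.pop(key)["end"] = ts
    return sessions


def review_sessions(sessions, departed=DEPARTED):
    """Return (user, host, start, reason) for every session worth a second look."""
    findings = []
    for s in sessions:
        reasons = []
        if s["user"] in departed:
            reasons.append("departed account still active")
        if not BUSINESS_START <= s["start"].time() <= BUSINESS_END:
            reasons.append("logon outside business hours")
        if s["end"] is None:
            reasons.append("no matching logoff")
        for reason in reasons:
            findings.append((s["user"], s["host"], s["start"].isoformat(), reason))
    return findings


def review_log(text, departed=DEPARTED):
    """Convenience wrapper: raw log text in, list of findings out."""
    return review_sessions(build_sessions(parse_events(text)), departed)


if __name__ == "__main__":
    for finding in review_log(SAMPLE_LOG):
        print(*finding)
```

On the constructed log this reports bob's late-night logon from an outside address, carol's out-of-hours session on an account that should have been removed, and dave's session with no logoff. Sessions are keyed on user and host so that a user's concurrent logons from two places, as in bob's case, are not silently merged.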

