Information Security
•Age-old concept
•Consists of four basic parts:
•Availability: Accessibility of information for a purpose.
•Integrity: Completeness, wholeness, and readability of information, and the quality of being unchanged from a baseline state.
•Authenticity: Validity, conformance, and genuineness of information.
•Confidentiality: Limited observation and disclosure of knowledge only to authorized individuals.
•Technological advances both help and hinder its progress.
Computer Security
Where does computer security come in?
•It is just a new dimension of information security, albeit a dynamic one.
•Brought into force by the rapid and extensive diffusion of digital computing and networking technologies
•Growth in the volume of valuable information
•At the same time, avenues by which it may be compromised have increased many-fold.
Interpretations
•Computer security in terms of information security basics:
•Availability: keeping a database server up at all times; threatened by denial-of-service attacks.
•Integrity: ?
•Authenticity: threatened by man-in-the-middle attacks.
•Confidentiality: passwords and other methods of authentication.
Tradeoff: Usability vs. Security
•Capability for managing, processing, and communicating information has increased.
•Securing these technologies and the information is difficult and expensive.
•Costs involved:
•planning, designing, and implementing safeguards,
•participation of everyone in the organization.
•The second cost limits the freedom to use the technology to its fullest extent.
•Fundamental tension between security and usability:
•Security requires that information and access to it be tightly controlled
•Advantage of the information technologies is their ability to enable the free flow of information.
•In competitive industries, usability is a priority over security.
Problems of Security
•Good statistics on computer-related crime are rare.
•Management has to be convinced to spend actual resources to address hypothetical losses.
•Security initiatives are of uncertain and poorly quantified benefit, so they are seen as:
•Reducing computer usability and worker productivity.
•Not providing any tangible benefits.
•Addressing only the concerns of computer security gurus.
•Managing computer security risk, as in other fields, requires:
•Managing an open and rational process.
•Increased dependence on quantified costs and benefits.
Definition of Risk
•A formal risk framework is a useful tool for decomposing the problem of risk management.
•Risks are assessed by
•evaluating preferences,
•estimating consequences of undesirable events,
•predicting the likelihood of such events, and
•weighing the merits of different courses of action.
•Risk = {(L1, O1), . . . , (Li, Oi), . . . , (Ln, On)}
a set of ordered pairs of likelihoods and outcomes.
•Each Li is the likelihood of the corresponding outcome Oi.
Risk Management
•A policy process wherein
•Alternative strategies for dealing with risk are weighed and
•Decisions about acceptable risks are made.
•Policy options have varying effects on risk, including
•reduction,
•removal, or
•reallocation
•An acceptable level of risk is determined and a strategy for achieving that level of risk is adopted.
•Decision-making process involves
•Cost-benefit calculations,
•Assessments of risk tolerance, and
•Quantification of preferences.
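As an added worked example (not from the lecture slides) of the Risk = {(L1, O1), . . . , (Ln, On)} definition and the cost-benefit step of risk management, the following Python aggregates a constructed risk set as expected loss, sum(Li * Oi), and compares the three policy options (reduction, removal, reallocation) against their cost. The expected-loss aggregation, the way each option is modelled and all sample numbers are assumptions made for this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Pair:
    likelihood: float  # Li: probability of the outcome per period, in [0, 1]
    outcome: float     # Oi: loss if the outcome occurs, in currency units


def expected_loss(risk):
    """Aggregate a risk set into one number: sum of Li * Oi (assumed model)."""
    for p in risk:
        if not 0.0 <= p.likelihood <= 1.0 or p.outcome < 0.0:
            raise ValueError(f"invalid pair {p}")
    return sum(p.likelihood * p.outcome for p in risk)


def reduce_risk(risk, factor):
    """Reduction: a safeguard scales every likelihood by `factor` in [0, 1]."""
    return [Pair(p.likelihood * factor, p.outcome) for p in risk]


def remove_outcome(risk, index):
    """Removal: eliminate one outcome entirely (e.g. retire the exposed service)."""
    return [p for i, p in enumerate(risk) if i != index]


def reallocate(risk, covered_fraction):
    """Reallocation: transfer part of each outcome to a third party (insurance)."""
    return [Pair(p.likelihood, p.outcome * (1.0 - covered_fraction)) for p in risk]


def net_benefit(before, after, annual_cost):
    """Cost-benefit: expected loss avoided by the option minus what it costs."""
    return expected_loss(before) - expected_loss(after) - annual_cost


# Constructed sample risk set: two undesirable events for a database server.
BASELINE = [
    Pair(0.20, 50_000.0),   # denial of service: 20% per year, 50k loss
    Pair(0.05, 400_000.0),  # data breach: 5% per year, 400k loss
]


def compare_options():
    """Return {option name: net benefit} for three constructed policy options."""
    options = {
        "reduction": (reduce_risk(BASELINE, 0.5), 8_000.0),     # DoS mitigation
        "removal": (remove_outcome(BASELINE, 0), 25_000.0),     # retire public endpoint
        "reallocation": (reallocate(BASELINE, 0.8), 20_000.0),  # insure 80% of losses
    }
    return {name: net_benefit(BASELINE, after, cost) for name, (after, cost) in options.items()}
```

Run `compare_options()` to see that, for these constructed numbers, reduction gives the largest net benefit while removal costs more than the loss it avoids.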