The Meaning of Security

Week 1: Chapter 1: The meaning of Security

The cultural legacy: Business prevention

• Security has a bad reputation, especially information security. No one really likes or appreciates the “security guys”.  They are also called the ‘business prevention’ department. So the questions are to ask as to why this is so are: how did it happen?; why did we get this reputation?; and what did we do wrong?. Are the terms SECURITY and SECURE not defined properly?
• SECURITY is a relative term. There is actually no absolute scale of security or insecurity. Both terms only have a meaning when you are discussing something valuable. Something valuable that is in some shape or form, at risk and needs to be secured. Then the questions arise, how much security is needed, which depends upon the value and upon the operational risk. The other question is how do you measure the operational risk.

Measuring and Prioritizing Business risk

• Now SECURITY is used to protect things that are of value. So, in a business environment, things of value are known as ASSETS. If the assets are damaged or destroyed in some way, they this business will suffer the impact. In order to prevent threats, in which, crystallize into loss events, a layer of protection needs to be implemented in order to keep the threats away from the assets. Now if the assets are poorly protected, meaning the security is poor, then that allows a vulnerability to the threat. In order to improve protection as well as reduce the vulnerability, security controls need to be introduced which can either be technical or procedural.
• OPERATIONAL RISK ASSESSMENT is the process of identifying business assets, recognizing threats, assessing the level of business impact and analyzing the vulnerabilities. OPERATIONAL RISK MITIGATION is when you apply suitable controls to gain balance between security, usability, cost as well as other business requirements. OPERATIONAL RISK MANAGEMENT is when risk assessment and risk mitigation are jointly comprised.
• The main thing that we have to understand here is that risk management is all about identifying and prioritizing the risks through the risk assessment process as well as applying levels of control in line with those priorities. Now what we actually get from risk assessment is a set of business requirements for security and control, ranked in order of priority. These are usually expressed as a series of control objectives, which means that they are an abstract description of business requirements for control. These are used to drive the selection of risk mitigation approaches anywhere from broad security and control strategies to logical security services, to physical security mechanism as well as eventually the security products, tools and technology components.
• Another term that comes to mind, instead of the term ‘control objectives’ is ‘ENABLEMENT OBJECTIVES’. This term means that security is primarily all about business enablement and not all about business prevention.

Information Security as the Enabler of Business

• Information security professionals just want a better reputation because their investments in information security are a key success factor for business. Their information security strategy is critical to not only current but future business growth as well. The no longer want to be known as ‘business prevention’ department, but the “business enabling’ department. In order for that to happen, they must do their job properly. Now there are several KEY TECHNOLOGIES that are changing the way business will be done in the future. They are:

• The Internet and the World Wide Web with all its services and protocols, especially the emerging ‘web services’ protocols
• Mobile handset with sophisticated communications and processing capabilities
• Web-enabled digital television and the prospect of other web-enabled domestic appliances, especially for delivering entertainment and information services
• The client server distributed architectures and advanced middleware products
• High-bandwidth digital communications
• Advanced data networking protocols
• Wireless communications
• Public key infrastructure
• Network computing, thin clients, and mobile code

• As a result of these technologies, the major change that we will be seeing is the continued migration of both the point of sale as well as the point of delivery right into the premises of the customer. This is actually called B2C (BUSINESS TO CONSUMER), which is what electronic business or digital business actually means. Essentially, people can buy something or transact business without having to make a physical visit. They can do everything without leaving their house. A few clicks with their mouse and it is all completed. Now B2B (BUSINESS TO BUISNESS) is more of when businesses make digital transactions from one organization to the other. Because of all of this, there a re a number of possible threats, impacts, as well as vulnerabilities that will arise. Lack of customer confidence is a major obstacle to digital business and eBusiness development.  Such major business risks can include:

• Disclosure of private, personal information (bank accounts, medical history personal information)
• Fraudulent buyers
• Fraudulent sellers
• Theft or payment of authorization details (credit card data)
• Errors or mistakes on a large scale (you ordered how many?)
• Disputes that are difficulty to resolve because everyone refuses to take responsibility
• Frustration and loss of confidence in systems that do not work properly

• There are a few firms that have experienced some of these risks that I have mentioned firsthand.

• Page 7: The Wrong Accounts

• Retail online banking
• Online banking security breaches are very damaging to reputations.

• Page 7: In Denial

• Major public utilities company
• Public relations management is just as important as technical expertise in the protection of reputation.

• Page 8: Failure to Deliver

• Another banking tale
• Scaling and capacity planning are critical issues with respect to service availability.

• Page 9: A Texting Problem

• Electronic government, an electronic interface for handling personal tax returns.
• Electronic government will only succeed if the citizens can have confidence in the correct operation of the systems.

• Page 10: Disintegration

• An Insurance group suffering major problems in launching its new service.
• System integration is a major challenge in the delivery of legacy back-end service through new front-end portals.

• Now this is when we need to prove how good we are. We need to take the technology that is proved as well as we need:

• A good understanding of the business needs and risks
• Strategic architectures
• Project management
• System integration
• Security management policies and practices
• Enterprise-wide security culture and infrastructure.

Adding Value to the Core Product

• INFORMATION AND COMMUNCATION TECHNOLOGY (ICT) is what is impacting the industry in the two following ways:

• The products themselves are incorporating more and more embedded ICT systems
• The support of these products is very information-intensive, and the supply of this support information is becoming more automated.

• Electronics is what is becoming an integral part of many products; online information available to customers is a key aspect of product support.

• Page 11: Safety Assurance

• Customer confidence in safety-critical systems is created and maintain through a comprehensive assurance programme.
• Key goal is ASSURANCE

• Page 11: Raising Expectations

• Product support during and after delivery
• New ways of working enabled by new technology have a significant impact on customer expectations.

• Now with these case studies, customer decisions are affected by perceptions of service. Customer confidence will only be maintained if these services are secured to an appropriate level, taking into account the business risks.

Empowering the Customers

• What customer empowerment is, is giving the customer choices, which in turn is empowering them. So, what happens is that, these information systems become important competitive factors for the suppliers because the customers will use their power to select those suppliers who can meet the challenge of providing these benefits.

• Page 12: Supplying Power to the Customer

• Understanding the concept of customer service is critical to business success in the new economy.
• CUSTOMER SERVICE

• INFORMATION SECUIRTY is a critical component; it can deeply affect perceptions of customer service. Customers will evaluate suppliers on many levels. So, where inline information systems are involved, this means that the quality, reliability, integrity, and availability of such information services will be the key factors in determining which suppliers succeed and which do not. Bottom-line here is that SECUIRTY QUALITY and INFORMTATION SECURITY are closely linked.

Protecting Relationships and Leveraging Trust

• Business relationships are based upon TRUST. When someone does business with another, at whatever level, that person eventually establishes some level of trust in the other party. Trust is quite essential and a pre-requisite when doing business. It is entirely a relationship thing. Trust is not created through technical systems even though technical systems are used to protect the trust in the relationship that already exists. Trust is through some mutual knowledge between the parties.

• Page 14: Trusted Sources

• If you trust the source of an information service, you must also be sure you can are talking to the authentic trusted party and not to an impostor.

• When it comes to trust, trusted third parties act as intermediaries to introduce business partners to one another. They are very important when it comes to setting up digital business networks.  Essentially what this means is that two parties trust the third party, transitive trust, and it is their job to convince the other two parties to trust each other. This is all usually achieved by the trusted party issuing an entity with some certified credentials; digital certificate which is certified by a digital signature of the trusted third party.

Chapter 1 Summary: What does SECURITY MEAN? page 16

• SECUIRTY is all about protecting business assets and goals. It means providing a set of business controls that are matched to the business needs. This in turn, is derived from an assessment and analysis of business risks. Risks management’s objective is to prioritize risks to focus on those that require mitigation.
• RISK is a concept that is complex, and for any given course of action there is a risk that is associated with it or not. Therefore, one should make sure not to mitigate a specific risk, whilst unintentionally increasing the overall risk to the wider range of the business goals and objectives.
• Secure information services is what empowers customers, which enables them to do business more easily, as well as providing them with enhanced services that will have competitive value. Security in business information systems also protects and leverages the trust that exists between business partners, which allows them to establish relationships and to do business in new ways using new technologies.