A Management Perspective on Risk of Security Threats to Information Systems

Information Technology and Management 6, 203–225, 2005. © 2005 Springer Science + Business Media, Inc. Manufactured in The Netherlands.

FARIBORZ FARAHMAND ff@cc.gatech.edu
SHAMKANT B. NAVATHE sham@cc.gatech.edu
College of Computing, Georgia Institute of Technology, Atlanta, Georgia 30332-0280

GUNTER P. SHARP gsharp@isye.gatech.edu School of Industrial and Systems Engineering, Georgia Institute of Technology

PHILIP H. ENSLOW enslow@cc.gatech.edu College of Computing, Georgia Institute of Technology, Atlanta, Georgia 30332-0280

Abstract. Electronic commerce and the Internet have enabled businesses to reduce costs, attain greater market reach, and develop closer partner and customer relationships. However, using the Internet has led to new risks and concerns. This paper provides a management perspective on the issues confronting CIOs and IT managers: it outlines the current state of the art for security in e-commerce, the important issues confronting managers, security enforcement measures and techniques, and potential threats and attacks. It develops a scheme for probabilistic evaluation of the impact of security threats with some illustrative examples. This methodology may be used to assess the probability of success of attacks on information assets in organizations, and to evaluate the expected damages of these attacks. The paper also outlines some possible remedies, suggested controls and countermeasures. It then proposes the development of cost models which quantify the damages of these attacks and the effort of confronting them. The construction of one such cost model for security risk assessment is also outlined; it helps decision makers select the appropriate countermeasure(s) to minimize damages and losses due to security incidents. Finally, some recommendations for future work are provided to improve the management of security in organizations as a whole.

Keywords: business, cost, information system, management, security, threat

Introduction

The vast growth potential of Internet-based commerce is tempered by legitimate concerns over the security of a system that has a large number of potentially vulnerable components. Despite the potential rewards of conducting business on the Internet, some corporations have been slow to embrace this technology. Perhaps the most important reason for both businesses and consumers to refrain from establishing and participating in electronic commerce (e-commerce) is the potential for loss of assets and privacy due to potential security breaches in such systems. For example, a single, highly-publicized security breach can erode confidence in the business and not only damage the reputation of the firm, but can cause widespread repercussions in the e-commerce industry.

Commerce always involves payers and payees who exchange money for goods or services. Building trust between the payer and the payee on the Internet, intellectual property rights, and interactions between the payers and the payee are the new issues of commerce of our age. Security is essential in establishing this trust and interaction. These issues, as well as some special considerations for mobile e-commerce, are addressed in the next part of this paper.

A very large amount of time and money has been spent on providing secure networks, and many good practices have been developed to implement security measures. However, there is always the possibility of a breach of security. A list of possible attacks on the network, security measures at the database and network levels, and some models for access control are presented in Section 3 of the paper.

Regardless of all the existing countermeasures, statistics show that the chances of computer security system failure are still very high. The Internet Fraud Complaint Center, IFCC (a partnership of the National White Collar Crime Center and the Federal Bureau of Investigation) reports 16,775 complaints of fraud for the Jan. 1, 2001–Dec. 31, 2001 period. The majority of these frauds were committed over the Internet or similar online services. These frauds have caused serious tangible and intangible losses to the companies and to the e-commerce industry as a whole. The authors believe that to have a systematic study of e-commerce security issues, we first need an organized classification that helps our understanding of threats. After reviewing the literature on existing classifications, we propose a comprehensive classification for threats and countermeasures at the end of Section 4. Then we discuss the implications of security incidents, review some of the existing methods to quantify their costs, and propose a risk management system to evaluate the threats and countermeasures. We also provide some recommendations to assist managers in facing the challenges of e-commerce.

1. Electronic commerce security issues

The recent burgeoning of new communication technologies and, in particular, the Internet explosion has brought electronic commerce to the early stages of a widespread deployment. However, businesses are concerned about trading beyond this stage, largely because of concerns about trust, intellectual property management, security of transactions, and possible attacks on the network.

1.1. Trust in electronic commerce

Traditional commerce differs from electronic commerce for several reasons: (1) in traditional businesses, the location of the business, the physical inventory of goods, etc., is known; (2) in most situations, there is personal contact between the seller and the buyer; (3) there is a clear legal framework. Lack of these can strongly impact trust in electronic commerce business. Several researchers have studied trust in electronic commerce [2,21,23,24]. Among the important factors mentioned by Manchala [23], the following stand out:

Transaction cost: The risk of a transaction could be a function of the cost of goods and services: a careful buyer gives more thought to expensive purchases. Similarly, a vendor might not worry about losing revenue on a single micro-transaction of negligible value, but the risk increases with the cost of a single transaction or the number of transactions, and so does the vendor’s attention to revenues and expenses.

Transaction history: Transaction history is similar to a person’s credit history. Just as a bank checks a person’s credit history before issuing a loan or increasing a credit limit, a customer’s transaction history can be a base for measuring trust.

Indemnity: The trust level of a transaction is increased when a trusted intermediary makes a guarantee against loss. This is especially true for new customers or vendors without transaction histories: they cannot perform expensive transactions unless guaranteed by a trusted intermediary.

McKnight et al. [24], in perhaps the most comprehensive analysis of trust in e-commerce, develop a multidisciplinary, multidimensional “web trust model” that includes four high-level constructs: disposition to trust, institution-based trust, trusting beliefs, and trusting intentions. These are further subdivided into 16 measurable sub-constructs. The approach is demonstrated and compared with other trust constructs for e-commerce via a hypothetical Web site for legal advice.

1.2. Intellectual property management

Intellectual property (IP) is a legal term that refers to copyright and related rights. It is expected to play an increasing role in coming years.

There are several reasons why IP is important to e-commerce and e-commerce is important to IP. E-commerce, more than other business systems, often involves selling products and services that are based on IP and its licensing. Music, pictures, photos, software, designs, training modules, systems, etc., can all be traded through e-commerce, in which case, IP is the main component of value in the transaction. It is important because the things of value that are traded on the Internet must be protected, using technological security systems and IP laws, or else they can be stolen or pirated and whole businesses can be destroyed.

Also, IP is involved in making e-commerce work. The systems that allow the Internet to function—software, networks, designs, chips, routers and switches, the user interface, and so on—are forms of IP and often protected by IP rights. Trademarks are an essential part of e-commerce business. Similarly, branding, customer recognition and goodwill are essential elements of Web-based business, and as such are protected by trademarks and unfair competition law.

Finally, e-commerce based businesses usually hold a great deal of their value in IP; so the valuation of an e-commerce business can be affected by whether managers have protected their IP. Many e-commerce companies, like other technology companies, have patent portfolios and trademarks that enhance the value of their business. The World Intellectual Property Organization (WIPO) has also published some useful information on its homepage http://www.wipo.org/ about intellectual property and e-commerce.

1.3. Special considerations for mobile e-commerce

In the past few years there has been an explosive growth in the popularity and availability of small handheld devices like mobile phones, PDAs, etc. It is predicted that these devices will soon outnumber traditional Internet hosts like PCs and workstations. Strategy Analytics, among other market research groups, predicts that by 2004 there will be over one billion (10^9) wireless device users, some 600 million wireless Internet subscribers, and a $200 billion ($200 × 10^9) mobile e-commerce market [13].

In addition to contending with the usual Internet security threats in online applications, wireless devices introduce new hazards specific to their mobility and communication medium. They include:

• Bandwidth and memory limitations

• Limited scope of the hardware due to battery life and size limitations

• Reestablished connections without re-authentication

• Excellent cover for malicious users

• Risk of theft of mobile devices

• Likelihood of inputting private information into mobile devices

The security of the Wireless Application Protocol (WAP), the protocol used by many wireless applications, is also a matter of controversy. WAP advocates argue that Wireless Transport Layer Security (WTLS) provides a secure infrastructure for mobile e-commerce applications. However, critics believe that in the process of translating one protocol to another, WTLS to Secure Sockets Layer (SSL), when the data is decrypted and re-encrypted, an attacker might be able to compromise the WAP gateway by simply capturing the data when it is decrypted.

2. Network attacks and control measures for electronic commerce

In any large organization today, the corporate strategic, tactical, and operational data resides in multiple databases that are continually updated to reflect the transaction activity in the e-commerce-based applications. Networks are used to connect the users to databases (in B2C commerce) and the computer systems among themselves (in B2B commerce). Most security breaches involve accessing unauthorized data or accessing a network illegally. Security for e-commerce thus broadly translates to security of networks and databases.

To confront the threats to electronic commerce transactions, and in general to networks, the ISO (International Organization for Standardization) recommends some security services and mechanisms in its Standard 7498-2. In the next subsection we first provide a list of network attacks which are primary threats to e-commerce. Then we consider the security measures from two aspects: database security and network security.

2.1. Network attacks

Before a manager can determine how much time and money needs to be spent on the security strategy, one should know what type of attacks may jeopardize the network and the company which is connected to that network. The most common types of attacks are:

IP spoofing attacks: A hacker steals an authorized Internet Protocol (IP) address, which is a unique address for a node on a communication network. Typically, this is done by determining the IP address of a computer, waiting until no one is using that computer, and then using the temporarily inactive IP address.

Packet sniffing attacks: The hacker listens to Transmission Control Protocol/Internet Protocol (TCP/IP) packets coming out of the network and steals the information in them. Typical information includes user logins, e-mail messages, credit card numbers, etc.

Password attacks: Passwords are a common weak point in any system. Hackers generally find a user with an easy password or use a special program which cycles through a range of words from a dictionary. The worst nightmare of this type of attack is when a hacker determines the system administrator password (or that of a user who has system privileges).

Sequence number prediction attacks: Initially, in a TCP/IP connection, the two computers exchange a startup packet which contains sequence numbers. These sequence numbers are based on the computer’s system clock and then run in a predictable manner, which often can be determined by the hacker.

Session hijacking attacks: The hacker taps into a connection between a client and a server. The hacker then simulates the connection by using its IP address.

Shared library attacks: Many systems have an area of shared library files. These are called by applications when they are required for input/output, networking, graphics, and so on. For example, a hacker may replace standard libraries with altered ones, which allows the hacker to access system files and to change file privileges.

Social engineering attacks: The attack is aimed at users who have little understanding of their computer system. A typical attack is where the hacker sends an e-mail message to naïve users, asking for their password.

Technological vulnerability attacks: These normally involve attacking some part of the system (typically the operating system), which allows a hacker to access the system. A typical one is for the user to gain access to a system and then run a program which reboots the system or slows it down by running a processor-intensive program.

Trust-access attacks: These allow a hacker to add their system to the list of systems which are allowed to log into the system without a user password.

2.2. Database security measures

The requirements for security of database systems can be listed as follows.

Physical database integrity: ensures that the database is immune to physical problems such as power failures and that someone can reconstruct the database if it is destroyed through a catastrophe. Well-designed database systems use automatic recovery mechanisms to recover from unprocessed transactions in times of failure.

Logical database integrity: ensures that the structure of the database is preserved. With logical integrity of a database, a modification to the value of one field does not affect other fields, for example. Today’s database systems are incorporating elaborate semantic safeguards to maintain the semantic consistency and validity of a database.

Data integrity: typically a function of two parameters: correct generation of data, and correct storage and transmission.

Auditability: to be able to track who has accessed (or modified) the elements in the database.

Access control: this allows the user to access only authorized data so that different users can be restricted to different modes of access (such as read or write).

Database user authentication: to ensure that every user is positively identified, both for the audit trail and for permission to access certain data.

Availability: ensures that users can access the database in general at any time and have all the data available to them for which they are authorized. For a general discussion of security issues in databases, see Chapter 23 of [6].

2.3. Encryption and access control as security measures

Some controls to protect networks are encryption and access control:

Encryption: provides confidentiality for data. Encryption is one of the most fundamental building blocks of secure computing and a means of maintaining secure data in an insecure environment. Two of the most important encryption algorithms are: (1) Rivest-Shamir-Adleman (RSA), and (2) the Data Encryption Standard (DES) proposed by the National Bureau of Standards in 1977 [26]. RSA was developed in 1978 [31] and has since reigned supreme as the most widely accepted and implemented approach to public key encryption. With a public key encryption system, each user has a key that does not have to be kept secret. The public key transformation is essentially a one-way encryption with a secret (private) way to decrypt. DES is another encryption system, developed by the U.S. government in 1977. It has been officially accepted as a cryptographic standard both in the United States and abroad. Many hardware and software systems have been designed using DES. However, recently its adequacy has been questioned [29].

Network user authentication (or access control): assures that a communication is authentic. For example, in the case of a single message, such as a warning or alarm signal, it assures the recipient that the message is from the source it claims to be from.

Among the above security measures, access control is a popularly known and heavily used technique from the managerial perspective, so we will elaborate further. Access control mechanisms must ensure that users of an Open Systems Interconnection (OSI) network can only access resources in a predefined way.

Several models have been proposed to address the access control requirements of distributed applications. Traditional access control models are broadly categorized as discretionary access control (DAC) models, in which all the subjects and objects in a system are enumerated and the access authorization rules for each subject and object in the system are specified, and mandatory access control (MAC) models, in which all subjects and objects are classified based on predefined sensitivity levels that are used in the access decision process. New models such as role-based access control (RBAC) and task-based access control (TBAC) have been proposed to address the security requirements of a wider range of applications. In TBAC models the roles represent organizational responsibilities and functions; a role-based model directly supports arbitrary, organization-specific security policies.

The DAC and the MAC models lack capabilities needed to support the security requirements of emerging enterprises and Web-based applications [16]. For example, DAC cannot be used where classification levels are needed; MAC, although it provides a high level of security, and hence high assurance, is less flexible. The RBAC models have several desirable features such as flexibility, policy-neutrality, better support for security management and administration, the principle of least privilege, and other aspects that make them attractive candidates for developing secure Web-based applications. The National Institute of Standards and Technology (NIST) has also proposed a standard for RBAC that is organized into the RBAC Reference Model and the RBAC System and Administrative Functional Specification [11]. The reference model defines the scope of the features that the standard comprises and provides a consistent vocabulary in support of the specification. The RBAC System and Administrative Functional Specification defines functional requirements for administrative operations and queries for the creation, maintenance, and review of RBAC sets and relations, as well as for specifying system-level functionality in support of session attribute management and an access control decision process.

In conclusion, although the DAC models are currently prevalent in private industry, and MAC is popular in the government, the RBAC models are expected to provide a viable framework for adding a wide range of security requirements for large enterprises. However, several extensions to the existing RBAC models are needed to develop workable solutions to adequately address such needs.
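As an added illustration (not code from the paper, nor the NIST standard's own reference implementation), the following Python sketches a Core RBAC model in the spirit of the reference model just described: user-role and role-permission assignments, sessions that activate only a subset of a user's roles (which is how least privilege is realised), an access decision, and a review query. The policy, role and user names are constructed for the example.

```python
"""Minimal Core RBAC model: users, roles, permissions and sessions.
Added example in the spirit of the NIST RBAC reference model; it is not
the paper's code and not NIST's specification text."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Permission:
    operation: str  # e.g. "read" or "write"
    obj: str        # protected object, e.g. "orders_db"


class RBAC:
    def __init__(self) -> None:
        self.role_perms: dict[str, set[Permission]] = {}   # role -> permissions
        self.user_roles: dict[str, set[str]] = {}          # user -> assigned roles
        # session id -> (user, roles activated in this session)
        self.sessions: dict[str, tuple[str, set[str]]] = {}

    def add_role(self, role: str) -> None:
        self.role_perms.setdefault(role, set())

    def grant(self, role: str, operation: str, obj: str) -> None:
        """Permission-to-role assignment."""
        self.role_perms[role].add(Permission(operation, obj))

    def assign(self, user: str, role: str) -> None:
        """User-to-role assignment; the role must already exist."""
        if role not in self.role_perms:
            raise KeyError(f"unknown role {role!r}")
        self.user_roles.setdefault(user, set()).add(role)

    def create_session(self, sid: str, user: str, roles: set[str]) -> None:
        """Activate a subset of the user's assigned roles for one session.
        Activating only the roles a task needs is least privilege in practice."""
        assigned = self.user_roles.get(user, set())
        if not roles <= assigned:
            raise PermissionError(f"{user} is not assigned {roles - assigned}")
        self.sessions[sid] = (user, set(roles))

    def check_access(self, sid: str, operation: str, obj: str) -> bool:
        """Access decision: allowed iff some role active in the session holds it."""
        _, active = self.sessions[sid]
        wanted = Permission(operation, obj)
        return any(wanted in self.role_perms[r] for r in active)

    def assigned_permissions(self, user: str) -> set[Permission]:
        """Review query: everything the user could obtain by activating all roles."""
        roles = self.user_roles.get(user, set())
        return set().union(*(self.role_perms[r] for r in roles))


def build_demo_policy() -> RBAC:
    """Constructed sample policy for a small e-commerce back office."""
    p = RBAC()
    for role in ("order_clerk", "auditor", "dba"):
        p.add_role(role)
    p.grant("order_clerk", "read", "orders_db")
    p.grant("auditor", "read", "audit_log")
    p.grant("dba", "read", "orders_db")
    p.grant("dba", "write", "orders_db")
    p.assign("alice", "order_clerk")
    p.assign("alice", "dba")
    p.assign("bob", "auditor")
    return p


def demo() -> dict[str, bool]:
    """Run the sample sessions; every entry should come out True."""
    p = build_demo_policy()
    # Alice does day-to-day work with only order_clerk active ...
    p.create_session("s1", "alice", {"order_clerk"})
    # ... and opens a separate session with dba only when maintenance needs it.
    p.create_session("s2", "alice", {"dba"})
    p.create_session("s3", "bob", {"auditor"})
    return {
        "clerk_can_read_orders": p.check_access("s1", "read", "orders_db"),
        "clerk_cannot_write_orders": not p.check_access("s1", "write", "orders_db"),
        "dba_can_write_orders": p.check_access("s2", "write", "orders_db"),
        "auditor_cannot_read_orders": not p.check_access("s3", "read", "orders_db"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Contrast this with DAC as described above, where the same policy would be a rule per (subject, object) pair and every new hire or reorganisation would mean editing those rules one by one.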

3. Classification of security threats in e-commerce

In general, categorizing a phenomenon makes systematic studies possible. In particular, an organized classification of threats to e-commerce can help managers to build systems that are less vulnerable. An established classification would also be useful when reporting incidents to incident response teams. Lindqvist [20] recommends the following properties for the classification for information security:

• The categories should be mutually exclusive (every specimen should fit in at most one category) and collectively exhaustive (every specimen should fit in at least one category).

• Every category should be accompanied by clear and unambiguous criteria defining what specimens are to be put in that category.

• The taxonomy should be comprehensible and useful not only to experts in security but also to users and administrators with less knowledge and experience.

• The terminology of the taxonomy should comply with established security terminology (something that is not always easy to define).

3.1. A review of existing taxonomies

A literature review has identified many attempts at the classification of security threats.

Taxonomy by the Naval Research Laboratory: Landwehr [17] classifies each security flaw according to genesis (caused intentionally or inadvertently), time of introduction (during development, maintenance, or operation), and location (software or hardware).

The ISO has listed five major security threats and services as a reference model [15]: (1) Destruction of information and/or other resources, (2) Corruption or modification of information, (3) Theft, removal or loss of information and/or other resources, (4) Disclosure of information; and (5) Interruption of services.

Taxonomy by Neumann and Parker [25]: These authors have categorized computer misuse techniques into nine classes that are ordered from the physical world to the hardware and software and from unauthorized use to misuse of authority, etc. This classification seems to cover most of the known techniques, covering external attacks as well as unauthorized users misusing their privileges. However, it has some shortcomings in assigning an intrusion to one class or another, or both.

DARPA’s Intrusion Detection Evaluation: Lippmann et al. [22] classified attack types into four groups: (1) Denial of Service, (2) Remote to Local (an attacker who does not have an account on a victim machine sends packets to that machine and gains local access), (3) User to Root (a local user on a machine is able to obtain privileges normally reserved for the UNIX root or super user), and (4) Surveillance/Probing. This evaluation used a reasonable, but not exhaustive, set of attacks with a limited set of actions performed as part of each attack, a simple network topology, and a non-restrictive security policy.

Schumacher and Ghosh [32] have defined eight pillars as the components of information security: systematic, communication, physical, personnel, application, performance, and design correctness; and nine attributes: privacy, integrity, accountability, reliability, connectivity, recovery, liability, and uncertainty. Pfleeger [29] also groups the potential threats to a network into eight categories: wiretapping, impersonation, message confidentiality violations, message integrity violations, hacking, code integrity, and denial of service.

The authors believe that these taxonomies, although they address the most important computer security threats, either do not cover all of them or do not allow them to be considered independently.

3.2. A model for threat classification and control measures

We consider threats to a network system from two points of view: (1) Threat agent, and (2) Penetration technique. A threat is manifested by a threat agent using a specific penetration technique to produce an undesired effect on the network.

Threat agents

Threat agents are classified into environmental factors, authorized users, and unauthorized users.

Environmental factors: Although it is common sense, one should remember to account for environmental factors. Some areas are more prone to certain environmental influences and natural disasters than others. Some types of disasters, such as fire, are not geographically dependent, while others, such as tornadoes and floods, can be anticipated on a more regular basis in specific areas. In addition to natural disasters, attention should be paid to the danger of mechanical and electrical equipment failure and the interruption of electrical power.

Authorized users: Authorized users and personnel engaged in supporting operations can be considered as potential threats when they exceed their privileges and authorities or commit errors, thus affecting the ability of the system to perform its mission. Personnel granted access to systems or occupying positions of special trust and having the capability or opportunity to abuse their access authorities, privileges, or trusts should be considered as potential threats.

Unauthorized users: An unauthorized user can be anyone not engaged in supporting operations who, by design, attempts to interrupt the productivity of the system or operation either overtly or covertly. Overt methods could include outright acts of sabotage affecting hardware and associated equipment, as well as subtle efforts of destruction, which could be accomplished through the manipulation of software, both systems and application.

Techniques

We classify techniques into physical, personnel (related), hardware, software, and procedural.

Physical: Physical penetration implies use of a physical means to gain entry into restricted areas such as building, compound room, or any other designated area.

Personnel: Penetration techniques and methods generally deal with the subverting of personnel authorized some degree of access and privilege regarding a system, either as users or operators (operators would include system analysts, programmers, input/output schedulers, etc.). They can be recruited by a threat agent and used to penetrate the system, operation or facility, or they themselves can become disaffected or motivated to mount an attack.

Hardware: Attacks can be mounted against hardware for the purpose of using the hardware as a means of subverting or denying use of the system. A physical attack against the equipment, a bug implanted within a hardware controller, or an attack against the supporting utilities are means of subverting the system by using the characteristics of the hardware. Hardware, as used in this category, generally includes any piece of equipment that is part of the system (i.e., the mainframe, peripherals, communications controllers, or modems). It also includes indirect system support equipment, such as power supplies, air conditioning systems, backup power, etc.

Software: Software penetration techniques can be directed against system software, application programs, or utility routines. Software attacks can range from discreet alterations that are subtly imposed for the purpose of compromising the system, to less discreet changes intended to produce results such as destruction of data or other important system features.

Procedural: Authorized or unauthorized users can penetrate the system due to lack or inadequacy of controls, or failure to adhere to existing controls. Examples of procedural penetration include former employees retaining and using valid passwords, unauthorized personnel picking up output, and users browsing without being detected due to failure to diligently check audit trails.

Figure 1. Combination of agents, techniques, and security measures.

At a more detailed level, the ISO 7498-2 Standard [15] lists five security control measures to combat these threats: (1) Authentication, (2) Access Control, (3) Data confidentiality, (4) Data integrity, and (5) Non-repudiation. This classification is widely accepted among computer security experts, and the authors also recommend them as good control measures.

These security measures, along with agents and techniques, are shown in Figure 1. One can use this figure to classify threats (agents and techniques) to e-commerce and the security measures to confront these threats. For example, access control is one of the security measures to confront the threats that may be caused by an unauthorized user through software. In total, there are 5 × 3 × 5 combinations of threat technique, agent, and security measure; however, not all of these combinations are applicable. For example, non-repudiation cannot be a security measure for the threats caused by environmental factors or by a procedural technique. We are using this three-dimensional view of threat agents, techniques, and security control measures for a better quantitative assessment and management of security risk.
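To make the three-dimensional view concrete, the following Python encodes the three agents, five techniques and five ISO 7498-2 measures and walks the combination space, as an added example that is not the paper's own code. It assumes only the one exclusion the text states (non-repudiation against environmental factors or a procedural technique); any further inapplicable cells of the original figure would have to be added to EXCLUSIONS, and the incident register is constructed.

```python
"""Agents x techniques x control measures from the paper's Figure 1.
Added illustration, not the paper's code. Only the exclusion stated in the
text is encoded; other inapplicable cells of the figure are not visible
here and would be appended to EXCLUSIONS by the reader."""
from itertools import product

AGENTS = ("environmental factors", "authorized users", "unauthorized users")
TECHNIQUES = ("physical", "personnel", "hardware", "software", "procedural")
MEASURES = ("authentication", "access control", "data confidentiality",
            "data integrity", "non-repudiation")  # ISO 7498-2 services

# Each rule is (agent, technique, measure); None matches any value.
EXCLUSIONS = (
    ("environmental factors", None, "non-repudiation"),
    (None, "procedural", "non-repudiation"),
)


def _check(agent: str, technique: str) -> None:
    if agent not in AGENTS or technique not in TECHNIQUES:
        raise ValueError(f"unknown threat cell ({agent!r}, {technique!r})")


def applicable(agent: str, technique: str, measure: str) -> bool:
    """A cell is applicable unless some exclusion rule matches it."""
    for ex_agent, ex_tech, ex_measure in EXCLUSIONS:
        if (measure == ex_measure
                and ex_agent in (None, agent)
                and ex_tech in (None, technique)):
            return False
    return True


def all_cells() -> list[tuple[str, str, str]]:
    """The full 3 x 5 x 5 = 75 combinations of the figure."""
    return list(product(AGENTS, TECHNIQUES, MEASURES))


def applicable_cells() -> list[tuple[str, str, str]]:
    return [cell for cell in all_cells() if applicable(*cell)]


def measures_for(agent: str, technique: str) -> list[str]:
    """Control measures that can confront one threat (agent using a technique)."""
    _check(agent, technique)
    return [m for m in MEASURES if applicable(agent, technique, m)]


def uncovered_threats(deployed) -> list[tuple[str, str]]:
    """Gap analysis: (agent, technique) cells no deployed measure can confront."""
    deployed = set(deployed)
    return [(a, t) for a, t in product(AGENTS, TECHNIQUES)
            if not deployed.intersection(measures_for(a, t))]


# Constructed incident register, each tagged with the (agent, technique)
# cell it falls in; the last two follow examples given in the text above.
SAMPLE_REGISTER = {
    "malware in checkout application": ("unauthorized users", "software"),
    "flood in server room": ("environmental factors", "physical"),
    "operator exceeds privileges": ("authorized users", "personnel"),
    "ex-employee reuses retained password": ("unauthorized users", "procedural"),
}


def classify_register(register=SAMPLE_REGISTER) -> dict[str, list[str]]:
    """Map each incident to the candidate control measures for its cell."""
    return {name: measures_for(a, t) for name, (a, t) in register.items()}


if __name__ == "__main__":
    print(len(all_cells()), "cells,", len(applicable_cells()), "applicable")
    for name, measures in classify_register().items():
        print(f"{name}: {', '.join(measures)}")
```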

4. Implication of security incidents

Every company, no matter what size, must be able to understand the financial costs involved when its security is breached. But what is a loss? Cohen [5] states that: “A complete list of things that can go wrong with information systems is impossible to create. People have tried to create comprehensive lists, and in some cases have produced encyclopedic volumes on the subject, but there is a potentially infinite number of different problems that can be encountered, so any list can only serve a limited purpose.”

The authors believe that the cost of a computer security incident to an organization has to be measured in terms of the impact on the business; hence identical incidents in two different organizations of the same industry or business type could have different costs. The impact may well be financial, in the form of immediate costs and losses as was briefly explained before, but much more serious are the hidden costs. For example, a computer security incident might damage an organization in terms of the following intangibles:

• The brand image, public reputation and goodwill in the market place

• The financial value of business transactions

• Public and customer confidence in the accuracy of business transactions

• Public and customer confidence in the fraud-resistance of business transactions

• The ability to maintain revenue cash flow in a timely manner

• The ability to resolve disputes beyond reasonable doubt

• The ability to meet the requirements of regulators

Evaluating these impacts is controversial and often extremely difficult. We suggest qualitative and quantitative approaches for these kinds of evaluations. However, qualitative or quantitative risk analysis in information security has its pros and cons. For example, quantitative risk analysis supporters explain that the results of a quantitative risk analysis approach are substantially based on independent objective processes and metrics and they can be expressed in a management-specific language (e.g., monetary value, percentages, probabilities). On the other hand, opponents argue that calculations can be complex (assigning costs to security risks and benefits of countermeasures is difficult) and it requires much preliminary work. Qualitative risk analysis proponents believe that in their approach the calculations are simple, it is not necessary to quantify threat frequency, and many non-technical issues are easily accounted for. The opponents of the qualitative approach argue that this method is subjective in nature and the results depend heavily on the quality of the risk management team assembled. The next sections deal with subjective assessment and quantifying the costs of security incidents.

4.1. Subjective probability assessment

In practical terms, the evaluation of security risks eventually leads to subjective assessment supported by guidelines or some risk assessment models. In our research, we attempt to provide a methodology by which the process can be made more systematic.


Estimating the probability of attack by human threat actors using subjective evaluation can be complex. One should consider the following factors:

1. Motive. How motivated is the attacker? Is the attacker motivated by political concerns? Is the attacker a disgruntled employee? Is an asset an especially attractive target for attackers?

2. Means. Which attacks can affect the critical assets? How sophisticated are the attacks? Do likely attackers have the skills to execute the attacks?

3. Opportunity. How vulnerable is the computing infrastructure? How vulnerable are specific critical assets?

4.2. Possible pitfalls of subjective analysis

The authors wish to warn managers of some cognitive biases that stem from the reliance on judgmental heuristics, which may occur in subjective analysis. We classify the origins of these pitfalls into three types:

Representativeness: In the representativeness heuristic, the probability that, for example, Bob is a hacker is assessed by the degree to which he is representative of, or similar to, the stereotype of a hacker. This approach to the judgment of probability can lead to serious errors, because similarity, or representativeness, is not influenced by several factors that should affect judgments of probability.

Availability: There are situations in which people assess the frequency of a class or the probability of an event by the ease with which instances or occurrences can be brought to mind. For example, one may assess the risk of disclosure of information among financial institutions by recalling such occurrences among one’s acquaintances. Availability is a useful clue for assessing frequency or probability, because instances of large classes are usually recalled better and faster than instances of less frequent classes. However, availability is affected by factors other than frequency or probability. Consequently, the reliance on availability can lead to biases.

Adjustment & anchoring: In many situations, people make estimates by starting from an initial value that is adjusted to yield the final answer. The initial value, or starting point, may be suggested by the formulation of the problem, or it may be the result of a partial computation. In either case, adjustments are typically insufficient. That is, different starting points yield different estimates, which are biased toward the initial values.

In spite of these pitfalls, the authors believe that subjective analysis can be employed usefully in information security assessment, even when quantitative data is not available or a formal process description is not required. Previous attempts by Pate-Cornell and Guikema [28] as well as by Tarr [35] to quantify the likelihood of attacks provide examples of the ability of subjective thinking to function without quantitative data.


4.3. Scope of subjective analysis

Among information security experts there appears to be no agreement regarding the best or the most appropriate method to assess the probability of computer security incidents. There does exist, however, a hierarchy of approaches such as checklists and scenario generation techniques that require the user to have only a minimum knowledge of information system security [36]. To have a well-defined scope for the checklist, one can follow the formats that are provided by British Standards (British Security Standard 1999) or the National Security Agency, NSA.

The National Security Agency, NSA [14] suggests the following areas for information security assessment, which is more comprehensive than British Standards: (1) Information security documentation, (2) Identification and authentication, (3) Account management (establishment, deletion, expiration), (4) Session control management (access control lists, files, directories, servers, remote dial up, Internet services), (5) External connectivity, (6) Telecommunications, (7) System security administration, (8) Auditing, (9) Virus protection, (10) Contingency planning, (11) System maintenance procedures, (12) Configuration management, (13) Back up policies, (14) Labeling, (15) Media sanitization/Disposal, (16) Physical/Environmental controls, (17) Personnel security, and (18) Training and awareness.

4.4. Probability assessment

To derive an overall likelihood rating that a potential vulnerability may be exploited these governing factors should be considered: (1) Threat-source motivation and capability, (2) Nature of the vulnerability, and (3) Existence and effectiveness of current controls.

The likelihood that a potential vulnerability could be exploited by a given threat-source can be described as high, medium, or low. In defining these likelihoods we follow the likelihood determination by NIST [33]:

High likelihood. The threat-source is highly motivated and sufficiently capable, and controls to prevent the vulnerability from being penetrated are ineffective.

Medium likelihood. The threat-source is motivated and capable, but controls are in place that may impede successful exercise of the vulnerability.

Low likelihood. The threat-source lacks motivation or capability, or controls are in place to prevent, or at least significantly impede, the vulnerability from being exercised.

One can also use these qualitative ratings to assign values for a quantitative evaluation to use in the checklist. For example, high likelihood as 0.9, medium likelihood as 0.5, and low likelihood as 0.1. We can also use a more detailed scale such as: very high, high, medium, low, and very low, and use 0.9, 0.7, 0.5, 0.3, and 0.1, respectively, for these likelihoods.

The checklist can be written in a question form and should allow three possible answers: “yes”, “no”, or “not relevant”. Questions should be asked in a way that a “yes” answer means that the control exists and a “no” answer means that the control does not exist. A control is relevant when both the asset to be protected and the threat exist.

For example, one critical element to evaluate data integrity can be, “Is virus detection and elimination software installed and activated?” A subordinate question for the above question could be, “Are virus scans automatic?” The answer to this question might be “yes”, “no”, or “not relevant”. A metric for this evaluation can be the percentage of systems with automatic virus scanning, which can help gauge the risk exposure caused by known viruses.

Assessing probability

In this section we propose a procedure by which quantitative answers to a detailed security questionnaire can be compiled into an overall vulnerability measure. Conducting the survey with the checklist, we can assess the vulnerability of each system under examination by defining the following parameters and calculations:

N(VH): Number of questions with very high importance
N(H): Number of questions with high importance
N(M): Number of questions with medium importance
N(L): Number of questions with low importance
N(VL): Number of questions with very low importance
NR(VH): Number of relevant questions with very high importance
NR(H): Number of relevant questions with high importance
NR(M): Number of relevant questions with medium importance
NR(L): Number of relevant questions with low importance
NR(VL): Number of relevant questions with very low importance
NN(VH): Number of “no” answers to relevant questions with very high importance
NN(H): Number of “no” answers to relevant questions with high importance
NN(M): Number of “no” answers to relevant questions with medium importance
NN(L): Number of “no” answers to relevant questions with low importance
NN(VL): Number of “no” answers to relevant questions with very low importance
NP: Normalized probability
IP: Index of probability
SWP: Sum of probability weights
JP: Justified probability
MW: Maximum weight
AP: Assessed probability

We would have:

$$NP = \frac{\dfrac{NR(VH)}{N(VH)} \times 0.9 + \dfrac{NR(H)}{N(H)} \times 0.7 + \dfrac{NR(M)}{N(M)} \times 0.5 + \dfrac{NR(L)}{N(L)} \times 0.3 + \dfrac{NR(VL)}{N(VL)} \times 0.1}{0.9 + 0.7 + 0.5 + 0.3 + 0.1}$$

$$IP = \frac{1}{NP}$$

$$SWP = NN(VH) \times 0.9 + NN(H) \times 0.7 + NN(M) \times 0.5 + NN(L) \times 0.3 + NN(VL) \times 0.1$$

$$JP = SWP \times IP$$

$$MW = N(VH) \times 0.9 + N(H) \times 0.7 + N(M) \times 0.5 + N(L) \times 0.3 + N(VL) \times 0.1$$

$$AP = \frac{JP}{MW}$$

For example, the checklist for the area of integrity may include 20, 40, 50, 30, and 15 questions on the importance scale of very high, high, medium, low, and very low, and only 10, 30, 40, 24, and 12 may be relevant to the specific vulnerability regarding integrity. If we have 7, 25, 36, 20, and 9 “no” answers (meaning the control does not exist), respectively, following the proposed method we obtain an assessed probability of AP = 0.88. This would imply that there is an 88% chance of success of data integrity incidents. The assessed probability is a number between zero and one, with zero representing an incident that definitely will not occur and one representing an incident that definitely will occur.
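The checklist procedure above, carried through in code as an added example (not code from the paper): it tallies raw “yes” / “no” / “not relevant” answers into the N, NR and NN counts, computes NP, IP, SWP, JP, MW and AP exactly as defined, and reproduces the integrity example (AP = 0.88). The names `ChecklistCounts`, `tally` and `assessed_probability` are this example's own, as are the sample answers, which are constructed.

```python
"""Checklist-based probability assessment (Section 4.4), editorial example."""
from collections import Counter
from dataclasses import dataclass

LEVELS = ("VH", "H", "M", "L", "VL")                # very high .. very low importance
WEIGHTS = {"VH": 0.9, "H": 0.7, "M": 0.5, "L": 0.3, "VL": 0.1}
ANSWERS = ("yes", "no", "not relevant")


@dataclass(frozen=True)
class ChecklistCounts:
    """Per-importance-level counts: N (all), NR (relevant), NN (relevant and 'no')."""
    n: dict
    nr: dict
    nn: dict

    def __post_init__(self):
        for lvl in LEVELS:
            if not 0 <= self.nn[lvl] <= self.nr[lvl] <= self.n[lvl]:
                raise ValueError(f"inconsistent counts for importance level {lvl}")


def tally(answers) -> ChecklistCounts:
    """Build the counts from (importance level, answer) pairs.

    A question is relevant when answered "yes" or "no"; a "not relevant"
    question counts towards N only, as the paper's definitions require.
    """
    n, nr, nn = Counter(), Counter(), Counter()
    for lvl, ans in answers:
        if lvl not in LEVELS or ans not in ANSWERS:
            raise ValueError(f"bad checklist entry: {(lvl, ans)!r}")
        n[lvl] += 1
        if ans != "not relevant":
            nr[lvl] += 1
        if ans == "no":
            nn[lvl] += 1
    return ChecklistCounts(*({lvl: c[lvl] for lvl in LEVELS} for c in (n, nr, nn)))


def assessed_probability(c: ChecklistCounts) -> dict:
    """Return NP, IP, SWP, JP, MW and AP for one checklist area.

    Assumption (not stated in the paper): an importance level with no
    questions contributes nothing to NP, and a checklist with no relevant
    question at all yields AP = 0 instead of dividing by zero.
    """
    weight_sum = sum(WEIGHTS.values())              # 0.9 + 0.7 + 0.5 + 0.3 + 0.1
    np_ = sum(c.nr[lvl] / c.n[lvl] * WEIGHTS[lvl]
              for lvl in LEVELS if c.n[lvl]) / weight_sum
    swp = sum(c.nn[lvl] * WEIGHTS[lvl] for lvl in LEVELS)   # weight of missing controls
    mw = sum(c.n[lvl] * WEIGHTS[lvl] for lvl in LEVELS)     # maximum weight of the list
    if np_ == 0:
        return {"NP": 0.0, "IP": float("inf"), "SWP": swp, "JP": 0.0, "MW": mw, "AP": 0.0}
    ip = 1.0 / np_
    jp = swp * ip
    # The ratio JP/MW is returned unclamped: as the formula is defined, it can
    # exceed 1 when nearly every relevant question is answered "no".
    return {"NP": np_, "IP": ip, "SWP": swp, "JP": jp, "MW": mw, "AP": jp / mw}


def paper_integrity_example() -> ChecklistCounts:
    """The counts from the paper's data-integrity example."""
    return ChecklistCounts(
        n=dict(zip(LEVELS, (20, 40, 50, 30, 15))),
        nr=dict(zip(LEVELS, (10, 30, 40, 24, 12))),
        nn=dict(zip(LEVELS, (7, 25, 36, 20, 9))),
    )


# Constructed sample of answers from a small integrity checklist.
SAMPLE_ANSWERS = [("VH", "no"), ("VH", "yes"), ("H", "not relevant"),
                  ("H", "no"), ("M", "yes"), ("L", "no"), ("VL", "yes")]

if __name__ == "__main__":
    result = assessed_probability(paper_integrity_example())
    print({k: round(v, 3) for k, v in result.items()})   # AP -> 0.881
    print(round(assessed_probability(tally(SAMPLE_ANSWERS))["AP"], 3))
```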

5. Quantifying the cost of security incidents

Before quantifying the damage that can be caused by an incident, managers should know the values of assets of the organization that are exposed to the threat. Logical and physical assets can be grouped into the following categories:

(1) Information—documented (paper or electronic) data or intellectual property used to meet the mission of an organization.

(2) Software—Software applications and services that process, store, or transmit information.

(3) Hardware—information technology physical devices.

(4) People—The people in an organization who possess skills, knowledge, and experience that are difficult to replace.

(5) Systems—Information systems that process and store information (systems being a combination of information, software, and hardware assets and any host, client, or server being considered a system).

For example, the cost of downtime per hour caused by a denial of service attack can be computed by measuring the loss as follows:

(a) Productivity: (Number of employees impacted) × (hours out) × (burdened hourly rate)

(b) Revenue: Direct loss, lost future revenues

(c) Financial Performance: Credit rating, stock price

(d) Damaged Reputation: Customers, suppliers, financial markets, banks, business partners, etc.

(e) Other Expenses: Equipment rental, overtime costs, extra shipping costs, travel expenses, etc.

Table 1. Example of a scoring table for intangible damages.

Intangible damage                                                          Valuation score
Embarrassment restricted to within the project or work site                1
Embarrassment spread to other work areas of operating group or division    1–3
Embarrassment spread throughout the enterprise                             3–5
Public made aware through local press coverage                             5–7
Adverse national press                                                     7–9
Major stock price impact/bankruptcy                                        10

One approach to combining tangible and intangible losses is to use scoring tables, as shown in Tables 1 and 2.

Table 1 defines valuation scores for intangible damages that might be caused by an incident and Table 2 shows the financial loss table for these valuation scores. The values found in the tables could be the result of meetings with various departments and business units within the company and getting their expert input.

Calculating the expected cost of an incident

The expected cost of an incident can be defined as:

$$EC = \sum_{i=1}^{n} AP_i \times C_i$$

where EC is the total expected cost of the incidents, $AP_i$ the assessed probability of the occurrence of incident i, and $C_i$ the cost of the damage caused by incident i. For example, an unauthorized person might access the credit card numbers of clients of a financial institution. This can cause total tangible and intangible losses of 15 million dollars to the institution. A probability of 5 percent for the occurrence of this threat results in an expected damage of: $15,000,000 × 0.05 = $750,000

Table 2. Example of a scoring table for financial losses.

Financial loss                   Valuation score
Under $1M                        1
Between $1M and $5M              1–3
Between $5M and $10M             3–5
Between $10M and $15M            5–7
Between $20M and $25M            7–9
Between $25M and $30M            10

We have outlined a procedure for evaluating possible losses due to security incidents based on use of questionnaires and answers given on scales of “very high” to “very low.” This procedure can form part of an overall risk assessment model that enables security managers to allocate resources in the most effective manner, as presented in the next section.

6. A risk management model

A comprehensive evaluation system is currently under development at the College of Computing, Georgia Institute of Technology incorporating the aspects of electronic commerce and vulnerability assessment to develop a framework for addressing security risk assessment issues in organizations [8–10]. To contain the complexity and maintain focus and relevance, we will restrict ourselves to issues related to database and information system security. This system of five stages is aimed at helping managers to identify the vulnerabilities of their companies, evaluate the existing security measures in place, and to select the most appropriate and cost-effective countermeasures. This risk management model is shown in figure 2. The five stages of our risk management model are:

(1) Resource and application value analysis: This can be done in two phases: First, determine the sensitivity of information handled. The objective is to relate each application to sensitivity level based upon the most sensitive type of data processed (e.g., privacy, asset/resource, proprietary). This analysis provides the framework for subsequent analysis, so its detail and accuracy are important. Second, estimate the asset value of automated resources providing support such as physical facility, equipment and supplies, software.

Figure 2. The proposed risk management model.


(2) Vulnerability and risk analysis: This analysis is in three parts: 1: Identification of vulnerabilities. Weaknesses or flaws in the design, implementation, or operation of the security controls of a facility, system or operation must be identified, whether through analysis of the security controls alone, or as causal factors directly related to a previously identified threat. 2: Weighting of vulnerabilities: Vulnerabilities just identified should be considered in relation to one another and arrayed according to seriousness and potential degree of exploitability. And, finally, 3: Assess threat probabilities: In this step, probabilities of threats are documented. This has been discussed in Section 4.4.

(3) Computation of losses due to threats and benefits of countermeasures: Losses due to threats and benefits of countermeasures can be computed by defining countermeasures at appropriate levels. For a countermeasure at a given level, there is the cost of the countermeasure, its effectiveness, the expected damage caused by the threat, the probability that the threat occurs, the assessed changes in threat probabilities, the expected benefit of the countermeasure, the expected loss attributed to the countermeasure set, etc.

(4) Selection of countermeasures: At this stage, the model chooses a countermeasure and level to minimize total cost. Enumerative search procedures and mathematical programming approaches can be used at this stage.

(5) Implementation of alternatives: This stage can be done in three phases. The first phase is developing and approving a plan. To develop a plan it is necessary to establish priorities for implementation. Generally, countermeasures should be implemented according to the severity of the undesirable effect being countered, as determined by the preceding analysis. Using this as the basic criterion, other influences can be brought into consideration. Once the plan is developed, it must be reviewed and approved by senior management, who must be given the opportunity to review it. The second phase is implementation of countermeasures. Once the planning documents have been completed, action can commence on implementation of countermeasures. The third phase is testing and evaluation of countermeasures. Sensitive systems with the strongest security requirements should have a formal test and evaluation of significant countermeasures immediately prior to and during initial implementation. The purpose of testing and evaluation is to ascertain, with reasonable assurance, that the proposed countermeasure produces the desired effect and will not result in undesirable side effects.

This model is intended to help managers in: identifying business assets, recognizing the threats, assessing the level of business impact that would ensue if the threats were to materialize, analyzing vulnerabilities, and, finally, selecting the countermeasure and suggesting an implementation plan. The model is our first attempt at defining this rather complex problem. The following extensions are under consideration: (a) incorporating more robust solution techniques for large, real-life problems, (b) differentiating countermeasures by implementation techniques, (c) considering the effects resulting from combinations of countermeasures, and (d) performing sensitivity analysis with respect to the inputs, such as probabilities of expected threats. Current work includes a refinement of the model to incorporate actual field data collected from security-conscious e-commerce companies and further validation.


7. Some recommendations

In this paper we addressed some of the security issues that a manager may face in dealing with information systems that are at the heart of e-commerce applications. However, e-commerce security is an extensive area and under continuous and rapid development. We recommend that managers look at the current trends in technology and Internet crime. We also recommend that companies have a clear understanding of their risks and the best technologies that can serve as possible countermeasures. One of the approaches to achieve these goals is an e-commerce security management program. This program should include policies, procedures, and audits, as well as technological safeguards such as firewalls, encryption algorithms, authentication devices, intrusion detection systems, and network security management tools.

Managers should continue this evaluation by asking questions such as:

• What could happen and what failures might be expected if the company relies too heavily on e-commerce (as opposed to a “brick-and-mortar” approach to business)?

• What are the possible risks of losing valuable data and failure of the e-commerce information infrastructure?

• What impact would such a failure have on the business on the whole?

• What are the consequences of such failures in qualitative and quantitative terms?

The more security management becomes aware of such issues, the better the prospects of actually using decision models of the type that we have presented in this paper. Some of these concerns have been addressed in other papers [9,10].

8. Summary of contributions

This paper provides a summary of the security issues faced by an organization engaged in e-commerce as well as some useful information for managers to deal with these issues. The paper makes a contribution in several areas.

The first area is an introduction to e-commerce security and some of its issues. We highlighted the role of trust and intellectual property management in e-commerce as well as some special considerations for mobile e-commerce. We highlighted security measures and techniques for e-commerce and provided some technical information about security measures at the database and network level, and about access control methods.

The next area is an overview of the existing classifications of threats to e-commerce and some of their shortcomings. Then we discussed a more comprehensive classification of the threats and some security measures to confront them. In this classification, threats are considered from two points of view: 1: threat agent, and 2: threat technique. The threat agent could be environmental factors, authorized users, or unauthorized users; the threat (penetration) technique could be personnel, physical, hardware, software, or procedural.


This paper also discusses the implications of security incidents and risk analysis for e-commerce companies. It explores some methods to assist managers in evaluating the cost of security incidents. Qualitative and quantitative risk analysis methods, tangible and intangible damages, and methods for quantifying these losses have also been reviewed in this part. The classification of assets and a systematic approach to identifying costs based on assessed probabilities were presented. We discussed subjective analysis for the probability assessment of threats to information systems, some possible pitfalls of this method, and a possible approach for using subjective assessment.

We believe that the cost of a computer security incident to an e-commerce company has to be measured in terms of the impact on their business; hence identical incidents in two different companies could have different costs. To evaluate these costs and measure the impact of a security incident on a company, we need a systematic approach and a comprehensive risk management system. Such a comprehensive evaluation model and system is currently under development at the College of Computing, Georgia Institute of Technology. This five-stage system is aimed at helping managers to identify the vulnerabilities of their companies and to select the most effective countermeasures. The system includes: (1) Resource and application value analysis, (2) Vulnerability and risk analysis, (3) Computation of losses due to threats and benefits of countermeasures, (4) Selection of countermeasures and (5) Implementation of alternatives. Last, we provide some recommendations to help managers in dealing with e-commerce issues in their companies.

Acknowledgment

The authors would like to express their sincere thanks to Dean Richard DeMillo of the College of Computing, Georgia Tech, Professor Gene Spafford of Purdue University, Mr. William Malik CTO of Waveset, Mr. Chris Klaus, CTO, and Mr. Tom Noonan, CEO of ISS for providing valuable advice related to this work.

References

[1] British Security Standard, BS 7799 (British Standards, 1999).
[2] V. Ahuja, Building trust in electronic commerce, IT Professional 2(3) (2000) 61–63.
[3] T. Bui and T.R. Sivasankaran, Cost-effectiveness modeling for a decision support system in computer security, Computers and Security 6 (1987) 139–151.
[4] R.P. Campbell and G.A. Sands, A modular approach to computer security risk management, in: AFIPS National Computer Conference (1979) 293–303.
[5] Cohen (1997) http://citeseer.nj.nec.com/lee00toward.html
[6] R. Elmasri and S.B. Navathe, Fundamentals of Database Systems, ed. 4 (Addison Wesley, 2004).
[7] G. Eschellbeck, Active security: a proactive approach for computer security systems, Journal of Network and Computer Applications 23 (2000) 109–130.
[8] F. Farahmand, S.B. Navathe and P.H. Enslow, Electronic commerce and security—A management perspective, in: ISS/INFORMS Seventh Annual Conference on Information Systems and Technology (San Jose, 2002).
[9] F. Farahmand, S.B. Navathe, G.P. Sharp and P.H. Enslow, Managing vulnerabilities of information systems to security incidents, in: ACM International Conference on Electronic Commerce, ICEC 2003 (Pittsburgh, Sept. 2003) 348–354.
[10] F. Farahmand, W.J. Malik, S.B. Navathe and P.H. Enslow, Security tailored to the needs of business, in: ACM Workshop on Business Driven Security Engineering (BIZSEC) (2003).
[11] D.F. Ferraiolo, R. Sandhu, S. Gavrila, D.R. Kuhn and R. Chandramouli, Proposed NIST standard for role-based access control, ACM Transactions on Information and System Security (TISSEC) 4(3) (2001) 224–274.
[12] R.L. Field, Issues in the law of electronic commerce, Networker (ACM Press) 1(3) (1997) 28–37.
[13] A.K. Ghosh and T.M. Swaminatha, Software security and privacy risks in mobile e-commerce, Communications of the ACM 44(2) (2001) 51–57.
[14] R. Henning, Security service level agreements: Quantifiable security for the enterprise? in: ACM Proceedings of the 1999 Workshop on New Security Paradigms (Sept. 1999) 54–60.
[15] ISO, Information Processing Systems—Open Systems Interconnection—Basic Reference Model, Part 2: Security Architecture, ISO 7498-2 (1989).
[16] J. Joshi et al., Security models for web-based applications, Communications of the ACM 44(2) (2001) 38–44.
[17] C.E. Landwehr et al., A taxonomy of computer program security flaws, with examples, Naval Research Laboratory (Nov. 1993).
[18] C.E. Landwehr and D.M. Goldschlag, Security issues in networks with Internet access, Proceedings of the IEEE 85(12) (1997) 2034–2051.
[19] S. Lichtenstein, Internet risks for computers, Computers & Security 17 (1998) 143–150.
[20] U. Lindqvist and E. Jonsson, How to systematically classify computer security intrusions, in: IEEE Symposium on Security and Privacy (1997) 154–163.
[21] N. Linketscher and M. Child, Trust issues and user reactions to e-services and e-marketplaces: a customer survey, in: IEEE 12th International Workshop on Database and Expert Systems Applications (2001) 752–756.
[22] R. Lippmann et al., The 1999 DARPA off-line intrusion detection evaluation, Computer Networks 34 (2000) 579–595.
[23] D.W. Manchala, E-commerce trust metrics and models, IEEE Internet Computing 4(2) (2000) 36–44.
[24] D.H. McKnight, C. Choudhury and C. Kacmar, Developing and validating trust measures for e-commerce: An integrative typology, Information Systems Research 13(3) (2002) 334–359.
[25] P.G. Neumann and D.B. Parker, A summary of computer misuse techniques, in: Proceedings of the 12th National Computer Security Conference (Oct. 1989) 396–407. National Institute of Standards and Technology/National Computer Security Center.
[26] National Bureau of Standards (NBS), Data Encryption Standard (FIPS Publ. 46, Jan. 1977).
[27] E. Orlandi, The cost of security, in: IEEE International Carnahan Conference on Security Technology (1991) 192–196.
[28] E. Pate-Cornell and S. Guikema, Probabilistic modeling of terrorist attacks: A system analysis approach to setting priorities among countermeasures, Military Operations Research (Oct. 2002).
[29] C.P. Pfleeger, Security in Computing (Prentice Hall, 1997).
[30] R. Power, Computer security issues & trends, 2002 CSI/FBI Computer Crime and Security Survey VIII(1) (2002).
[31] R.L. Rivest, A. Shamir and L.M. Adleman, A method for obtaining digital signatures and public-key cryptosystems, CACM 21(2) (1978) 120–126.
[32] H.J. Schummacher and S. Ghosh, A fundamental framework for network security, Journal of Network and Computer Applications (1997) 305–322.
[33] G. Stoneburner, A. Goguen and A. Feringa, Risk Management Guide for Information Technology Systems (NIST Special Publication 800-30, 2001).
[34] M. Swanson et al., Security Metrics Guide for Information Technology Systems (NIST Special Publication 800-55, 2002).
[35] C.J. Tarr, Cost effective perimeter security, in: European Convention on Security and Detection (1995) 183–187.
[36] C.C. Wood et al., Computer Security: A Comprehensive Control Checklist (John Wiley & Sons, 1987).

Reproduced with permission of the copyright owner. Further reproduction prohibited without permission.

