Issues in Informing Science and Information Technology Volume 4, 2007
Framing the Corporate Security Problem:
The Ecology of Security
Robert Joseph Skovira
Robert Morris University, Moon Twp., PA, USA
Abstract
Security and information systems are intertwined. The costs of secure systems are in the billions of dollars. In the digital world, security vulnerabilities and threats work contrary to the security goals of confidentiality, integrity, and availability of information systems. The essay describes a view of organizations and their policies, network systems, operating systems, software applications, information, and people joined interactively and dependently in an environment. The paper presents an ecological conception of security.
Keywords: Security, Information security, Secure programming, Secure computing, Ecology
Introduction
Security and information systems are intertwined. The complex interactions and interconnections among people, software applications, networks, operating systems, and organizational policies create myriads of exploitable points. Daily newspapers present accounts of intrusions, stolen laptops, and other security breakdowns. The global implications of a security meltdown of apocalyptic proportions have been the guise of a novel (Brown, 1998). Intrusions and attempts at intruding are happening continuously at every moment of an information system’s life. According to Consumer Reports (2006), in any given 24-hour period there are approximately 60 million intrusion attempts. The estimated cost of security defenses in the face of attacks is approximately $7.8 billion for 2004-2006; the costs of spamming and viruses are approximately $5.2 billion; the costs of spyware intrusions are approximately $2.6 billion. Phishing intrusions amount to approximately $630 million (Consumer Reports, 2006). There are other estimates (Bodin, Gordon & Loeb, 2005; Kros, Foltz & Metcalf, 2004-2005). What the cost is now or will be in a year’s time is anyone’s guess. In the Information Age, where interconnectivity and information access and availability are paramount, malware and malicious exploitation of information system vulnerabilities have become epidemic (Seshadri, Luk, Perrig, Van Doorn, & Khosla, 2006; Whitman, 2003).
Security and security awareness are necessary elements of a secure environment, even as people have access to required information and information resources. “Information security involves making information accessible to those who need the information, while maintaining integrity and confidentiality” (Carstens, McCauley-Bell, Malone, & DeMara, 2004, p. 68).
Security Vulnerabilities
In the digital world, where an individual’s desktop computer is networked not only within the organization but also to the world via the WWW, it is safe to
say that everything: the computer and its operating system, the network and web site, the information on it or in corporate databases, the software used to conduct business and query the databases, and the person, is vulnerable and subject to some kind of malicious attack. “A vulnerability is a weakness…that might be exploited to cause loss or harm” (Pfleeger, 1997, p. 3).
Hardware is vulnerable to interruptions (also called “denial of service”) and interceptions (by stealing) (Pfleeger, 1997; Graff & van Wyk, 2003). The accessibility and visibility of computers (laptops are stolen), printers, even cables, and equipment (hard drives are recycled) of all kinds make them vulnerable to security breakdowns (Pfleeger, 1997; Whitman, 2003; Volonino & Robinson, 2004).
Software is open to interruptive (being deleted) threats. Software, at least in part, and its functionality can be captured and used without appropriate permissions. Software can be changed in unpermitted ways by unauthorized persons (Pfleeger, 1997; Whitman, 2003).
Information can be subject to unauthorized capture and use. Use of information can be disrupted. Unauthorized access to an information system can lead to information being inappropriately changed, even made up, or appropriated contrary to privacy laws (Pfleeger, 1997; Whitman, 2003; Volonino & Robinson, 2004).
People are especially prime points of exploitation for unpermitted access to and use of information and its system. People become opened gates for incursions into applications, operating systems, and networks (Carstens et al., 2004; Bailes & Templeton, 2006; Campbell, 2006). Information systems become vulnerable when key personnel are unavailable and are not reliable. This happens in many possible ways, but the chief manner is framed by and works through people’s mental models of trust. There is also a problem with usability designs of systems. For the user, security ought to be transparent. People will try to bypass system security whenever confronted with an accessibility choice allowed by an easy security routine as opposed to a difficult security check (Pfleeger, 1997; Howard, LeBlanc, & Viega, 2005; Mercuri, 2006).
Security Threats
Information systems and their components are threatened in at least four different ways. An information system suffers an “interruption” when a breakdown of functionality and use happens because of an unauthorized intrusion into the information system (Pfleeger, 1997; Volonino & Robinson, 2004). An “interception” occurs as the “hijacking” or “piracy” of an information system or one of its components in order to gain unauthorized rights to and use of available software applications or stored information (Pfleeger, 1997; Volonino & Robinson, 2004). A “modification” is the changing of informational content or software code without the correct permissions as a consequence of intrusions (Pfleeger, 1997; Schneier, 2000). A “fabrication” is the unpermitted change of software code or stored information as a result of an exploitative intrusion. The changes may be additive or subtractive (Pfleeger, 1997; Volonino & Robinson, 2004).
Security Goals
There are three goals which security plans and practices attempt to meet: confidentiality in the system, the system’s integrity, and the system’s continual ability to make information and other system resources available to users. Users ought to be confident about the proper use of the information system. This means that only the proper personnel are allowed to use the information system and its resources in the proper manner, namely information system access with permission (Hartman, Flinn, Beznosov, & Kawamoto, 2003). “Confidentiality” refers to the availability of system resources only to people permitted to access them. Having permission to use an information system’s resources means that the user must be authenticated—checked to see if the user is “legal”—in order to be authorized to use the system. Only authorized persons have permissions to