论文信息 - Security Strategy Analysis for Critical Information Infrastructures

Security Strategy Analysis for Critical Information Infrastructures

How do security departments relate to and manage information security controls in critical infrastructures (CI)? Our experience is that information security is usually seen as a technical problem with technical solutions. Researchers agree that there are more than just technical vulnerabilities. Vulnerabilities in processes and human fallibility creates a need for Formal and Informal controls in addition to Technical controls. These three controls are not independent, rather they are interdependent. They vary widely in implementation times and resource needs, making building security resources a challenging problem. We present a System Dynamics model which shows how security controls are interconnected and interdependent. The model is intended to aid security managers in CI to better understand information security management strategy, particularly the complexities involved in managing a socio-technical system where human, organisational and technical factors interact.

Finn Olav Sveen | José Manuel Torres | Jose María Sarriegi

[1] Gurpreet Dhillon,et al. Computer crimes: theorizing about the enemy within , 2001, Comput. Secur..

[2] Jac A. M. Vennix,et al. Group model-building: tackling messy problems , 1999 .

[3] Kim Warren,et al. Competitive Strategy Dynamics , 2002 .

[4] George P. Richardson,et al. Teamwork in group model building , 1995 .

[5] Gurpreet Dhillon,et al. Managing and controlling computer misuse , 1999, Inf. Manag. Comput. Secur..

[6] Reinhardt A. Botha,et al. Reflecting on 20 SEC conferences , 2006, Comput. Secur..

[7] William L. Simon,et al. The Art of Deception , 2002 .

[8] Kim Warren,et al. Strategic Management Dynamics , 2008 .

[9] John D. Sterman,et al. System Dynamics: Systems Thinking and Modeling for a Complex World , 2002 .

[10] Gurpreet Dhillon,et al. Refereed Papers: Violation of Safeguards by Trusted Personnel and Understanding Related Information Security Concerns , 2001 .

[11] John D. Sterman,et al. Business dynamics : systems thinking and modelling for acomplex world , 2002 .

[12] Bruce Schneier,et al. Applied cryptography : protocols, algorithms, and source codein C , 1996 .

[13] Peter M. Senge,et al. Modeling For Learning Organizations , 1994 .

[14] Javier Santos,et al. Modeling and Simulating Information Security Management , 2007, CRITIS.