Blind information security strategy

Abstract How do enterprises relate to and manage information security controls? This paper documents a study of twenty enterprises, six of them in the critical infrastructure (CI) domain. The state of security in the CI enterprises differed little from that in the other enterprises. Information security was seen as a technical problem with technical solutions. However, vulnerabilities in processes and human fallibility create a need for formal and informal controls in addition to technical controls. These three controls are interdependent. They vary widely in implementation time and resource needs, which render the task of building security resources a challenging problem. This paper presents a system dynamics model that illustrates how security controls are interconnected and are interdependent at a high level. The model is intended to aid security managers in CI domains to better understand information security management strategies, especially the complexities involved in managing a socio-technical system where human, organizational and technical factors interact. The model also demonstrates how the knowledge gained from proactive security activities can help managers improve the effectiveness of security controls, risk assessments and incident detection capabilities.

[1]  Scott Campbell How to think about security failures , 2006, CACM.

[2]  I. Nonaka,et al.  The Knowledge Creating Company , 2008 .

[3]  K. B. Hendricks,et al.  Firm characteristics, total quality management, and financial performance , 2001 .

[4]  Javier Santos,et al.  Modeling and Simulating Information Security Management , 2007, CRITIS.

[5]  Alan Calder,et al.  IT Governance: A Manager's Guide to Data Security and BS 7799/ISO 17799 , 2005 .

[6]  John D. Sterman,et al.  System Dynamics: Systems Thinking and Modeling for a Complex World , 2002 .

[7]  E. Eugene Schultz,et al.  The human factor in security , 2005, Comput. Secur..

[8]  George P. Richardson,et al.  Model-building for group decision support: Issues and alternatives in knowledge elicitation , 1992 .

[9]  Kim Warren,et al.  Strategic Management Dynamics , 2008 .

[10]  Gurpreet Dhillon,et al.  Managing and controlling computer misuse , 1999, Inf. Manag. Comput. Secur..

[11]  William L. Simon,et al.  The Art of Deception , 2002 .

[12]  P. Senge THE FIFTH DISCIPLINE , 1997 .

[13]  Douglas J. Landoll,et al.  The Security Risk Assessment Handbook , 2005 .

[14]  Ping I Lee,et al.  Air Carrier Safety and Culture: An Investigation of Taiwan's Adaptation to Western Incident Reporting Programs , 2005 .

[15]  K. B. Hendricks,et al.  Quality awards and the market value of the firm: an empirical investigation , 1996 .

[16]  Finn Olav Sveen,et al.  Learning from Your Elders: A Shortcut to Information Security Management Success , 2007, SAFECOMP.

[17]  Bruce Schneier,et al.  Secrets and Lies , 2004 .

[18]  G. Easton,et al.  The Effects of Total Quality Management on Corporate Performance: An Empirical Investigation , 1998 .

[19]  Reinhardt A. Botha,et al.  Reflecting on 20 SEC conferences , 2006, Comput. Secur..

[20]  George P. Richardson,et al.  Teamwork in group model building , 1995 .

[21]  Eric D. Shaw,et al.  The role of behavioral research and profiling in malicious cyber insider investigations , 2006, Digit. Investig..

[22]  James Stevens,et al.  The Critical Success Factor Method: Establishing a Foundation for Enterprise Security Management , 2004 .

[23]  Kim Warren,et al.  Competitive Strategy Dynamics , 2002 .

[24]  R. Florida,et al.  Gaining from Green Management: Environmental Management Systems inside and outside the Factory , 2001 .

[25]  K. B. Hendricks,et al.  Does Implementing an Effective TQM Program Actually Improve Operating Performance? Empirical Evidence from Firms That Have Won Quality Awards , 1997 .

[26]  J.D. Sterman,et al.  Nobody Ever Gets Credit for Fixing Problems That Never Happened: Creating and Sustaining Process Improvement , 2001, IEEE Engineering Management Review.

[27]  Robin M. Ruefle,et al.  State of the Practice of Computer Security Incident Response Teams (CSIRTs) , 2003 .

[28]  Gurpreet Dhillon,et al.  Computer crimes: theorizing about the enemy within , 2001, Comput. Secur..

[29]  Jac A. M. Vennix,et al.  Group model-building: tackling messy problems , 1999 .