A Framework for Enhancing Systems Security

Srinarayan Sharma, Indian Institute of Management, Ranchi, India, sriOsharma@gmail.com

Vijayan Sugumaran, Oakland University, Rochester, USA, and Service Systems Management and Engineering, Sogang University, Seoul, South Korea, sugumara@oakland.edu

ABSTRACT

Security concerns have grown in sync with the growth of ecommerce. This paper presents a framework for analyzing systems security in terms of three dimensions, namely, technology, process, and people. The paper also advocates a systems development life cycle view of security. It describes different activities that need to be carried out throughout the development cycle in order to improve overall systems security. It also discusses the theoretical and practical implications of the study, and identifies future research directions.

KEY WORDS

Systems Security, Systems Development Life Cycle, Security, Ecommerce, Security Framework

INTRODUCTION

Like all sectors of the economy, e-commerce has been affected by the worldwide economic downturn. While other sectors have seen their growth stall or reverse, e-commerce has held its ground well. According to the latest published e-commerce statistics (US Department of Commerce, 2011), online spending in the United States in 2010 increased 8.1 percent over 2009, while retail e-commerce in 2011 was expected to grow 13.7% over 2010, to sales of $188 billion (eMarketer, 2011).

Long-term U.S. retail e-commerce sales are still forecast to grow in the high single digits to low double digits, from an estimated $165.4 billion in 2010 to $269.8 billion in 2015 (eMarketer, 2011). Security concerns have grown in sync with the growth of e-commerce (Richardson, 2010). According to the 2010 Computer Security Institute Computer Crime and Security Survey (Richardson, 2010), although security breaches at the respondent companies have decreased, they remain high. Episodes of hacking at the headquarters of the software giant Microsoft and other companies have only heightened the need for systems security (Gross, 2011). Online privacy and security are the most important issues for Internet users and will remain so in the foreseeable future (Bennett, 2006). Identity theft, credit card fraud, and virus attacks affect virtually all areas of Internet use. Security breaches can lead to lower confidence and heightened fear for consumers, resulting in fewer customers buying online (Cybersource, 2009). Consumer fears resulted in estimated online sales losses of $4.0 billion in 2008, an increase of 11 percent from the previous year (Cybersource, 2009).

In this paper, we argue that only a systematic approach to security can protect companies from Internet and other security breaches. Towards that end, we describe generic systems security concerns, and generic security technologies available to address these concerns. We provide a framework for analyzing systems security in terms of three dimensions, namely technology, process, and people. We also advocate a systems development life cycle approach to security and identify some of the key activities that need to be carried out throughout the development cycle in order to improve overall systems security.

The paper is organized as follows. In the next section, we briefly provide a review of the security concerns and technologies. Following this we review the information security literature to survey existing security frameworks. Then we provide our own framework to integrate different security issues along with key activities needed to be performed in a systems development life cycle. In the next section, we provide a discussion of how our framework could be applied to a generic company. Finally, we conclude with implications for theory and practice.

SYSTEMS SECURITY ISSUES AND SECURITY TECHNOLOGIES

Systems Security Issues

Security is a multidimensional concept and needs to be examined on several dimensions such as privacy, physical access restrictions, application availability, network confidentiality, content integrity, and access policy (Olson & Olson, 2000). Security generally refers to authentication, access control, audit trail, confidentiality, integrity, availability, and nonrepudiation (Internet Society, 2000).

Most common security problems in electronic commerce can be classified into four categories: operating system weaknesses, application vulnerabilities, improper configuration, and lack of training and resources (Connolly, 2001). Ironically, the last category, lack of training and resources, contributes to the first three problems. The following are some of the e-commerce security issues discussed in the literature.

(a) Misallocation of resources: In the majority of organizations, security spending has been lagging compared to migration of corporate information from legacy systems to new client/server and web-based systems (Myers, 2011; Richardson, 2010). While the critical corporate data has been moved to Unix and NT systems, companies are still spending resources to secure mainframes (Hines, 2007; Messmer, 2008; Paris, 2009).

A Framework for Enhancing Systems Security

(b) Broadband Remote Access Applications: Keeping mission-critical applications up and running 24 hours a day, 7 days a week has become a business necessity. If they are not secure, hackers will find them and may gain control with malicious intent. Some hackers use spare disk space on these systems to store illicit files, while others use remote access as a backdoor into enterprise systems. Cable systems use an Ethernet "party-line" architecture that puts a neighborhood on a single subnet. Each packet is broadcast to everyone, and only the addressee is supposed to process it, but a neighborhood hacker can use a packet sniffer to tap into this subnet (Panko, 2010). Once they have access to the subnet, they also have easy access to the other systems on it.

(c) Lack of Incident Response Plan: Organizations often lack an incident response plan to cope with security breaches (May, 2011; Richardson, 2010). A good plan includes policies on when to shut down an affected server and when to quarantine it. It also outlines how to contact vendors, company executives, and response team members, as well as the ISP and law enforcement officials. The plan specifies which logs are to be kept and the steps to be performed to track the hacker's activities and location, and it describes how the affected parties will be contacted. In the absence of such a plan, organizations address security breaches in an impromptu manner, which leads to chaos and delay.

(d) Lack of customizable automated tools to fix security holes: Plugging every security hole is extremely resource-consuming. The scripting tools available to automate the process are not customizable, so skilled security professionals are needed to do the job by hand (Schwartz, 2011).

(e) Lack of security awareness: Organizations lack a strong security culture to ward off unexpected hacker attacks (Grimes, 2009; Richardson, 2010). The complexity and variety of security attacks have made the management of employee attitudes toward security a paramount concern. Increasing numbers of companies depend on Internet access from the desktop for personal and daily business and, as a result, expose company data and information to new, intensely dangerous levels of risk. While some employees may be acutely aware of security dangers, others may need constant reminders. Building a security-conscious culture may be a daunting task, but companies need to instill it to minimize security breaches.

(f) Heavy emphasis on just IT: There is a general perception that system security is the responsibility of the information systems department and is independent of the business processes. Factors that control the information flow between sub-systems shouldn't just come from a technical view if it is to be effective companywide (Grimes, 2009). Business risk control mechanisms are needed to meet the overall security objectives.

A Framework for Enhancing Systems Security

(g) Lack of security education and Training: Employees need to be educated to understand the need for information security and what it means to the organization (Richardson, 2010). They have to be encouraged and motivated to follow standard security procedures (Myers, 2011).

(h) Lack of Ownership: Employees must also be assigned responsibility and ownership of the information they manage (Panko, 2010). Early involvement of employees in the process is necessary for their taking ownership of the process.

Security Technologies

Having briefly described different systems security concerns in companies, in this section we provide a brief overview of the technologies available for addressing these security concerns.

(a) Digital Certificates: Digital certificates, a key part of Internet security, received federal legal authority in June 2000. These certificates can serve as a trusted and verified means of identification that cannot be repudiated (Gerdes Jr., Kalvenes & Huang, 2009).

(b) Public Key Infrastructure (PKI): It has been difficult to establish proper trust and verify credentials with electronic trading partners in B2B electronic commerce. Vendors have developed PKI management services and products designed to eliminate this problem (Millan et al., 2010). However, the vendors' ultimate goal of a system that handles the entire end-to-end authentication and payment process is still to be achieved (Millan et al., 2010).

(c) Intrusion Detection: Examination of a number of high-profile security breaches, such as those at Microsoft, TJ Maxx, and Bank of America, has revealed that most successful intruders escape casual surveillance. This has made intrusion detection one of the most widely used security technologies. Intrusion-detection systems monitor an organization's network and hosts (Xenakis, Panos & Stavrakakis, 2011). They detect intrusions by watching for actions that resemble the characteristics of known attacks. The downside of this signature-based approach is that it cannot detect attacks that are not represented in its knowledge base, including novel attacks and obfuscated variants of known ones.

(d) Security in Web Applications: Progress has been made in preventing attacks that exploit security weaknesses in Web applications. Perfecto Technologies' AppShield, for example, sits between the network firewall and the web server, allowing visitors to access the Web site only through authorized entry points and verifying that every incoming client request is legitimate. If a request violates the defined security policy, it is denied access to the application (Caceres & Teshigawara, 2010). This is a positive security model: rather than matching requests against known attacks, it permits only what the policy explicitly allows.
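The two controls described in (c) and (d) behave differently on the same traffic. The following example, added here and not code from the paper or from AppShield, runs a small signature-based detector and a positive-security-model request filter over constructed web-server request lines; the request lines, the signature set, and the entry-point policy are all assumptions made for illustration. The comment-obfuscated injection variant produces no signature alert, which is the knowledge-base limitation noted in (c), while the positive model still rejects it because the parameter does not match the shape the policy allows.

```python
"""Signature-based detection versus a positive-security-model request filter.

Added example, not from the paper or from AppShield. The request lines,
signatures, and entry-point policy below are constructed for illustration.
"""
import re
from urllib.parse import urlsplit, parse_qs

# Constructed web-server request lines: "<METHOD> <path>[?query]".
SAMPLE_REQUEST_LINES = [
    "GET /index.html",
    "GET /search?q=shoes",
    "GET /search?q=shoes' OR 1=1--",                  # textbook SQL injection
    "GET /search?q=shoes'/**/UNION/**/SELECT/**/1",   # comment-obfuscated variant
    "GET /admin/backup.cgi?file=../../etc/passwd",    # traversal at an unlisted path
    "POST /cart/add?sku=1234&qty=2",
]

# --- Signature-based detection: a knowledge base of known attack patterns. ---
SIGNATURES = {
    "sqli_or_tautology": re.compile(r"'\s+OR\s+1=1", re.IGNORECASE),
    "path_traversal": re.compile(r"\.\./"),
}

def signature_alerts(request_line):
    """Return the names of the signatures that match the raw request line."""
    return [name for name, pattern in SIGNATURES.items() if pattern.search(request_line)]

# --- Positive security model: only authorized entry points, each with the
#     parameters it expects and the shape each parameter value must have.
#     Anything not listed is denied. (Parameters are read from the query
#     string for both GET and POST to keep the example self-contained.) ---
ENTRY_POINTS = {
    ("GET", "/index.html"): {},
    ("GET", "/search"): {"q": re.compile(r"^[A-Za-z0-9 ]{1,40}$")},
    ("POST", "/cart/add"): {"sku": re.compile(r"^\d{1,8}$"),
                            "qty": re.compile(r"^\d{1,3}$")},
}

def policy_allows(request_line):
    """True only if the request hits an authorized entry point with well-formed parameters."""
    method, _, target = request_line.partition(" ")
    parts = urlsplit(target)
    expected = ENTRY_POINTS.get((method, parts.path))
    if expected is None:
        return False                      # unknown entry point: deny
    params = parse_qs(parts.query, keep_blank_values=True)
    if set(params) - set(expected):
        return False                      # parameter the policy does not know: deny
    for name, pattern in expected.items():
        values = params.get(name, [])
        if len(values) != 1 or not pattern.match(values[0]):
            return False                  # missing, duplicated, or malformed value: deny
    return True

def evaluate(request_lines):
    """Run both controls; returns (request_line, signature alerts, allowed by policy)."""
    return [(line, signature_alerts(line), policy_allows(line)) for line in request_lines]

if __name__ == "__main__":
    for line, alerts, allowed in evaluate(SAMPLE_REQUEST_LINES):
        print(f"{line!r:55} alerts={alerts or '-'} policy={'allow' if allowed else 'deny'}")
```

A production filter would also canonicalize each request (URL-decoding, case and path normalization) before applying either control, since the decisions above are made on the raw request line.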

A Framework for Enhancing Systems Security

(e) Personal Firewall: The explosion of broadband networking options has made desktops vulnerable. Hackers can reach desktops that hold assigned IP addresses and use them to launch attacks on other systems. Personal firewalls can mask these desktops from casual probing. Well-known anti-virus vendors such as Symantec and McAfee, along with specialty vendors such as Network ICE and Sybergen, provide personal firewall solutions (Schultz, 2005).

(f) Disposable IDs: Strong transport encryption in web browsers has made the theft of credit card numbers in transit very difficult (Buccafurri & Lax, 2011). However, vendor databases containing these numbers remain vulnerable. Disposable ID mechanisms issue one-use credit card numbers, so that numbers stolen from a vendor database are useless to the thief (Experiencefreak, 2010).

(g) Biometric Security: Biometric security technologies have become easier to implement. These technologies make use of an individual's unique fingerprints, face, and voice to ensure that only authorized individuals gain entry (Uzoka & Ndzinge, 2009).

(h) Single Sign-On Technologies: Many security systems in the past have required multiple sign-ons from users. Single sign-on technology allows users to access network resources without entering several passwords (Orr, 2005). Combined with biometrics, it can be a powerful security tool. Novell's NDS directory service uses this technology.

SECURITY FRAMEWORK FOR ENHANCING SYSTEMS SECURITY

In the previous two sections we discussed the common security issues faced by IT departments in companies engaged in e-commerce and the technologies currently available for securing mission-critical applications. A closer examination of the issues and the available technologies reveals that, while technical solutions exist to provide adequate security, organizations still experience considerable difficulty in securing their applications from intruders. Most of the security measures implemented by organizations rely heavily on technology alone, without considering other factors that have a greater impact on the overall security of their systems. According to PwC (2011), companies have been increasing their security spending since 2007. But despite multibillion-dollar spending, they fall short of achieving business-process security (Nosworthy, 2000; PwC, 2011). To address these shortcomings, many researchers have provided various frameworks. A brief review of these frameworks is given below.

Chang et al (2011) provide a technology-driven framework that uses (external) environment information to enhance computer security. The advantage of this framework is that the environment information is collected by sensors that are outside the control of a host and communicate with an external monitor via an out-of-band channel (with respect to the host); thus it cannot be compromised by malware on the host system. The information gathered remains intact even if malware uses rootkit techniques to hide its activities. This framework is applicable to a number of security applications: (1) intrusion detection, (2) rate monitoring/control of external resources, and (3) access control. Chang et al (2011) show that this framework is useful even with coarse-grained and simple information. They present experimental prototypes that employ the framework to detect/control email spam, detect/control DDoS zombie attacks, and detect misuse of compute resources. Experimental evaluation shows that the framework is effective in detecting or limiting the activities of such malware. The shortcoming of this framework is that it does not address the process and people aspects of security, which may have a greater impact on overall security.

Abbas et al (2011) propose a framework based on options theory borrowed from corporate finance and adapt it to evaluation of security architecture and decision making for handling issues at organizational level. This framework addresses three main problems resulting from uncertainty in information security management: dynamically changing security requirements of an organization, externalities caused by non-secure system, and obsolete evaluation of security concerns. The framework is relevant to information security management in organizations, particularly issues on changing requirements and evaluation in uncertain circumstances created by progress in technology. This is a process driven framework and does not address technology and people aspect of security.

Tsohou et al (2010) provide a classification framework for categorizing available information security standards. Recent information security surveys indicate that both the acceptance of international standards and the related certifications increase continuously. However, the majority of organizations still do not know the dominant security standards or do not fully implement them. The aim of this framework is to raise the awareness of information security practitioners regarding globally known and accepted security standards. Clearly the focus of this framework is on a narrow aspect of technology, that is, technology standards. It does not address broader technological issues, process issues, or people issues.

There is a need to provide secure and safe information systems through the use of firewalls, intrusion detection and prevention systems, encryption, authentication, and other hardware and software solutions. Patel, Qi, and Wills (2010) propose a framework which includes safe, secure, trusted, and auditable services, as well as forensic mechanisms to provide audit trails for digital evidence of transactions and protection against malicious and illegal activities. This framework focuses on the technology and process aspects of security. Gurung, Luo, and Liao (2009) develop a research framework and empirically analyze the factors that motivate consumers to adopt and use anti-spyware tools when they are faced with security threats. The research model was tested with data obtained through online survey questionnaires. The results do not find statistically significant relationships between perceived vulnerability or response cost and the dependent variable. Perceived severity, self-efficacy, and response efficacy were found to be significantly related to the use of anti-spyware tools. This framework focuses on the people aspect of security.

Using a two-stage framework, Mouratidis, Jahankhani, and Nkhoma (2008) empirically found that personnel from general management have different perspectives on network security than personnel from network security management. In particular, the study indicates that such differences appear in a number of areas, such as the effectiveness and efficiency of the networked system, control of network security, security-related decision-making processes, and users of the network. The last is the most controversial issue, with one side indicating that users should be allowed to use the network in an efficient manner and the other emphasizing that users pose one of the greatest security risks to the system. This framework also focuses on the people aspect.

Hong, et al. (2003) propose a framework to integrate security policy theory, risk management theory, control and auditing theory, management system theory and contingency theory in order to build a comprehensive theory of information security management (ISM). This framework suggests that an integrated system theory is useful for understanding information security management, explaining information security management strategies, and predicting management outcomes. This framework is focused on process aspect.

Siponen (2002) provides a framework synthesized from the information systems (IS) and software engineering literatures for articulating security maturity criteria and examining existing information security maturity criteria. This framework is focused on process aspect.

Debar and Viinikka (2006) provide an architecture for the outsourcing of security information management (SIM). They posit that the day-to-day operation of a SIM is beyond the financial capabilities of all but the largest organizations, as the SIM must be monitored constantly to ensure a timely reaction to alerts. Many managed security service providers (MSSPs) have therefore emerged to take over the alert management activities. Sensors are deployed within the customer's infrastructure, and the alerts are sent to the outsourced SIM along with additional log information. This framework focuses on the process and technology aspects.

Eloff and von Solms (Eloff, 2000) provide a hierarchical framework for information systems management from the security standpoint. Their multilevel model includes two major aspects of security management, namely, technology and process. Despite the fact that considerable emphasis has traditionally been placed on the technical aspect, they have introduced the process aspect of security and discuss the importance of developing guidelines, codes of practice, standards, legislation, and benchmarking. While these processes are essential, equally important is the consideration of the changing nature of the overall business processes and their security requirements. For example, in the dynamic B2B environment, partnerships between participating entities are forged and terminated frequently. These partners collaborate and cooperate on certain projects, while maintaining individual trade secrets and competitive edge. In such a scenario, the security requirements for the systems and interfaces are driven by the specific business processes and the data that are exchanged between them. Thus, we argue that identifying and articulating the security requirements for important business processes is critical in coming up with a comprehensive security solution.

Most of the security frameworks reviewed above focus on the technical and/or process aspects of security. However, an important piece of the security puzzle is the human aspect. Recent literature indicates that the greatest threat of a security breach comes from within the organization (Panko, 2010; Richardson, 2010). A joint study by the Computer Security Institute (CSI) and the FBI indicates that the most serious losses in companies are caused by unauthorized insider access (Richardson, 2010). As aptly pointed out by Dhillon and Backhouse (2000), information system security is a social and organizational problem because systems are used by people. Thus, it is the human beings who interact with, and are responsible for, systems that have the biggest impact on the security of individual systems and the organization as a whole (Andress, 2000). In this context, personal traits such as responsibility, integrity, trust, and ethicality are deemed critical in securing information assets (Dhillon & Backhouse, 2000).

In light of the above discussion, we contend that for any systems security solution to be effective, it should take into account the following three dimensions, as depicted in Figure 1: a) technology, b) process, and c) people. These three equally important dimensions are tightly coupled and should serve as the cornerstone of every systems security solution architecture. A weakness in one dimension not only affects system security directly but also has a severe detrimental impact on the other dimensions, and thus a compounding effect. Hence we argue that balance and congruence among the three dimensions is critical for providing a secure systems environment. We identify important factors within each of these dimensions in Table 1 below. These factors are derived from the frameworks reviewed above.

Table 1: Important Technical, Process, and People Factors for Enhancing Systems Security

Technical
• Standards
• Security models
• Specific security technologies
• Privacy
• Physical access restrictions
• Application availability
• Network confidentiality
• Content integrity

Process
• Guidelines
• Code of practice
• Controls
• Certification
• Accreditation
• Benchmarking
• Self-assessment
• Legislation
• Evaluation

People
• Responsibility
• Integrity
• Trust
• Ethicality

Another drawback discussed in the literature regarding current security solutions is that most security measures are "afterthoughts" (Panko, 2010). In other words, the security layer is just an add-on to systems, chosen without taking into consideration the assets to be secured and the business processes that they support. During the development life cycle of the system, security requirements and the design of appropriate solutions are not an integral part of the development process.

Figure 1. Framework for Enhancing Systems Security. [Figure: the three dimensions, Technology, Process, and People, arranged around a Secure Environment.]

For the most part, system security is limited to user authentication and limiting access to certain resources through rudimentary techniques. We contend that a thorough analysis of the security requirements based on the assets and the business processes to be secured, ensuring that there is a good fit between the chosen security mechanisms and the processes, is crucial for the effectiveness of system security. In order to achieve a high level of success, we advocate that security related issues be considered at every phase of the system development life cycle and not just at the post-implementation phase. In other words, organizations have to develop and commit to a systems development life cycle view of security. Furthermore, during each phase of the systems development, the issues related to the three dimensions of security have to be delineated and addressed. Table 2 presents some of the security related activities that have to be carried out during each phase of the systems life cycle. Without claiming comprehensiveness, we suggest that these activities provide a systematic way to incorporate security aspects into the overall systems development process.

Table 2. Security Related Activities in Systems Development Life Cycle Phases (dimension by SDLC phase)

Technology
Planning: Survey existing security technologies (internal and external), standards, and models.
Analysis: Identify technologies and their requirements to secure business processes.
Design: Design security architecture including privacy and physical access restrictions.
Implementation and Testing: Procure security technologies (hardware and software) to meet the security requirements identified in the analysis phase. Ensure application availability, network confidentiality, and content integrity.
Post Implementation: Fix bugs. Enhance security features.

Process
Planning: Study codes of practice. Review existing security policy. Identify assets to secure. Identify their high-level security needs.
Analysis: Perform SWOT analysis for security. Determine process-level security requirements and controls.
Design: Design organizational security policies. Ensure that policies are consistent with legislation.
Implementation and Testing: Establish security interfaces between sub-systems. Identify domain-specific test scenarios. Perform unit testing and system testing.
Post Implementation: Train end users. Promote security. Actively monitor for security breaches. Identify new security risks. Evaluate, perform self-assessment, and benchmark. Obtain accreditation and certification.

People
Planning: Identify a security champion. Seek participation of high-level managers. Identify manager(s) for security operations.
Analysis: Involve security analysts and process users (end users).
Design: Identify and involve the technical people who will design security solutions.
Implementation and Testing: Involve technology vendors, consultants, designers, and system integrators.
Post Implementation: Earn end users' trust. Inculcate end-user responsibility and security personnel integrity and ethicality.

DISCUSSION

In this section, we provide detailed actions that organizations can take in order to mitigate the woes of "security blues" based on our framework and systems development life cycle view of security. The actions presented below are grouped based on the SDLC phases related to technology, process and people dimensions of systems security.

Planning

Sound planning paves the way for effective and efficient security and compliance. In the planning phase of the SDLC, a company needs to survey existing security policies, codes of practice, standards, procedures, technologies, and models that are available both internally and externally. Information security policies are high-level statements about securing systems. A standard is a detailed rule or statement that enforces a given policy. As an example, "the company will use passwords to secure its systems" might be a policy statement, while "passwords must be at least eight characters long and include capital letters, small letters, and a number" might be a standard. A procedure describes a step-by-step method for implementing a standard; as an example, the company will enable password length controls on all production systems. The company also needs to review external security standards such as ISO/IEC 27002, an information security standard published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), to find codes of practice for information security management. If necessary, it needs to make changes to its existing policy. Effective security begins with a solid understanding of the protected asset and its value. The company needs to identify assets to secure. Since it will be prohibitive to secure all the assets a company possesses, it should prioritize assets based on the existing security guidelines, codes of practice, and risk analysis. As an example, risk analysis allows the company to weigh the cost of securing an asset against the expected loss if the asset's security is breached. If the cost of securing the asset exceeds that expected loss, securing it may not be worthwhile. As an example, assume that the value of an asset is $10,000 and the probability of a security breach of this asset is 10%. The expected loss associated with this breach is $10,000 x 10% = $1,000. If securing this asset costs more than $1,000, then, on this calculation, it should not be secured. In practice the breach probability is hard to estimate and the loss should include indirect costs such as the lost customer confidence noted in the introduction, so such figures guide prioritization rather than settle it. High-level security needs of the identified assets also need to be identified at this stage. Such needs can be categorized as access control, physical security, endpoint security, infrastructure security, application security, and data security.
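The policy, standard, and procedure layers described above can be made concrete. The following added example (not from the paper) encodes the password standard stated in the text as a set of named rules and applies it, as the procedure would, to candidate passwords submitted at password-change time; the account names and candidate passwords are constructed sample input.

```python
"""Policy, standard, and procedure as three layers of the planning phase.

Added example, not from the paper. The rule thresholds are the ones the text
states; the accounts and candidate passwords are constructed sample input.
"""
import re

# Policy: a high-level statement about securing systems.
POLICY = "The company will use passwords to secure its systems."

# Standard: detailed rules that enforce the policy (thresholds from the text).
STANDARD = {
    "min_length_8": lambda pw: len(pw) >= 8,
    "has_capital_letter": lambda pw: re.search(r"[A-Z]", pw) is not None,
    "has_small_letter": lambda pw: re.search(r"[a-z]", pw) is not None,
    "has_number": lambda pw: re.search(r"[0-9]", pw) is not None,
}

def violations(password):
    """Names of the standard's rules that the password fails (empty if compliant)."""
    return [name for name, rule in STANDARD.items() if not rule(password)]

# Procedure: the step-by-step application of the standard. Here the check runs
# at the moment a password is set, so no plaintext password is ever stored or
# read back for a later audit.
def review_password_changes(requests):
    """Map each rejected user to the rules their candidate password failed.

    `requests` maps user name -> candidate password (constructed sample data).
    Compliant candidates are accepted and do not appear in the result.
    """
    rejected = {}
    for user, candidate in requests.items():
        failed = violations(candidate)
        if failed:
            rejected[user] = failed
    return rejected

# Constructed password-change requests, one per user.
SAMPLE_CHANGE_REQUESTS = {
    "alice": "Tr0ubadour",     # compliant
    "bob": "password",         # no capital letter, no number
    "carol": "SHORT1",         # too short, no small letter
    "dave": "longenough9",     # no capital letter
}

if __name__ == "__main__":
    print(POLICY)
    for user, failed in review_password_changes(SAMPLE_CHANGE_REQUESTS).items():
        print(f"{user}: rejected ({', '.join(failed)})")
```

The same rule table can drive the configuration of the password-quality control the procedure enables on production systems, so that the standard is written down once and enforced where passwords are actually set.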

Security needs to be recognized by IT managers as an important issue. The best technologies and wisest policies will take security only so far without extensive management buy-in (Tipton & Krause, 2004). It is heartening that in the CSI survey a majority of managers regard security as a top priority (Richardson, 2010). The remaining IT managers must also recognize security as a top priority if they want to see their web systems secure (Tipton & Krause, 2004). In the planning phase, the company also needs to identify a security champion who will provide resources and support the security effort even in the face of resistance from other stakeholders. Participation should be sought from the high-level managers within whose purview the security function falls. Lower-level managers who will oversee security operations should also be identified.

Analysis

The company needs to perform a strength-weakness-opportunity-threat (SWOT) analysis for security. Such a SWOT analysis should identify the strengths of the existing security mechanisms (technologies, processes, and personnel) and their weaknesses. It should also identify any opportunities to strengthen existing security and institute new security. It should also identify current and possible new threats, such as the company allowing its employees to use wirelessly connected hand-held devices for enterprise communication. Other possible threats include policy breaches, data theft, equipment theft or damage, social engineering, denial of service (DoS), and unauthorized access. In the analysis phase, the company would identify appropriate technology requirements (such as hardware and software) to secure the assets and business processes that need securing. Use of such technologies should be based on the high-level security requirements identified in the planning phase. An outcome of the analysis phase could be the decision to outsource security because of a lack of skilled security personnel (Richardson, 2010). Of course, personnel could be acquired and trained in-house, but that may be cost prohibitive. Any security outsourcing decision should be made with utmost caution, as the company must entrust the handling of its most critical data to an outsider, namely a Managed Security Provider (MSP). Before choosing an MSP, a company must thoroughly analyze its security needs and determine whether the MSP meets them. The company should also be mindful of possible adverse reactions from its customers (Messmer, 2008).


To secure business processes, the company would need to identify process-level security requirements. The company would also need to identify relevant security standards such as ISO 27002 (previously known as ISO 17799) or COBIT and benchmarks for business processes. Such standards and benchmarks could be obtained from standards certifying bodies such as the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), and industry best practices from sources such as the Information Systems Audit and Control Association (ISACA), the SANS Institute, the CSI survey, etc. As an example, in B2B environments, where business partners may collaborate on different business processes, there is a need for very detailed access and content control. A new security challenge is the complexity and granularity of protection needed for business processes in these environments. The process-level requirements will necessitate confidentiality, integrity, and authenticity in data flows. Different business processes or transactions may require different data. These data may require different levels of security for different business processes. While SSL may be sufficient for some data, digital certificates must be used for others. When these data flow across different systems, they are in the same bit-and-byte format. Thus, the same security technologies could potentially be applied to the same stream of data; however, different security technologies would be required for different streams of data. A joint collaboration between RSA and Netegrity is aimed at providing multilevel access-control expertise to produce a security system that can accommodate many types of users and scopes of access rights (Parris, 2009).

The company must involve security analysts and process users (end users) early on in this phase. Early involvement of these stakeholders makes them take the ownership of security requirements of the business processes they are involved with.

Design

In the design phase the company needs to design its security architecture. Security architecture can be defined as the design artifacts that describe how the security controls (security countermeasures) are positioned, and how they relate to the overall information technology architecture (OpenSecurityArchitecture.org, 2006). These controls serve to maintain the system's quality attributes, among them confidentiality, integrity, availability, accountability, and assurance. The security architecture should be holistic and encompassing, make suggestions on how different controls can be synchronized and integrated to achieve maximum effect, include a comprehensive approach to security risk management, and be measurable to demonstrate adherence to the requirements (Eloff & Eloff, 2005) and to federal and state laws, such as the Federal Information Security Act of 2002 (P.L. 107-347, Title III), National Security Directive 42 (NSD-42), etc.

The company also needs to design its security policies, particularly an Incident Response Plan. An information security policy statement expresses management's commitment to the implementation, maintenance, and improvement of its information security management system (ISO 27000). Though there is a need for reviewing the security policy in the planning phase as discussed above, the approach needs to be repetitive, given that any security program will never be 100% complete. Rapidly changing technologies require continuous adaptation. If the organization has a security policy, it should be evaluated to determine whether it is still valid and appropriate. This phase should include all updates and changes to the policy as well as identification of all controls and procedures that are needed to implement the policy.

In this phase the company also needs to identify technical people who will design security solutions. Such people should be carefully chosen to ensure that they bring a holistic perspective and are not wedded to some particular security policy approach. They should also exhibit integrity and ethicality.

Implementation and Testing

The company would need to procure security technologies (hardware and software to meet the security requirements identified in the analysis phase) if it does not have the technologies already. Appropriate security technologies could be obtained by contacting technology vendors and consultants. If in-house security systems are to be deployed, appropriate systems security designers and systems integrators should be identified and assigned. Special care should be taken to ensure the security of interfaces between systems. The individual systems may themselves be secure; however, when they interact with other systems, security could be breached.

To ensure the security of individual systems, the company would need to identify domain-specific test scenarios and then test its security against them. Unit testing will be appropriate for such scenarios. However, system testing should be performed to ensure the security of interfaces between subsystems.
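The distinction drawn above, that each subsystem can pass its own unit tests while the interface between them is still unprotected, is easiest to see in code. The following is an added example, not code from the paper; it assumes a hypothetical two-subsystem layout (a front end that authenticates the user and an internal order service it calls over the LAN) and a constructed shared key. The interface is protected with an HMAC over a timestamp and the request body, and the system-level test exercises both sides together so that an unsigned, altered, or stale request at the boundary is rejected, which a unit test of either side alone would not cover.

```python
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed key for this example only; a real deployment provisions the
# shared secret out of band and never embeds it in source.
INTERNAL_KEY = b"example-shared-secret-not-for-production"


def sign_internal_request(payload: dict, key: bytes = INTERNAL_KEY,
                          now: Optional[float] = None) -> dict:
    """Front end (subsystem A) wraps the request it sends to the order service.

    The HMAC binds the timestamp and the canonical JSON body, so another host
    on the same network cannot alter the user id or replay an old request.
    """
    ts = int(now if now is not None else time.time())
    body = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(key, f"{ts}.{body}".encode(), hashlib.sha256).hexdigest()
    return {"ts": ts, "body": body, "tag": tag}


def verify_internal_request(envelope: dict, key: bytes = INTERNAL_KEY,
                            now: Optional[float] = None,
                            max_age: int = 30) -> Optional[dict]:
    """Order service (subsystem B) checks the interface before trusting the body.

    Returns the parsed payload on success, None on any failure (missing fields,
    stale timestamp, or tag mismatch).
    """
    try:
        ts = int(envelope["ts"])
        body = envelope["body"]
        tag = envelope["tag"]
    except (KeyError, TypeError, ValueError):
        return None
    current = int(now if now is not None else time.time())
    if abs(current - ts) > max_age:          # freshness window against replay
        return None
    expected = hmac.new(key, f"{ts}.{body}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        return None
    return json.loads(body)


def system_test_interface() -> dict:
    """System-level test: drive A and B together across the interface.

    Each case corresponds to something that can only go wrong at the boundary,
    so it belongs in system testing rather than in either subsystem's unit tests.
    """
    results = {}
    good = sign_internal_request({"user_id": 42, "action": "list_orders"}, now=1000)
    results["legitimate_accepted"] = verify_internal_request(good, now=1005) is not None

    # Altered in transit: the user id is changed without knowledge of the key.
    altered = dict(good)
    altered["body"] = good["body"].replace('"user_id":42', '"user_id":7')
    results["altered_rejected"] = verify_internal_request(altered, now=1005) is None

    # Replayed outside the freshness window.
    results["stale_rejected"] = verify_internal_request(good, now=2000) is None

    # Sent with no tag at all, as a caller that bypassed the front end would.
    unsigned = {"ts": 1000, "body": good["body"]}
    results["unsigned_rejected"] = verify_internal_request(unsigned, now=1005) is None
    return results


if __name__ == "__main__":
    print(system_test_interface())
```

The `now` parameter exists so the system test is deterministic; production callers leave it unset. Note that the HMAC gives the interface integrity and authenticity but not confidentiality; if the request body itself is sensitive, the LAN hop also needs transport encryption, which is the separate concern the Post-Implementation section raises about unencrypted intranet traffic.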

After testing, the security architecture needs to be implemented. Implementation could be carried out following any of the direct cut-over, parallel, or pilot approaches. An analysis should be done to determine the suitability of these approaches before following them, as each has unique strengths and weaknesses. As an example, the direct cut-over approach allows one to move the entire system to the new architecture at once. However, if there are security glitches, then the entire system is affected. In contrast, the parallel approach allows both the old and new architectures to be in place for some period of time, but creates confusion among users. The pilot approach allows implementation in only a small segment. This approach helps in ironing out any kinks the security architecture may have before going for full-fledged implementation.

Post-Implementation

It is inevitable that there will be some security bugs in the implemented system. In this phase, such bugs need to be identified and fixed. It is also inevitable that security will be breached at some point in time. If a security breach takes place, the company should follow its Incident Response Plan developed as part of the overall security policy in prior phases.

All end users of all the systems need to be educated and trained in using proper security protocols to promote security. The complexity and variety of security attacks have made the management of employee attitudes toward security a paramount concern. While some employees may be acutely aware of security dangers, others may need constant reminders. Building a security-conscious culture may be a daunting task, but companies need to instill it to minimize security breaches. As part of a security culture, users have to see the benefits to themselves if they are to buy in to these security technologies and policies (Tipton & Krause, 2004). Therefore, it is important to make user education a top priority. Getting end users to understand the importance of security and making them conscious of areas in which they can help increases the security of the company as a whole. Employee education buttresses the security solutions installed to protect a company from attack. Unfortunately, people working inside the company are considered higher security risks than those outside the company (Panko, 2010). The need to address employee breaches is often obscured by all the solutions for physical and network security. While web browsers and servers do a good job of encrypting the data they exchange, traffic on the intranet and LAN is often unencrypted. Managers need to pay special attention to insider security breaches. Employees need to be educated to understand the need for information security and what it means to the organization (Richardson, 2010). They have to be encouraged and motivated to follow standard security procedures (Myers, 2011). Employees must also be assigned responsibility and ownership of the information they manage (Panko, 2010). Early involvement of employees in the process is necessary for their taking ownership of the process. Future security risks should also be identified.

In this stage, companies will do well to self-assess their overall security. They should also benchmark themselves against ISO 27000 or a similar standard. If their security is found wanting, they should take action to rectify it. A good way to meet common benchmarking standards is to get certified and accredited by certifying and accreditation agencies such as Verisign.

CONCLUSIONS

Though organizations are spending vast sums of money on securing their mission-critical applications, they are unable to completely protect their applications and systems from malicious attacks and intrusions. More importantly, they are not able to improve the consumers' perception of a lack of privacy and security in their applications. This has resulted in a very high opportunity cost, estimated to be in the billions of dollars. To a large extent, the lackluster performance of security mechanisms is attributed to heavy reliance on technology while ignoring other factors. Consequently, there is a big push toward taking a holistic approach to designing security solutions.


This study contributes to theory by providing a holistic security framework which addresses the shortcomings of the existing frameworks. In particular, existing frameworks address only one or two of the three dimensions of people, process, and technology, while this framework incorporates all three dimensions for analyzing and subsequently implementing systems security. Existing frameworks also do not provide a holistic way of incorporating security in business processes. This paper advocates a systems development life cycle view of security and provides some of the key activities that have to be carried out throughout the development life cycle in order to improve the overall security of business processes and the corresponding applications and systems. A systematic approach to system security will greatly enhance customer confidence and thus provide competitive advantage. The paper also contributes to practice by providing a detailed discussion of how this framework could be implemented in a given company. Future research could investigate how and whether organizations are using a systems development life cycle approach to secure their business processes. It could also examine whether all three dimensions are equally involved in such an endeavor, or whether companies give priority to one dimension over the others.

ACKNOWLEDGEMENT

The work of the second author has been partly supported by Sogang Business School's World Class University Program (R31-20002) funded by the Korea Research Foundation and the Sogang University Research Grant of 2011.

REFERENCES

Aberdeen Group. (2008) Aberdeen Group Research Benchmark Report. Passwords, Privileged Passwords and Password Lifecycle Management.

Andress, M. and Fonseca, B. (2000) Manage people to protect data. InfoWorld, Nov. 10.

Bennett, M. (2006) Community poll forum: Biggest concern about switching to online applications. CNet Forums, May 2.

Buccafurri, F. and Lax, G. (2011). Implementing disposable credit card numbers by mobile phones. Electronic Commerce Research, 11(3), 271-296.

Caceres, G.H.R. and Teshigawara, Y. (2010). Security guideline tool for home users based on international standards. Information Management & Computer Security, 18(2), 101-123.

Chang, E.-C., Lu, L., Wu, Y., Yap, R.H.C., and Yu, J. (2011). Enhancing host security using external environment sensors. International Journal of Information Security, 10(5), 285-299.


Connolly, P.J. (2001) Security steps into the spotlight. InfoWorld.com, Jan. 21.

CyberSource. (2009) 10th Annual, 2009 Edition, "Online Fraud Report." http://forms.cybersource.com/forms/FraudReport2009NACYBSwww020309

Debar, H. and Viinikka, J. (2006). Security information management as an outsourced service. Information Management & Computer Security, 14(5), 416.

Dhillon, G. and Backhouse, J. (2000) Information System Security Management in the New Millennium. Communications of the ACM, Vol. 43, No. 7, July, pp. 125-128.

Eloff, J.H.P. and Eloff, M.M. (2005) Information Security Architecture. Computer Fraud & Security, November 2005, pp. 10-16.

Eloff, M.M. and von Solms, S.H. (2000) Information Security Management: A Hierarchical Framework for Various Approaches. Computers and Security, Vol. 19, No. 3, pp. 243-256.

eMarketer. (2011) US Retail Ecommerce Forecast: Growth Opportunities in a Maturing Channel. March.

Experiencefreak. (2010) Disposable Identity? http://experiencefreak.posterous.com/disposable-identity. April 23.

Gerdes Jr., J.H., Kalvenes, J., and Huang, C.-T. (2009) Multi-dimensional credentialing using veiled certificates: Protecting privacy in the face of regulatory reporting requirements. Computers & Security, July, Vol. 28, Iss. 5, pp. 248-259.

Grimes, R. (2009) How to manage IT security - without a tech background. InfoWorld, Sept. 25.

Gross, G. (2011) U.S. needs cyber-emergency response, lawmaker says. Computerworld, April 11.

Gurung, A., Luo, X., and Liao, Q. (2009). Consumer motivations in taking action against spyware: an empirical investigation. Information Management & Computer Security, 17(3), 276-289.

Haider, A., Magnusson, C., Yngstrom, L., and Hemani, A. (2011) Addressing dynamic issues in information security management. Information Management & Computer Security, 19(1), 5-24.

Hines, M. (2007) Security outsourcing on the rise. InfoWorld, Sept. 20.


Hong, K.-S., Yen-Ping, C., Chao, L.R., and Tang, J.-H. (2003). An integrated system theory of information security management. Information Management & Computer Security, 11(5), 243-248.

Internet Society, RFC 2828. (2000) Internet Security Glossary, 2000. http://www.ietf.org/rfc/rfc2828.txt.

Kirk, J. (2005) Oracle password protection is weak, experts say. InfoWorld, October.

Krebs, B. (2009) Payment Processor Breach May Be Largest Ever. Washington Post. Retrieved Jan. 20, 2009, from http://voices.washingtonpost.com/securityfix/2009/01/payment_processor_breach_may_b.html?hpid=topnews.

May, T.A. (2011) IT needs to plan for what comes between now and later. Computerworld, March 31.

Messmer, E. (2008) Outsourcing security tasks brings controversy. NetworkWorld, March 20.

Millán, G., Pérez, M., Pérez, G., and Skarmeta, A. (2010). PKI-based trust management in inter-domain scenarios. Computers & Security, 29(2), pp. 278-290.

Mouratidis, H., Jahankhani, H., and Nkhoma, M.Z. (2008). Management versus security specialists: an empirical study on security related perceptions. Information Management & Computer Security, 16(2), 187-205.

Myers, L. (2011) Security Education: We are doing it Wrong. SC Magazine, April 11.

Nosworthy, J. (2000) Implementing Information Security in the 21st Century - Do you have the Balancing Factors? Computers and Security, Vol. 19, No. 4, pp. 337-347.

Olson, J.S. and Olson, G.M. (2000) i2i trust in e-commerce. Communications of the ACM, Vol. 32, No. 12, Dec., p. 41.

Orr, B. (2005). A single sign-on for all supply chain members? American Bankers Association. ABA Banking Journal, 97(9), p. 82.

Panko, R. (2010) Corporate Computer and Network Security, 2/e. Prentice Hall.

Parris, K. (2009) 3 Tips for Brushing Up B2B Security. TechNewsWorld, 7/2/09.

Patel, A., Qi, W., and Wills, C. (2010). Information Management & Computer Security, 18(3), 144-161.


PwC. Global state of information security survey. (2011) A worldwide survey by CIO magazine, CSO magazine, and PwC.

Richardson, R. (2010) CSI Computer Crime and Security Survey.

Schultz, E. (2005). Study shows home computer users are ignorant about security. Computers & Security, 24(1), 5-6.

Schwartz, M.J. (2011) Secure coding or bust. InformationWeek, April 7.

OpenSecurityArchitecture.org. (2006) Definitions: IT Security Architecture. Jan. 2006. http://www.opensecurityarchitecture.org/cms/index.php.

Siponen, M. (2002). Towards maturity of information security maturity criteria: Six lessons learned from software maturity criteria. Information Management & Computer Security, 10(5), 210-224.

Tipton, H.F. and Krause, M. (2004) Information security management handbook. Fifth Edition, CRC Press.

Tsohou, A., Kokolakis, S., Lambrinoudakis, C., and Gritzalis, S. (2010). A security standards' framework to facilitate best practices' awareness and conformity. Information Management & Computer Security, 18(5), 350-365.

US Department of Commerce. (2011) US Census Bureau News. Feb. 17. http://www.census.gov/retail/mrts/www/data/pdf/ec_current.pdf

Uzoka, F. and Ndzinge, T. (2009). Empirical analysis of biometric technology adoption and acceptance in Botswana. The Journal of Systems and Software, 82(9), 1550-1564.

Xenakis, C., Panos, C., and Stavrakakis, I. (2011). A comparative evaluation of intrusion detection architectures for mobile ad hoc networks. Computers & Security, 30(1), 63-80.


AUTHOR BIOGRAPHY

Dr. Srinarayan Sharma is a Professor of Information Systems at the Indian Institute of Management, Ranchi, India. His past work has involved studies of various IT innovations such as open source software, computer-aided software engineering, data warehousing, mobile commerce, etc. His current interest lies in the application of IT to solve contemporary problems such as global warming, water scarcity, and world poverty. His past work has been published in various IT journals and conferences such as Communications of the ACM, Information Systems Journal, Information & Management, Annual Conferences of the Association of Information Systems, Annual Conferences of the Decision Sciences Institute, etc.

Dr. Vijayan Sugumaran (Corresponding Author) is a Professor of Management Information Systems in the Department of Decision and Information Sciences at Oakland University, Rochester, Michigan, USA. He is also WCU Professor in the Department of Service Systems Management and Engineering at Sogang University, Seoul, South Korea. His research interests are in the areas of Service Systems, Ontologies and Semantic Web, Intelligent Agent and Multi-Agent Systems, and Component Based Software Development. He has published over 150 peer-reviewed articles in journals, conferences, and books. He has edited ten books and serves on the Editorial Boards of eight journals. His recent publications have appeared in Information Systems Research, ACM Transactions on Database Systems, IEEE Transactions on Education, IEEE Transactions on Engineering Management, Communications of the ACM, and Healthcare Management Science. Dr. Sugumaran is the Editor-in-Chief of the International Journal of Intelligent Information Technologies. He is the Chair of the Intelligent Agent and Multi-Agent Systems mini-track for the Americas Conference on Information Systems (AMCIS 1999 - 2012). He served as the Program Co-Chair for the 13th International Conference on Applications of Natural Language to Information Systems (NLDB 2008). He also regularly serves as a program committee member for numerous national and international conferences.


Copyright of Journal of Information Privacy & Security is the property of Ivy League Publishing and its content may not be copied or emailed to multiple sites or posted to a listserv without the copyright holder's express written permission. However, users may print, download, or email articles for individual use.