DOCSLIB.ORG

The State of IT Security from a Confidentiality- Focused Perspective and the Role of IT Risk Management

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text

Load more

University of Piraeus Faculty of Digital Systems Department of Security of Digital Systems The state of IT Security from a confidentiality- focused perspective and the role of IT Risk Management MASTER THESIS Submitted to: Prof. Dr. Günther Pernul and Prof.Dr. Sokratis Katsikas Mentoring: Michael Weber Submitted on 26th of February 2015 Submitted by: Myrsini Athinaiou Dr.-Gessler-Straße 15b 93051 Regensburg (Germany) matriculation number. 1718030 University of Regensburg Faculty of Business, Economics and Management Information Systems Department of Information Systems Prof. Dr. Günther Pernul The state of IT Security from a confidentiality- focused perspective and the role of IT Risk Management MASTER THESIS Submitted to: Prof. Dr. Günther Pernul Mentoring: Michael Weber Submitted on 26th of February 2015 Submitted by: Myrsini Athinaiou Dr.-Gessler-Straße 15b 93051 Regensburg (Germany) matriculation number. 1718030 Abstract I Abstract Information security is important for corporations. Decisions regarding security involve uncertainties, complexities related to various scientific and technological disciplines, and adverse impacts on business prosperity and goals. Risk management methodologies are widely accepted and used to increase the efficiency and effectiveness of information security, according to the priorities and limited resources of each firm. The common belief is that risk management offers a framework which summarizes scientific judgment and can be used to support decisions regarding the security of information. Still, every year and even on a daily bases, enterprises worldwide are reporting lost or stolen data and also suffer the various consequences. Legal penalties, diminishing reputation, lost costumers, financial losses are some of the most referenced examples. As risk management is used in the field of information security, it has been considered not only as a strengthening element but also as an opening. Some scientists and affected parties perceive risk management as narrowly focused, non-scientifically quantitative, overly quantitative, theoretical, and biased. If information security is related with risk management, if information security is violated, if failures of security are the cause of corporate loses, then where risk management has flows? Is it a matter of application or lies to the core of the practices? Is the concept of risk management misunderstood or security is unreachable? Those are some of the questions that were examined. A literature review shows that information security risk management is a scientific field for each own. Regarding security violations the paper shows that, especially regarding confidentiality, incidents occur worldwide. The impact of data breaches cannot be ignored in monetary terms as they lead to losses. Finally, the paper identifies possible sources of information risk management weaknesses. Future work could examine the given answers from different angles, time periods, and sample selection criteria. The importance and criticality of the issue can also lead to a depth analysis of how improvements in risk management will raise the efficiency of information security. Furthermore, other factors that can advance risk management practices can be found. This research focuses on confidentiality, integrity and availability oriented studies can be also held. It’s a field of growing importance, its critical for corporate success and as the value and amount of information increases more research is necessary. Master Thesis Myrsini Athinaiou, 2014/15 Acknowledgments II Acknowledgments First and foremost I would to thank Dr. Prof. Pernul and my advisor Michael Weber. It has been an honor to be taught from them. I appreciate all their contributions of time, ideas and motivation. I am also thankful for the corrections and the excellent example they have provided me of how scientific methods are implemented with consistency. Also all the members of the department of management information systems I (Wirtschaftsinformatik I) have contributed immensely through attendance to lectures, where they presented the state-of-the- art. I would also like to acknowledge Dr. Prof. Katsikas for his advice to study in the University of Regensburg and his support during all this time, from the very beginning of my master studies. I have appreciated the insides Prof. Sneed gave me through Software Engineering lessons in the IT business reality, highlighted also how priorities differ based on cultures, regions and people. Communication, as a term, took a different dimension for me after his presentations, from a managerial perspective. I gratefully acknowledge the funding sources that made my master work possible. I was funded be the ERASMUS program of the University of Piraeus. Lastly, I would like to thank my family, the hidden heroes, that make the impossible possible for my sake and they have been an endless source of love and encouragement. Master Thesis Myrsini Athinaiou, 2014/15 Table of Contents III Table of Contents Page ABSTRACT ..................................................................................................................................... I ACKNOWLEDGMENTS ............................................................................................................. II TABLE OF CONTENTS ............................................................................................................. III LIST OF FIGURES ....................................................................................................................... V LIST OF TABLES ........................................................................................................................ VI ABBREVIATIONS ..................................................................................................................... VII 1 INTRODUCTION .................................................................................................................. 1 1.1 PROBLEM DESCRIPTION AND MOTIVATION ............................................................................. 3 1.2 STRUCTURE AND OBJECTIVES ................................................................................................. 4 2 METHODOLOGY................................................................................................................. 6 3 REVIEW OF PREVIOUS WORK AND TERMINOLOGY ............................................. 9 3.1 INFORMATION SECURITY RELATED TERMINOLOGY ................................................................. 9 3.2 CORPORATIONS AND RISK MANAGEMENT ............................................................................. 17 3.3 SCOPE AND LOGIC OF THIS STUDY ......................................................................................... 19 4 RISK MANAGEMENT AND INFORMATION SECURITY ......................................... 23 4.1 INFORMATION SECURITY ....................................................................................................... 23 4.2 INFORMATION SECURITY RELATED STANDARDS ................................................................... 29 4.3 RISK MANAGEMENT .............................................................................................................. 33 4.4 INFORMATION SECURITY AND RISK MANAGEMENT .............................................................. 35 5 INFORMATION SECURITY FAILS ................................................................................ 38 5.1 BRIEF HISTORY OF DATA BREACHES ............................................................................. 38 5.2 REVIEW OF INFORMATION SECURITY STUDIES ............................................................... 43 5.3 DATA BREACHES WORLDWIDE ...................................................................................... 55 5.4 PRIVACY BREACHES IN UNITED STATES ........................................................................ 61 6 COST OF DATA BREACHES ........................................................................................... 73 6.1 RELATED WORK ............................................................................................................. 73 6.2 SCOPE OF THIS COST ANALYSIS ...................................................................................... 77 6.3 METHODOLOGY ............................................................................................................. 79 6.4 DATA SELECTION CRITERIA ............................................................................................ 84 6.5 RESULTS......................................................................................................................... 86 Master Thesis Myrsini Athinaiou, 2014/15 Table of Contents IV Page 7 FACTORS THAT LEAD TO RISK MANAGEMENT FAILURE ................................. 90 7.1 SCOPE AND PURPOSE OF RISK MANAGEMENT ....................................................................... 90 7.2 ARGUMENTS REGARDING RISK MANAGEMENT ..................................................................... 92 7.3 ARGUMENTS FOR INFORMATION SECURITY RISK MANAGEMENT .......................................... 95 8 CONCLUSIONS .................................................................................................................. 97 APPENDIX .................................................................................................................................... 99 LITERATURE ...........................................................................................................................
Recommended publications
  • Calendar No. 168

    Calendar No. 168

    Calendar No. 168 110TH CONGRESS REPORT " ! 1st Session SENATE 110–70 PERSONAL DATA PRIVACY AND SECURITY ACT OF 2007 MAY 23, 2007.—Ordered to be printed Mr. LEAHY, from the Committee on Judiciary, submits the following R E P O R T together with ADDITIONAL VIEWS [To accompany S. 495] [Including cost estimate of the Congressional Budget Office] The Committee on the Judiciary, to which was referred the bill (S. 495), to prevent and mitigate identity theft, to ensure privacy, to provide notice of security breaches, and to enhance criminal pen- alties, law enforcement assistance, and other protections against security breaches, fraudulent access, and misuse of personally iden- tifiable information, reports favorably thereon with amendments, and recommends that the bill, with amendments, do pass. CONTENTS Page I. Purpose of the Personal Data Privacy and Security Act of 2007 ............... 2 II. History of the Bill and Committee Consideration ....................................... 7 III. Section-by-Section Summary of the Bill ...................................................... 10 IV. Cost Estimate ................................................................................................. 18 V. Regulatory Impact Evaluation ...................................................................... 25 VI. Conclusion ...................................................................................................... 25 VII. Additional Views ............................................................................................ 26 VIII. Changes in Existing Law Made by the Bill as Reported ............................ 32 59–010 VerDate Aug 31 2005 06:18 May 28, 2007 Jkt 059010 PO 00000 Frm 00001 Fmt 6659 Sfmt 6646 E:\HR\OC\SR070.XXX SR070 mstockstill on PROD1PC66 with HEARING 2 I. PURPOSE OF THE PERSONAL DATA PRIVACY AND SECURITY ACT OF 2007 A. SUMMARY Advanced technologies, combined with the realties of the post- 9/11 digital era, have created strong incentives and opportunities for collecting and selling personal information about ordinary Americans.
  • FISSEA Conference 2011 Presentation

    FISSEA Conference 2011 Presentation

    Securing the Weakest Link Instructor Jay Ferron CEHI, CISM, CISSP, CWSP, MCITP, MCT, MVP, NSA-IAM … [email protected] © 2010 Global Knowledge Training LLC. All rights reserved. Section Objectives After completing this section, you will be able to: Discuss the issue of social media in security Describe and show examples of phishing Show methods of discovering and processing online attacks © 2010 Global Knowledge Training LLC. All rights reserved. 2-2 Security Fundamentals Security Importance To protect your finances To protect your data To protect your country To protect your job To protect your way of life To protect your life © 2010 Global Knowledge Training LLC. All rights reserved. 1-3 Security Fundamentals Human Influence in Security “People are the underlying cause of the need for security.” Donn Parker, Fighting Computer Crime © 2010 Global Knowledge Training LLC. All rights reserved. 1-4 Vulnerabilities Social Engineering Dumpster diving and shoulder surfing Organizational charts, passwords, access codes, and log files Use of tools Google, Bing, Yahoo!, etc. www.learnwebskills.com/company www.whitepages.com Hoover’s, Inc. EDGAR Online, Inc. © 2010 Global Knowledge Training LLC. All rights reserved. 1-7 Demo © 2010 Global Knowledge Training LLC. All rights reserved. Discussion DoHow you manydo haveyou of connect children you have to at more thehome Internet than and one WhatDoHave you areyou useback youever encryption? upusing been your tohit data?computer? read by a yourHow virus? often?eHow-mail? often? ifcomputer(DSL, so, what cable, at ages? home?or dial-up)? © 2010 Global Knowledge Training LLC. All rights reserved. Social Media Types Social networking sites Blogging sites Facebook Xanga Twitter LiveJournal Video sharing Bookmarking sites YouTube Digg Photo sharing Flickr © 2010 Global Knowledge Training LLC.
  • A Chronology of Data Breaches

    A Chronology of Data Breaches

    A Chronology of Data Breaches Posted April 20, 2005 Updated August 17, 2007 DATE MADE PUBLIC NAME (Location) TYPE OF BREACH NUMBER OF RECORDS August 13, 2007 Pfizer/Axia Ltd. Axia Ltd. had notified Pfizer on June 14 of an incident in which two Pfizer laptops were stolen from a 950 (New York, NY) locked car. The laptops, which disappeared May 31 in Boston, included the names and Social Security 866-274-3891 numbers of health-care professionals who “were providing or considering providing contract services for Pfizer,” according to the letter. August 11, 2007 Providence Alaska Medical Center A laptop computer that contains the personal information of patients is missing. On the laptop there 250 (Anchorage, AL) maybe names, medical record numbers, dates of birth, patient diagnoses, Social Security numbers and (888) 387-3392. addresses. August 10, 2007 Loyola University A computer with the Social Security numbers of 58 hundred students was discarded before its hard drive 5,800 (Chicago, IL) was erased, forcing the school to warn students about potential identify theft. August 10, 2007 Legacy Health System A primary care physician practice has discovered the theft of $13,000 in cash and personal data for 747 (Portland, OR) patients. Patient receipts, credit card transaction slips and checks are also missing, in addition to Social (503) 445-9533 Security numbers and dates of birth for patients. August 8, 2007 Yale University Social Security numbers for over 10,000 current and former students, faculty and staff were 10,000 (New Haven, CT) compromised last month following the theft of two University computers August 7, 2007 Electronic Data Systems A former employee was arrested this week for allegedly trafficking in stolen identities she received 498 (Montgomery, AL) through her work with the company.
  • Types of Retailers

    Types of Retailers

    LLev2899x_ch02_034-065.inddev2899x_ch02_034-065.indd PagePage 3434 8/2/138/2/13 2:322:32 AMAM f-494f-494 //202/MH01986/Lev2899x_disk1of1/007802899x/Lev2899x_pagefiles202/MH01986/Lev2899x_disk1of1/007802899x/Lev2899x_pagefiles Types of Retailers EXECUTIVE BRIEFING Debbie Ferree, Vice Chairman and Chief Merchant, DSW Inc. Math was always my favorite subject in school and retail. In 2004, I was promoted to president and chief came quite naturally to me, so it was no surprise that merchandising officer of DSW and we took the I entered college with the goal to become a college company public in 2005. math professor, but my passion for fashion and love To implement this new concept, we developed for business and retail caused me to change my career strategic partnerships with the leading designer aspirations and transfer to the college of business. brands in footwear. These vendors were focused on Before joining DSW (Designer Shoe Warehouse), I selling their brands through the department store worked in senior management positions for a variety channel and were initially skeptical about the new of retailers, which gave me broad experience in differ- business model. The new model had many advan- ent channels of distribution and business models: tages and financial benefits: when they sold to DSW, May Company and Burdines/Federated Department there would be no extra charges such as advertising Stores—department stores; Ross Dress for Less— allowances or vendor chargebacks, and no renego- discount stores; and Harris Company—specialty retail. tiations on prices at the end of the season or mer- In 1997, I joined DSW, a true off-price retailer, of- chandise returns.
  • Ibm Ndustry Verview Etail Mss I O : R

    Ibm Ndustry Verview Etail Mss I O : R

    ii IBM NDUSTRY VERVIEW ETAIL MSS I O : R RESEARCH AND INTELLIGENCE REPORT RELEASE DATE: JANUARY 06, 2015 BY: DAVID MCMILLEN, SENIOR THREAT RESEARCHER ©Copyright IBM Corporation 2015. All rights reserved. IBM and the IBM logo are trademarks or registered trademarks of IBM Corporation in the United States, other countries or both. Other company, product or service names may be trademarks or service marks of others. iii TABLE OF CONTENTS EXECUTIVE OVERVIEW ....................................................................................................................................... 1 MAJOR RETAIL DATA BREACHES ......................................................................................................................... 1 METHODS OF RETAIL DATA LOSS ........................................................................................................................ 4 METHODS OF ATTACK ........................................................................................................................................ 6 COMMAND INJECTION ...................................................................................................................................................... 6 SHELLSHOCK ................................................................................................................................................................... 6 POPULAR POS MALWARE ................................................................................................................................................
  • Twitter Equity Firm Value CS4624: Multimedia, Hypertext, and Information Access Blacksburg, VA 24061 5/8/2018 Client: Ziqian Song Instructor: Dr

    Twitter Equity Firm Value CS4624: Multimedia, Hypertext, and Information Access Blacksburg, VA 24061 5/8/2018 Client: Ziqian Song Instructor: Dr

    Twitter Equity Firm Value CS4624: Multimedia, Hypertext, and Information Access BlacksburG, VA 24061 5/8/2018 Client: Ziqian SonG Instructor: Dr. Edward A. Fox By: Nathaniel Guinn, Christian Wiskur, Erik AGren, Jacob Smith, and Rohan Rane 1 Table of Contents Table of Figures .................................................................................................................................................................2 Table of Tables ...................................................................................................................................................................3 1. Executive Summary ......................................................................................................................................................4 2. Introduction ...................................................................................................................................................................5 3. Requirements ................................................................................................................................................................5 4. Design ..............................................................................................................................................................................6 4.1 High Level Design ............................................................................................................................................................................................ 6 4.2 Twitter