The State of IT Security from a Confidentiality- Focused Perspective and the Role of IT Risk Management

University of Piraeus, Faculty of Digital Systems, Department of Security of Digital Systems
University of Regensburg, Faculty of Business, Economics and Management Information Systems, Department of Information Systems (Prof. Dr. Günther Pernul)

The State of IT Security from a Confidentiality-Focused Perspective and the Role of IT Risk Management

Master Thesis

Submitted to: Prof. Dr. Günther Pernul and Prof. Dr. Sokratis Katsikas
Mentoring: Michael Weber
Submitted on: 26 February 2015
Submitted by: Myrsini Athinaiou, Dr.-Gessler-Straße 15b, 93051 Regensburg (Germany), matriculation number 1718030

Abstract

Information security is important for corporations. Decisions regarding security involve uncertainties, complexities related to various scientific and technological disciplines, and adverse impacts on business prosperity and goals. Risk management methodologies are widely accepted and used to increase the efficiency and effectiveness of information security according to the priorities and limited resources of each firm. The common belief is that risk management offers a framework which summarizes scientific judgment and can be used to support decisions regarding the security of information. Still, every year, and even on a daily basis, enterprises worldwide report lost or stolen data and suffer the consequences: legal penalties, diminished reputation, lost customers and financial losses are some of the most frequently cited examples. As risk management is used in the field of information security, it has been considered not only as a strengthening element but also as an opening for weaknesses.

Some scientists and affected parties perceive risk management as narrowly focused, non-scientifically quantitative, overly quantitative, theoretical, and biased. If information security is tied to risk management, if information security is violated, and if failures of security are the cause of corporate losses, then where does risk management have flaws? Is it a matter of application, or does it lie at the core of the practices? Is the concept of risk management misunderstood, or is security unreachable? Those are some of the questions that were examined. A literature review shows that information security risk management is a scientific field in its own right. Regarding security violations, the paper shows that incidents occur worldwide, especially with respect to confidentiality. The impact of data breaches cannot be ignored in monetary terms, as they lead to losses. Finally, the paper identifies possible sources of weakness in information security risk management. Future work could examine the given answers from different angles, time periods, and sample selection criteria. The importance and criticality of the issue can also lead to an in-depth analysis of how improvements in risk management will raise the efficiency of information security. Furthermore, other factors that can advance risk management practices can be identified. This research focuses on confidentiality; integrity- and availability-oriented studies can also be conducted. It is a field of growing importance, critical for corporate success, and as the value and amount of information increases, more research is necessary.

Master Thesis, Myrsini Athinaiou, 2014/15

Acknowledgments

First and foremost I would like to thank Prof. Dr. Pernul and my advisor Michael Weber. It has been an honor to be taught by them. I appreciate all their contributions of time, ideas and motivation. I am also thankful for the corrections and the excellent example they have provided me of how scientific methods are implemented with consistency. All the members of the Department of Management Information Systems I (Wirtschaftsinformatik I) have also contributed immensely through the lectures I attended, where they presented the state of the art. I would also like to acknowledge Prof. Dr. Katsikas for his advice to study at the University of Regensburg and his support during all this time, from the very beginning of my master studies. I have appreciated the insights Prof. Sneed gave me through the Software Engineering lessons into the IT business reality, highlighting also how priorities differ based on cultures, regions and people. Communication, as a term, took on a different dimension for me after his presentations, from a managerial perspective. I gratefully acknowledge the funding sources that made my master work possible: I was funded by the ERASMUS program of the University of Piraeus. Lastly, I would like to thank my family, the hidden heroes, who make the impossible possible for my sake and have been an endless source of love and encouragement.

Table of Contents

Abstract ... I
Acknowledgments ... II
Table of Contents ... III
List of Figures ... V
List of Tables ... VI
Abbreviations ... VII
1 Introduction ... 1
1.1 Problem Description and Motivation ... 3
1.2 Structure and Objectives ... 4
2 Methodology ... 6
3 Review of Previous Work and Terminology ... 9
3.1 Information Security Related Terminology ... 9
3.2 Corporations and Risk Management ... 17
3.3 Scope and Logic of This Study ... 19
4 Risk Management and Information Security ... 23
4.1 Information Security ... 23
4.2 Information Security Related Standards ... 29
4.3 Risk Management ... 33
4.4 Information Security and Risk Management ... 35
5 Information Security Fails ... 38
5.1 Brief History of Data Breaches ... 38
5.2 Review of Information Security Studies ... 43
5.3 Data Breaches Worldwide ... 55
5.4 Privacy Breaches in the United States ... 61
6 Cost of Data Breaches ... 73
6.1 Related Work ... 73
6.2 Scope of This Cost Analysis ... 77
6.3 Methodology ... 79
6.4 Data Selection Criteria ... 84
6.5 Results ... 86
7 Factors That Lead to Risk Management Failure ... 90
7.1 Scope and Purpose of Risk Management ... 90
7.2 Arguments Regarding Risk Management ... 92
7.3 Arguments for Information Security Risk Management ... 95
8 Conclusions ... 97
Appendix ... 99
Literature ...

Details

  • File Type: pdf
  • Content Languages: English
  • File Pages: 152
