by The Open University
Read Chapter 1 of the Set Book and evaluate the case for information security made in that chapter.
To complete this activity, you should consider carefully the statistics the authors present. Do try to be critical. Try to distinguish the points that you feel are made convincingly from those that might warrant deeper enquiry or scrutiny. Ask yourself about the motives and interests of the parties whose research and opinions are presented. Do you think the evidence is presented in a balanced way?
There is no need to be exhaustive. Aim for about three or four substantial observations that you could discuss with a colleague, or with other learners, using the unit forum.
Here are some of our thoughts.
We wondered about the extent to which expressions such as ‘flood of threats’, ‘web of legislation’, ‘clear and present danger’, ‘random unprovoked attacks’, ‘no organisation is immune’ and ‘every organisation will suffer’ might have been chosen to resonate with (or even exploit) today's social and political anxieties.
We noticed that some of the surveys and opinions cited come from parties who may have an interest in promoting the information security industry. Management consultants market expertise in this area; enforcement agencies have to make the case for budgets and resources for new areas of activity; the UK government (through the Department of Trade and Industry, DTI) promotes the interests of UK businesses internationally, including security and IT businesses.
We felt that most of the statistics raised more questions than they answered. Many of them suggest more research is needed to understand more clearly the nature and scale of threats. The measurement scales for many of the reported results were unclear; and there are obvious difficulties in costing security breaches, including some of the most common. Here are some specific examples of what we mean.
Compare ‘European businesses … lost £4.3 billion in [2000] due to Internet-related crime’ (p. 11) with ‘in 2001 … the annual cost to the German economy of deficient IT security was higher than £96.3 billion’ (p. 12). The second figure, for a single country, is more than twenty times the first, which covers the whole of Europe, so at least one of the two cannot be measuring the same thing, and the book does not say which.
The statement that ‘69% recognised that they possessed information that was either sensitive or critical’ (p. 9) leaves open several important questions, such as what volumes of such data were held and how exposed it was. Nor is it clear what portion of the measurement scale is covered by the classes ‘sensitive’ to ‘critical’.
We noted (from p. 9) that 63% of the 69% cited (i.e. about 43% of those surveyed) had suffered a moderately serious breach or worse. We are not told what portion of the measurement scale is covered by the class ‘moderately serious breach or worse’.
The increase in virus incidents from 20% to 73% (reported on p. 11) deserves exploration. Was the rise driven by a single widely spreading virus that reached many organisations, or by many distinct viruses? The two cases say quite different things about the threat, and a count of affected organisations cannot distinguish them.
The authors offer a variety of figures assessing the ‘average cost’ of security breaches, e.g. ‘the cost of a single breach was in excess of £100,000’ (p. 10), ‘the average cost of serious security incidents was £30K’ (p. 10), ‘average losses … in the order of $2 million’ (p. 12). Information on whether these were the mean, median or modal costs would be valuable. Furthermore, information on the distribution of costs would help: if a handful of very expensive incidents sit among many cheap ones, the mean will be far above what a typical organisation actually experiences.
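To make the mean/median point concrete, here is a small worked example that is not part of the Open University material or the Set Book. It uses a constructed sample of twenty incident costs (assumed, for illustration, to follow the heavily right-skewed shape that loss data typically has: many small incidents and one or two very large ones) and shows how much the reported ‘average’ depends on which statistic is chosen and on a single extreme incident.

```python
"""Why a reported 'average cost of a breach' needs a named statistic and a
distribution.  The incident costs below are constructed for illustration and
are not figures from any survey."""
from statistics import mean, median, multimode, quantiles

# Constructed sample of 20 incident costs in pounds (assumption: right-skewed,
# many cheap incidents and a few very expensive ones).
INCIDENT_COSTS = [
    500, 800, 1_000, 1_200, 1_500, 2_000, 2_000, 2_500, 3_000, 4_000,
    5_000, 6_000, 8_000, 10_000, 15_000, 20_000, 40_000, 75_000,
    250_000, 1_200_000,
]


def summarise(costs):
    """Return the summary figures a reader needs to interpret an 'average'."""
    ordered = sorted(costs)
    q1, _, q3 = quantiles(ordered, n=4)  # quartile boundaries
    return {
        "n": len(ordered),
        "mean": mean(ordered),
        "median": median(ordered),
        "mode": multimode(ordered),
        "q1": q1,
        "q3": q3,
        "max": ordered[-1],
        # Share of the total loss attributable to the single worst incident.
        "top_incident_share": ordered[-1] / sum(ordered),
    }


def sensitivity_to_worst_incident(costs):
    """Compare mean and median with and without the single largest incident.

    A large gap between the two means, alongside a near-identical median, is
    the signature of a skewed distribution in which 'average' is misleading.
    """
    ordered = sorted(costs)
    without_max = ordered[:-1]
    return {
        "mean_all": mean(ordered),
        "mean_without_max": mean(without_max),
        "median_all": median(ordered),
        "median_without_max": median(without_max),
    }


if __name__ == "__main__":
    for key, value in summarise(INCIDENT_COSTS).items():
        print(f"{key:>20}: {value}")
    print()
    for key, value in sensitivity_to_worst_incident(INCIDENT_COSTS).items():
        print(f"{key:>20}: {value:,.0f}")
```

On this constructed sample the mean (£82,375) is roughly eighteen times the median (£4,500) and sits above the third quartile, and dropping the single worst incident cuts the mean to about £23,553 while the median moves from £4,500 to £4,000. A survey that reports only ‘the average cost’ gives no way to tell which of these situations it describes.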
If 90% of organisations suffered a malware attack, but 80% of these had antivirus software (reported on p. 13), then we need to know whether antivirus defences are effective at all, whether the software in question was kept up to date, and whether the attacks counted were ones the software detected and stopped or ones that got through.
We learn that ‘insider security incidents occurred more often than outsider ones’ (p. 13), but that these incidents included installation of unauthorised software, unauthorised email, gambling, pornography and personal businesses. Do these activities really pose a threat? Most are breaches of an acceptable-use policy rather than attacks on information, and counting them alongside theft or sabotage inflates the insider figure; only unauthorised software clearly carries a security risk of its own, as a route for malware.
Given its focus on IT governance, the Set Book naturally concentrates on threats to computer-based communication and storage. However, it is worth remembering that the more traditional form of industrial espionage, in which physical documents and plans are acquired, is still widely practised and remains a threat not to be underestimated.
Original Copyright © 2007 The Open University. Now made available within the Creative Commons framework under the CC Attribution – Non-commercial licence (see http://creativecommons.org/by-nc-sa/2.0/uk/).