Administering Security

1
Administering Security
2
Personal Computer Security Management

• Security problems for personal computers are more
  serious than on mainframe computers
• people issues
• hardware and software issues
• lack of sensitivity
• users do not appreciate security risks associated
  with the use of PCs
• lack of tools
• hw and sw tools are fewer and less sophisticated
  than in the mainframe environment

3
Contributors to Security Problems

• Hardware vulnerabilities
• limited protection of one memory space
• every user can execute every instruction
• can read and write every memory location
• the operating system may declare certain files as
  system files, but it can not prevent the user
  from accessing them
• operating system designers have failed to take
  advantage of hardware protection

4
Contributors to Security Problems

• Low awareness of the problem
• analogous to a calculator
• no unique responsibility
• if the machine is shared, nobody takes full
  responsibility for maintenance, supervision and
  control
• few hw controls
• few PCs take advantage of hw features
• no audit trail
• environmental attacks
• physical access
• unattended machines
• care of media components
• diskettes, etc.

5
Contributors to Security Problems

• No backups
• questionable documentation
• high portability
• combination of duties
• lack of checks and balances

6
Security Measures

• Procedures
• Do not leave PCs unattended in an exposed
  environment if they contain sensitive info
• do not leave printers unattended if they are
  printing sensitive output
• secure media as carefully as you would a
  confidential report
• perform periodic back-ups
• practice separation of authority

7
Security Measures

• Hardware Controls
• Secure the equipment
• consider using add-on security boards
• Software Controls
• use all sw with full understanding of its
  potential threats
• do not use sw from dubious resources
• be suspicious of all results
• maintain periodic complete backups of all system
  resources

8
Protection of Files

• Access control features
• encryption
• copy protection
• no protection

9
Access Control Mechanisms for PCs

• Motivations for access control
• Outside interference
• two users one machine
• network access
• errors
• untrusted software
• separation of applications

10
Features of PC Access Control Systems

• Transparent encryption
• some systems automatically encrypt files so that
  their contents will not be evident
• time of day checking
• allowing access during certain times
• automatic timeout
• the system automatically terminates the session
• machine identification
• unique serial no can be read by the application

11
Risk Analysis
12
RISK

• Possibility of suffering harm or loss, a factor,
  course or element involving uncertain danger

13
OPPORTUNITY THREAT
14
THEORETICAL FRAMEWORK

• Important parameter in designing security systems
  is the COST
• RISK ASSESSMENT
• Risk perception
• psychological theory of risk how the general
  public reacts to uncertainities of danger, and
  how this general reaction affects individual
  behaviour.
• cultural theory of risk Risk perception differs
  depending on the social group belief system an
  individual belongs to (Douglas 1970)

15
Reacting to Threats
THREAT
RESPONSE
communication
RISK PERCEPTION
Passive Reaction
16
Reacting to Threats
RISK MANAGEMENT
External danger
RISK PERCEPTION
Organisation Structure
Shared Meaning and Trust
17
CULTURAL THEORY

• When we try to think of the individual in a
  social context, we normally think of the
  corporate group or groups to which they belong.
• Individuals also have constraining
  classifications within the group hierarchy,
  kinship, race, gender, age...

18
CULTURAL THEORY
Four types of social environment and cultural
biases (Douglas 1970)
Fatalists
Hierarchists
B
C
Grid (Individual)
Individualist
Egalitarians
A
D
Group (Social incorporation)
19
CULTURAL THEORY

• A competitive, control people, autonomy see
  risks with opportunities
• B no voluntary risk taking, but accept it as a
  given, no personal autonomy
• C group is emphasised division of labour,
  specialisation, segregation of duties. Take risks
  iff it is approved by experts hierarchical
  authority
• D members get their support from the group no
  formal delegation. The group dissolves in the
  absence of strong leadership

Fatalists
Hierarchists
B
C
individual
Individualist
Egalitarians
A
D
group
20
CULTURE AND RISK

• Risk behaviour is a function of how human beings,
  individually and in groups, perceive their place
  in the world.
• It is important to understand the role of culture
  in stakeholder interaction in order to understand
  cultural biases in risk perception.

21
STAKEHOLDER MODEL

• Stakeholders
• Users information user
• Suppliers information provider and systems
  developer
• Others systems manager
• Each stakeholder group has a differing
  perceptions of same risk.
• Stakeholders can be grouped within themselves
  depending on the social groups they belong to
  rather than roles they assume.

22
STAKEHOLDER MODEL
Links stakeholder model with the cultural theory
23
STAKEHOLDER MODEL

• Individuals have different cultural biases and
  have different perceptions of risk
• computer privacy and security rules are different
  in different countries
• Singapore, Japan, US, Canada
• Grouping stakeholders is not enough for designing
  IS.

24
RISK COMMUNICATION

• It is important to know the cultural backgrounds
  of the stakeholders
• how they perceive risks
• how they communicate risks
• risk communication theory
• risk communication model

25
RISK COMMUNICATION

• Past
• risk communication as one way to general public
  from government
• efforts to improve risk communication
• to get the message across by describing the
  magnitude and balance of the attendant costs and
  benefits

26
RISK COMMUNICATION

• The costs and benefits are equally distributed
  across a society
• People do not agree about which events or actions
  do the most harm or which benefits are more worth
  seeking.

27
RISK COMMUNICATION

• US National Research Counsil (1989)
• Risk communication is an interactive process of
  exchange of information and opinion among
  individuals, groups and institutions. It involves
  multiple messages about the nature of the risk
  and other messages, not strictly about risk, that
  express concerns, opinions and reactions to risk
  messages or to legal and institutional
  arrangements for risk management.

Top-down definition of risk
28
RISK COMMUNICATION

• Risk Communication
• risks posed to stakeholders on the web are
  technological hazards
• classical risk communication model
• sources
• transmitters
• receivers

Certain aspects of risks are intensified or
attenuated
29
CULTURE
Risk Event
Transmitters Media Institutions/Agencies Inte
rest Groups Opinion Leaders
Two-way interaction
Sources Scientists Agencies Interest
Groups Eyewitnesses
Portrayal of Event with symbols, signals and
images by the Sources
Receivers General Public Affected
Organisations/Institutions Social
Groups Other target audience
feedback
30
Initial Information
HEAR
CULTURE SOCIAL FASHION PERSONAL VALUES RELATED
ATTITUDES INFLUENCES
Appeal
Do not Appeal
UNDERSTAND
BELIEVE
New Information
PERSONALIZE
RESPOND
31
Communication

• The recipient hears the information and then
  screens it based on social fashion, personal
  values, attitudes under the influence from peer
  groups
• cultural forces before understanding the message
• Believing involves acceptance that the
  understanding is correct
• the risk is real
• Personalisation
• the risk event will affect the receiver
• Response
• decision to take action for protection from risk

32
Communication

• Credibility of information sources and
  transmitters is a key issue in risk communication

33
TRUST AND CONFIDENCE VS CREDIBILITY

• Trust is an important ingredient in any trade
  transaction
• Trust acts as the mitigating factor for the risks
  assumed by one party on the party in the trade
• As trust increases the risks either reduce or
  become manageable by the trusting party
• Existence of trust also reduces the transaction
  cost in a trade

34
TRUST
For effective communication of risks it is
critically important that receivers place trust
on the sources and transmitters (Lee 1986)
Five levels of trust analysis framework
35
INSTITUTIONAL CREDIBILITY

• Confidence in business and economic organisations
  depends on the perceived quality of their
  services, but also on the employment situation,
  the perception of power monopolies in business,
  the observation of allegedly unethical behaviour
  and the confidence in other institutions
• Confidence in political institutions depends on
  their performance record and openness, but in
  addition on the perception of a political crisis,
  the belief that the government is treating
  everyone fair and equally, the belief in
  functioning of checks and balances, the
  perception of hidden agendas, and the confidence
  in other institutions

36
INSTITUTIONAL CREDIBILITY

• The more educated people are, the more they
  express confidence in the system, but the more
  they are also disappointed about the performance
  of the people representing the system
• Political conservatism correlates positively with
  confidence in business and negatively with
  government and public service

37
INSTITUTIONAL CREDIBILITY

• The social climate pre-sets the conditions under
  which an institution has to operate to gain and
  maintain trust
• in a positive climate people invest more in trust
  institutions
• in a negative climate people tend to caution and
  seek to have more control

38
Risk Perception, Trust and Credibility

• Hypothesis
• once trust and credibility exist in a
  relationship among the stakeholders during risk
  communication, stakeholders do not get involved
  in the analysis of risk factors individually, and
• information systems security becomes less
  important to people when dealing with a
  trustworthy and credible institution.

39
Risk Perception, Trust and Credibility

• Personality of the communicator with attributes
  of ability and integrity are also important in
  establishing trust.
• Overall message, communicator, institution, and
  the social context are the major factors in
  establishing trust within an organisation.

40
Risk Perception, Trust and Credibility

• Inferential analysis
• inverse correlation between trust and security on
  the internet
• the higher the trust placed on an organisation
  the lower was the security concern.