Controlled Information Security: How to recognize and improve organizational information security status
2010 (English) Report (Other academic)
This report is a compilation of the first three main reports of the COINS project (Yngström et al., 2009a, Yngström et al., 2009b, Hallberg & Lundholm 2009). The COntrolled INformation Security (COINS) research project was established to address the needs of understanding, learning and eventually managing information security (IS) in organizations. It has proved difficult for organizations, including government agencies, to reach adequate information security levels, as illustrated by a report from the Swedish National Audit Office published in 2007 (RiR, Swedish National Audit Office 2007). Despite much research and work conducted within the area, audits and assessments frequently find inadequacies in how practical IS is handled, and there appear to be frequent discrepancies between how IS is perceived by humans and the degree of IS that is actually performed. The first three COINS reports present in detail the design, modeling and test of six constructs (frameworks and models) for assessing IS. The different constructs compute and discuss the metrics provided in three different ways. This report targets mainly the participants at the agency at which the tests of IS metrics were conducted. The concept of an IS metric is interpreted widely, following the definition from Hallberg et al. (2004): “A security metric contains three main parts: a magnitude, a scale and an interpretation. The security values of systems are measured according to a specified magnitude and related to a scale. The interpretation prescribes the meaning of obtained security values”, and aims at the formulation of viable IS metrics. This report is therefore also an input to a validation test of the practical results obtained, while the theoretical validation rests with the reasoning presented in the first two reports.
The approach taken differs from the ordinary 27000-standard-based analyses in that the idealized communication structure starts from the demands of an information system as a whole, and views communication as equivalent to steering and control. Thereby, both the social and the technical layers of communication are included, as are the strategic, tactical and operational decision levels and their equivalent life cycle stages. Metrics focusing on the control system underline that complex information systems necessarily must handle the existing variety, including its IS.
Some of the findings, which still have to be verified by the agency, are:
1. the relative focus for the agency’s documentation correlates rather well with the relative focus of the controls specified in appendix A of the standard ISO/IEC 27001,
2. the agency seems partly to fulfill the security policy, which it has defined itself,
3. the agency tends to focus on operative matters and on acting when something has happened, rather than on emphasizing the planning, development and execution of proactive information security work.
A general observation of all COINS’ constructs, on which the metrics in the report are based, is that the standard may not explicitly identify the senders and receivers of messages. This is illustrated by the metrics connected to appendix A of ISO/IEC 27001, which show that most of the controls listed (76%) do not have an entity assigned to them.
Apart from COINS’ work with metrics being verified by the participating agency, future work involves developing a faster, and eventually also recursive, method for analyzing and extracting data of interest for metrics use, as well as providing more transparent views of the models. The research is planned to continue for one further year.
security metrics construction
Research subject: Computer and Systems Sciences
Identifiers
URN: urn:nbn:se:su:diva-51875
OAI: oai:DiVA.org:su-51875
DiVA: diva2:386342
FOI Memo 3102; published 2010-02-05, 32 pages. Record entry: 2011-01-12