Discuss about the Improving Critical Infrastructure Cybersecurity.
Information security is about protecting the information systems of an organization against security related threats. These threats can either occur accidently or could be deliberate with intensions to cause some harm. Irrespective of the presence of intentions, both cause the concerns as they can affect the security posture of an organization. This research would explore both deliberate and accidental threats that can cause harm to an organization considering the case of VIC (Victorian) government. The objective is to explore if the VIC policy is sound enough to help the organization combat these threats or there is a need for improvement in which case, appropriate recommendations would be made on whether the company should keep the security function with itself or outsource the same to an expert organization in security domain.
The VIC government uses The Victorian Protective Data Security Framework (VPDSF) to protect their data and systems. This framework identified standards of security, security assurance model, security guidelines, and other supporting resources. The key objective of this security framework is to ensure that security risks to the company are minimized. It explains the process of establishing protection that includes identification of information and its value, identification of risks to data, application of measures for data security, creation of a secure culture in the organization and taking steps to mature the security capabilities of the organization.
Security Risks and Concerns
- High Exposure Risks: Insiders in VIC can take advantages of situations and the access given to them to cause attacks and such risks of attacks have high exposure. This is because internal employees would be well aware of the policies and procedures of the company and its security systems such that before launching any attacks, they would find the work around to cause maximum damage without getting caught .
- Medium Exposure Risks: When information of data is leaked to unauthorized personnel, it can be a medium exposure risk as it would affect the integrity of the organization and its system and can also cause data modifications during transit.
- Medium-Low Exposure Risks: Certain risks can result into damage of the properties of information that may be sensitive or confidential. Legal policies can help in such cases but such attacks can cause further attacks or risks related to regulatory and legal compliances. However, the likelihood that such things would happen is not high.
- Low Exposure Risks: Because of large number of people working in the same organization, human errors that can cause operational or technical issues can occur but they are not easily identified. Yet it can cause severe damages if the roll back does not happen on time.
Comparative analysis of Threats
Security Threats are either deliberate that are used for causing a harm or can be caused accidently because of ignorance or a mistake.
Accidental threats can be:
- Natural calamities causing physical infrastructure damages resulting into data loss such as happening in the cases of cyclones, earthquake, hurricanes, and tornadoes
- Breakdown in hardware can cause technical failures
- Human errors or mistakes can cause harm to the security of organization such as caused in the cases of device loss, opening of unknown emails, tampering with security levels of machines, and downloading of unsafe files.
- Social Engineering is another way that can affect security. It may only be used for tricking someone into giving away confidential personal information but when this information is leaked to wrong people, it can pose serious risks to the security of the person whose data is obtained(AlKalbani, et al., 2015).
There are several ways in which either the accidental threats are avoided or their negative impacts are reduced through mitigation such as:
- The critical data of an organization can be continuously monitored to check if any changes are being made in the data. At this point, permissions can be used such that the modification in the data is only allowed to designated people who are responsible for managing data.
- All the company prints should be shredded before disposing if they contain confidential business information to ensure that the data does not reach the wrong person who can misuse it.
- People performing different functions in an organization may be provided with different access rights to information. A programmer may only be given access to the front end and not the storage systems of the company.
- Every piece of data that gets exchanged over the internet from the company must be encrypted such that it can only be read by the intended receiver of the message (S, 2016)
- IT auditors can perform checks on the security systems of the company to ensure that they are up to the mark and in case, they are not suggestions can be made by the auditor for improvement.
- Transaction logs containing the information of use of data can help company keep a check on users which would help in identification of any
Deliberate Threats are caused by threat agents who intend to cause harm to an organization. Some examples of such deliberate attacks include denial of service attacks, espionage, extortion, espionage, data breach, phishing, spamming, keylogging, malware, virus, spyware, worms, and so on.
To assess the level of risk that each type of threats can cause the company, a Risk rating model, which assesses the likelihood of the risk occurrence and their impacts on security posture of the company, can be used. Specific steps that would be followed in the process include identification of risks, estimation of probability of occurrence, estimation of impact levels, determination of risk severity, identification and analysis of loopholes to fix and customization of the risk model based on analysis (Brey, 2007).
Risk Identification: The first step in the process is identification of security risks for the Victorian government, and these include:
- Technology Obsolescence
- Network failure
- Network errors
- Power failure
- Hardware failure
- Hardware errors
- Faulty planning
- User Errors
- Technical Failures
- Operational problems (ESET, 2016)
- Communication interception
- Incomplete data
- Missing data
- Data theft
- Equipment Theft
- Social Engineering
- Espionage (CGI, 2013)
- Misuse of resources
- Unauthorized communication
- Quality deviations
- Financial Fraud
- Intellectual property compromise
- Environmental Threats
- Natural Disasters
- Terrorism (Shahri & Ismail, 2012)
The next step is to estimate the likelihood of the occurrence of each risk that is identified in the previous step. There can be some agent factors and some vulnerability factors that would be used here for estimating this likelihood by giving each the likelihood rating from 0 to 9. Agent factors can include skill level of attackers, attack motive, resource requirements of attacker, and the size of the attackers group. Vulnerability factors can be ease of vulnerability discovery, awareness in the attacker group about the vulnerability, and the probability of detection of the attack if made (CenturyLink Solutions Consulting, 2014).
Once the threat likelihood is estimated, the resulting impacts would be rated between 0 and 9. Some impact factors can be technical such as accountability, availability, confidentiality, and integrity, or business specific such as financial loss, reputation damage, non-compliance issues, and privacy violations (Engine Yard, Inc., 2014).
The risk likelihood and its impact factors rating are multiplied for each risk to find out the severity of risk from low, medium, high to critical. Risks can then be categorized based on the rating of severity such that priority can be given to each while taking decisions for resolution (Chen & Zhao, 2012). Risk severity is:
Low, when probability of occurrence is medium and the level of impact is low and when likelihood is low but impact is medium.
Medium, when probability of occurrence is Low and the level of impact is High, when both are medium and when likelihood is high but impact is low.
High, when probability of occurrence is medium and the level of impact is high and when probability of occurrence is high but the level of impact is medium.
Critical, when both probability of occurrence and the level of impact are high then the risk can be considered as critical (Gopinath, 2011).
These risks are given priorities from critical to low in the same sequence while taking decisions for resolution. If these risks are assessed for the Victorian Government then factors that may not have been considered in the security framework of VIC can be added or improvements can be made with risks identified in the process.
The table shows the risk calculation for all risk factors and an overall risk rating is given to identified risks based on each probability factor as discussed earlier for the VIC government.
The table above identifies each risk from critical, high risk, medium level and low level risks. Espionage, resource misuse, IP compromise and missing data are seen as high level of risk while quality deviation is critical for VIC. Certain risks were found to be low on severity such as sabotage, environmental threats and repudiation. This could be due to the fact that the damage can occur only in selective cases such as data warehouse damage in the case of natural calamity, reputation resulting from sabotage of users, issues affecting security posture due to repudiation, and so on (TrustSphere, 2012). In most of these cases, mitigation is easy such as use of Disaster recovery to retrieve data in case of physical damage. Thus, with low level risks, there would not be a major impact on the security posture of the VIC government (Shahri & Ismail, 2012).
Challenges of security/risk management approach
VIC government can either manage its risks on its own by establishing internal department for Risk management or with established governance procedures and policies or can outsource the operations to an external security expert allowing them to manage security systems of the company. Most organizations had their own security systems implemented in earlier days but in the past decades, companies have started to outsource their security management processes to third party security management contractors for two primary reasons that include (MYOB, 2016):
- Because of increasing competition between different organizations across markets, it is essential for companies to focus more on their core work which is why non-core activities are often outsourced to some third party solution provider. As security is also a non-core process, it is outsourced by organizations to external parties to save on the internal costs and resources that would otherwise be used if security is handled internally(Hu, et al., 2007).
- Cost of establishing, maintaining and updating security systems has drastically increases over the years with increasing threats and upcoming new technologies. However, the third party companies provide the same systems to multiple companies on a large scale which saves them costs per organization and this benefit can be used by companies when security processes are outsourced(Chen, et al., 2004).
There are many challenges that companies can face when managing security in either case and thus, taking decision on whether to outsource security is very critical. An organization outsourcing security would have less control over its security systems and thus, it is essential that the security agency is both trustworthy and competent for which an extensive background check is needed to be done before taking a decision to outsource. Outsourcing can help an organization enhance its security posture in various ways such as the following (HP Enterprise, 2015):
- The overheads of the company that are incurred in managing office, its systems and operations are reduced.
- The productivity of the team managing security processes is high as it is the core function of the outsourcing organization
- The security agency would have more experience and resources for applying best security management practices through professional training and thus, it would be advantageous for the company.
- Some security related processes like screening and hiring of professionals, payroll management, monitoring and tracking would be offloaded to the security agency thereby saving efforts, time and resources for the company.
- The outsourcing agency can be more flexible in changing the company’s security posture based on the requirements of the business(MYOB, 2016).
- When the system is outsourced, the liabilities of managing risks would get shared such that responsibility of finding solutions to problems would be combined
- Organizations can leverage on the resources, experience and expertise of security agencies to get the best management practices.
- The cost of establishing and managing security department would be eliminated as the security agency can make use of their own established infrastructure for managing security for the organization(MYOB, 2016)
‘’Risk’’ and ‘’Uncertainty’’
Uncertainty is an outcome which cannot be predicted or controlled and pose the risk when an action or a series of actions occur in the situation. Risk is that situation in which a loss can occur because of an outcome resulting from an uncertainty. The two can be compared on the basis of several criteria’s mentioned in the table below:
Basis of comparison
It is situation in which outcome cannot be predicted or controlled
It is the probability that the outcome of a given situation would cause a loss
Cannot measure it
Can measure it
Uncertain situation cannot be controlled
Risk can be controlled (Xero, 2016)
Some risks are systematic such as inflation or market risks while others are unsystematic like financial loss or business slow down (NIST, 2014).
Risk control and mitigation
VIC government makes use of its security data framework risk control and mitigation. The framework is used to identify preventive measures for controlling these risks through the given guidelines in the framework document. These guidelines include security protocols related to:
- Analysis of the evolving risks in the security of the information systems
- Identification of the security updates required for improving the security framework
- Maintenance of a risk register for recording various types of risks including their entry, monitoring and review.
- Implementation of security systems and strategies as defined in the procedures and policies of the security framework such as access management, business continuity management, personnel management, service agreements, physical management and ICT management(Cisco, 2013)
- Security functions incorporation within the routine functions or activities of the organization
- Ensuring meeting of obligations concerning organization security by everyone working in the organization
- Reviewing changing security needs of the company and identifying possibilities for improving the security policies accordingly (OECD, 2008).
- Spread awareness of security aspects in the company and give training to people to ensure that they follow security protocols.
- Monitoring and reviewing incident management system so as to identify needs for improvement and implementing the same
- Conducting annual security compliance review to ensure that right practices are bring followed (DHS, 2009)
The risk response and mitigation mechanisms are decided based on the level of severity of the risk. Risks that are critical to the company or have high severity are avoided in most cases or taken for resolution or mitigation on priority if they occur. In case of VIC, the deviation from quality is considered as a critical case of risk and thus, organization needs to have quality checks and ensure that quality standards are always met. High risk categories identified for VIC included Espionage, resource misuse, IP compromise and missing data. In each of these cases, actions have to be taken on priority for resolution or mitigation. Risks with medium level of severity may be reduced with appropriate mitigation plan that would reduce the impact caused by the risks such that the security posture of the company could be maintained. Low severity risks are mostly avoided as they can be accepted without any major threats to the organization but their resolution can take significant resources of the organization (Security Awareness Program Special Interest Group, 2014).
Based on the findings from the current studies on risks and uncertainties likely to be encountered by VIC, some recommendations can be made that would be useful for enhancing the VIC security posture and these include:
- VIC may ooutsource its risk management operation to a security expert third party service provided as it could save on the costs for the company as well as enhance the security posture with best practices applied by the expert organization for security.
- Training may be given to the staff on the security risks and possible control measures such that they work in a way that reduces security risks that the company can otherwise encounter in the case of lack of awareness in employees.
- The security systems should be kept updated with eh latest technologies and strategies that can be used for combating threats which is possible with regular audits conducted on security systems of the company as they would reveal the security gaps that are required to be filled.
- A risk register can be maintained by the company to record the risks occurring, the measures taken for mitigation as well as possible risks that can occur such that actions for solving problems can be taken faster.
- There are multiple factors that can together add to the severity of a risk and thus, every risk may be rated on all these factors to identify the risk severity and develop priorities accordingly.
- High and medium level risks may be avoided altogether but if they still occur, the company can deal with them on priority using the pre-decided mitigation measures during the analysis stage.
- A culture supporting secure practices must be fostered in the company by ensuring that security consideration are added in standard operating procedures for every activity of the company such that either the risks are avoided or are mitigated safely.
This paper explored the concept of security, uncertainity and risks using a real case study of VIC government that has implemented a security framework in the organization. The paper explored if the security framework was sufficiently addressing all the security concerns of the organization. Various tiles of risks including deliberate and accidental risks that are faced by VIC were explored to identify the levels of severities using a risk rating methodology. It was found that quality deviation was considered as the critical risks for the organization while Espionage, resource misuse, IP compromise and missing data were found as high on the level of risk severity. This rating was decided on the basis of multiple factors that included agent factors such as skill, level of motivation, opportunities and size of the group exploiting vulnerabilities, vulnerability factors such as the ease of discovery of vulnerability, user knowledge, and capabilities of the organization to detect intrusion. There were also certain impact factors identified such as technical factors like availability, confidentiality, accountability, and integrity, as well as some business factors like financial loss, reputation damages, privacy violation and non-compliance of security procedures. Based on the study, certain recommendations were made to enhance e VIC security posture such as security outsourcing to third party, training on security aspects to employees, and embedding of the security aspects in standard operating procedures.
AlKalbani, A., Deng, H. & Kam, B., 2015. ORGANISATIONAL SECURITY CULTURE AND INFORMATION SECURITY COMPLIANCE FOR E-GOVERNMENT DEVELOPMENT: THE MODERATING EFFECT OF SOCIAL PRESSURE, s.l.: RMIT University.
Brey, P., 2007. Ethical Aspects of Information Security and Privacy, s.l.: Springer Berlin Heidelberg.
CenturyLink Solutions Consulting, 2014. CenturyLink Assessments: seCurity,infrAstruCture And disAster reCovery, s.l.: CenturyLink Technology Solutions.
CGI, 2013. Developing a Framework to Improve Critical Infrastructure Cybersecurity, s.l.: CGI.
Chen, D. & Zhao, H., 2012. Data Security and Privacy Protection Issues in Cloud Computing. Shenyang, China, International Conference on Computer Science and Electronics Engineering.
Chen, L.-C., Longstaff, T. A. & Carley, K. M., 2004. THE ECONOMIC INCENTIVES OF PROVIDING NETWORK SECURITY SERVICES ON THE INTERNET INFRASTRUCTURE, s.l.: Carnegie Mellon University .
Cisco, 2013. Australian Government Cyber Security Review, s.l.: Cisco.
DHS, 2009. A Roadmap for Cybersecurity Research, s.l.: DHS.
Engine Yard, Inc., 2014. Security, Risk, and Compliance, s.l.: Engine Yard.
ESET, 2016. TRENDS 2016 (IN) SECURITY EVERYWHERE, s.l.: ESET.
Gopinath, S., 2011. Working Group on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds, Mumbai: Reserve Bank of India .
HP Enterprise, 2015. Cybersecurity Challenges, Risks, Trends, and Impacts: Survey Findings, s.l.: MIT.
Hu, Q., Hart, P. & Cooke, D., 2007. on information systems security – a on information systems security – a neo-institutional perspective. Journal of Strategic Information Systems, Volume 16, p. 153–172.
IBM Global Technology Services , 2011. Security and high availability in cloud computing environments, s.l.: IBM Corporation.
ISC, 2010. The Pursuit of Integrity, Honor and Trust in Information Security, s.l.: ISC.
James, C., 2016. Cyber Security Threats, Challenges and Opportunities, s.l.: ACS.
JIRA Security and Privacy Committee (SPC) , 2007. Information Security Risk Management for Healthcare Systems , s.l.: MITA (Medical Imaging & Technology Alliance) .
Khan, R. & Wanner, R., 2010. Practical Approaches to Organizational Information Security Management, s.l.: SANS Institute.
MYOB, 2016. Company file security. [Online]
Available at: https://help.myob.com/wiki/display/ar/Company+file+security
MYOB, 2016. Protecting your confidential information. [Online] Available at: https://myob.com.au/myob/australia/myob-security-recommendations-1257829253909
NIST, 2014. Framework for Improving Critical Infrastructure Cybersecurity, s.l.: National Institute of Standards and Technology.
OECD, 2008. Malicious Software (Malware): A security Threat to Internet Economy, s.l.: OECD.
Security Awareness Program Special Interest Group, 2014. Best Practices for Implementing a Security Awareness Program, s.l.: PCI.
Shahri, A. B. & Ismail, Z., 2012. A Tree Model for Identification of Threats as the First Stage of Risk Assessment in HIS. Journal of Information Security, Volume 3, pp. 169-176 .
S, S., 2016. Difference Between Risk and Uncertainty, s.l.: Keydifferences.
TrustSphere, 2012. Advanced Security Methods for eFraud and Messaging, s.l.: TrustSphere.
Xero, 2016. Your data is safe with multiple layers of security. [Online] Available at: https://www.xero.com/accounting-software/security/