Information Security Solutions Research Articles

Secure-system design methods: evolution and future directions

It is important for IT professionals to realize that employing information security solutions requires careful and systematic planning. To aid in the planning process, researchers and practitioners have proposed several secure-systems design methods. This paper describes the evolution of these methods and their respective strengths and weaknesses

Identity theft – dodging the own-goals

Companies are spending $ billions on technology to fight off sophisticated high-tech threats like phishing, pharming and keyloggers, and rightly so. First-rate information security solutions are a necessity for any modern business. Most identity theft, though, is committed by adapting age-old – and often relatively unsophisticated – criminal techniques, as a recent study by Secure Computing shows.

Les adénomes corticotropes silencieux : à propos d’une série de 7 patients

As a consequence of the events of 11 September, politicians and legislators throughout the world are rushing to block perceived gaps in national and international security. Some procedural changes, such as increased checks on airline cabin luggage, are likely to add, however slightly, to the difficulty of repeating the terrorist action. Others, particularly those attempting to address technical information security solutions, seem to be pointless. We, the voting public, need to ensure that any temporary or permanent sacrifice of existing freedoms will significantly increase absolute security.

Measuring the risk-based value of IT security solutions

Information security problems cost millions of dollars for US companies and billions for the overall US economy. Nowadays, the question is not whether organizations need more security, but how much to spend for added security. And yet investing in IT security has always been a hard sell for IT managers. Scores of security technologies are on the market and, if anything is certain, it is that none of them can guarantee security. Each choice involves risk. The problem is that security managers lack structured cost-benefit methods to evaluate IT security solutions in light of prevailing uncertainties. A framework can help evaluate the costs and benefits of IT security solutions using a company's risk profile. Using an unconventional concept, this framework bases benefit on avoided risk rather than increased productivity. Lawrence Berkeley National Laboratory (LBNL) uses this framework to help demonstrate to management and auditors that it is significantly less expensive to accept some damage from cyberattacks than to attempt to prevent all possible damages. This pragmatic approach continues to enable LBNL's cybersecurity staff to optimize security countermeasure investments and reduce spending without sacrificing protection. The framework described here uses a risk management approach that integrates risk profile with actual damages and implementation costs to determine the costs and benefits of information security solutions. This approach requires reasonably voluminous data and is thus well suited for organizations with extensive incident data or when the consequences of incidents are high enough to warrant extensive data gathering.

A Moment’s Reflection

As a consequence of the events of 11 September, politicians and legislators throughout the world are rushing to block perceived gaps in national and international security. Some procedural changes, such as increased checks on airline cabin luggage, are likely to add, however slightly, to the difficulty of repeating the terrorist action. Others, particularly those attempting to address technical information security solutions, seem to be pointless. We, the voting public, need to ensure that any temporary or permanent sacrifice of existing freedoms will significantly increase absolute security.

SALSA: A method for developing the enterprise security architecture and strategy

It is the experience of many corporate organizations that information security solutions are often designed, acquired and installed on a tactical basis. A requirement is identified, a specification is developed and a solution is sought to meet that situation. In this process there is no opportunity to consider the strategic dimension, and the result is that the organization builds up a mixture of technical solutions on an ad-hoc basis, each independently designed and specified and with no guarantee that they will be compatible and interoperable. Worse still, there is no analysis of the long-term costs, especially the operational costs, and there is no strategy that can be identifiably said to support the goals of the business. It does not have to be this way. The solution lies in the development of an enterprise security architecture which is business-driven and which describes a structured inter-relationship between the technical and procedural solutions to support the long-term needs of the business of the organization. If the architecture is to work, then it must provide a rational framework within which decisions can be made upon the selection of security solutions, derived from a thorough understanding of the business requirements, including the need for cost reduction, modularity, scaleability, reusability, operability, usability, interoperability both internally and externally, and integration with the enterprise IT architecture and its legacy systems. This paper describes a model for such an architecture (known as SALSA) which has been developed by the author and which is currently being implemented successfully in a number of major corporate clients. Its primary characteristic is that everything must be derived from an analysis of the business requirements for security, especially those in which security has an enabling function through which new business opportunities can be developed and exploited. The model is layered, with the top layer being the business requirements definition stage. At each lower layer a new level of abstraction is developed, going through the definition of major security strategies, security services, security mechanisms and finally at the lowest layer, the selection of technologies and products — in other words the shopping list. The model itself is generic and can be the starting point for any organization, but by going through the process of analysis and decision-making implied by its structure, it becomes specific to the enterprise, and is finally highly customized to a unique business model. It becomes in reality the enterprise security architecture, and it is central to the success of a strategic programme of information security management within the organization.

Software Intelligence introduces a new cross‐platform, dient/server security solution

Outlines plans and products of Software Intelligence′s new division AXENT Technologies which will concentrate on information security solutions for client/server computers.

INFORMATION SECURITY AND NEW TECHNOLOGY Potential Threats and Solutions

Abstract IS security professionals are faced with a stream of products and information technologies that create both new threats and the potential for new defenses. This article explores the impact of emerging technologies, including imaging and wireless communications, on information security.