An Expert System for the Evaluation of Information Security Programs: A Helping Hand for SMEs

Tae-Nyeon Kim, Korea University Business School, Seoul, Korea, [email protected]
Anat Hovav, Korea University Business School, Seoul, Korea, [email protected]

Abstract

Many small and medium size companies face security issues similar to those encountered by large organizations. However, analyzing and implementing a proper security program that encompasses technical and organizational solutions is a very complex and prohibitively costly process. A business information security support system (described below) can provide companies a cost-effective way to analyze their information security program. The rule set used to construct the system is based on the ISO 17799 and NIST standards.

Keywords: Information security management, ISO 17799, Security audit

Introduction

My interest in information security in small and medium size companies (SMEs) began when I realized that confidential information created in our human resources department (strategic organizational charts and individual location replacement charts) found its way to our competitors' executive desks within a few hours of its inception. Much like large companies, SMEs face security issues that they need to resolve. However, unlike large companies, SMEs have limited resources and often cannot afford to hire consultants to evaluate their systems. A business information security support system (described below) can provide SMEs a cost-effective way to analyze their information security program. The main purpose of this system is to evaluate the organization's compliance with current standards and to provide a relative evaluation of the organization's current business information security process.

Furthermore, the system offers a set of improvements and recommendations based on the result of the analysis. The system is programmed in Java and supports online access. The following short article describes the basic premise of the system and its functionality.

Background

Security is becoming more important not only to computer scientists but also to business managers. Until recently, information security efforts focused on technical solutions (e.g., network and computer security, firewalls and antivirus software). Thus, technical issues have dominated research and business practices. However, in recent years the focus has changed, and information security is now viewed as a people issue and an organizational matter (D'Arcy and Hovav, Forthcoming). Analyzing the security level of a given company is nonetheless a very complex, detailed and resource-consuming task. The analysis process must cover every business activity of the company and is often based on one of three standards. This is because an organization is only as secure as its weakest link; correcting only a few weak links in the information security fabric may not be enough to guarantee the required level of security. Often the analysis also has to cover third-party partners (vendors, suppliers, contractors). In addition, organizations have to comply with industry- and country-specific regulations. Because information security management is a new field, there are very few experts who can evaluate the security level of a business, and the skills and resources necessary to conduct a thorough analysis are costly. Therefore, many SMEs have difficulty evaluating and implementing proper security controls, leaving them more vulnerable.

Standards

The analysis criteria used in the proposed system are based primarily on the implementation of the ISO and NIST standards in Korea. The ISO criteria are extracted from the latest ISO 17799. The NIST criteria are developed from the National Cyber Security Manual published by the National Cyber Security Center (NCSC) of Korea. Additional standards evaluation material (ISO/IEC 2000; NCSC 2004; Whitman and Mattord, 2005; Theoharidou et al., 2005) is also used as reference.

Since the International Organization for Standardization (ISO) adopted the British Standard BS7799 ("Code of practice for information security management") and published it as an international standard, a number of organizations have developed their business information security systems based on this ISO standard. ISO 17799 provides a set of recommendations for information security management. Its focus is on the protection of information as an asset. The standard covers ten security dimensions consisting of 36 security practices. It provides the basis for self-assessment, for reassessing the information security practices of business partners, and for the independent evaluation of information security management within the business organization (Whitman and Mattord, 2005).

The NCSC is the focal point for identifying, preventing and responding to cyber attacks and threats in Korea. Its mission, in collaboration with the private sector and the military, is to improve warning systems and response time to security incidents, and to protect critical national infrastructures in Korea. The National Cyber Security Manual was published in 2004 and has been distributed to the majority of government and civilian organizations. The manual describes an appropriate set of protective measures and recovery procedures according to the level of cyber threats and risks.

Compliance with standards

Having its roots in BS7799, ISO 17799 is widely applied in the UK. The Information Security Breaches Survey of the UK Department of Trade and Industry for 2004 (DTI, 2004) reports that 67% of organizations that had complied with the standard observed some or significant change in attitude and behavior in the area of personnel security. Organizations therefore need to be able to evaluate their employees' attitude towards security, their level of training and education, and their compliance with organizational rules.
The prototype (System)

An expert system (ES) is a computer program that contains some of the subject-specific knowledge of one or more human experts (Durkin 1994). Organizations can overcome deficiencies of human experts such as time, space, performance, speed and cost by complementing those experts with an ES (Durkin 1994). The Java language is used for the construction of the proposed system since it is platform independent and currently the common choice for web-based applications (Horstmann 2005). The system front-end interface is web-based; therefore, the system is easily accessible from any place and at any time. The prototype has three processes.

Figure 1. Three processes: Working Process I, input of general information about the company; Working Process II, analysis (question and answer); Working Process III, results.

Process I - the system gathers general information about the target company. Based on this general information, the system performs statistical classification. This information is also the basis for the analysis. Nine items are collected. The items are shown in Figure 2.

Item                  | Purpose                                      | Required?
Company Name          | Need for a final report                      | Optional
ID & Password         | Identifying, result record, and security     | Essential
Mailing Address       | Identifying, communication and final report  | Essential
Number of Employees   | Statistics, and further research             | Optional
Employment condition* | Statistics, and further research             | Essential
Total Sales           | Statistics, and further research             | Optional
Industry Field        | Statistics, and further research             | Optional
Security Department   | Statistics, and further research             | Optional

Figure 2. Information collected in stage I

* Employment condition identifies whether external entities, such as contract labor, outsourcing providers and third-party vendors, have access to the organization's information system.

Process II - the analysis stage. The system prompts the users with a set of questions regarding their policies and rules (see the example in Figure 3). The users (mainly management-level employees) enter the company's current status in response to these questions. Using the users' replies, the system analyzes the current security level of the company. Each question is given at least five parameters for classification, grading and analysis.

Figure 3. Sample question
Question 1 (HR): In my organization, security roles and responsibilities are documented in the organization's information security policy manual.
Answer options: Disagree / Somewhat disagree / Neutral / Somewhat agree / Agree

Process III - provides results and reports. The system shows the analysis results and a set of recommendations. The results are divided into four sections:
1. Security score. The system displays the total security points of the company, calculated on a 100-point scale.
2. Detailed security point graph. From the graph, users and business managers can determine which part of their overall security system is relatively weak and which part is robust.
3. Text explanations of the results. Here users find elaborate explanations of the strengths and weaknesses of the company's current business information security system.
4. Recommendations. The system suggests potential improvements and recommendations based on the analysis.

In addition, users are able to evaluate future improvements in their information security program by answering questions in various ways and observing the changes in their score. For example, if a manager is about to invest $X in one of three new security systems, she can assess the prospective value of each of the proposed systems and select the one that provides the most benefit to the organization. Ideally, such a system should cover all business activities, processes and functions of the target company. However, due to time constraints, the scope of the prototype is limited to human resources policies and asset management. In addition, companies vary in their organization, structure and policies. The initial system is meant to cover a "typical" set of processes; specialized processes will have to be added on a per-need basis.
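The grading, recommendation and what-if steps of Processes II and III, as an added example written for this page rather than the prototype's own code (the prototype is Java and its rule set is not published here; Python is used so the illustration is self-contained and runnable). The question ids, statements, weights, control references, thresholds, the Likert-to-points mapping and the sample answers are all constructed assumptions, not the paper's data:

```python
"""Rule-based grading engine of the kind the prototype describes: Likert answers
scored per question, weighted per ISO 17799 dimension, a 100-point total,
rule-triggered recommendations and a what-if comparison of investments.

Added example (not the authors' Java code). Question ids, statements, weights,
control references, thresholds and sample answers are constructed assumptions."""

from dataclasses import dataclass

# Five-point scale from Figure 3, mapped to 0..4 points (assumed mapping).
LIKERT = {"Disagree": 0, "Somewhat disagree": 1, "Neutral": 2,
          "Somewhat agree": 3, "Agree": 4}
MAX_POINTS = max(LIKERT.values())


@dataclass(frozen=True)
class Question:
    """Per-question parameters for classification, grading and analysis: id,
    dimension, statement, grading weight, control reference and the
    recommendation emitted when the rule fires."""
    qid: str
    dimension: str
    statement: str
    weight: float
    control_ref: str      # assumed labels, not quoted from the standard
    recommendation: str


# Constructed question bank, limited to the two dimensions the prototype covers.
QUESTIONS = [
    Question("HR-1", "HR", "Security roles and responsibilities are documented "
             "in the information security policy manual", 2.0, "ISO 17799 6.1.3",
             "Define security roles and publish them in the policy manual."),
    Question("HR-2", "HR", "Employees receive security awareness training",
             1.5, "ISO 17799 6.2.1", "Run periodic awareness training and keep records."),
    Question("HR-3", "HR", "Access rights are revoked on the day a person leaves",
             2.0, "ISO 17799 9.2.1", "Tie account deprovisioning to the HR leaver process."),
    Question("AM-1", "Asset management", "An inventory of information assets is kept",
             1.5, "ISO 17799 5.1.1", "Build an asset inventory with named owners."),
    Question("AM-2", "Asset management", "Information is classified by sensitivity",
             1.0, "ISO 17799 5.2.1", "Adopt a classification scheme and label documents."),
]

RECOMMEND_BELOW = 50.0  # dimension score under which recommendation rules fire (assumed)
WEAK_ANSWER = 2         # Likert points at or below which an answer is flagged (assumed)


def _points(answers, q):
    # Unanswered questions count as "Disagree": the conservative reading for a self-assessment.
    return LIKERT[answers.get(q.qid, "Disagree")]


def dimension_scores(answers: dict[str, str]) -> dict[str, float]:
    """Weighted score per dimension on a 0-100 scale (the 'detailed point graph')."""
    earned, possible = {}, {}
    for q in QUESTIONS:
        earned[q.dimension] = earned.get(q.dimension, 0.0) + q.weight * _points(answers, q)
        possible[q.dimension] = possible.get(q.dimension, 0.0) + q.weight * MAX_POINTS
    return {d: round(100.0 * earned[d] / possible[d], 1) for d in possible}


def total_score(answers: dict[str, str]) -> float:
    """Overall score on the 100-point scale, weighted over all questions rather than
    averaged over dimensions, so a heavier dimension counts for more."""
    earned = sum(q.weight * _points(answers, q) for q in QUESTIONS)
    possible = sum(q.weight * MAX_POINTS for q in QUESTIONS)
    return round(100.0 * earned / possible, 1)


def weakest_dimension(answers: dict[str, str]) -> str:
    scores = dimension_scores(answers)
    return min(scores, key=scores.get)


def recommendations(answers: dict[str, str]) -> list[tuple[str, str, str]]:
    """Rule set: in every dimension below RECOMMEND_BELOW, emit the recommendation
    and control reference of each weakly answered question."""
    scores = dimension_scores(answers)
    return [(q.qid, q.control_ref, q.recommendation) for q in QUESTIONS
            if scores[q.dimension] < RECOMMEND_BELOW and _points(answers, q) <= WEAK_ANSWER]


def what_if(answers: dict[str, str], changes: dict[str, str]) -> float:
    """Change in total score if the given answers improved, e.g. after an investment."""
    return round(total_score({**answers, **changes}) - total_score(answers), 1)


def best_investment(answers: dict[str, str], options: dict[str, dict[str, str]]) -> str:
    """Pick the option (name -> answers it would change) with the largest score gain."""
    return max(options, key=lambda name: what_if(answers, options[name]))


# Constructed answers of a fictitious SME and three candidate investments.
SAMPLE_ANSWERS = {"HR-1": "Somewhat disagree", "HR-2": "Disagree", "HR-3": "Agree",
                  "AM-1": "Somewhat agree", "AM-2": "Neutral"}
OPTIONS = {
    "awareness training": {"HR-2": "Agree"},
    "asset inventory tool": {"AM-1": "Agree", "AM-2": "Agree"},
    "rewrite policy manual": {"HR-1": "Somewhat agree"},
}

if __name__ == "__main__":
    print("total:", total_score(SAMPLE_ANSWERS), "by dimension:", dimension_scores(SAMPLE_ANSWERS))
    for qid, ref, text in recommendations(SAMPLE_ANSWERS):
        print(f"  {qid} ({ref}): {text}")
    print("best investment:", best_investment(SAMPLE_ANSWERS, OPTIONS))
```

The "detailed graph" (dimension_scores) and the "security score" (total_score) are computed from the same rule data, so the two views cannot disagree; a recommendation fires only where both the dimension and the specific answer are weak, which keeps the list short and tied to a control reference. The what-if comparison is the manager's investment question from above: each option is expressed as the answers it would change, and the engine ranks the options by score gain. Note that a stored answer set describes exactly where a company is weak, which is the reason Figure 2 ties result records to an ID and password.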

Conclusions and future work

The goal of the proposed system is to enable SMEs to cost-effectively analyze their information security program. In addition, SMEs get suggestions for improvements and recommendations about their business processes and systems. The interactivity of the system allows users to ask "what-if" questions. Initially, the system can only provide absolute values since there is limited historical and comparative data available. With time, the system can collect company-specific historical data and produce additional longitudinal analysis. Future work may also concentrate on comparative analysis; however, such analysis depends on the availability of external data and the cooperation of various organizations.

References

D'Arcy, J. and Hovav, A. (Forthcoming) "Coping with Information Systems Misuse: An Individual Awareness Perspective." Accepted for publication in Communications of the ACM.
DTI (2004) "Information Security Breaches Survey 2004." Department of Trade and Industry, April. http://www.dti.gov.uk/files/file9986.pdf
Durkin, J. (1994) Expert Systems: Design and Development. Prentice Hall, NJ.
Horstmann, C. S. (2005) Core Java 2, Volume 1: Fundamentals, 7th Edition. Sun Microsystems Press, California.
ISO/IEC (2000) Information Technology – Code of Practice for Information Security Management. ISO/IEC 17799:2000(E), Geneva, Switzerland.
NCSC (2004) "National Cyber Security Manual." National Cyber Security Center, March. http://www.ncsc.go.kr
Theoharidou, M., Kokolakis, S., Karyda, M., and Kiountouzis, E. (2005) "The Insider Threat to Information Systems and the Effectiveness of ISO 17799." Computers and Security, 24, 472-484.
Whitman, M.E. and Mattord, H. (2005) Principles of Information Security, 2nd Edition. Course Technology, Boston.