Enhancing IT Security in Organizations Through Knowledge Management

Areej AlHogail, Department of Information Systems, College of Computing and Information Sciences, Imam Mohammed Bin Saud University, Riyadh, Saudi Arabia

Jawad Berri, Department of Information Systems, College of Computing and Information Sciences, King Saud University, Riyadh, Saudi Arabia
Abstract— Security of information systems (IS) is a major concern for organizations, since security-related risks can seriously damage an organization's information assets. Security in organizations can benefit a great deal from the knowledge and experience of security experts, practitioners and professionals, provided that this knowledge is acquired, encoded into a knowledge management system and distilled appropriately to support decision making in IS security management. This paper proposes to enhance the security of information systems through an architecture that sustains knowledge of IT security within an organization. The architecture uses a tailored set of security processes, policies and solutions to protect the organization's business. It is used to capture security-related knowledge so that it can be shared and transferred across the organization. The goal is to increase the efficiency of handling security incidents and to reduce dependency on individual security experts.

Keywords— Information security; Knowledge management; Knowledge acquisition
I. INTRODUCTION

Information security is a paramount concern for organizations, as most organizational activities and business processes depend heavily on information and communication technologies. IT security issues have grown rapidly in recent years as information technology has become accessible to everyone. Information is one of the most valuable assets of any organization; hence defending the organization's IT infrastructure against security risks such as hackers, viruses, theft of data, denial-of-service attacks and intruders has become an important role. This battle cannot be fought and won without the appropriate knowledge being delivered to the right people.

In recent years knowledge management (KM) has come into frequent use in organizations. Knowledge has become one of the most valuable resources in many organizations, and many of them depend on their capability to use this knowledge to generate profit [1]. Although KM technology has been widely deployed to support several functions within organizations, little if any of it has so far been directed at IS security management. The implementation of an efficient security system in an organization depends primarily on two factors: i) the existence of a secure information framework ensuring data integrity, unified methods for data and information access and retrieval, effective authentication procedures and efficient risk management; ii) the availability of an ecosystem sustaining knowledge of IT security within the organization, in order to develop a tailored set of security processes, policies and solutions to protect the organization's business. While the first factor has been investigated extensively by the IT security community, the second has received little attention.

Using knowledge in information security management is critically important. For instance, failure to deploy or upgrade security technologies, or to carefully preserve and back up valuable data, can cost an organization considerable monetary losses. Knowledge is needed to take rational decisions regarding the selection of information security policies and procedures [2], and knowledge of IT security can improve performance by enabling more security measures to be applied. In many organizations, security solutions focus on the technical side, and knowledge of security procedures remains tacit in the minds of a limited number of IT technicians. In fact, the effectiveness of current security solutions has been seriously questioned, as the volume of security-related incidents and the consequent financial losses continue to increase in magnitude as well as in severity [3]. Some researchers believe the reason for this lack of effectiveness is that security is primarily a "people issue" as well as a technical issue; on that basis, information systems security management is seen as a knowledge-intensive activity that currently depends heavily on the experience of security experts [4]. However, the knowledge dimension of IS security management has rarely been investigated. The need for security knowledge management has prompted the development of programs such as Security Education, Training and Awareness (SETA) [5].
However, more work is needed in order to develop more structured frameworks and models for integrating knowledge management into information security management. This paper presents an architecture that enables knowledge management of information security. The architecture is designed to be adopted by organizations in order to improve knowledge sharing, to enhance and facilitate decision making, and to reduce dependency on individual experts, with the aim of improving information systems security.

II. RELATED WORK
Previous attempts to manage IS security knowledge have been limited to the management of security documents and the establishment of communities of practice that promote cooperation among security experts, as well as the collection and dissemination of security information [3]. Different organizations have been working in this direction, such as CERT (Computer Emergency Response Team) and SAGE (the System Administrators Guild, an international organization for professional system administrators). Risk analysis, a common security management practice, has been appraised for its knowledge acquisition potential; however, there is no indication of how this knowledge could be associated with other security knowledge and how it can be managed within the organization [3].

Glaser and Pallas [1] propose transferring established solutions from information security management, such as the ISO/IEC 27001:2005 standard, to the field of knowledge management by analogy, in order to identify widely accepted solutions. The analogue of the information security policy is a knowledge sharing policy that obliges members of the organization to share their knowledge with others and enables sanctions in case of non-sharing. They also encourage knowledge classification, analogous to information classification, in which stronger protection is applied to the more valuable knowledge.

The above techniques and practices contribute significantly to IS security management and provide pieces of security knowledge. However, a comprehensive appreciation of IS security knowledge has not yet been provided. Knowledge management (KM) is assumed to have a major positive impact on the effectiveness of information system security management (ISSM). KM systems are used to capture and store organizational security knowledge and make it available to others, in order to support IS security managers and actors in strategic planning, tactical decision making and daily operations.
Knowledge refers to codified information with a high proportion of human value added, including insight, interpretation, context, experience, wisdom and so forth. It is usually categorized into two types: tacit and explicit. Tacit knowledge is transferred through personal interaction, mental models, technical skills and experience, and is difficult to formalize and communicate. Explicit knowledge is easy to communicate, but it is rigid and requires frequent updating. Knowledge can also be defined as "a mix of framed experience that often becomes embedded not only in documents or repositories, but also in organizational routines, practices and norms" [6]. Knowledge management aims to identify, capture and organize knowledge and make it available to others in order to facilitate knowledge sharing and exchange, by providing a formal mechanism for the identification and distribution of knowledge. It facilitates decision making, and it is motivated by factors such as market volatility, increasing competition and the loss of individual experience when people leave [6], [7].

Information systems security refers to the set of principles, regulations, methodologies, measures, techniques and tools established to protect an IS from potential threats. Information system security management is a set of policies describing the controls that an organization needs to implement to ensure that it is sensibly managing IS-related risks. It deals with technical factors as well as the human factor, which adds complexity and makes the goal of securing a system rather difficult to achieve. As a consequence, security management depends primarily on knowledge of the IS, its organizational context, technology trends, etc. Information system security knowledge refers to the several characteristics of the information system that significantly affect its security, e.g. network configuration. Each organization has many valuable knowledge "assets" within its business processes that need to be well documented. Many information security processes are kept as tacit knowledge within the IT security staff, and when those staff are not around for any reason there is a problem in carrying out such security actions. For instance, Shedden et al. [4] found in their study that the backup process often depends on tacit knowledge, applied in informal ways, to sustain operational complexity, handle exceptions and make frequent interventions. Glaser and Pallas [1] argue that knowledge that can be used by all members of an organization promises higher profits than individual knowledge, and that knowledge which remains secret from competitors promises higher profits than knowledge that is publicly available. Therefore, a well-designed knowledge management system aimed at expanding the body of exclusively usable knowledge is essential to the success of an organization's information security, and effective use of IS security knowledge management can give an organization a competitive advantage.

In organizations there are several practices aimed at enhancing security, and each practice contains some sources of exploitable knowledge. Practices can be classified as proactive or reactive security. Proactive security consists of measures that aim to prevent security incidents, whereas reactive security consists of measures that aim to detect incidents after they have occurred [1]. IS security-related knowledge and its sources have rarely been systematically recorded, nor has their impact on the security expert's work been identified. Security policies are not always recorded and strictly expressed in a corresponding security policy document. However, security policies often emerge from a risk analysis study, and the documentation produced in the process of analyzing risks includes vital information, especially in emergencies such as recovering after a security incident [5].

In a field study, Shedden et al. [4] found that if the information security managers were not on hand, the backup process would fail. The security managers were themselves identified as information assets whose availability needed to be preserved: if their knowledge was lost or not on hand, the security process would fail, with the potential for a "catastrophic result". They found that this was due to the little documentation done in that organization. They argued that although the Australian security risk management (ASRM) guidelines and handbooks do suggest that knowledge should be identified as an extension of "people" assets, this view is not applied across organizational implementations of these methods, in particular for tacit knowledge. It was apparent that a combined information security and knowledge perspective would identify that knowledge of an organization's systems and security is concentrated in only a few minds (i.e. too few people know too much), which can be classified as a key vulnerability. If either of these employees retired or resigned, this would pose a major threat to the organization's systems and processes generally; and a dissatisfied employee might do worse, by sabotaging the network or facilitating attacks on vulnerabilities in the system [8]. A combined perspective on this problem would facilitate action to control this risk, for instance through knowledge documentation and sharing by means of a knowledge management system.

Some common examples of creating knowledge resources in IS security include the codification and sharing of best practices, and the creation of knowledge networks by bringing people together, virtually or face to face, to exchange collective information and knowledge. Liu et al. [9] suggest that knowledge sharing should not be confined to the inside of the organization but extended to cover competitor organizations in order to improve security; they claim that organizations can improve information security by collaborating and sharing security-related knowledge with other firms. An example of security knowledge sharing is the Information Technology Information Sharing and Analysis Center (IT-ISAC) (https://www.it-isac.org), which aims to facilitate the sharing of information on cyber-security threats and vulnerabilities. The center provides a neutral forum in which peer members from member organizations can understand and share non-public details of threats and vulnerabilities, and it gives members a trusted point of contact for information sharing prior to and during incidents. This improves the security of the participating organizations: when a breach happens, only the breached organization suffers the loss, while the other members benefit from the shared knowledge.

III. THE POTENTIALS OF USING KNOWLEDGE MANAGEMENT ARCHITECTURE FOR IS SECURITY
Human knowledge is created and enlarged through social interaction between tacit and explicit knowledge; this interaction is called knowledge creation. According to the Nonaka and Takeuchi knowledge spiral model [10], knowledge passes through four modes of conversion. In socialization, tacit knowledge is exchanged through person-to-person interaction and shared experience, for instance trial-and-error learning, on-the-job training and direct or indirect communication; the knowledge exchanged remains tacit. In externalization, tacit knowledge is converted into explicit knowledge using metaphors, models and analogies. In combination, explicit knowledge is converted into new explicit knowledge: documents, meetings and existing knowledge are combined, structured and sorted, typically with the support of information technology. In internalization, explicit knowledge is converted back into tacit knowledge, for instance by using the models and learning from them; this tacit knowledge can then be externalized again, continuing the spiral.

Artificial intelligence techniques (including neural networks and case-based reasoning) facilitate KM by creating new knowledge through merging, categorizing, reclassifying and synthesizing existing explicit knowledge. Neural-network-based systems can analyze patterns of security violations and present valuable knowledge to stakeholders. Case-based reasoning systems can offer solutions to present security problems by recommending solutions based on similar previous cases and on external knowledge sources such as journal reports and training providers [5].

Currently, the creation of IS security-related knowledge within the organization remains an ad hoc process. Organizations either hire expensive external consultants or depend on security experts within the organization who build their own personal knowledge creation processes. In either case the organization has no control over its security knowledge. Knowledge management mitigates the impact of employee turnover. In many organizations the knowledge lost through employee turnover is a large problem; if the important knowledge is retained within the organization, unexpected turnover is far less disruptive. In addition, employee training becomes more effective, as new employees are trained on correct information and are clear about the information for which they are responsible. Integrating knowledge management into information security management can help create a central repository for storing and sharing security information across the organization. This repository would house all of the policies, methodologies, process documents, guidelines and best practices. However, access control must be applied to the repository itself, so that who can access what is determined by the employee's role.

A KM system for IS security is meant to support IS security management at the strategic, tactical and operational levels, as Belsis et al. [3] suggest. It can reduce dependency on expensive outsourced security consultants, since knowledge creation takes place within the organization; provide stakeholders with access to security knowledge and facilitate their participation in IS security decisions; enable policies and guidelines to be effectively communicated to stakeholders; and, finally, reinforce the feedback process, thereby supporting the monitoring, review and amendment of the IS security management system. In summary, a knowledge management system for information security enables organizations to determine and manage their IT security knowledge needs in order to improve the general management of the information system and its security.

IV. KNOWLEDGE ACQUISITION FOR INFORMATION SECURITY SYSTEM
Acquiring the necessary knowledge for security is a major step towards the implementation of a knowledge management system. This step consists in setting up the knowledge acquisition process, which aims to feed the system with the necessary expertise (Fig. 1). Knowledge acquisition is a cycle that aims at transferring problem-solving expertise from the field experts and practitioners involved in the security side of the IS, together with all corporate security-related information. This transfer is accomplished through knowledge management techniques which i) analyze the experts' tasks and their best practices associated with security, and ii) scrutinize the corporate documents related to IS security [12]. Knowledge acquisition is achieved through a four-step cycle: Elicitation, Representation, Implementation and Validation (Fig. 1). Elicitation consists in identifying the IS security data used by the field experts and the corporate security information; this data is categorized in order to isolate the procedures, actions and rules used in the expert's decision process. Representation consists in representing the knowledge in a formal language closer to the implementation; during this step, action schemes organizing the expert's actions are elaborated, and the problem-solving strategies used in the decision process are defined. Implementation consists in encoding the expertise acquired during the two previous steps into a knowledge-based program. In the Validation step, the knowledge encoded in the knowledge base is tested and validated; experts are involved in this step to test for and correct missing, incomplete or incorrect system knowledge.
[Figure 1. Knowledge acquisition process. Sources: Security Experts & Practitioners, Organization's Security Information Sources. Cycle: Elicitation, producing the Elicitation Model (Procedures, Actions, Rules); Representation, producing the Representation Model (Action Schemes, Resolution Strategies); Implementation, producing the Knowledge-based System (Knowledge Base, Reasoning Engine); Validation.]

Knowledge of IS security can be classified under six main categories: security risk analysis, security controls, policy and guidelines, standards, IS security tacit knowledge and IS-related knowledge (Fig. 2). (1) Security risk analysis is the systematic approach of evaluating threats to and vulnerabilities of the organization's assets in order to establish an expected loss from certain events, based on estimated probabilities of the occurrence of those events. (2) Security controls, or 'measures', refer to specific actions taken to avoid, counteract or minimize security risks. (3) A policy refers to a set of high-level principles, rules or procedures intended to guide decision making and achieve rational outcomes; guidelines are detailed 'low-level' operational steps to be followed by members of the organization in order to implement a policy. (4) Standards are agreed, repeatable, published documents that contain a technical specification or other precise criteria designed to be used consistently as a rule, guideline or definition. Examples of common standards and frameworks used in information security management are ISO/IEC 27001, COBIT and ITIL. (5) IS security tacit knowledge is the know-how and other valuable security knowledge that is kept in the minds of security personnel; the proposed model should help to convert such tacit knowledge into usable form. (6) IS-related knowledge: there are also other sources of knowledge related to the organization that should be carefully examined as they significantly affect policy design, such as the organization's mission statement and budget.

[Figure 2. Knowledge sources of information security in an organization: the six categories listed above.]
V. KNOWLEDGE MANAGEMENT ARCHITECTURE

Knowledge is useful to an organization when it has formal or informal mechanisms for transforming tacit knowledge into explicit knowledge. The knowledge management architecture is used to build a knowledge management system that allows the capture and sharing of information systems security procedures, in order to facilitate effective security incident response and to reduce dependency on security experts. The architecture exhibits four major layers: the knowledge users, knowledge interface, knowledge description and knowledge resources layers (Fig. 3).

The knowledge users layer describes the "right people" who should acquire IT security knowledge in order to maintain the confidentiality, integrity and availability of an IT system. The knowledge interface layer details the "right information" that must be conveyed to each knowledge user for maintaining system security and for making effective IT security decisions, such as executing the recovery plan. The relationship between knowledge users and knowledge interfaces must be carefully specified: only the right knowledge users should be granted access to the corresponding IT security information, based on the knowledge type and the user's role in the organization. Each user is authenticated with a specific user name and password, and the knowledge displayed is selected according to the user's role; in other words, for each knowledge interface a set of user roles is assigned that may access it (read as default deny, an interface with no role assigned is accessible to nobody). The interface should, for example, state the steps to be taken by a specific knowledge user in a specific situation, and these differ for each user depending on his or her role. Note that the user name and password only establish who the user is; which interfaces that user may open is decided by the role mapping, which should therefore be maintained as carefully as the security knowledge itself.

The knowledge description layer provides the elements needed to classify knowledge, which can be procedural (how), declarative (what) or conditional (a statement of when and what relationships). This layer includes ontologies, which are conceptual descriptions of the security domain; action schemes, which specify the series of actions to perform in order to solve a security-related issue; rules, which describe the correspondence between security facts and the actions to take to solve a security problem; and resolution strategies, which combine different rules, actions, techniques and heuristics to solve a security problem or to define a method for preventing security threats.

The knowledge resources layer includes the resources from which security-related information is gathered and acquired. It deals with the organization's databases, which can be internal or external to the organization (for instance databases of collaborators, competitors and suppliers). Knowledge is also derived from the collective organizational memory, defined by past experience and events that influence present organizational activities; this information is located on the local area network. Resources can also be accessed remotely on the web, by means of specific services that allow the resources layer to search, access and retrieve them.
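As an added illustration (not code from the paper), the following Python sketch models the relationship between the knowledge users, knowledge interface and knowledge description layers described above. The roles are the four user types of Fig. 3; the interface names, the role assignments and the description texts are hypothetical. The point it makes concrete is that access is granted only by an explicit interface-to-role assignment, so both an unknown interface and an unassigned role are denied.

```python
"""Role-to-knowledge-interface access check, modelled on the four-layer
architecture (knowledge users -> knowledge interfaces -> knowledge
descriptions -> knowledge resources).

Added illustration, not code from the paper. The roles are the four user
types of Fig. 3; interface names and description texts are hypothetical.
"""
from dataclasses import dataclass, field
from enum import Enum


class Role(Enum):
    """Knowledge-user roles (the knowledge users layer)."""
    MOBILE_USER = "mobile user"
    EXPERT = "expert"
    COMMUNITY = "communities"
    MANAGER = "manager"


class Kind(Enum):
    """Element types of the knowledge description layer."""
    ONTOLOGY = "ontology"
    ACTION_SCHEME = "action scheme"
    RULE = "rule"
    RESOLUTION_STRATEGY = "resolution strategy"


@dataclass(frozen=True)
class Description:
    kind: Kind
    text: str


@dataclass
class KnowledgeInterface:
    name: str
    # Roles that may open this interface. An empty set means nobody may
    # (default deny): access is only ever granted by an explicit assignment.
    allowed_roles: frozenset
    descriptions: list = field(default_factory=list)


@dataclass(frozen=True)
class User:
    # user_id is what authentication (user name and password) establishes;
    # role is what the authorization decision is made on.
    user_id: str
    role: Role


# Hypothetical interfaces and their role assignments.
RECOVERY_PLAN = KnowledgeInterface(
    "recovery plan",
    frozenset({Role.EXPERT, Role.MANAGER}),
    [
        Description(Kind.ACTION_SCHEME, "shift main-server activity to the secondary server"),
        Description(Kind.RULE, "IF server performance < 75% THEN alert level 3"),
        Description(Kind.RESOLUTION_STRATEGY, "restore the service first, then scan the degraded host"),
    ],
)
SERVICE_STATUS = KnowledgeInterface(
    "service status",
    frozenset({Role.MOBILE_USER, Role.COMMUNITY, Role.EXPERT, Role.MANAGER}),
    [Description(Kind.ONTOLOGY, "service / server / incident vocabulary")],
)
INTERFACES = {i.name: i for i in (RECOVERY_PLAN, SERVICE_STATUS)}


def authorize(user: User, interface_name: str) -> bool:
    """True only if the interface exists and explicitly lists the user's role.
    An unknown interface name and a role that was never assigned both deny."""
    interface = INTERFACES.get(interface_name)
    return interface is not None and user.role in interface.allowed_roles


def view(user: User, interface_name: str, kinds=None) -> list:
    """Knowledge descriptions the user may see through the interface,
    optionally restricted to some description kinds."""
    if not authorize(user, interface_name):
        raise PermissionError(
            f"{user.user_id} ({user.role.value}) may not open {interface_name!r}")
    items = INTERFACES[interface_name].descriptions
    if kinds is not None:
        items = [d for d in items if d.kind in kinds]
    return [d.text for d in items]


def accessible_interfaces(user: User) -> list:
    """Names of every interface the user's role may open (e.g. for a menu)."""
    return sorted(name for name in INTERFACES if authorize(user, name))


if __name__ == "__main__":
    for u in (User("sara", Role.MOBILE_USER), User("adam", Role.EXPERT)):
        print(u.user_id, "->", accessible_interfaces(u))
```

Keeping `authorize` as the single decision point means that every way of reaching knowledge (menus, direct lookups, filtered views) goes through the same role mapping, which is the property the architecture asks for when it says the user/interface relationship must be "carefully specified".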
[Figure 3. Multi-Layer Knowledge Management Architecture. Knowledge Users: Mobile User, Expert, Communities, Manager. Knowledge Interface. Knowledge Description: Ontologies, Rules, Action Schemes, Resolution Strategies. Knowledge Resources: Databases, LAN, Web.]

VI. CASE STUDY

We use the following case study scenario to illustrate the usage of our architecture and the value added by knowledge management in a real-life situation. A service-based company provides online services to its customers, who connect through the company portal, request different services, pay online and can interact with customer service for maintenance and other purposes. Keeping the company's main server up is vital for the company's business and for the 24/7 availability of the services offered to customers. The company employs a security group composed of a security specialist, an IS manager and a software engineer. The main objective of the security group is to monitor the main server and the satellite servers all day to avoid any interruption, and to take action whenever a security threat is detected. In an effort to capitalize on the company's security expertise and avoid any disruption of online services, the company engaged in a process of capitalizing security expertise and implementing a Knowledge Management System in Security (KMSS) to be used by the different actors. The objective of the KMSS is to relieve key IS and security staff from having to be physically present all the time, to preserve the company's expertise, to allow IT staff to learn from the experiences of experts, and to assist them in decision making whenever a threat is detected.

Whenever a security event happens, the security group reports its observations and the actions taken, in order to keep a log. The report has many fields which are filled in by different actors. The following is an example of a security report (Fig. 4):

Security Threat Report
Profile
  Report ID: 020523
  Type: DoS
  Date: 12-5-2009
  Time: 00:36
Actors
  Reported-by: Sara
  Resolved-by: Adam
  Further-Consideration: Security specialist, Knowledge officer
Diagnostic
  Description: I noticed that the performance of the server decreased badly suddenly.
  Damage: Server very slow from 00:36 to 01:15
Solution
  Actions:
  • Main Server activity shifted to Secondary Server
  • Execution of antivirus scan in the main server
  Remarks:
  • 60% of services unavailable during the attack;
  • Need to write a system script for activity shift between servers in case 25% of server performance decrease is detected

Figure 4. Security report example
The report has four parts: Profile, Actors, Diagnostic and Solution.

Profile includes the ID, a unique identifier generated automatically; the Type, representing the threat type or name; and the Date and Time at which the threat occurred. Actors reports all company staff involved in handling the event: Reported-by is the employee who reported the event; Resolved-by is the specialist who took action to resolve the issue; and Further-consideration lists further actors who will use the report for various purposes. In our case, for instance, the security specialist needs to review the report for further analysis, and the knowledge officer needs to consider it for knowledge management purposes. Diagnostic includes the Description field, a description of the attack as reported by the security staff, and the Damage field, an evaluation of the damage caused by the attack as assessed by the security staff. Solution describes the measures taken to solve or prevent the threat or attack: the Actions field lists all actions taken to solve the issue, and the Remarks field includes any observed facts that are important for security audit and for IS staff to prevent such threats.

Security Threat Reports are referred to the knowledge officer for further consideration by the knowledge management team. All parts of the report are analyzed and the knowledge acquisition process (Fig. 1) is applied to represent the report as actions and rules, which are then integrated into the knowledge base of the KM system. The following rule (Fig. 5) was acquired from the report above; at the elicitation step it is written in pseudo-code:

RULE "Server Performance Decrease"
IF Current server performance is less than 75%
THEN
  Possible threat: Alert = 3
  Execute Shift from current server to available server
  Execute Scan in current server
  Notify security staff

Figure 5. Example of a rule.

The rule is used to suggest actions when a decrease in server performance is detected; the 75% threshold corresponds to the 25% performance decrease noted in the Remarks of the report. Security staff are notified to monitor the incident and take action. The system displays different messages to each user who logs in for the same incident: based on the user ID, the system determines the knowledge interface to display, and based on that knowledge interface, the instructions, or "knowledge description", differ for each user. For instance, the knowledge interface for IT security personnel may lead to altering firewall rule sets to block a particular protocol or to protect a vulnerable host, and will guide them to the policy and guidelines on how to deal with such an event. A knowledge management interface includes instructions that ensure business continuity. The expertise acquired from reports serves different users and helps in monitoring the company's business activity; it is also used to train new security staff through real-life security scenarios.
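As an added example (not code from the paper), the following Python block carries the case study one step further along the acquisition cycle: it parses a Security Threat Report laid out as in Fig. 4 into its four parts, rejecting an incomplete report rather than letting it into the knowledge base, and it implements the Fig. 5 rule as a function that returns suggested actions. The report text is the Fig. 4 example re-typed one field per line; the performance figures passed to the rule, and the handling of the case where no standby server is available, are constructed assumptions.

```python
"""Parsing the Security Threat Report of Fig. 4 and applying the
'Server Performance Decrease' rule of Fig. 5.

Added illustration, not code from the paper. The report text below is the
Fig. 4 example re-typed one field per line; the performance figures passed
to the rule are constructed.
"""
from dataclasses import dataclass, field

SAMPLE_REPORT = """\
Report ID: 020523
Type: DoS
Date: 12-5-2009
Time: 00:36
Reported-by: Sara
Resolved-by: Adam
Further-Consideration: Security specialist, Knowledge officer
Description: I noticed that the performance of the server decreased badly suddenly.
Damage: Server very slow from 00:36 to 01:15
Actions:
- Main Server activity shifted to Secondary Server
- Execution of antivirus scan in the main server
Remarks:
- 60% of services unavailable during the attack
- Need to write a system script for activity shift between servers in case 25% of server performance decrease is detected
"""

# The four report parts and the fields each contains.
PARTS = {
    "Profile": ("Report ID", "Type", "Date", "Time"),
    "Actors": ("Reported-by", "Resolved-by", "Further-Consideration"),
    "Diagnostic": ("Description", "Damage"),
    "Solution": ("Actions", "Remarks"),
}
LIST_FIELDS = {"Further-Consideration", "Actions", "Remarks"}


def parse_report(text: str) -> dict:
    """Return {part: {field: value}}. List fields accept comma-separated
    values on the field line and/or '- ' bullet lines below it. A missing
    field or an unrecognised line is an error, so an incomplete report is
    rejected instead of silently entering the knowledge base."""
    fields: dict = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("- ") and current in LIST_FIELDS:
            fields[current].append(line[2:].strip())
            continue
        key, sep, value = line.partition(":")   # split on the FIRST colon only,
        if not sep:                              # so 'Time: 00:36' keeps its value
            raise ValueError(f"unrecognised line: {raw!r}")
        current = key.strip()
        if current in LIST_FIELDS:
            fields[current] = [v.strip() for v in value.split(",") if v.strip()]
        else:
            fields[current] = value.strip()
    missing = [f for names in PARTS.values() for f in names if f not in fields]
    if missing:
        raise ValueError(f"report is missing fields: {missing}")
    return {part: {f: fields[f] for f in names} for part, names in PARTS.items()}


def performance_pct(current_rate: float, baseline_rate: float) -> float:
    """Current throughput as a percentage of the normal baseline."""
    if baseline_rate <= 0:
        raise ValueError("baseline must be positive")
    return 100.0 * current_rate / baseline_rate


@dataclass
class RuleOutcome:
    fired: bool
    alert: int = 0
    actions: list = field(default_factory=list)


def server_performance_rule(perf_pct: float, standby_servers: list,
                            threshold_pct: float = 75.0) -> RuleOutcome:
    """Fig. 5 rule: performance below 75% (the 25% decrease of the report's
    remark) raises alert level 3 and suggests shift, scan and notification.
    Actions are returned, not executed, so the knowledge interface can show
    each role only what it is allowed to act on."""
    if perf_pct >= threshold_pct:
        return RuleOutcome(fired=False)
    actions = []
    if standby_servers:
        actions.append(f"shift activity from current server to {standby_servers[0]}")
    else:
        # Case the pseudo-code leaves implicit: there is no server to shift to.
        actions.append("no available server to shift to; escalate immediately")
    actions += ["scan current server", "notify security staff"]
    return RuleOutcome(fired=True, alert=3, actions=actions)
```

Returning the actions instead of executing them keeps the rule in the knowledge description layer and leaves execution to whichever knowledge interface the logged-in role is entitled to, which is the separation the architecture draws between description and use.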
VII. CONCLUSION

Expertise in security is valuable for protecting the organization's information capital against network threats that are becoming increasingly frequent and complex. Solutions to network threats are not always available in books and manuals; most of them are acquired through experience and practice. In this paper we proposed a knowledge management architecture to address this gap by bridging explicit and tacit security knowledge. The architecture supports the transfer of security knowledge from practising security experts into a KM system that can be used by the many actors involved in the organization's security. It has been designed to decouple the knowledge description layer, which includes the elements necessary to represent security knowledge, from the other layers, which make use of that knowledge to satisfy users' needs and to implement IT security standards and policies more easily and effectively. In future work we plan to develop a fine-grained ontology for the architecture in order to standardize and integrate all the elements of the knowledge description layer, and to test the architecture in various environments. This will enable an exhaustive and accurate knowledge description of the security domain and will also test the architecture's robustness when facing new threats not handled before.

REFERENCES

[1] Glaser, T., & Pallas, F. (2007), "Information Security and Knowledge Management: Solutions through Analogies?", available from http://ssrn.com/abstract=1014302 (accessed October 2011).
[2] Grossklags, J., Johnson, B., & Christin, N. (2010), "When Information Improves Information Security", in Proceedings of the Fourteenth International Conference on Financial Cryptography and Data Security (FC'10), January 25-28, 2010, Tenerife, Spain.
[3] Belsis, P., Kokolakis, S., & Kiountouzis, E. (2005), "Information systems security from a knowledge management perspective", Information Management & Computer Security, 13(3): 189-202.
[4] Shedden, P., Scheepers, R., Smith, W., & Ahmad, A. (2011), "Incorporating a knowledge perspective into security risk assessments", VINE: The Journal of Information and Knowledge Management Systems, 41(2): 152-166.
[5] Kesh, S., & Ratnasingam, P. (2007), "A Knowledge Architecture for IT Security", Communications of the ACM, 50(7): 103-108.
[6] Awad, E., & Ghaziri, H. (2010), Knowledge Management, 2nd ed., International Technology Group, Ltd., North Garden, VA.
[7] Dalkir, K. (2011), Knowledge Management in Theory and Practice, 2nd ed., MIT Press, Cambridge, MA.
[8] Nelson, S. D., & Simek, J. W. (2005), "Disgruntled Employees in Your Law Firm: The Enemy Within", Sensei Enterprises, Inc., available online at http://www.senseient.com/articles/pdf/article31.pdf (accessed December 2011).
[9] Liu, D., Ji, Y., & Mookerjee, V. (2011), "Knowledge sharing and investment decisions in information security", Decision Support Systems, 52(1): 95-107.
[10] Nonaka, I., & Takeuchi, H. (1995), The Knowledge-Creating Company, Oxford University Press, New York/Oxford.
[11] Lea, N., Hailes, S., Austin, T., & Kalra, D. (2008), "Knowledge Management for the Protection of Information in Electronic Medical Records", in Proceedings of the MIE 2008 Conference, eHealth Beyond the Horizon, IOS Press, pp. 685-690.
[12] Berri, J. (2010), "Towards a Framework for Collective Intelligence", Proceedings of ICDIM'10 (International Conference on Digital Information Management), Thunder Bay, Canada, July 5-8, 2010, pp. 454-459.