14 research outputs found

    Cost correlation in multi-faceted information security systems

    Economic optimization problems in information security address two main questions: determining the optimal amount of investment in information security that yields the best economic performance, and optimizing the allocation of resources between objects. The transition to multilevel, multi-barrier systems substantially broadens the problem and raises a number of issues caused by the more complex structure and the particular placement of individual elements. We consider a series-parallel arrangement of obstacles that contains one obstacle common to all objects together with individual obstacles. We analyse whether introducing the common obstacle is worthwhile under a fixed information security budget, depending on the vulnerability of the obstacles and the distribution of information between objects. A method is developed and calculation results are presented for the optimal allocation of resources between the common and the individual obstacles. Conditions for correlation between the optimal resource allocations directed at the individual obstacles are examined. The results may be useful when developing recommendations on resource management and on the design of optimal information security systems.

    PRODUCTIVITY OF INVESTMENT IN INFORMATION SECURITY

    Indicators of information security productivity in terms of reducing vulnerability and reducing threat are considered. These indicators form a two-dimensional productivity space that can be divided into zones, each defining a different resource allocation strategy. The boundaries of the zones are determined as a function of the properties of the objects and the conditions of confrontation; examples of calculations are given.

    Conditions for the existence of a saddle point in multi-barrier information security systems

    When designing integrated information security systems, important problems are determining the optimal amount of resources needed for defence and allocating them between objects that differ in the amount of information, vulnerability and probability of attack. Finding a solution is complicated by uncertainty about the attacker's actions. Under these conditions, an appropriate solution is one corresponding to the saddle point of the objective function, which expresses one of the security system's indicators (the share of lost information, the return on investment in information security, or its profitability) as a function of the ratio of attack and defence resources. The calculations carried out make it possible to analyse the conditions for the existence of a saddle point in one- and two-level systems that differ in the number of objects and the number of obstacles defending them. It is shown that a saddle point exists in certain intervals of values of Z=X/Y; these intervals are determined by the form of the objects' dynamic vulnerability and by the distribution of information between the objects.

    Cost correlation in multi-barrier information security systems

    Economic optimization problems in information security address two main questions: determining the optimal amount of investment in information security that yields the best economic performance, and optimizing the allocation of resources between objects. The transition to multilevel, multi-barrier systems substantially broadens the problem and raises a number of issues caused by the more complex structure and the particular placement of individual elements. We consider a series-parallel arrangement of obstacles that contains one obstacle common to all objects together with individual obstacles. We analyse whether introducing the common obstacle is worthwhile under a fixed information security budget, depending on the vulnerability of the obstacles and the distribution of information between objects. A method is developed and calculation results are presented for the optimal allocation of resources between the common and the individual obstacles. Conditions for correlation between the optimal resource allocations directed at the individual obstacles are examined. The results may be useful when developing recommendations on the design of optimal information security systems and on resource management.

    Towards a Comprehensive Evidence-Based Approach For Information Security Value Assessment

    This thesis is motivated by the goals of understanding in depth which information security value aspects are relevant in real-world business environments and contributing a value-prioritised information security investment decision model suitable for practitioners in the field. Pursuing this goal, we apply a mixed method research approach that combines the analysis of the relevant literature, expert interviews, practitioner survey data and structural equation modelling and multicriteria decision analysis. In the first step, we address the identified terminology gap to clarify the meaning of ‘cyber security’ by analysing authoritative definition sources in the literature and presenting an improved definition distinct from that of ‘information security’. We then investigate the influence of repeated information security breaches on an organisation’s stock market value to benchmark the wider economic impact of such events. We find abnormal returns following a breach event as well as weak statistical significance on abnormal returns for later breach events, confirming that data breaches have a negative impact on organisations. To understand how security practitioners view this topic, we conduct and analyse semi-structured interviews following a grounded theory approach. Our research identifies 15 principles aligned with a conceptual information security investment framework. The key components of this framework such as the business environment, drivers (threat landscape, legal and regulatory) and challenges (cost of security, uncertainty) are found to be a crucial part of value-prioritised information security investment decisions. We verify these findings through a structural model consisting of five latent variables representing key areas in value-focused information security investment decisions. The model shows that security capabilities have the largest direct effect on the value organisations gain from information security investment. 
In addition, the value outcome is strongly influenced by organisation-specific constructs such as the threat landscape and regulatory requirements, which must therefore be considered when creating security capabilities. By addressing one of the key uncertainty issues, we use a probabilistic topic modelling approach to identify latent security threat prediction topics from a large pool of security predictions publicised in the media. We further verify the prediction outcomes through a survey instrument. The results confirm the feasibility of forecasting notable threat developments in this context, implying that practitioners can use this approach to reduce uncertainty and improve security investment decisions. In the last part of the thesis, we present a multicriteria decision model that combines our results on value-prioritised information security investments in an organisational context. Based on predefined criteria and preferences and by utilising stochastic multicriteria acceptability analysis as the adopted methodology, our model can deal with substantial uncertainty while offering ease of use for practitioners

    The Education of Information Security Professionals: An Analysis of Industry Needs vs Academic Curriculum in the 21st Century

    This research compared the employment of the skills and attributes needed by information systems security professionals in an information systems security work environment with those taught in NSA Centers of Academic Excellence in Information Assurance Education. Using two surveys, the goal of this research was to determine if the skills and attributes identified in the CISSP were employed in an information systems work environment and if these skills were taught in colleges and universities designated as NSA Centers of Academic Excellence in Information Assurance Education. The skills and attributes within the 10 domains of the CISSP were identified by 23 questions contained in two surveys, one to information systems security professionals working in the field and one to information systems security faculty in NSA-designated Centers of Academic Excellence in Information Assurance Education. The CISSP domains cover the following areas of information security responsibilities: 1) Access Control Systems and Methodology, 2) Telecommunications and Network Security, 3) Security Management Practices, 4) Applications and Systems Development Security, 5) Cryptography, 6) Security Architecture and Models, 7) Operations Security, 8) Business Continuity Planning and Disaster Recovery Planning, 9) Laws, Investigations, and Ethics, and 10) Physical Security. The CISSP domains were chosen as the defining criteria for the development of the operational definitions after an extensive review of literature in the field of information security. The surveys were developed over three phases: the pilot phase, the validity phase, and the reliability phase. The breakdown of the domain descriptions into questions was accomplished during the pilot survey phase. Requests for participation in the survey were e-mailed to 800 information systems security professionals and 321 information systems security faculty. 
There was a 67% information systems security faculty response rate and a 20% information systems security professional response rate. This research indicated that information systems security professionals working in an information systems security work environment employed or addressed the skills and attributes identified in the 10 domains of the CISSP. This research also indicated that the skills and attributes taught in the curriculum of NSA Centers of Academic Excellence in Information Assurance Education had no association with the skills and attributes employed, or addressed, by information systems security professionals in an information systems security work environment. There was one exception, Domain 4, Applications and Systems Development Security, which indicated there was an association between how the skills and attributes were employed in an information systems security work environment and were taught in NSA Centers of Academic Excellence in Information Assurance Education. The findings of this research can be used as a baseline to develop information systems security curriculum. Further research is needed to determine the differences, if any, in the skills and attributes identified in the various information security certifications, the correlation between the skills and attributes identified in each of the information security certifications, and any differences in the employment of these skills and attributes between certified and non-certified information systems security professionals

    BEHAVIORISM AND LOGICAL POSITIVISM: A REVISED ACCOUNT OF THE ALLIANCE (VOLUMES I AND II)

    The primary aim of this work is to show that the widespread belief that the major behaviorists drew importantly upon logical positivist philosophy of science in formulating their approach to psychology is ill-founded. Detailed historical analysis of the work of the neobehaviorists Edward C. Tolman, Clark L. Hull, and B. F. Skinner leads to the following conclusions: (1) each did have significant contact with proponents of logical positivism; but (2) their sympathies with logical positivism were quite limited and were restricted to those aspects of logical positivism which they had already arrived at independently; (3) the methods which they are alleged to have imported from logical positivism were actually derived from their own indigenous conceptions of knowledge; and (4) each major neobehaviorist developed and embraced a behavioral epistemology which, far from resting on logical positivist assumptions, actually conflicted squarely with the anti-psychologism that was a cornerstone of logical positivism. It is suggested that the myth of an alliance between behaviorism and logical positivism arose from the incautious interpretations of philosophical reconstructions as historical conclusions. This and other historiographical issues are discussed in the concluding chapter, where it is argued that the anti-psychologism of the logical positivists is an unnecessary impediment to a fuller understanding of the phenomenon of knowledge

    Imagining corporate culture: the industrial paternalism of William Hesketh Lever at Port Sunlight, 1888-1925

    At Lever Brothers soap company in Port Sunlight, U.K., William Lever, between 1888-1925, instituted employee benefits that preceded the welfare state. Yet, in addition to providing tangible benefits for the employees (including free medical care, pensions, an employee profit-sharing scheme), Lever also created a strong corporate identity for his employees by cultivating a strong company and personal image, one constructed in response to national discourses surrounding industrialization, empire, national identity, and economic decline. Lever offered his company as a solution to national concerns and thus posited his workers as participants in patriotic efforts and empire-building. He forged an effective company culture by constructing a positive image of himself, his company, and his factory town. Lever constructed and defended this image through various channels. In public addresses, he carefully constructed his own ethos. In Port Sunlight, architecture was a rhetorical method for constructing and consolidating a company image that looked to an idealized past. Media events, Lever's art collection, advertisements, and company, local, and national publications further promoted the company culture and the employees' roles in it. This carefully constructed image was an important element in the development of an overall corporate culture that helped thrust Lever Brothers (later Unilever) into multinational status. This dissertation shows that analysis of paternalist companies such as Lever Brothers must be conducted through a wide lens to account for the influence of cultural factors on the company's success as well as to recognize the role of such factors in the successful construction of company identity

    Regulation, architecture and modernism in the United States, 1890-1920

    Thesis (Ph. D.)--Massachusetts Institute of Technology, Dept. of Architecture, 2008. By Michael Osman. Includes bibliographical references (p. 239-256).
    This dissertation examines the modernization of the United States through a group of regulatory techniques and institutions that emerged in the early twentieth century. In this period, conceptions of power based on laissez-faire capitalism were giving way to systems of governance that aimed to control the economies of the home, market, nature and labor. Methods of avoiding, delaying, and constraining the uncertainties resulting from the massive economic development of the nation established a new approach to securing its future through the regulation of risk. While predictability and efficiency are often invoked as core principles of modernism, these were in fact ideologies that gained their force through these earlier attempts to manage and forestall risk. The dissertation identifies four cases in which technology and architecture served as critical instruments for the implementation of regulation in the modern interior. The application of thermostatic control of heat for domestic architecture established a norm for room temperature that, through the home economics movement, became a hygienic standard for the modern American home. In cold storage facilities, mechanical refrigeration technologies were employed to regulate the longevity of perishable food. By extending the life of produce, these warehouses served as control centers for distributing the nation's food supply and regulating the futures market that determined their prices. Even more dramatic manipulations of the environment were enacted in ecological laboratories. Packed with control systems, these structures played a crucial role in the development of research that explored the governing dynamics of the economy of nature; they sought to connect the life of organisms to fluctuations in their surrounding environment. In factories, plant owners hired engineers to install production control systems to regulate the relations between machines, men and the market. The techniques devised by these managers sought to make industry both responsive and resistant to unstable and often unpredictable fluctuations in demand.