Confidentiality and Information Security

<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEia5bxwFDl2OkpqKBRBMYh1jP05qoy-jYK6IxjDKn-RVmMNz4_dTHmwkOem3Kw2ggDzgQk8G5M4Wc-KCSkBQfp9EPW8_u_MED_fHq_K1rFwPa_NSSxxaxyBepo7CrsUUMPqjlQ22tyfk4IP/s1600/confidentiality.png" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEia5bxwFDl2OkpqKBRBMYh1jP05qoy-jYK6IxjDKn-RVmMNz4_dTHmwkOem3Kw2ggDzgQk8G5M4Wc-KCSkBQfp9EPW8_u_MED_fHq_K1rFwPa_NSSxxaxyBepo7CrsUUMPqjlQ22tyfk4IP/s1600/confidentiality.png" /></a><span style="font-family: Arial, Helvetica, sans-serif;">When it comes to confidentiality, a good information security strategy is to adopt the need-to-know basis for determining who has access to which data and when they have access to those data. Essentially, this paradigm states that a user should, by default, have access to no system capabilities or information assets. The assets or capabilities that are ultimately granted to the user, then, are done so only on a need-to-know basis. Similar to the need-to-know policy for data access, access to physical assets such as a server room or a network closet should also be granted only on a need-to-know basis. Put another way, system users and information technology workers should be provided with all of the information assets and access that they need to do their jobs effectively, </span><i style="font-family: Arial, Helvetica, sans-serif;">and nothing more</i><span style="font-family: Arial, Helvetica, sans-serif;">.</span><br /><span style="font-family: Arial, Helvetica, sans-serif;"><br /></span><div class="MsoNormal"></div><div class="MsoNormal"><span style="font-family: Arial,Helvetica,sans-serif;">Another interesting consideration with respect to confidentiality is the question of how we know if a user truly is the person or system that they claim to be. This question speaks directly to the difference between identification and authentication. In generic terms, identification can be thought of as the process of proving that someone is who they say they are. By contrast, authentication is the process of proving that something is genuine, true, or authentic. In the world of information security, it is often very difficult or infeasible to truly identify a real human being or a specific system. Instead, we commonly use methods of authentication, and in so doing we assume that the credentials being used for purposes of authentication are being used only by the real-world system or human being to whom those credentials apply. This is, of course, a risky assumption, since through malicious or non-malicious means it might be very possible for another person to obtain your login credentials. If that person were then to use those credentials to login to, say, your social networking account, as far as the social networking site is concerned, that person <i>is </i>you. After having received appropriate credentials, the system will assume that the malicious party is, in fact, the real-world human being to whom those credentials actually belong. Confidentiality is thus difficult to ensure with 100% certainty, but it is nevertheless often the easiest security goal to assess in terms of whether or not efforts aimed at ensuring confidentiality have been successful.</span></div>

Confidentiality and Information Security

When it comes to confidentiality, a good information security strategy is to adopt the need-to-know basis for determining who has access to which data and when they have access to those data. Essentially, this paradigm states that a user should, by default, have access to no system capabilities or i…

Read more »

Harm and Information Assets

<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj47jnJHA25GxSKb-evVH7fLbBelrTlqCkVYxS0EOP5uvstcSwlQlNiEsHQcLOWEYaDhhiqdy5_zlux-zfX5ITnCUANAOYIL5hUVZn5AHigJoSs3I_g4LB2067CwVxaGh1Ofdv3OFkUNfzR/s1600/harmful+acts.png" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj47jnJHA25GxSKb-evVH7fLbBelrTlqCkVYxS0EOP5uvstcSwlQlNiEsHQcLOWEYaDhhiqdy5_zlux-zfX5ITnCUANAOYIL5hUVZn5AHigJoSs3I_g4LB2067CwVxaGh1Ofdv3OFkUNfzR/s1600/harmful+acts.png" /></a><span style="font-family: Arial, Helvetica, sans-serif;">In this post, I’d like to discuss harmful acts in the context of information assets. To begin, <a href="http://computersecurityconcepts.blogspot.com/2013/09/the-pillars-of-information-security.html">recall</a> that information security seeks to protect the confidentiality, integrity, and availability of information assets. With this in mind, consider that there are four distinct ways in which harm can be caused to an information asset. The first way in which an information asset can be harmed is through <i>interception</i>. As an example, a malicious party may intercept valuable information assets while they are in transit over a network, thereby harming the confidentiality of those assets, and potentially degrading their value. The second way in which information assets can be harmed is through <i>interruption</i>. A malicious party might, for example, disrupt an information system’s ability to perform its tasks, or might interrupt the transmission of information assets, thus harming the availability of those assets. The third way in which information assets can be harmed is through <i>modification</i>. A malicious party who modifies an information asset without proper authorization is causing harm by degrading the integrity of that asset. Finally, the fourth way in which information assets can be harmed is through <i>fabrication</i>. As an example, a malicious party might fabricate an identity or might fabricate phony information assets for the purpose of causing harm.</span><br /><span style="font-family: Arial, Helvetica, sans-serif;"><br /></span><span style="font-family: Arial, Helvetica, sans-serif;">In summary, then, we can consider each of these four acts -- interception, interruption, modification, and fabrication -- to be a harmful act because it can erode the confidentiality, integrity, or availability of an information asset.</span>

Harm and Information Assets

In this post, I’d like to discuss harmful acts in the context of information assets. To begin, recall that information security seeks to protect the confidentiality, integrity, and availability of information assets. With this in mind, consider that there are four distinct ways in which harm can be …

Read more »

The Pillars of Information Security

<div class="MsoNormal"><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhO-HiRWyJ2UHygtlopLZdfm5T-GpmH2CSOIihTsQIq3CHBEsNrawlIlkxhhFToWyMRtEee8hgJDicEw8DCAqPll5JuTY0Edxk_9aK31uHPKNZYJhBma-ITvVF-dEG1v5cI6yxC0XZSO22k/s1600/security+pillars.png" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><br /><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhO-HiRWyJ2UHygtlopLZdfm5T-GpmH2CSOIihTsQIq3CHBEsNrawlIlkxhhFToWyMRtEee8hgJDicEw8DCAqPll5JuTY0Edxk_9aK31uHPKNZYJhBma-ITvVF-dEG1v5cI6yxC0XZSO22k/s1600/security+pillars.png" /></a></div><span style="font-family: Arial,Helvetica,sans-serif;"><span id="goog_1946619458"></span><span id="goog_1946619459"></span>I’d like to begin this post by discussing information security threats in the context of what has come to be known as CIA -- confidentiality, integrity, and availability. The acronym CIA and the concepts for which it stands are commonly referred to as the <i>security triad</i>. One useful way of thinking about information security threats is that they are circumstances which have the potential to interfere with the confidentiality, integrity, or availability of an information system. Confidentiality, then, is simply the ability of the system to ensure that information assets are viewable or accessible only by authorized parties. Integrity, by contrast, is the ability of a system to ensure that information assets are modifiable or changeable only by authorized parties. Finally, availability refers to the ability of a system to ensure that information assets are usable by and accessible to all authorized parties. Confidentiality, integrity, and availability can also be seen as goals or objectives of information security, since together they represent three very desirable properties of an information system.</span></div><div class="MsoNormal"><br /></div><div class="MsoNormal"><span style="font-family: Arial,Helvetica,sans-serif;">While the CIA security triad has been around for many decades, more recently other desirable system properties have also been identified; namely, authentication, non-repudiation, and auditability. With respect to the first two of these properties -- that is, authentication and non-repudiation -- we are referring here to information systems that support communication or messaging with other systems or other users. In this regard, authentication refers to the ability of a system to confirm the identity of the sender. For example, imagine that you receive a message from your boss which instructs you to immediately discontinue working on a critical organizational project, and instead direct your attention to another task. As the receiver of such a message, you would like to be able to confirm the identity of the sender; that is, you would like to be certain that it truly was your boss who sent the message to you. On the other side of technology-supported messaging is the concept of non-repudiation, which is a property of an information system in which a sender cannot convincingly deny having sent a message. Returning to our previous example, if you received a message from your boss instructing you to immediately discontinue working on a critical project, and if we assume that your boss genuinely did send that message, a desirable property of the system from your perspective would be to ensure that your boss could not deny having sent the message. Finally, we have auditability as a desirable system property. Auditability is simply the ability of a system to trace all actions related to a given information asset. If something goes awry in the future, auditability allows us to trace backward through time and determine who performed which actions at which times in order to ensure that responsible parties are held to account.</span></div><div class="MsoNormal"><br /></div><div class="MsoNormal"><span style="font-family: Arial,Helvetica,sans-serif;">Together, these six concepts -- confidentiality, integrity, availability, authentication, non-repudiation, and auditability -- represent the pillars of information security.</span></div>

The Pillars of Information Security

I’d like to begin this post by discussing information security threats in the context of what has come to be known as CIA -- confidentiality, integrity, and availability. The acronym CIA and the concepts for which it stands are commonly referred to as the security triad. One useful way of thinking a…

Read more »

Vulnerabilities, Threats, and Controls in Information Security

<span style="font-family: Arial,Helvetica,sans-serif;">In <a href="http://computersecurityconcepts.blogspot.com/2013/09/information-security-and-human.html">an earlier post</a>, I noted that one of the major goals of information security is to mitigate security risks. Another major goal of information security as a discipline and as a profession is to try to protect valuable information assets. In order to approach the study of methods of protecting these assets, we can adopt what is known as a <i>vulnerability/threat/control</i> framework. To begin, consider a vulnerability, which is a weakness in some aspect of an information system. If a vulnerability is exploited, then that exploitation has the potential to cause loss or harm. A human being who intentionally exploits a vulnerability is perpetrating an attack on the system. An attack, then, can be defined as an intentional exploitation of a system vulnerability. Next, we can consider a threat, which is simply a set of circumstances that has the potential to cause loss or harm. As we will see shortly, threats and vulnerabilities are very closely related. Finally, we have controls, which are things that we do or things that we have which help to eliminate or reduce a vulnerability. Note that another name for a control is a <i>countermeasure</i>.</span><br /><div style="text-align: center;"><span style="font-family: Arial,Helvetica,sans-serif;"><br /></span></div><span style="font-family: Arial,Helvetica,sans-serif;">When first learning about information security, many people become confused regarding the difference between a threat, a vulnerability, and a control. I will therefore provide a simple example that I hope will help you to remember the difference between these three security concepts. Imagine that you are walking over a bridge. Whenever you walk over a bridge there is always a certain threat to your safety; namely, that the bridge might collapse underneath you.</span><br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi0ytd7wnla8sEVsNBTHYjrJJyutGpXipgVKRWajUZmqFue0a1SD8vLLQExKIxl8cnsVmcISmpt4UnEWaLE2rlTE79LOrHi-yd9REGafIqFK3iS5IUaIUJ40g_UnEXun3oyvLePj_CAqxcI/s1600/bridge+01.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi0ytd7wnla8sEVsNBTHYjrJJyutGpXipgVKRWajUZmqFue0a1SD8vLLQExKIxl8cnsVmcISmpt4UnEWaLE2rlTE79LOrHi-yd9REGafIqFK3iS5IUaIUJ40g_UnEXun3oyvLePj_CAqxcI/s1600/bridge+01.png" /></a></div><div style="text-align: center;"><span style="font-family: Arial,Helvetica,sans-serif;"><br /></span></div><span style="font-family: Arial,Helvetica,sans-serif;">Here, the possibility of the bridge collapsing is a threat to your safety. Now imagine that there is a weakness in the bridge. For this example, let’s say that the mortar between the blocks of stone from which the bridge is constructed has begun to crumble or deteriorate.</span><br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhy5Bwz12VxQif0qTr3IOjkEXECjfG_YawT06-dIAywXv27-TC984NSubURfxFhBYqfht6vXjAJnLp1edaBWdYXYg3i5NR8tvJhyphenhyphentlZTzczeDfzkqouxSVxNO2E0LngOKypTdMc7EvQs6fI/s1600/bridge+02.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhy5Bwz12VxQif0qTr3IOjkEXECjfG_YawT06-dIAywXv27-TC984NSubURfxFhBYqfht6vXjAJnLp1edaBWdYXYg3i5NR8tvJhyphenhyphentlZTzczeDfzkqouxSVxNO2E0LngOKypTdMc7EvQs6fI/s1600/bridge+02.png" /></a></div><div style="text-align: center;"><span style="font-family: Arial,Helvetica,sans-serif;"><br /></span></div><span style="font-family: Arial,Helvetica,sans-serif;">The weaknesses in the mortar are vulnerabilities, and if those vulnerabilities were to be exploited, the threat of the bridge collapsing would be actualized, and might cause you physical harm.</span><br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhJFOM5pXsxFlx8zmAw4Zg7PXZPtYmgCG_K3h8uksuLQ_vR1wHRo1FYRYLqO9gNI3ntJtJy0BG-mmYQc1K_t2_2rMf8yQFE5s5IY_AIod5F0bOJ9_59OGv7NTJyGunzrJRhZh9YtAzIn9BL/s1600/bridge+03.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhJFOM5pXsxFlx8zmAw4Zg7PXZPtYmgCG_K3h8uksuLQ_vR1wHRo1FYRYLqO9gNI3ntJtJy0BG-mmYQc1K_t2_2rMf8yQFE5s5IY_AIod5F0bOJ9_59OGv7NTJyGunzrJRhZh9YtAzIn9BL/s1600/bridge+03.png" /></a></div><div style="text-align: center;"><span style="font-family: Arial,Helvetica,sans-serif;"><br /></span></div><span style="font-family: Arial,Helvetica,sans-serif;">A control, then, is something that we do or something that we have which helps us to eliminate or reduce a vulnerability. In this example, we might apply bracing to reinforce the bridge or we might try to repair the cracks in the concrete, thus reducing the possibility that the vulnerability will be exploited.</span><br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhisy2E_f5jzEmj_Ziw0pBXqTNpTCkYkhwmrdWlcHhXz-IuVdfQeMbBkftUestKSQMuf7z2bowKRo7FBopVOuKYWcRPuqij4pI5NlhDhvPu8w_fmHSOziNrI9aNneDUGvgct_6dbOSIa5xB/s1600/bridge+04.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhisy2E_f5jzEmj_Ziw0pBXqTNpTCkYkhwmrdWlcHhXz-IuVdfQeMbBkftUestKSQMuf7z2bowKRo7FBopVOuKYWcRPuqij4pI5NlhDhvPu8w_fmHSOziNrI9aNneDUGvgct_6dbOSIa5xB/s1600/bridge+04.png" /></a></div><div style="text-align: center;"><span style="font-family: Arial,Helvetica,sans-serif;"><br /></span></div><span style="font-family: Arial,Helvetica,sans-serif;"></span><span style="font-family: Arial,Helvetica,sans-serif;">Broadly, then, threats are blocked or prevented from being actualized by controlling vulnerabilities.</span>

Vulnerabilities, Threats, and Controls in Information Security

In an earlier post, I noted that one of the major goals of information security is to mitigate security risks. Another major goal of information security as a discipline and as a profession is to try to protect valuable information assets. In order to approach the study of methods of protecting thes…

Read more »

On the Valuation of Information Assets

<span style="font-family: Arial,Helvetica,sans-serif;">When considering the diagram below, remember that the perceived value of an information asset depends in part upon the ease with which that asset can be replaced. Certain components of an information system such as hardware, mobile devices, operating systems, and off-the-shelf software can be easily replaced. By contrast, custom applications, custom mobile apps, files, and data are often unique and essentially irreplaceable.</span><br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjydKt3BBe6i3GA83efg0hgSZJurve6sOstx2Hd3ajSAmLXlsP2glfTC6Rief11En43GwJJtIGVA1dYYOOCZBaX9LHAlE8o4m-5AmMk_ODnH99xIKKTf2wJ8uqxT-wDEYyc022CnaiYzoQQ/s1600/asset+valuation.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjydKt3BBe6i3GA83efg0hgSZJurve6sOstx2Hd3ajSAmLXlsP2glfTC6Rief11En43GwJJtIGVA1dYYOOCZBaX9LHAlE8o4m-5AmMk_ODnH99xIKKTf2wJ8uqxT-wDEYyc022CnaiYzoQQ/s1600/asset+valuation.png" /></a></div><br /><div class="separator" style="clear: both; text-align: center;"></div><span style="font-family: Arial,Helvetica,sans-serif;"></span> <div class="separator" style="clear: both; text-align: center;"></div><span style="font-family: Arial,Helvetica,sans-serif;">Perhaps you can think of an example in your own life where you or someone you know has lost a laptop computer or a mobile device. Many times people who lose such devices are not upset primarily about the loss of the physical device or the physical hardware itself, but rather are upset about the loss of their photos, documents, or other valuable data. It is such files and data items that represent much of the value of an information system to its users, and we can understand intuitively through examples such as this why the value of an information asset commonly depends upon the ease with which that asset can be replaced.</span>

On the Valuation of Information Assets

When considering the diagram below, remember that the perceived value of an information asset depends in part upon the ease with which that asset can be replaced. Certain components of an information system such as hardware, mobile devices, operating systems, and off-the-shelf software can be easily…

Read more »

Information Assets and the Scope of Information Security

<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEicWdtpOu_FFplsX_9ufNmVsJe-QllgkFm1tbVtfczhAmLQpysnH6krEH9vnKrwAVXqCdfLuTG29kIyPdIjFHSwcrHC9qe3VgQ-mMCZSOzXwtIVf5JE7ShD6PySbUv50tIcsdzPWJEU4iU9/s1600/information+assets.png" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEicWdtpOu_FFplsX_9ufNmVsJe-QllgkFm1tbVtfczhAmLQpysnH6krEH9vnKrwAVXqCdfLuTG29kIyPdIjFHSwcrHC9qe3VgQ-mMCZSOzXwtIVf5JE7ShD6PySbUv50tIcsdzPWJEU4iU9/s1600/information+assets.png" /></a></div><span style="font-family: Arial,Helvetica,sans-serif;">When thinking about information security, it’s important to remember that as a discipline and as a profession, information security has a vast scope. Information security involves protecting components as small as tiny integrated circuits all the way up to massive clusters of servers that may involve thousands of unique machines. Information security involves protecting local private networks that people may have in their homes or apartments all the way up to massive wide-area networks or even the entire Internet. Information security involves protecting hardware, software, operating systems, databases, networks, and so forth.<br /><br />Clearly, the scope of inquiry in information security is vast, continuously changing, and ever-growing. Broadly speaking, however, we can think about information security as being concerned with the protection of information assets. When we say “information assets”, we are referring to the elements of an information system that have <i>value</i>. Since value lies at the core of determining where we should focus our information security efforts, a critical first step is to identify precisely which information assets within our organization have the greatest value, and to whom those items have value.<br /><br />One good way of thinking about information technology assets is to subdivide those assets into three categories. First, we have hardware assets, which can include computing systems, mobile devices, networks, and communications channels. Second, we have software assets, which can include operating systems, off-the-shelf application programs, mobile apps, as well as custom or customized application programs. Third, we have data assets, which include our files or databases -- that is, the information that we generate in our daily lives or in the process of carrying out our business. As we will see in our discussion of <a href="http://computersecurityconcepts.blogspot.com/2013/09/on-valuation-of-information-assets.html">asset valuation</a>, it is often these data assets that have the greatest value of all.</span>

Information Assets and the Scope of Information Security

When thinking about information security, it’s important to remember that as a discipline and as a profession, information security has a vast scope. Information security involves protecting components as small as tiny integrated circuits all the way up to massive clusters of servers that may involv…

Read more »

Computer Security and Information Technology Failure

<div class="separator" style="clear: both; text-align: center;"></div><span style="font-family: Arial,Helvetica,sans-serif;">Although many people think of the world of information privacy and security as one characterized by hackers, cyber terrorists, or government-sponsored information espionage, in reality the scope of information privacy and security is much broader. One way of understanding this scope is to consider computer security from the perspective of IT failures. Modern information technologies can fail for many different reasons. First, consider physical failures. These are, after all, hardware devices, and hardware can and does fail. Even in the modern era many of our computational technologies still rely on moving parts, and the failure of any of these moving parts can cascade to cause a wider failure of the information technology as a whole. Further, electronic components can fail, and when such components fail intermittently, the cause of the problem can be more difficult to diagnose than when they fail permanently. It is therefore important for managers and system administrators not only to expect that their physical IT devices will fail, but also to develop plans for how to address those failures when they inevitably occur.</span><br /><span style="font-family: Arial,Helvetica,sans-serif;"></span><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgfIOZuHWxHS1h0Nv0oy7F41nEZJkVW0IjCbwx2S2noV67r37gbeXgEFNjeqd8ygGYNZFJWluZHdNx_E6lFLkCaGV1Hagwqxo5bZ4lUPkLkmgss07LUztkGixb9R1w5YT0iiTAEC73d2shJ/s1600/failures.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgfIOZuHWxHS1h0Nv0oy7F41nEZJkVW0IjCbwx2S2noV67r37gbeXgEFNjeqd8ygGYNZFJWluZHdNx_E6lFLkCaGV1Hagwqxo5bZ4lUPkLkmgss07LUztkGixb9R1w5YT0iiTAEC73d2shJ/s1600/failures.png" /></a></div><div style="text-align: left;"></div><div style="text-align: left;"><span style="font-family: Arial,Helvetica,sans-serif;">Beyond physical failures, there are also other types of information technology failures, and these can best be understood by considering the intersection of two different dimensions, as shown in the diagram above. Along one dimension, we have a spectrum which ranges from malicious to non-malicious. That is, the source of the failure is caused by someone either intentionally or unintentionally. Along the other dimension, we have a spectrum which ranges from harmless to catastrophic. Plotting these two dimensions against each other provides us with a geometric space in which we can easily classify our non-physical information technology failures. Failure, then, might be non-malicious and harmless, it might be non-malicious but catastrophic, it might be malicious but cause no harm, or in the worst scenario, it may be a malicious attack that causes catastrophic damage to our information assets. Again remember that information security has a broad scope, and information security addresses each of these different types of failures. What’s more, information security addresses failures that have never before been seen, or which do not currently exist. That sentiment, I believe, speaks to the dynamism and constant change that characterize the world of information security.</span></div>

Computer Security and Information Technology Failure

Although many people think of the world of information privacy and security as one characterized by hackers, cyber terrorists, or government-sponsored information espionage, in reality the scope of information privacy and security is much broader. One way of understanding this scope is to consider c…

Read more »

Information Security and Human Dependence on Computers

<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhr15JjdbFbgV9KuQJWs042toE5HecwnycxYnQIvut0qcChm2rxzWqUH1grx4vpSuhrX3JQvEB93D_K4a1_-dcVjIanZ2hpgXbrCH3Sitb5sXFSrdqPuv1NjNBoyc3WSzwQMbkfmf5Jnz8U/s1600/dependence+on+computers.png" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="1" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhr15JjdbFbgV9KuQJWs042toE5HecwnycxYnQIvut0qcChm2rxzWqUH1grx4vpSuhrX3JQvEB93D_K4a1_-dcVjIanZ2hpgXbrCH3Sitb5sXFSrdqPuv1NjNBoyc3WSzwQMbkfmf5Jnz8U/s1600/dependence+on+computers.png" /></a><span style="font-family: Arial,Helvetica,sans-serif;">How dependent are you upon information and communication technologies? If you’re like most people in the developed world, your day-to-day activities are increasingly characterized by interactions with technology. Computational capabilities are being embedded in a rapidly increasing number and variety of products ranging from athletic shoes to kitchen appliances to implantable medical devices, and with every passing day, computers are hence controlling, administering, and making decisions about more and more aspects of our daily lives.<br /><br />What we can conclude from this is that we are becoming more and more dependent on these information and communication technologies every single day, and this situation has very important implications with respect to our privacy and security. To better understand why, consider the relationship between our dependence on technology and risk: Because we live in a world where we are increasingly entrusting our lives and our livelihoods to computer technologies, and because those technologies are not entirely dependable, safe, or secure, our increasing reliance upon information and communication technologies carries with it many new risks that were not present prior to the rise of the Information Age. As a discipline and as a profession, then, one of the major goals of information security is to find ways of mitigating these risks -- that is, to allow us to have our information technology cake and eat it too.</span>

Information Security and Human Dependence on Computers

How dependent are you upon information and communication technologies? If you’re like most people in the developed world, your day-to-day activities are increasingly characterized by interactions with technology. Computational capabilities are being embedded in a rapidly increasing number and variet…

Read more »

Philosophical Thoughts on Information Security

<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi0eCzjBXCmrMUdmjZNLBt1fS5VnXxZRmUw7xR0iU6IPWk0QzxlF9D-cNVMkgkpsEa6OzIO19FwLNgUaBn52odnez05tqEhyphenhyphen1GUjUI42_ZZf-F_z6Cx02W0dLXHMjaTQYXBbeSDdlg8N3UO/s1600/philosophy+and+security.png" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img alt="" border="1" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi0eCzjBXCmrMUdmjZNLBt1fS5VnXxZRmUw7xR0iU6IPWk0QzxlF9D-cNVMkgkpsEa6OzIO19FwLNgUaBn52odnez05tqEhyphenhyphen1GUjUI42_ZZf-F_z6Cx02W0dLXHMjaTQYXBbeSDdlg8N3UO/s1600/philosophy+and+security.png" style="display: inline; margin-top: 5px;" title="" /></a><span style="font-family: Arial,Helvetica,sans-serif;">To begin this <a href="http://computersecurityconcepts.blogspot.com/">series of posts</a> on computer and information security, I wanted to pose an interesting philosophical question: namely, why is information security necessary? Although many of the investments that are made into information privacy and security are not related to malicious attacks, there is nevertheless an extraordinarily large amount of investment in information privacy and security mechanisms that is targeted toward protecting systems against attacks by malicious parties. From a philosophical perspective, it’s important to consider what this says about humanity. On the one hand it shows that we are certainly curious creatures, but on the other hand it shows that we as a species are not particularly trustworthy or scrupulous, and we also seem to be quite greedy.<br /><br />There are many people, organizations, and even governments in the world that would be very happy to steal personal, private information from you or your organization for their own gain. In light of the widespread proliferation of these would-be attackers, such behavior appears to be a natural trait of human beings in virtually all cultures. It is, I believe, important to note that if humans did not behave in this way, then the quantity of time, money, and other resources that individuals, organizations, and governments must invest into protecting their information assets would be much less than it is today.</span>

Philosophical Thoughts on Information Security

To begin this series of posts on computer and information security, I wanted to pose an interesting philosophical question: namely, why is information security necessary? Although many of the investments that are made into information privacy and security are not related to malicious attacks, there …

Read more »