International Journal of Pure and Applied Mathematics, Volume 118 No. 16, 2018, 1391-1415. ISSN: 1311-8080 (printed version); ISSN: 1314-3395 (on-line version). url: http://www.ijpam.eu. Special Issue.

Developing An Empirical Relationship To Propose An Information Security Assurance Model For Collaborating Business Processes

D. Vinod 1 and S. Chandrasekaran 2

1 Research Scholar, Department of Computer Science and Engineering, Sathyabama University, Chennai - 600 119 Tamil Nadu, INDIA
[email protected]

2 Professor, Department of Computer Science and Engineering, Sri Ranganathar institute of Engineering and technology, Coimbatore Tamil Nadu, INDIA

January 4, 2018

Abstract

During the last few decades, organizations have re-engineered business processes on the back of digital data and computer networks. Recently, organizations are beginning to realize that increased accessibility and productivity carry a hidden cost of making the data more vulnerable to security breaches. It makes intuitive sense to incorporate information security into strategic decision-making about business processes. Consequently, companies often retrofit security into their business processes sub-optimally, in response to security breaches. The present investigation presents an information security risk analysis proactively conducted at an internationally well renowned business organization. The prime goal of the study was to propose an information security assurance model for collaborating business processes. The business processes have to handle sensitive information, in either structured or unstructured form, that may be leaked through security flaws in business transactions. An empirical model of risk-based enhanced security for business processes is proposed, with suitable metrics, for the integration of structured and unstructured information for business continuity. This research also describes the dynamic activation of appropriate safeguards; prevention of and recovery from risks due to both structured and unstructured information were considered. The expected business continuity (EBC) in terms of business importance and attack security index is proposed from the standards towards the security compliances.

Key Words and Phrases: Security Assurance; Business Continuity; Attack Severity; Compliance; Geni tool.

1 Introduction

Business organizations are more dependent than ever on the reliable operation of their information systems. Yet institutions worldwide face increasing security threats that can undermine the operation of these systems. Considering today's high-threat cyber environment, organizations need security assurance models to protect their valuable information [Kenneth et al., 2009].

Forces like the global market, the mounting expectations and requirements of customers, and advances in enabling integration technologies [Chalmeta et al., 2001] push enterprises to take advantage of the possibility to access information over any distance. Web technologies today enable ICT-supported business processes within global enterprises and across enterprise boundaries [Braa and Rolland, 2000; Leem and Kim, 2002; Britton and Bye, 2004; Linthicum, 2004]. However, there are numerous questions to be solved before the information systems of collaborating business partners can be set up and made accessible for the exchange of information, independent of the geographic location of the partners' sites. A core issue in building e-services partnerships is mutual trust [Heikkila et al., 2005]. To build trust in cases where the provisioning of the service requires exchange of data between the business information systems of the partners, one of the first thresholds to overcome is the protection or security of the information systems and data from unauthorized access. However, remote services feature a promising business opportunity.

Information security is critical to ensure the integrity and confidentiality of structured and unstructured information in business processes. A business process is a collection of related, structured activities or tasks that produce a specific service or product for a particular customer or customers. These activities handle a huge volume of unstructured and structured information, where the unstructured information is a direct product of human communication. Since unstructured information represents the largest, most current and fastest growing source of knowledge available to businesses and governments worldwide, it has to be secured. The earlier information security model addresses the business outcome, the importance of the assets needed for the business and also the recovery time for the assets after attacks, so as to put them back into use for business [Anita and Labuschagne, 2005]. The proposed model from the literature discussed here categorizes the assets into different types without concentrating on their data types or structure. The attacks, especially insider threats, are more severe and are particularly possible in the case of unstructured information in business communications like email or design documents. In another model, an objective analysis is performed for the probability assessment of threats to information systems through a reasonable approach for a risk management system to manage these threats [Fariborz et al., 2003]. Earlier research proposes polyinstantiation, which allows the use of cover stories in databases that appear differently to users of different security classes while maintaining consistency relative to any one particular user. In another approach, the potential information leakage through conciliation and a rescheduling policy for higher-secrecy actions is studied [Keith et al., 2008]. The throughput, operational cost and compliance of the information have to be analyzed with respect to the effects of loss of such information. Security engineers should resist the temptation to view information security requirements as a collection of technical mechanisms and should focus on the business impact of security failures [Ivan Tirado, 2008].

2 Related Works

The attacker can then damage the asset by degrading its confidentiality, integrity or availability, thereby causing potential business losses. In the case of a number of collaborating business processes, the vulnerabilities may originate from technology, people or processes, and are viewed as flaws in the implementation of software and hardware. In information security, however, verification has to be done involving more entities, such as the security specification, security policy, security mechanisms etc. [Andy Juan Wang, 2005]. The internal policy is the base for regulatory compliance, practice and insider incident prevention. The policy defines and governs the actions and behaviors of personnel within an organization. It is vital that an organization's information is protected not only for the business operations but for client security as well. In an earlier investigation, a responsibility-driven distributed system is proposed, where exceptions needing immediate attention are conveyed to the right person in the minimum possible time [Michael DCarroll, 2006]. The information security model has encompassed all security incidents that can be deliberate or accidental and can be caused by both technical and physical means to damage the information or database assets of the organization. The internet acts as a source of potential IS incidents and events, but at the same time as a source of information for the vulnerability monitoring process. It is generally a good idea to purchase a document imaging system that offers the maximum capabilities to deal with both types of documents, rather than purchasing a system that caters only to a single document type [Bhilare, 2009]. The goal of the risk mitigation, monitoring and management plan is to identify as many potential risks as possible. When all risks have been identified, they will then be evaluated to determine their probability of occurrence, and how Game Forge will be affected if they do occur. Plans will then be made to avoid each risk, to track each risk to determine if it is more or less likely to occur, and to plan for those risks should they occur [Anna, 2004]. In the earlier information security incidents, the dynamic activation of appropriate safeguards, prevention and recovery from risks due to unstructured information were not considered. Since business processes and transactions are performed in parallel, the concurrent business principles force collaborating processes to ease the collaboration through the following requirements:

• Dynamic activation of appropriate safeguards, prevention and recovery from risks due to structured and unstructured information.

• The security management team must define a set of managed processes which should be developed and maintained for business continuity throughout the organization.

• Provide secure transparency against the risks due to security breach which lead to loss of confidentiality (LOC) and loss of integrity (LOI) of the information assets needed for the business processes.

• Provide easy access to the business data of the business partners, if granted.

• By providing information security assurance, the process assessment and its compliance are carried out to estimate the probabilities of potential risks and possible attacks based on the vulnerabilities.

• The business processes should be continued, and the resulting risks are estimated to minimize the loss even in the presence of explicit or implicit attacks.

To tackle the issues of collaboration in a distributed environment and of dynamic data sharing and security, this paper describes the concept of security assurance and business continuity, along with the estimation of minimized loss in the presence of explicit or implicit attacks. From the published literature, it was understood that very few investigations have been carried out on an information security management model that continues business transactions with structured and unstructured information. Hence the present investigation focused on developing an empirical relationship to propose an integrated information security management model and its risks when a number of processes are collaborating to continue business transactions dealing with structured and unstructured information. Furthermore, expected business continuity (EBC) in terms of business importance and attack security index is proposed from the standards towards the security compliances.

3 Integrated Information Governance, Risk And Compliance

Information assets are recognized as values to the organization, where an asset is any tangible or intangible thing that has value to an organization. They are not easily replaceable without cost, skill, time and resources, and they form a part of the organization's corporate identity, without which the organization may be threatened. The data or asset classification would normally be proprietary, highly confidential or even top secret. Information security governance (ISG) indicates the objectives and operations about the security incidents that have happened or may happen inside or outside the organization. Information security governance can be defined as representing the framework for decision rights and accountabilities to encourage desirable behavior in the use of IT (Weill, 2004). Some respondents in similar previous studies felt that information security itself must be viewed as a governance issue, stating, "Information security is often treated as a technology issue, when it really should be treated as a governance issue." Others have suggested that failing to realize that information security is a corporate governance responsibility is the number one deadly sin of information security management (Von Solms R and Von Solms B, 2004).

The focus of governance is to identify the various risks and security compliance (ISC) requirements in different directions and dimensions, so as to take decisions that define the expectations to grant the regulatory processes. It was motivated that the acceptance and implementation of an ISG framework are an important action in securing business information through the protection of information systems, acting in accordance with legislation, as well as improving the efficiency of business operations, amongst other things [Entrust, 2004]. Thus information security governance enables an organization to effectively fulfill all the internal and external requirements in terms of protecting business information assets and, therefore, covers the full scope of risks faced by an organization in this regard. These security requirements could be viewed as information risk directives that would advise executive management on what should be done in order to govern and manage information security properly. The information security risk (ISR) analysis based on the business processes is configured not only to regulate the processes but also to report the necessary updates. Risk analysis can be done on an asset or a group of assets with two different objectives: one is the identification of all possible risks associated with the assets due to their vulnerability, and the other is the treatment of the vulnerabilities using safeguards or firewalls. Managing information security risks requires a suitable risk assessment and risk treatment method, which may include an estimation of the costs and benefits, legal requirements, social, economic and environmental aspects, the concerns of stakeholders, priorities, and other inputs and variables as appropriate.

Fig. 1 Information Security Governance, Risk, Compliance relationship

The governance, risk and compliance of the information assets of a business organization can be analyzed through their relationships as shown in Figure 1. The results of the information security risk assessment will help to guide and determine the appropriate management treatment decisions for action and prioritization for managing information security risks, and for implementing relevant security controls to protect against these risks. The ISO/IEC 27005 standard provides information security risk management guidance, including advice on risk assessment, risk treatment, risk acceptance, risk communication, risk monitoring and risk review. Risk analysis uses information to identify possible sources of risk. It uses the information to identify threats or events that could have a harmful impact. It then estimates the risk by asking: what is the probability that this event will actually occur in the future? It then acts according to the identified security risk by following certain standards. The management action will proceed by processing the security incidents.

4 Business Information Structure, Security and Standards

Once a company has completed its risk analysis process it needs to design its own customized control framework (providing guidance, policies and processes) to address its risks. Once the company's control framework has been designed and agreed upon, the company should build an internal control system (the interactive pieces that enable the operation of the framework) [Stephen and von Solms, 2009]. An information security incident is made up of one or more unwanted or unexpected information security events that could very likely compromise the security of information and weaken or impair the business processes. The failure of information security affects the strategy and objectives of an organization and stops its developmental business activities. The risk analysis can be done based on the business security policies, and it initiates the activities needed to minimize information loss in an organization. The security standards must identify not only the assets targeted in the business processes but also the possibility and potential of risks, either due to inside threats through information leakage or due to outside adversaries. The organizational security and privacy policies are to be drawn up in such a manner as to comply with the existing regulations, or they can demand revised regulations duly approved by the business communities. This is highly dependent on the mission and business goal of the organization in the current competitive business world.

The importance of defining and declaring new business functions and activities through outsourcing or through virtual organizational setups is based on the business model they want to follow. The attacker and the insider threat will try to access the information assets irrespective of their structure and location. The size and the type of such assets are to be kept confidential for successful business continuity. It is logically correct that if the confidential information is vulnerable to different attackers then the risk is certain. But the security management team must define a set of managed processes which should be developed and maintained for business continuity throughout the organization. While defining a security management process, the team faces many challenges which are not primarily based on the conventional attacks and vulnerabilities but on the very structure and location of the information assets. For example, a highly confidential design data set of an automotive part may be hidden and sent as a sequence of numbers through an email, or sent as an image placed in an attachment. Similarly, video frames and audio segments may contain very sensitive information and are being sent through personal networks or social networks. There may be some hidden business between the information exchanges, knowingly or unknowingly. The business loss and the reputation damage are very high in the case of illegal document release and untimely release of legal evidence through networking. In all these scenarios, the computational structure of the information is the most important criterion in managing the security activities. Hence the structure of information can be represented as a tuple of < Identity of Info, Uniqueness, Location, Size >, where the identity is a kind of token or a valid keyword pertaining to the business. For illustration, the identity can be expressed as a name, a type or an instance, and as a parameter that is hidden or explicit. The uniqueness of the structure can be expressed as a member of the set {Context, Content, Pixel, Mixed}. Similarly, the location feature of the information asset, or its cyber markup, can be expressed as a member of the set {User Defined, Static, Dynamic, Random}. The information size, which plays a vital role in the end-user transaction as the raw information, may be of types belonging to the set {Computational, Application, Duration, Resolution}, as shown in Table 1.

Table 1 Business Information Attributes

For example, the structuredness of design data from a product center is very well represented by its identity name or number and its data type, with all its related names or fields mentioned explicitly or implicitly in the information exchange. The information assets belonging to the business community have to be secured to continue the business in a satisfying manner even in the presence of security flaws. These security flaws or vulnerabilities have to be handled by both the clients and the service providers as per the existing standards. This International Standard will provide practical implementation guidance and further information for establishing, implementing, operating, monitoring, reviewing, maintaining and improving Information Security Management Services (ISMS) in accordance with ISO/IEC 27001 and 27003. ISO/IEC 27002:2005 establishes guidelines and general principles for initiating, implementing, maintaining and improving information security management in an organization. A document like this would be able to suggest appropriate security controls that can successfully preserve the confidentiality, integrity and availability of business information and thus could serve to integrate information security into the daily activities and functions of an organization. Once the security measures have been implemented, business information risks, as well as the usefulness of the selected security controls, should be observed and reported to executive management [Corporate Governance Task Force, 2004]. These reports will further aid executive management in directing and controlling their organization's information security endeavours with greater precision. The objectives outlined provide general guidance on the commonly accepted goals of information security management. A quantitative approach to model and measure the action taken and also the net outcome of a security strategy is guided by standards like ISO/IEC 27004:2009. These provide guidance on the development and use of measures and measurement in order to assess the effectiveness of an implemented information security management system (ISMS) and controls or groups of controls, as specified in ISO/IEC 27001. The failure of such security techniques in terms of the risk in the business processes and the product is also addressed in ISO/IEC 27005. The management aspects of security and risk management are specified in a set of standards called ISO/IEC 27005:2008 that provides guidelines for information security risk management. ISO/IEC 27010 will provide guidance for information security interworking and communications between industries in the same sectors, in different industry sectors and with governments, either in times of crisis and to protect critical infrastructure, or for mutual recognition under normal business circumstances to meet legal, regulatory and contractual obligations.

5 Attacks And Threats In Business Processes

Many large businesses have been aware of and dealing directly with security issues for some time. Viruses, distributed denial of service attacks and the potential, both external and internal, for system and network compromise have been topics of concern for businesses with IT departments for several years. The importance and wide awareness of security have greatly increased since the terrorist attacks of September 11, 2001. There is a heightened level of security at airports, borders and elsewhere. However, the increased level of security awareness and concern at a broader societal level is only beginning to manifest itself in relation to the Internet. The main public concerns regarding the Internet remain centred around the privacy and security of personal information. There is insufficient awareness about the broad range of risks that systems and networks may be subject to, or about potential cyber attacks that can be generated from failure to properly secure computers. There is even less awareness of protective steps, both proactive and reactive, that can be taken to minimize these risks. The various attacks on business assets are shown in Figure 2.

Fig. 2 Attacks on Business assets

It describes the possible internal and external attacks, through which the internal attacker has grabbed all the privileges to access the authenticated records without proper permission. With this illegal permission the sensitive records may be destroyed, whereas the external attacks may be due to viruses, Trojans or hackers which have not been granted permission to access those records. In some cases, the hacker may bypass the firewall and attack passively, through which he/she not only views but also modifies the confidential records. The viruses may go through the firewall, where the firewall cannot identify this type of hidden attack, and so it may be done actively. When using the methodology, one should not forget the following: security of an E-business system is not a state, but a process that has to be incorporated into the system from scratch, and not treated as an afterthought [Denis Trek, 2003]. There are a number of processes that collaborate together to get the expected business output through successful transactions during a particular scenario. There may be other processes running in parallel but without interacting with the remaining processes. In a business environment, there may be many processes like P1, P2 and so on which are safeguarded by security functions sg1, sg2 and so on, as shown in Fig. 3.

Fig. 3 Attack to threat process flow in business

Let the number of processes be Np and the number of collaborating processes be Nc at any point of time of observation. The number of other processes will be (Np - Nc). Let the probability of accessing the structured information asset si by a process pi be represented as prob(si), which can be written as pi.prob(si). Similarly, the probability of accessing the unstructured information ui by a process pi may be represented as prob(ui), written as pi.prob(ui), knowing that prob(si) + prob(ui) = 1. Let the probability of an attack using any strategy on the asset, which may be either structured or unstructured information, be prob(aj), with the number of safeguards for the structured type being nsg, whereas for the unstructured type it is nug. The attacks can be quantitatively modeled based on the type of the attack and also on the duration for which they persist, for example in the case of denial of service attacks. The severity of an attack is dependent on the number of security safeguarding mechanisms adopted and the storage pattern of the information assets. If the information is structured, then the attacker may know the location or the buffer in which it is stored, using intrusion techniques. Otherwise, if the information asset is unstructured, then the location or the indexing pattern may not be known to the attacker. Hence the attack severity index (ASI) may be evaluated as per Eqn. 1.

Attack Severity Index for attack k (ASIk ) =

The situation may be explained with the help of the process flow diagram shown in Fig. 4. The business process first decides whether the customer request comes through the proper interface and whether it is a valid request. This is done through the first process, called E-Compare. The input is verified with the security function to determine its validity. In the case of invalid input, the business security process will identify the incident as an attack through structured query injection or a cross-site scripting attack by HTML injection. These business security functional implications can be represented as follows:

E-Compare (input) → valid | invalid
Invalid input → attack.sql injection | attack.html injection

Fig. 4 Attack to Risk Processes flow

Because of the attacks mentioned above, the risks due to a security breach lead to loss of confidentiality (LOC) and loss of integrity (LOI) of the information assets needed by the business processes. The credentials of the business process or of the system may be compromised through the loss of these two attributes of information security in a business environment. The situation can be corrected by protecting the firewall itself, which can be represented logically as,

Exploit(Database) → Database revealed ⇒ LOC ∧ LOI
Exploit(Server) → Credentials stolen ⇒ LOI
E-Compare(firewall) → protected | unprotected

If the firewall is unprotected, then the chances of active attacks by viruses or Trojans are also high, disturbing the availability of system resources or control elements and leading to a total application seizure. This may result in partial or erroneous execution due to the presence of bugs and the execution of key logs in the system, which can be formally specified as,

Unprotected firewall → attack(virus) | attack(Trojan)
Attack(virus) → Affect(System Resource) ∧ Control(System) ⇒ LOI ∧ LOA ∧ LOC
Attack(Trojan) → Affect(application) ∧ Execute(Key log) ⇒ LOC

As per the process flow across a sample of business transactions, the time needed to complete the security actions and the associated costs are simulated according to the implications or rules above, tabulated in Table 2 and shown in Fig. 5 for single-server-based processes.
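The E-Compare gate and the attack-to-risk implications above (Fig. 4 and the rules listed after it) can be executed as a small forward-chaining model. The following Python is an added example, not code from the paper: the allow-list grammar for the customer field, the injection signatures, and the link from an unstopped SQL injection to Exploit(Database) are assumptions made here. The disjunctions are resolved either by the classifier (sql | html) or, for the unprotected firewall, as the worst case in which both branches (virus and Trojan) become derivable.

```python
import re
from typing import Dict, FrozenSet, List, Set, Tuple

# Horn-clause form of the paper's attack-to-risk rules.  Each entry is
# (premises, conclusions).  A disjunctive consequent such as
# "attack(virus) | attack(Trojan)" is modelled as the worst case: both
# branches become derivable once the premise holds.
RULES: List[Tuple[FrozenSet[str], FrozenSet[str]]] = [
    (frozenset({"exploit(database)"}), frozenset({"database_revealed"})),
    (frozenset({"database_revealed"}), frozenset({"LOC", "LOI"})),
    (frozenset({"exploit(server)"}), frozenset({"credentials_stolen"})),
    (frozenset({"credentials_stolen"}), frozenset({"LOI"})),
    (frozenset({"firewall_unprotected"}), frozenset({"attack(virus)", "attack(trojan)"})),
    (frozenset({"attack(virus)"}), frozenset({"affect(system_resource)", "control(system)"})),
    (frozenset({"affect(system_resource)", "control(system)"}), frozenset({"LOI", "LOA", "LOC"})),
    (frozenset({"attack(trojan)"}), frozenset({"affect(application)", "execute(keylog)"})),
    (frozenset({"affect(application)", "execute(keylog)"}), frozenset({"LOC"})),
    # Assumed link (not stated on the page): an injection that is not
    # stopped at E-Compare is treated as an exploit of the database.
    (frozenset({"attack.sql_injection"}), frozenset({"exploit(database)"})),
]

LOSSES = frozenset({"LOC", "LOI", "LOA"})

# E-Compare: allow-list first (this is the real gate), then signature-based
# labelling of what was rejected.  The field grammar is an assumption.
VALID_CUSTOMER_REF = re.compile(r"^[A-Za-z0-9][A-Za-z0-9-]{0,31}$")
HTML_INJECTION = re.compile(r"[<>]|javascript:|\bon\w+\s*=", re.IGNORECASE)
SQL_INJECTION = re.compile(r"'|--|;|\bunion\b|\bselect\b|\bor\b\s+\d+\s*=\s*\d+", re.IGNORECASE)


def e_compare(raw: str) -> str:
    """Return 'valid', 'attack.html_injection', 'attack.sql_injection' or 'invalid'."""
    if VALID_CUSTOMER_REF.match(raw):
        return "valid"
    if HTML_INJECTION.search(raw):
        return "attack.html_injection"
    if SQL_INJECTION.search(raw):
        return "attack.sql_injection"
    return "invalid"  # rejected, but carrying no recognised attack signature


def forward_chain(facts: Set[str]) -> Tuple[FrozenSet[str], Dict[str, FrozenSet[str]]]:
    """Derive every fact reachable from `facts`; record which premises produced each."""
    known: Set[str] = set(facts)
    trace: Dict[str, FrozenSet[str]] = {}
    changed = True
    while changed:  # iterate to a fixpoint
        changed = False
        for premises, conclusions in RULES:
            if premises <= known:
                for c in conclusions:
                    if c not in known:
                        known.add(c)
                        trace[c] = premises
                        changed = True
    return frozenset(known), trace


def losses_for(facts: Set[str]) -> FrozenSet[str]:
    """The subset of {LOC, LOI, LOA} implied by the given starting facts."""
    derived, _ = forward_chain(facts)
    return derived & LOSSES


def assess_request(raw: str, firewall_protected: bool = True) -> FrozenSet[str]:
    """Run E-Compare on one request and propagate the outcome to losses."""
    facts: Set[str] = set()
    verdict = e_compare(raw)
    if verdict.startswith("attack."):
        facts.add(verdict)  # html injection has no consequence rule on the page, so it derives nothing
    if not firewall_protected:
        facts.add("firewall_unprotected")
    return losses_for(facts)


if __name__ == "__main__":
    # Constructed sample requests, not taken from the paper.
    for req in ["CUST-1042", "' OR 1=1 --", "<script>alert(1)</script>", "hello world"]:
        print(f"{req!r:32} -> {e_compare(req)}")
    print("exploit(database):   ", sorted(losses_for({"exploit(database)"})))
    print("unprotected firewall:", sorted(losses_for({"firewall_unprotected"})))
```

The allow-list match is the actual security control; the signature patterns only label input that was already rejected and must not be relied on as the gate, since an attacker can vary the payload past them. Parameterised queries and output encoding remain the controls that make the SQL and HTML branches unreachable.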

Table 2 Work time and Cost for Security Actions


Fig. 5 Work time and Cost for single server

It is found that much more work time is needed to maintain the confidentiality of the structured information than to make that information available to the customers. At the same time, the cost associated with integrity assurance is higher than that of assuring the availability of the business information. Integrity assurance is also found to be costlier than confidentiality assurance when a number of business processes collaborate with each other, assuming zero waiting time for all processes. If waiting time is included, the outcome depends on the individual waiting time of each business token collected over a specific period of working time. When multiple clients and servers are involved in the business processes, the results depend on the number of busy servers and on the aborted or terminated transactions, which are tabulated in Table 3 and shown in Fig. 6.


Table 3 Multiple servers business Security Assurance

Fig. 6 Work time and Cost for multiple servers


6 Security Assurance And Business Continuity

Business Information Assurance is part of corporate governance, in which top-level management provides accurate and correct information to the stakeholders about the efficiency and effectiveness of their security policy and operations. If any of the critical information assets is accessed frequently, then the business index can be determined from the frequency of access and the number of collaborating processes that need that information at that point of time. The number of security operations performed on the asset over a session is also a factor in determining business continuity. Business continuity planning (BCP) is a very important issue and has to be covered carefully [Devargas, 1999].

One aspect of incident handling and response should be business continuity. Business continuity implies the existence of work-around mechanisms that allow a company to continue operating in the event of a non-catastrophic failure. A decision to employ business continuity or full disaster recovery depends on the nature of the business and on its own business risk assessment. After a serious disaster many businesses recover with difficulty; for example, in the case of a major fire in the UK, over 80% of businesses never recover, despite insurance arrangements that effectively cover only 30-50% of losses. Thus continuity planning should be an integral part of security policy. BCP starts with threat identification, asset valuation and determination of the likelihood of incidents. Afterwards, a business impact analysis is performed to identify the critical business functions; this analysis should identify the effects of a disaster and the requirements for recovery, including all resources. The critical business functions are then prioritised by their impact, and this impact forms the basis for the financial justification of the related investments in equipment, procedures and training that enable recovery in the necessary time frame. BCP must include internal and external effects, such as interruptions of partners' processes and loss of credibility and image. The proposed metric, called Expected Business Continuity (EBC), may be considered a factor that depends not only on the number of such assets in the business transactions during that session but also on the relative business importance of the information assets. With the assets secured by safeguards, the EBC factor can be expressed as the ratio of the number of assets, their relative importance and the weightage factor of security in terms of safeguards to the ASI of all types of attacks over a period [Devargas, 1999]. Security assurance for the information needed to continue the on-going business processes is a complex technique in which, at each and every stage, the underlying information system must ensure the confidentiality, integrity, availability and accountability of the information. There are application program interfaces (APIs), shown as T1, C1, B1 and P1 in Fig. 7, through which behavioural changes are reflected into the neighbouring sub-systems. For example, the APIs on the threat side of Fig. 7, T1 or T2, sense any possible threat, are activated by the attack sub-module, and signal the legislation and specification modules. Similarly, the APIs on the content side, C1 or C2, sense variation in the information content and communicate it to the risk and policy sub-modules so that they adapt to the incoming attack on the existing vulnerabilities. The legislation and the business policies interact with the guidelines and the specifications of the business-transaction requirements, as shown in Fig. 7.

Fig. 7 Business Continuity and Assurance

The various services, such as the asset assessment service and the compliance services, are to be checked against assessment and compliance guidance such as NIST SP 800-30, SP 800-18 and SP 800-53 for all possible attacks on the various assets involved in the business stages. That is, the system should be certain to do something and make that thing certain to happen. It is an integrated policy framework in which multiple components interact concurrently, like a biological signalling pathway, so as to minimise future losses and manage possible risks that may or may not materialise. In the case of business information processing, care should be taken in reimbursing or protecting a process or an asset from a variety of contingent risks of loss through financial means. The assurance can be calculated from the assessment of the compliance, correctness and certainty of the information handled by each process or component during a particular period of time. The various interactions and their translations discussed above are represented as a pathway for information assurance, as shown in Fig. 8.


Fig. 8 Information Security Assurance pathway

By providing information security assurance, all the parameters for the process assessment and its compliance are carried forward to estimate the probabilities of potential risks and possible attacks based on the vulnerabilities. The legislation and policy, together with the behaviour of the persons involved, are modified so as to secure the business content, which is the valuable asset when multiple customer services collaborate. Business risk is minimised by storing and transmitting the business information securely at all times; the data and processes should be used exclusively for that purpose in a virtual environment. After determining the significant probability of potential risks, the final relationship is obtained: the business continuity can be estimated from the number of assets involved in the business transactions and the security guards for the processes needed for continuation. If an attack on an asset happens, then, based on the index of the information being structured, the resulting risk factor can be represented in first-order logic as given by the equation below, where BI represents the business information (structured or unstructured) and sg represents the number of security guards or functions for the processes involved. The business will be extended and continued (EBC) as long as the process P_i is governed by its security function sg and that function succeeds, as represented by the second line below.

$$BI(asset)_i \cdot sg(asset)_i$$

$$P_i \,.\, BI(asset)_i \cdot sg(asset)_i \longrightarrow EBC$$

The final empirical relationship for the total amount of risk, including process, product and business risks, can be estimated by the above procedure by considering the attack severity index and the index factor of the structured business information assets when a number of security functions are activated and summed up, as given by Eqns. (2) and (3) below:

$$IndexFactor_k = \text{location complexity level of } asset_k \times \text{size of information in } asset_k \quad (2)$$

$$Risk = \frac{\sum_{i=1}^{n} BI(asset)_i \cdot sg(asset)_i}{\sum_{k=1}^{f} IndexFactor_k \cdot \sum_{j=1}^{m} ASI(attack)_j} \quad (3)$$

Here n is the total number of assets, f the number of index factors (the structuredness indices) and m the number of attacks.
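Eqns. (2) and (3) worked through on constructed data, as an added example rather than the paper's own computation: the asset table, the ASI values (Eqn. 1 did not survive extraction, so the severities are supplied as inputs), the BI scale (1.0 for structured, lower for unstructured) and the choice of the f index factors as those of the structured assets are all assumptions made here.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Asset:
    """One information asset as used by Eqns. (2) and (3)."""
    name: str
    bi: float                   # BI(asset): structuredness index; 1.0 = structured (assumed scale)
    sg: int                     # sg(asset): number of security guards / functions on the asset
    location_complexity: float  # location complexity level, input to Eqn. (2)
    size: float                 # size of information in the asset (assumed units)


def index_factor(asset: Asset) -> float:
    """Eqn. (2): IndexFactor_k = location complexity level of asset_k * size of information in asset_k."""
    return asset.location_complexity * asset.size


def risk(assets: List[Asset], asi: Dict[str, float], structured_threshold: float = 1.0) -> float:
    """Eqn. (3): Risk = sum_i BI_i * sg_i / (sum_k IndexFactor_k * sum_j ASI_j).

    `asi` maps attack name -> attack severity index ASI_j.  The f index
    factors are taken over the structured assets (BI >= structured_threshold);
    that selection is an assumption, the page only says f counts the
    structuredness indices.
    """
    if not assets or not asi:
        raise ValueError("Eqn. (3) needs n >= 1 assets and m >= 1 attacks")
    structured = [a for a in assets if a.bi >= structured_threshold]
    if not structured:
        raise ValueError("Eqn. (3) needs at least one structured asset (f >= 1)")
    numerator = sum(a.bi * a.sg for a in assets)
    index_sum = sum(index_factor(a) for a in structured)
    asi_sum = sum(asi.values())
    if index_sum <= 0 or asi_sum <= 0:
        raise ValueError("index factors and ASI values must be positive")
    return numerator / (index_sum * asi_sum)


# Constructed sample data (not the values of the paper's Table 2 or Table 3).
SAMPLE_ASSETS: List[Asset] = [
    Asset("customer_db", bi=1.0, sg=3, location_complexity=2.0, size=5.0),
    Asset("contracts",   bi=0.3, sg=2, location_complexity=0.0, size=8.0),  # unstructured
    Asset("audit_log",   bi=1.0, sg=1, location_complexity=1.0, size=3.0),
]
SAMPLE_ASI: Dict[str, float] = {"sql_injection": 0.8, "html_injection": 0.4, "dos": 0.6}


if __name__ == "__main__":
    for a in SAMPLE_ASSETS:
        print(f"{a.name:12} BI*sg = {a.bi * a.sg:.2f}  IndexFactor = {index_factor(a):.2f}")
    print(f"Risk = {risk(SAMPLE_ASSETS, SAMPLE_ASI):.4f}")
```

With these inputs the numerator is 3.0 + 0.6 + 1.0 = 4.6, the structured index factors sum to 10 + 3 = 13 and the severities to 1.8, giving Risk = 4.6 / 23.4. Because every ASI_j enters only through the sum in the denominator, values computed with different ASI scales are not comparable; fix the scale of Eqn. 1 once and keep it across the assets and attacks being compared.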

7 Conclusions

The information security assurance model is important for business services deployed in a grid or cloud environment. The security model is based on design heuristics that relate the structure of the information assets, represented as a tuple of uniqueness, identity, location and size of the information. The empirical relationship model provides secured transparency against the risks due to a security breach that leads to loss of confidentiality (LOC) and loss of integrity (LOI) of the information assets needed by the business processes. Business continuity is maintained and the resulting risks are predicted with minimised loss in the presence of explicit or implicit attacks. The information security assurance pathway is brought out to quantitatively model and estimate the total risk covered when a number of services interact, even where the attack and the asset may become non-compliant entities.

References

[1] A.J.A. Wang, Information Security Models and Metrics, ACM Digital Library 2005; 3(59593-059-0):230-239.

[2] A. Vorster, L. Labuschagne, A Framework for Comparing Different Information Security Risk Analysis Methodologies, ACM Digital Library 2005; 2(2-34589-756):298-306.

[3] K. Anna, M. Natalia, T. Alexander, Information Security Incident Management Process, ACM Digital Library 2009; 3(978-1-60558-412-6):450-458.

[4] D.S. Bhilare, A.K. Ramani, S. Tanwani, Information Security Assurance for Academic Institution Using Role Based Security Metric: An Incremental Approach, ACM Digital Library 2009; 3(978-1-60558-351-8):670-679.

[5] K. Braa, K.H. Rolland, Horizontal information systems: emergent trends and perspectives, in: R. Baskerville, J. Stage, J.I. DeGross (Eds.), Organizational and Social Perspectives on Information Technology, Kluwer Academic Publishers, Boston, 2000:83-101.

[6] C. Britton, P. Bye, IT Architectures and Middleware, second ed., Addison-Wesley, Boston, 2004.

[7] R. Chalmeta, C. Campos, R. Grangel, Reference architectures for enterprise integration, Journal of Systems and Software 2001; 57:175-191.

[8] Corporate Governance Task Force, Information security governance: a call to action, April 2004. Available from: http://www.cyberpartnership.org/InfoSecGov4_04.pdf

[9] D. Trcek, An integral framework for information systems security management, Computers & Security 2003; 22(4):337-360.

[10] F. Farahmand, S.B. Navathe, G.P. Sharp, P.H. Enslow, Managing Vulnerabilities of Information Systems to Security Incidents, Pittsburgh, ACM Digital Library 2003; 1(1-58113-788):580-589.

[11] J. Heikkila, M. Heikkila, J. Lehmonen, Sharing for understanding and doing for learning: an emerging learning business network, The ICFAI Journal of Knowledge Management 2005; III(1):28-45.

[12] I. Tirado, Business Oriented Information Security Requirements Development, ACM Digital Library 2008; 2(978-1-60558):89-91.

[13] K. Irwin, T. Yu, W.H. Winsborough, Avoiding Information Leakage in Security-Policy-Aware Planning, ACM Digital Library 2008; 4(1-7545):340-350.

[14] C.S. Leem, S. Kim, Introduction to an integrated methodology for development and implementation of enterprise information systems, Journal of Systems and Software 2002; 60:249-261.

[15] D. Linthicum, Next Generation Application Integration: From Simple Information to Web Services, Addison-Wesley, Boston, 2004.

[16] M.D. Carroll, Information Security: Examining and Managing the Insider Threat, ACM Digital Library 2006; 1(59593-437-5):560-570.

[17] S. Flowerday, R. von Solms, Real-time information integrity = system integrity + data integrity + continuous assurances, Computers & Security 2005; 24:604-613.

[18] B. von Solms, R. von Solms, The 10 deadly sins of information security management, Computers & Security 2004; 23:371-376.

[19] P. Weill, Don't just lead, govern: how top-performing firms govern IT, MIS Quarterly Executive 2004; 3(1):1-17.

[20] G. Gasper, M. Rahman, Basic Hypergeometric Series, Cambridge University Press, Cambridge, 1990.

[21] M. Rosenblum, Generalized Hermite polynomials and the Bose-like oscillator calculus, in: Operator Theory: Advances and Applications, Birkhauser, Basel, 1994:369-396.

[22] D.S. Moak, The q-analogue of the Laguerre polynomials, J. Math. Anal. Appl. 1981; 81:20-47.

[23] K.J. Knapp, R.F. Morris Jr., T.E. Marshall, T.A. Byrd, Information security policy: An organizational-level process model, Computers & Security 2009; 28:493-508.

[24] M. Devargas, Survival is Not Compulsory, Computers & Security 1999; 18(1):35-46.
Entrust, Information Security Governance (ISG): an essential element of corporate governance, 2004. Available from: http://itresearch.forbes.com/detail/RES/1082396487 702.html
