
A term paper in the PhD course "Risk and Vulnerability"

NTNU - Norwegian University of Science and Technology

Department of Industrial Economics and Technology Management

December

A generic comparison of industrial safety and information security

Eirik Albrechtsen


Term paper in ”Risk and vulnerability”

Eirik Albrechtsen 1

Summary

This term paper illustrates and discusses differences and similarities between industrial safety and information security. The basic idea of industrial safety and information security is the same: both protect assets from hazards/threats. Perrow's (1999) interaction/coupling chart illustrates the vulnerabilities of information technology and of a system related to industrial safety. Information technology pulls other systems towards a more vulnerable state, primarily due to unforeseen and unwanted interactions. Threats, assets for protection and consequences in information security and industrial safety are compared. With the help of this comparison and Klinke and Renn's (2001) risk classification factors, differences in risk are discussed. The main differences in risk are:

- The damages within information security are more complex, geographically spread and unforeseen than for industrial safety.
- The reversibility of consequences is much lower in industrial safety, as it is more difficult to bring back human lives than to restore and rebuild information.
- Hazards in industrial safety are more observable and proximate than threats in information security.
- The uncertainty on threats and consequences is much higher in information security than in industrial safety.

The threats and consequences in information security incidents are associated with a higher degree of uncertainty than threats and consequences in industrial safety, due to complexity in information technology systems, change of technology, non-proximate threats, external threats, difficulties in predicting deliberate threats, a broad range of threats, and unforeseen and unwanted interactions. By use of the risk classification it is shown that information security management should be based on precautionary risk management strategies and that industrial safety management should be based on a combination of precautionary and risk-based strategies. A comparison of methods in information security and industrial safety shows that the methods are to a large extent the same on the surface, although the content of the methods differs somewhat. Furthermore, industrial safety research focuses on human and organisational contributions integrated with technical aspects to a much larger extent than information security does. Information security seems to focus on deliberate and external threats, while industrial safety tends to focus on unintended incidents. The main results of the comparison are the high uncertainty level regarding threats and consequences in information security and the gap between information security and industrial safety regarding focus on human and organisational aspects. Information security should learn from industrial safety regarding the view on human and organisational contributions integrated with technical aspects. Another potential for learning is to move toward a transdisciplinary approach to information security. This approach is part of the precautionary management strategies that should be implemented in information security management in order to cope better with uncertainty.


Contents

1 Introduction (p. 3)
2 Industrial safety and information security (p. 4)
3 Security and safety (p. 4)
4 System classification (p. 7)
4.1 Offshore industry (p. 7)
4.2 Information technology (p. 7)
5 Risk classification (p. 10)
5.1 Assets for protection (p. 10)
5.2 Hazards/threats (p. 10)
5.3 Consequences (p. 12)
5.4 Uncertainty (p. 13)
5.5 Risk classification (p. 13)
5.6 Industrial safety management & information security management (p. 14)
6 Research (p. 16)
7 Comparison of methods (p. 17)
7.1 The energy model and Haddon's strategies (p. 17)
7.2 Models (p. 20)
7.3 Checklists (p. 23)
7.4 Risk assessments (p. 23)
8 Summary of comparison (p. 25)
8.1 Similarities (p. 25)
8.2 Differences (p. 25)
9 Conclusion (p. 26)
10 References (p. 27)

Figures

Figure 1 Relationship between data security, computer security, IT security, ICT security and information security (p. 4)
Figure 2 Interaction and coupling chart (p. 9)
Figure 3 Framework for risk classification (p. 10)
Figure 4 Purposes of deliberate incidents' influence on cause, incidents and consequences (p. 11)
Figure 5 Revised energy model for protection of information and Haddon's prevention strategies (p. 19)
Figure 6 Accident analysis framework (Kjellén, 2000) (p. 20)
Figure 7 ILCI-model (from Kjellén, 2000) (p. 20)
Figure 8 The TRIPOD model (from Kjellén, 2000) (p. 21)
Figure 9 Model for computer and network incidents (Howard and Longstaff, 1998) (p. 22)

Tables

Table 1 Generic differences between risks based on Klinke & Renn (2001)'s risk classification factors (p. 14)
Table 2 Haddon's prevention strategies applied on information security threats (p. 18)


1 Introduction

Today's society has become more vulnerable than before (NOU, 2000). One of the main contributors to this vulnerability is the increased use of information technology. Practically every part of society has become dependent on information technology in some way. Over the last 10-20 years information technology has become one of the girders of today's society. This dependency has created a need for information security in every part of society. Information security regarding information technology is quite young (securing non-electronic information existed before the IT revolution, especially in the military). In contrast, industrial safety has existed since the nineteenth century (Hale and Hovden, 1998). Information security is dominated by a focus on technical and functionalist (i.e. regulation and control of organisational affairs) aspects (Dhillon and Backhouse, 2001). Industrial safety has, on the other hand, through history developed an integrated technical, human and organisational approach. In Norway, a great deal of industrial safety is centred on safety at offshore installations. The offshore safety research has had a large influence on safety research in other areas in Norway as well.

This term paper will provide a comparison between the basic ideas of information security and industrial safety and a comparison between methods in the two disciplines. Since industrial safety traditionally has taken care of human and organisational aspects and information security traditionally has not, a comparison between the two will provide a status on how well human and organisational aspects are taken into consideration in information security. The comparison will provide potentials for learning as well. The comparison has mainly been directed at what distinguishes information security from industrial safety and what information security can learn from industrial safety. Information security and industrial safety are both large areas. The comparison has thus become generic. The comparison is at some points based on my subjective assessments.

Chapter 2 gives an indication of what industrial safety and information security are and illustrates the relationship between them. Chapter 3 discusses what the difference between safety and security is. The chapter concludes that it is difficult to distinguish them and that the basic idea is the same in both: protection against hazards/threats, no matter what the nature of the hazards/threats looks like. In chapter 4 Perrow's (1999) normal accident theory is used to illustrate the vulnerabilities associated with fields related to industrial safety and information security. The chapter shows that information technology creates increased vulnerability for other systems using information technology. Chapter 5 shows differences between information security and industrial safety regarding threats, assets for protection and consequences. The main difference is that the uncertainty associated with information security threats and consequences is much higher than for threats and consequences in industrial safety. Differences in research are presented in chapter 6. Chapter 7 presents differences between methods (models, risk assessments, checklists and prevention strategies) used in information security and industrial safety. In chapter 8 the comparison is summarized, and the conclusion is given in chapter 9.


2 Industrial safety and information security

The standard ISO17799 – Code of Practice of Information Security Management defines information security as: "Information security protects information from a wide range of threats in order to ensure business continuity, minimize business damage and maximize return on investments and business opportunities". This term paper focuses on electronic information and the use of this information. In contrast to data security, computer security, IT security and ICT security, information security is much broader, since it considers handling of information both inside and outside IT systems. The other types of security mentioned above are much narrower in their area of protection, and are part of the broader information security. This is illustrated in Figure 1. Data security is about protecting data, i.e. binary numbers (programming languages and saved data files). Computer security and IT security protect data and the computer/information technology. ICT security is the same as IT security but adds protection of communication technology (e.g. network cables) as well. Finally, information security encloses the other types of security and includes handling of information outside as well as inside the technology.

[Figure 1: nested areas, from innermost to outermost: Data security; IT security / Computer security; ICT security; Information security]

Figure 1 Relationship between data security, computer security, IT security, ICT security and information security

Industrial safety protects humans, environment and material at industrial plants from unacceptable risks that might lead to injuries and death of people, damage to the environment, material/production costs, delays in delivery and loss of reputation. A part of industrial safety is functional safety: obtaining correct functioning of the safety-related systems. Information technology is widely used in most parts of society. The industry is no exception. Thus information security is a part of industrial safety as well. Examples where information security is important for industrial safety are control rooms and "computer-based" safety devices (e.g. detectors and valves). Since much of the machinery used in the industry is based on information technology, information security is a central part of industrial safety. In the same way, industrial safety is part of information security. Examples of this are the design of offshore installations in such a way that the control room is protected, and fire protection.

3 Security and safety


One difference between information security and industrial safety is the notations security and safety. This section discusses differences between security and safety. In Norwegian the word 'sikkerhet' translates both security and safety. Thus it might be confusing for a Norwegian to distinguish them. Nevertheless, some groups at the Norwegian University of Technology and Science (NTNU) have distinguished the two words in Norwegian, saying that security is protection against deliberate incidents and safety is protection against unintended incidents (Hovden, 1998; Skavland Idsø and Mejdell Jakobsen, 2000).

The New Oxford Dictionary of English (Pearsall and Hanks, 2001) describes the words in the following way:

Safety:
1) The condition of being protected from or unlikely to cause danger, risk or injury.
- Denoting something designed to prevent injury or damage, e.g. safety barrier.

Safe:
1) Protected from or not exposed to danger or risk; not likely to be harmed or lost.
- Not likely to cause or lead to harm or injury; not involving danger or risk.
- (of a place) Affording security or protection.
2) Uninjured; with no harm done.
From the Latin word 'saluses', uninjured.

Security:
1) The state of being free from danger or threat, e.g. "the system is designed to provide maximum security against toxic spills".
- The safety of a state or organization against criminal activities such as terrorism, theft or espionage.
- Procedures followed or measures taken to ensure such safety.
- The state of feeling safe, stable and free from fear or anxiety.
From the Latin word 'securus': 'se', without; 'cura', care; 'securus', free from care.

Secure:
- Not subject to threat; certain to remain or continue safe and unharmed.
- Protected against attack or other criminal activity.
- Feeling safe, stable and free from fear and anxiety.

NTNU definition (Skavland Idsø and Mejdell Jakobsen, 2000): Safety is protection against random incidents. Random incidents are unwanted incidents that happen as a result of one or more coincidences. Security is protection against intended incidents. Intended incidents happen as a result of a deliberate and planned act.

The differences between security and safety are not remarkable; both are conditions where one is well protected and without risks. The basic idea of both is protecting assets from hazards/threats, creating safe/secure conditions. The condition safety is about being protected, while the condition security is about being free from danger. The differences between being protected and being free from danger or threat are not easily seen. Being protected leads to a condition of being free from danger or threat,


and being free from danger or threat might imply being well protected. Thus the basic idea is the same for both. One part of security is protection against criminal activities. Simultaneously, security is about being in a state of feeling safe, stable and free from fear or anxiety (Norwegian 'trygghet'). Criminal acts are mainly deliberate acts. However, criminal incidents do not need to be intended acts. Driving a car a few km/h over the limit is by definition a criminal act; nevertheless it can be an unintended incident (e.g. inattention to speed limits). Thus, I do not think it is correct to say, following the NTNU definition above, that security is just about protection against deliberate acts. It is also about protection against unintended incidents, which might bring one into a state of not being subject to threat. Safety is related to protection against injury, which introduces the aspect of protecting human lives and health. It seems like one slight difference between security and safety is that security specifically protects against crime, while safety specifically protects human lives and health. However, I do not think this distinction is adequate. Protection of human lives and health can be protection against deliberate (and criminal) acts such as murder attempts and violence. When an unintended accident at an industrial plant happens, it might be a violation of the Working Environment Act, which by definition is a criminal act. Taking shortcuts in order to get more efficient work and less workload are deliberate acts as well, which might lead to an accident at an industrial plant. Ignoring procedures, leading to an accident, is a deliberate act as well. Thus, it will not be fully correct to say that safety is protection against unintended incidents. It is about time to end the discussion before it gets even more confusing. It is definitely complicated to distinguish safety and security.

The basic idea is the same in both understandings: protecting assets from a possible hazard or threat. Thus, it might be unnecessary to distinguish them. A slight difference seems to be that security is related to criminal acts (e.g. espionage, theft, terrorism) and safety is related to the risk of injury to humans. As discussed above, neither deliberate nor unintended incidents are directly associated with criminal incidents or injuries. Thus, I think the NTNU definitions are not completely correct. It is, nevertheless, easy to see the advantages of distinguishing deliberate and unintended acts; however, I think it is misleading to use security and safety for this distinction. By staying loyal to the Norwegian word 'sikkerhet' there is actually no problem at all. The conclusion is that it might be unnecessary to distinguish security and safety, since both are protection against hazards/threats, no matter what the nature of the hazards/threats looks like. What the differences actually are still remains a question. Even persons with English as their mother tongue that I have talked to have difficulties distinguishing the two. From these persons' point of view the difference lies in a kind of tacit knowledge, and is thus found difficult to describe (if there is a difference).


4 System classification

In this section generic differences and similarities between industrial safety and information security are discussed by the use of Perrow's (1999) interaction and coupling classification. This classification is a central part of Perrow's normal accident theory, which illustrates how couplings and interactions of systems may lead to a normal accident. A normal accident occurs when a single failure in a complexly interacting and tightly coupled system leads to an accident. The theory is very useful for illustrating vulnerabilities of systems. It is not possible to classify industrial safety and information security with the help of Perrow's theory, since they are not systems in that sense. Nevertheless, it will be helpful to classify systems related to industrial safety and information security; I have thus chosen to classify the offshore industry and information technology systems. The presented classification is limited in two ways. First, it is not easy to classify the two systems in an exact manner, as they are both large areas. The classification is thus broad and generic. Second, the classification is based on my own subjective assumptions. Anyway, the classification should give an indication of differences between the two systems. Indirectly, the classification will provide an indication of differences between industrial safety and information security as well.

4.1 Offshore industry

The offshore industry has complex interactions due to:
- Tight spacing of equipment
- Proximate production steps
- Limited isolation of failed components

However, there are also linear interactions:
- Less personnel specialization. Personnel can perform different tasks.
- Direct on-line information sources
- Extensive understanding of all processes

Hence, the offshore industry is a complex system as well as a linear system. Personally, I would say the complex interactions weigh more than the linear interactions.

The offshore industry is quite tightly coupled due to:
- Delays in processing not possible
- Invariant sequences. The order of sequences cannot be changed.
- Only one method to achieve the goal
- Buffers and redundancies are designed-in, deliberate

From the presented classification, the offshore industry belongs in the upper right corner of Perrow's I/C chart, however not too far over to the right. In Figure 2 the classification is presented in an I/C chart.

4.2 Information technology

Information technology increases the possibilities for a normal accident in all systems using IT; the use of information technology pulls other systems towards the upper right in Perrow's I/C chart. In the postscript of his book "Normal Accidents", Perrow (1999) illustrates this increased vulnerability with a discussion about the year 2000


problem (Y2K problem). Quoting Perrow: "… Y2K has the potential for making a linear, loosely coupled system more complex and tightly coupled than anyone had any reason to anticipate". In the postscript Perrow describes how failures in chips might create a normal accident on January 1st 2000 (note that Perrow wrote the postscript before the year 2000, and that there actually was no crisis as the world entered the new millennium). It is not the chip problem that is the main dilemma. Failures in chips are "the stroke that fells the great oak" (small strokes may fell great oaks). It is the way society has become dependent on chips (or IT systems) that is the main issue according to Perrow's postscript. Since the dependency on IT systems is still found in society, the normal accident theory regarding information technology is still relevant.

Information technology implies complex interactions due to:
- Unfamiliar and unintended feedback loops
- Many common-mode connections of components not in the production sequence (e.g. common nodes in networks)
- Limited understanding of some processes, especially among lay people. However, the experts have a high degree of understanding of the processes. Thus understanding of processes implies both complex and linear interactions.
- Proximate production steps (programming language)

Interactions become more complex primarily due to unknown and unwanted feedback loops, which often are difficult to predict and detect. Perrow illustrates some unforeseen interactions at a high level in Rasmussen's (1997) model for risk management that would affect almost every part of society: failure in components/chips due to the Y2K problem would make power supplies go down, which might lead to failure of manufacturing plants; the traffic at airports might be reduced; gas pumps might run dry; it might lead to blood supply and medical equipment failure; and the stock markets might crash. Other examples of unforeseen interactions are the cable break in the south of Norway in summer 2000, creating a lack of power in a large area, and an incident in the Norwegian banking industry that left one hundred thousand customers without electronic banking services. Both these examples are described more comprehensively below. These unforeseen interactions imply uncertainty about consequences in information security incidents.

The couplings in information technology systems are quite tight due to:
- Invariant sequences. Sequences must be done in a certain order (e.g. the programming that most systems are built on)
- Buffers and redundancies are designed-in, deliberate
- Little slack possible. When an incident happens, it happens fast.

Open networks create looser couplings. The networks are designed in such a way that if one path is unavailable, the packet will take the fastest available alternative path in the network. In addition, the networks consist of nodes that connect the paths. These nodes create a higher degree of complexity due to the common connection of many different systems. An example of this complexity is an incident in southern Norway in summer 2000 where a cable was cut during digging. Normally the network would work in such a way that it would find an alternative available path. However, on this occasion it did not find another path, since the node that should have been programmed to find an alternative path was not programmed in such a way. This


incident created a lack of power in large parts of the area. This example from the south of Norway is a good illustration of a normal accident concerning IT systems. The example shows how easily unforeseen consequences may appear; who would have imagined that a part of the country would be without power supply due to a single cable being cut during digging? Another Norwegian example of a normal accident regarding information technology is what is known as "the 2nd of August" in the Norwegian banking industry. On the 2nd of August 2001 about one hundred thousand Norwegian bank customers lost their electronic services for about a week. The incident happened at the company EDB Teamco, an organization that provides common IT systems for many Norwegian banks. What happened was that EDB Teamco was supposed to test a safety device. A re-coupling that was supposed to make a backup of data before the test was carried out was erroneously coupled to the ordinary operating system. This coupling made 300 out of 1000 disks inaccessible. The example shows how common connections of different systems create more complex systems and an increased possibility for a normal accident. Simultaneously, it illustrates unforeseen interactions; who would have imagined that one hundred thousand customers would be without their electronic bank services due to a single erroneous coupling? Nearly every week the press writes about normal accidents involving information technology, which have happened or have a high potential of occurring. Some examples with unforeseen interactions from this autumn: SAS' IT systems in Norway went down due to a cable being cut during digging near Copenhagen [1], wireless keyboards writing on the neighbour's computer [2], and sabotage of some central nodes in Norway that might take the Internet down [3]. Figure 2 illustrates the interactions and couplings of the offshore industry and shows how information technology pulls other systems towards the upper right corner. The probability of a normal accident increases with the complexity of interactions and the tightness of couplings.

Figure 2 Interaction and coupling chart

[1] Datasammenbrudd for SAS (Data breakdown for SAS), Adresseavisens nettutgave, 02.10.02, http://www.adressa.no/nyheter/article.jhtml?articleID=386860
[2] Trådløst tastatur skrev på naboens PC (Wireless keyboard wrote on the neighbour's PC), Aftenpostens nettutgave, 31.10.02, http://www.aftenposten.no/nyheter/nett/article.jhtml?articleID=427464
[3] Sabotasje her kan lamme Norge (Sabotage here could paralyse Norway), VG Nett, 16.10.02, http://www.vg.no/pub/vgart.hbs?artid=628461

[Figure 2: I/C chart with Interaction on the horizontal axis (Linear to Complex) and Coupling on the vertical axis (Loose to Tight); the offshore industry and information technology are both plotted in the upper right, with information technology further towards the complex and tightly coupled corner.]


The offshore industry and information technology are both classified with complex interactions and loose couplings; information technology has more complex interactions and is more tightly coupled than industrial safety. Thus the possibility for a normal accident is lower for industrial safety than for information technology systems. Use of information technology in other systems will pull these systems to the upper right in the I/C chart. In particular, unforeseen and unwanted incidents create the complexity of information technology.

5 Risk classification

In this section hazards, assets for protection and consequences for information security and industrial safety are discussed. Through this discussion and Klinke and Renn's (2001) risk classification factors, differences and similarities of risks associated with industrial safety and information security are presented. Figure 3 illustrates the connections between hazards, assets and consequences. The figure is used as the framework for this section. The figure can also be recognized as a framework for risk analysis, where hazards/threats and assets form the causal chain and the consequence part represents consequence chains and probabilities of these consequences.

Figure 3 Framework for risk classification (elements: Threats/hazards, Assets, Consequences)

5.1 Assets for protection

Industrial safety is primarily about protecting human lives and health, the environment and material/production in connection with an industrial plant (e.g. an offshore installation). Information security is above all about preserving the confidentiality, integrity and availability of information. Information can exist in many forms (e.g. on paper, electronically stored, spoken or in the human mind). No matter what form the information has, it should be protected adequately. This term paper has mainly focused on information handling inside and outside information technology.

5.2 Hazards/threats

Industrial safety is protection against hazards, while information security is protection against threats. Within the field of industrial safety, hazards represent a risk for human health and lives, the environment, production and material objects. The hazards are tightly related to the concept of energy release. An incident involves a sudden and uncontrolled release of energy (Kjellén, 2000). The injury or damage develops when the uncontrolled energy hits the human body, the environment or material assets. The energy might be mechanical, chemical, electrical, thermal, kinetic, etc. Uncontrolled energy might develop due to mechanical failures, human failures and influence from the environment. The hazard within industrial safety is primarily associated with unintended incidents; in contrast, information security protects against deliberate as well as unintended incidents. The threats within information security are related to human threats, as it is humans who use, design and attack information technology. An exception is technical vulnerabilities and failures; however, one can say that these are a human threat as well, since technology is created by people (information technology cannot live its own life, it can only do what humans have programmed and designed it to do). External factors (such as loss of power supply) are also considered. Anyhow, as will be described in section 6, the main part of information security research is carried out on technical aspects.

Figure 4 Purposes of deliberate incidents' influence on cause, incidents and consequences

There are deliberate incidents in industrial safety as well. The difference between deliberate incidents in information security and industrial safety is illustrated in Figure 4. The figure shows deliberate incidents in industrial safety above the time axis, while deliberate incidents in information security are beneath the time axis. The arrows indicate how the purposes of the deliberate incidents are related to the causes, incidents and consequences. In industrial safety the purpose of deliberate incidents is not directly related to the incident and its consequences. In contrast, the purpose of deliberate incidents in information security is mainly to gain a benefit from the incident, regardless of the consequences of the incident. Those who commit deliberate acts within industrial safety do not want incidents to happen; the deliberate acts are made in order to do work more efficiently and with less effort. These deliberate acts can be characterised as cynical, calculating and ignorant. Deliberate acts within information security are malicious acts, forcing the incident to happen out of the desire for consequences that benefit the attacker.


The threats to information can be divided into external threats and insider threats (i.e. inside the organisation). The external threats (e.g. hackers) principally imply deliberate incidents. This external threat makes the picture of threats even more complex and brings in the uncertainty dimension. It is impossible to control the external threat; the only thing the organisation can do is to protect itself. Further, it is difficult to predict the threat (where, when and how the attack appears), and it might be difficult to find the responsible party after an incident, since the attacker seldom leaves any tracks behind. In contrast to the external threat, the insider threat can be unintended as well as deliberate.

The threats within industrial safety can be characterised as more proximate than within information security. It is possible to physically see and sometimes touch the hazard, while information security threats often are not visible or physically close (the threat can be on the other side of the earth). This proximity within industrial safety provides a simpler and better overview of the hazard, which gives a good understanding of the hazard.

The uncertainty dimension of the threats is much more present within the field of information security than in industrial safety. The main contributions to the uncertainty are external threats and deliberate acts. In addition, the knowledge needed about technology and systems might create uncertainty amongst lay people. The fast pace of change in technology might even create uncertainty for experts. The non-proximity dimension and the deliberate dimension imply a broader range of threats for information security than for industrial safety. A broader range of threats will imply even more uncertainty.

5.3 Consequences

The consequences within industrial safety are injuries to and death of people, damage to the environment, material/production costs, delays in delivery and loss of reputation (Kjellén, 2000). There are seldom unforeseen interactions within the field of industrial safety, unless there is a major accident.

The range of consequences is broad for information security. The immediate consequence is loss of information's confidentiality, integrity or availability, or combinations of these (e.g. unauthorised access, deleted information and denial of service). The losses are to a large extent directly related to economic loss (loss of income, material loss of technology, loss of man-hours, loss of reputation, insider incidents with financial gain as the aim). Further, the consequences might imply loss of privacy. As described by Perrow's normal accident theory in section 4.2, incidents related to information security breaches might result in unforeseen and unwanted interactions. A single failure, which looks simple in the first place, could develop into unexpected consequences elsewhere. These consequences may be critical failures for society, since information technology is used in almost every area of society, including essential functions such as power supply and water supply. A difference between information security and industrial safety is that failures within the field of information security might cause a crisis at a high level in society; the possibility of such a crisis is lower for accidents within industry (see also chapter 4).


Lupton (1999) has presented some characteristics of lay people's risk perception. Among these are:
- Lay people are more likely to calculate that a risk is likely to occur if information related to it is available and easily recalled
- Lay people tend to overestimate risk related to circumstances where they may be involved themselves
- People are more likely to be concerned about risks that they see as close to them

Due to the proximity of the visible threats and consequences in industrial safety, it must be assumed that lay people have a higher degree of knowledge and opinion on risks regarding industrial safety than information security. This knowledge leads to more attention and concern regarding risks in industrial safety than in information security. Thus it seems fair to say that the social involvement is higher within industrial safety. The characteristics of risk perception among lay people presented above will be apparent to a higher degree within industrial safety than information security.

5.4 Uncertainty

The uncertainty on threats and consequences within information security has been mentioned repeatedly in the previous sections. To sum up, uncertainty on threats and consequences in information security arises from:
- High degree of complexity in information technology systems
- Unforeseen and unwanted interactions
- Non-proximity of threats, threats beyond sight
- External threats are difficult to predict and control
- Deliberate threats (internal/external) are difficult to predict
- Broad range of threats
- Change of technology
- Need for knowledge to understand information technology

5.5 Risk classification

In this section risk is discussed by means of threats and consequences; I have assumed that these aspects are central parts of risk. The probability aspect, which is seen as a central part of risk, is not discussed. The discussion is broad and generic, and it has thus been difficult to include the probability aspect of risk. To summarise the discussions in this chapter, Klinke and Renn's (2001) eight factors for risk classification are used. The factors are probability, potential for harm, uncertainty, ubiquity, persistency, delayed effects, equity violations and potential for social mobilization. Some of these factors will provide support when comparing risks within information security and industrial safety. A generic comparison is shown in Table 1. I have not taken the factor probability into consideration, as this factor is closely linked to actual situations. A generic approach to the probability of occurrence is thus difficult, as the variety of different occurrences is high.


Table 1 Generic differences between risks based on Klinke & Renn's (2001) risk classification factors

Factor | Information security | Industrial safety
Uncertainty | High uncertainty due to complexity, change of technology, unforeseen interactions, deliberate threats, external threats, broad range of possible threats, non-proximity and threats "beyond sight" | Lower than inf.sec. due to observable hazards, knowledge on processes, less complexity and proximity to hazard.
Ubiquity | High geographic dispersion of potential damages due to networks. | Damage limited to the plant and the surrounding environment.
Persistency | Temporal extension of potential damages due to unforeseen and complex interactions | Lesser complexity than inf.sec. implies lesser degree of temporal extension of potential damages
Reversibility | Some information might be technologically restored or restored by human mind (knowledge) and some might be lost. | Not possible to bring back human lives. Injuries and environmental damages might be irreversible.
Delayed effects | Delayed effects possible, e.g. logic bombs, transient viruses. | No latency between energy release and impact
Potential of social mobilization | Less possibility of social mobilization due to lack of knowledge in society; however, e.g. a major power supply crisis due to IT systems might create reactions. | Major accidents with several fatalities will create social conflicts and psychological reactions
Damage potential | Loss of information's confidentiality, integrity and availability. Unforeseen interactions. Higher potential than ind.saf. for damage at a high level in society. | Loss of human lives and health, environmental damage, production delay and material damage.
Probability | - | -

The most important findings regarding differences in risk are:
- The uncertainty on threats and consequences is much higher in information security than in industrial safety.
- The damages within information security are more complex, geographically spread and unforeseen than for industrial safety.
- The reversibility of consequences is much lower in industrial safety, as it is more difficult to bring back human lives than to restore and rebuild information.
- Hazards in industrial safety are more observable and proximate than threats in information security.
- Knowledge of and proximity to hazards and consequences in industrial safety may lead to more attention and concern on industrial safety protection amongst lay people.

5.6 Industrial safety management / information security management

Klinke and Renn (2001) indicate three central categories of risk management strategies: risk-based, precautionary and discursive. The categories are associated with different classes of risk based on a classification of environmental risks. I will not try to put the threats and hazards within industrial safety and information security into these classes, since Klinke and Renn have used environmental risks in their classifications. Anyhow, the basic idea about the different management strategies for different risks will be a foundation for a fruitful discussion on what information security management and industrial safety management should look like. In the following, the classification in Table 1 is used as input for a discussion on what strategies information security management and industrial safety management should be built on.

Information security is, as described in section 5.4, characterised by a high degree of uncertainty. According to Klinke and Renn, high uncertainty implies precautionary management strategies. Thus information security management should be based on precautionary strategies. As Ortwin Renn (2002) puts it: "Risk management cannot reduce uncertainty from this world and its future, but it may help to improve our skills to cope with uncertain events and their undesirable consequences". Some of the characteristics of today's information security management are recognised as precautionary strategies, e.g. redundancy and diversity in technical security design and constant monitoring (detection systems). Nevertheless, many of the characteristics of today's information security management are recognised as strategies for risk-based management. In the standard ISO 17799 risk management is defined as the "process of identifying, controlling and minimizing or eliminating security risks that may affect information systems, for an acceptable cost". The standard is to a large extent built on risk-based management strategies, e.g. emphasis on scientific assessment, reduction of exposure and/or probabilities and management according to expected values of risk and benefits. Other examples of risk-based strategies are emphasis on scientific risk assessment (see section 7.4) and reliance on inspections and routine controls (e.g. checklists, section 7.3). According to Klinke and Renn, risk-based strategies demand sufficient knowledge of the probability of occurrence and the extent of damage. As discussed earlier in the paper, there is a high degree of uncertainty on the probability of occurrence and the extent of damage in information security. From that point of view, risk-based management strategies are inappropriate for information security management.

Industrial safety management should be built on a combination of risk-based and precautionary management strategies. The knowledge in some areas is sufficient, thus industrial safety should be managed according to expected values of risks and benefits (risk-based strategy). Since knowledge is sufficient, reduction of exposure and/or probabilities is possible. However, this risk-based strategy should be combined with precautionary strategies for increasing the system's resistance and robustness, e.g. redundancies, buffers and monitoring. In practice it seems like industrial safety is well on target with its combination of strategies. On the other hand, information security management seems to be a bit off target, as management tends to be more risk-based than precautionary.


6 Research

Much of the research in the field of information security has been directed at protecting materialistic information technologies (Dhillon and Backhouse, 2001), e.g. hardware, software and even the binary numbers. This view of information security looks at information as a physical object and not an immaterial object. I think this view of information security might be seen as originating from the "EDB age" of the eighties. There is a need for taking care of the humans and the organisations that use the systems as well. Furthermore, most of the research on threats within information security has been on deliberate malicious incidents; unintended incidents have not been extensively addressed (Cresson Wood and Banks, 1993; Magklaras and Furnell, 2002). The focus has especially been on external threats, and to a lesser degree on the threat from the inside. Thus, research on unintended incidents within information security is a quite fruitful area. In the field of industrial safety science, quite a lot of research has been done on the topic of human error. Amongst others, Reason (1997) and Rasmussen (1997) can be mentioned for their contributions to the field of human error.

In contrast to the narrow view of information security as a technological problem, industrial safety is a transdisciplinary field of research. Research within industrial safety has focused on technical, human and organisational aspects alone or in combination. In contrast to information security research, industrial safety research is primarily on unintended incidents. Hale and Hovden (1998) have described three ages of safety research. The first age, lasting from the nineteenth century until after World War II, was concerned with safety as a technical problem. The second age was related to safety as a human error problem, and was concerned with matching the individual to technology. The third age of safety looks at safety as a problem related to management, organisation and culture. Today's safety research is found in the third age.

The main differences between research within information security and industrial safety are:
- There is a much higher focus on human and organisational aspects in industrial safety
- Industrial safety is a more transdisciplinary field than information security, which to a large extent focuses on technical aspects
- Information security focuses on deliberate incidents
- Information security focuses on external threats


7 Comparison of methods

In the previous sections basic differences in the essence of industrial safety and information security have been described. Based on those sections, this section looks at methods used in work and research in the two fields.

7.1 The energy model and Haddon's strategies

Within the field of industrial safety, the energy model is extensively used. It is based on how a victim absorbs energy (e.g. a pedestrian absorbing the kinetic energy of a car that does not stop for the walker). Together with the energy model, Haddon's (1980) ten strategies for accident prevention are widely used within industrial safety. The energy model and Haddon's accident prevention strategies have had a significant influence on European legislation and standardisation within industrial safety (Kjellén, 2000). Preventive measures in industrial safety have been associated with Haddon's strategies and the energy model. However, looking at the origin of Haddon's strategies, the article "The basic strategies for reducing damage from hazards of all kinds" from 1980, the concept of energy is not used. In the article Haddon focuses on prevention of possible hazards of all kinds, which need not necessarily be related to energies (examples from the article not related to the energy model are drug abuse and hostile nations). Haddon (1980) says that his strategies are generic approaches that are useful to a wide range of fields, quoting Haddon: "..systematic principles applicable whether the hazard is a dangerous virus, a hostile regime, or a larcenous employee". As discussed in chapter 5, the concept of threat within information security is somewhat different from the hazards in industrial safety (e.g. deliberate acts, complexity, uncertainty, non-proximity etc.). Will Haddon's "old" strategies be helpful for preventing losses due to the "new" hazards associated with the field of information security?

In Table 2 Haddon's strategies are applied to two different threats within the field of information security. An example from industrial safety is presented as well. The strategies are supposed to be carried out at an organisational level; at a higher level the strategies might be different.


Table 2 Haddon's prevention strategies applied on information security threats

Strategies (Haddon, 1980) | Examples of hazards/threats and measures: Rotating machinery (circular saw) (Kjellén, 2000) | External human threat (deliberate): hacker | Internal human threat (unintended): human failure
1. To prevent the creation of the hazard in the first place | Eliminate use of circular saw by ordering pre-cut pieces of wood | - | Eliminate use of information technology systems
2. To modify relevant basic qualities of the hazard | Modified saw blade teeth | - | Increased skills and knowledge on use of IT systems
3. To reduce the amount of the hazard brought into being | Limit rotational speed | - | Limit the use and users of critical systems
4. To prevent the release of the hazard that already exists | Design of start button which prevents unintended start | - | Detection systems
5. To modify the rate or spatial distribution of release of the hazard from its source | Emergency stop (modifies rate) | - | Stop the incident (if longitudinal); separate intranet from open networks (modifies spatial distribution)
6. To separate, in time or in space, the hazard and that which is to be protected | Automatic sawing machine | Separate open networks (e.g. internet) and closed networks (e.g. intranet) | Warnings in the form of pop-up messages such as: "Are you sure you want to delete this file? Yes/No"
7. To separate the hazard and that which is to be protected by interposition of a material "barrier" | Machine guarding | Firewalls | Passwords for access to systems
8. To make that to be protected more resistant to damage from the hazard | Eye protection | Encryption of information | Encryption of information
9. To begin to counter damage already done by the environmental hazard | First aid | Emergency plans | Emergency plans
10. To stabilize, repair, and rehabilitate the object of the damage | Rehabilitation | Restore or reconstruct information if possible (e.g. from backup files) | Restore or reconstruct information if possible (e.g. from backup files)

Haddon's strategies are usable for hazards of any kind and have survived the IT revolution. The prevention strategies, which are widely used within industrial safety, are useful strategies for prevention against threats within information security as well. A problem appears when protecting against external threats (e.g. hacking, viruses). It is difficult for the organisation that protects itself to predict the external threat (who the external threat is, when/where the attack happens and how it happens) and to control it. There is a broad range of external threats, which makes it even more complex and unclear. The first five prevention strategies will thus not be appropriate for an organisation's protection against external threats.


The energy model, which is associated with Haddon's strategies in industrial safety, is a useful model for information security as well. However, the notation must be changed. Instead of talking about energy as the hazard, threat is a better term. The threat will cover the broad range of threats to information's confidentiality, integrity and availability. A revised energy model is illustrated in Figure 5. The asset to be protected is information.

Figure 5 Revised energy model for protection of information and Haddon's prevention strategies
(Figure elements: THREATS → BARRIER → INFORMATION, where information is characterised by confidentiality, integrity and availability.)

Strategies related to threats:
1. Prevent the creation of the threat
2. Modify the characteristics of the threat
3. Reduce the amount of threats brought into being
4. Prevent "release" of the threat
5. Modify rate and spatial distribution of "released" threat

Strategies related to barriers:
6. Separate threat and information to be protected in time or in space
7. Separate by "material barriers"

Strategies related to information:
8. Make information more resistant to damage
9. Limit the development of damage
10. Stabilise, repair and rehabilitate information
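As an added illustration of how the barrier-oriented strategies 3, 4, 6, 7 and 10 from Table 2 translate into a concrete design for the unintended internal threat (an operator deleting the wrong record), here is a small Python example. It is constructed for this page and is not code from the paper, from Haddon or from Kjellén; the class, the method names, the mutable-cell clock and the 60-second grace period are assumptions.

```python
"""Haddon's strategies 3, 4, 6, 7 and 10 (Table 2 numbering) as barriers for an
unintended internal threat: an operator deleting the wrong record.
Constructed example; class, method names and the 60 s grace period are assumptions."""
import time
from typing import Callable, Dict, List, Optional


class ProtectedStore:
    GRACE_SECONDS = 60.0  # strategy 6: separation in time between the act and the loss

    def __init__(self, authorised_users, clock: Callable[[], float] = time.time):
        self._authorised = set(authorised_users)  # strategy 3: limit the users of a critical system
        self._records: Dict[str, bytes] = {}
        self._deleted_at: Dict[str, float] = {}   # soft-deleted records and when
        self._backup: Dict[str, bytes] = {}       # strategy 10: a copy to restore from
        self._clock = clock
        self.audit: List[tuple] = []              # strategy 4: detection, sensitive acts are logged

    def _check_user(self, user: str) -> None:
        # strategy 7: a "material barrier" (access control) between user and information
        if user not in self._authorised:
            self.audit.append(("denied", user))
            raise PermissionError(f"{user} is not authorised")

    def put(self, user: str, name: str, content: bytes) -> None:
        self._check_user(user)
        self._records[name] = content
        self._backup[name] = content
        self.audit.append(("put", user, name))

    def get(self, user: str, name: str) -> Optional[bytes]:
        self._check_user(user)
        if name in self._deleted_at:      # a soft-deleted record is invisible but not yet lost
            return None
        return self._records.get(name)

    def delete(self, user: str, name: str, confirmed: bool = False) -> str:
        """Strategy 6: the "Are you sure? Yes/No" prompt, then only a soft delete;
        the record survives for GRACE_SECONDS before purge_expired removes it."""
        self._check_user(user)
        if name not in self._records:
            return "no such record"
        if not confirmed:
            self.audit.append(("delete-unconfirmed", user, name))
            return "confirmation required"
        self._deleted_at[name] = self._clock()
        self.audit.append(("delete", user, name))
        return "marked deleted"

    def undelete(self, user: str, name: str) -> bool:
        """Reverse a soft delete while the grace period is still running."""
        self._check_user(user)
        stamp = self._deleted_at.get(name)
        if stamp is None or self._clock() - stamp > self.GRACE_SECONDS:
            return False
        del self._deleted_at[name]
        self.audit.append(("undelete", user, name))
        return True

    def purge_expired(self) -> List[str]:
        """The loss actually occurs here: deletions older than the grace period become permanent."""
        now = self._clock()
        expired = [n for n, t in self._deleted_at.items() if now - t > self.GRACE_SECONDS]
        for n in expired:
            del self._records[n]
            del self._deleted_at[n]
        return expired

    def restore_from_backup(self, user: str, name: str) -> bool:
        """Strategy 10: repair the damage from the backup copy after a permanent loss."""
        self._check_user(user)
        if name not in self._backup:
            return False
        self._records[name] = self._backup[name]
        self.audit.append(("restore", user, name))
        return True


def run_scenario() -> dict:
    """Walk a constructed deletion mishap through the barriers; the clock is a
    mutable cell so the grace period can be stepped deterministically."""
    now = [0.0]
    store = ProtectedStore(["alice"], clock=lambda: now[0])
    store.put("alice", "payroll.csv", b"id,amount\n1,100\n")
    out = {}
    out["unconfirmed"] = store.delete("alice", "payroll.csv")            # prompt blocks it
    out["confirmed"] = store.delete("alice", "payroll.csv", confirmed=True)
    now[0] = 30.0
    out["undelete_in_time"] = store.undelete("alice", "payroll.csv")     # still reversible
    store.delete("alice", "payroll.csv", confirmed=True)
    now[0] = 200.0
    out["purged"] = store.purge_expired()                                # loss occurs
    out["undelete_too_late"] = store.undelete("alice", "payroll.csv")
    out["restored"] = store.restore_from_backup("alice", "payroll.csv")  # strategy 10
    out["content"] = store.get("alice", "payroll.csv")
    try:
        store.get("mallory", "payroll.csv")
        out["outsider"] = "allowed"
    except PermissionError:
        out["outsider"] = "denied"                                       # strategy 7 holds
    return out
```

The grace period is the point of Haddon's separation in time: the operator's act (confirming the delete) and the actual loss (the purge) are kept apart long enough for an undelete, and the backup copy is the strategy 10 fallback once the loss has become permanent. The audit list is the detection barrier of strategy 4, and the user check is the material barrier of strategy 7; nothing here has to be a real file system for the pattern to carry over.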


7.2 Models

Models are useful for research and science, as well as for practical work, in both industrial safety and information security. Models can for example be used in risk analyses, accident analyses, understanding/design of measures, design of databases and creating shared understanding between different groups. This section presents some models used in industrial safety and information security, and discusses differences and similarities.

Figure 6 Accident analysis framework (Kjellén, 2000)

In Figure 6 a framework for collection and analysis of data on accident risk is presented. The framework is based on aspects from different accident models presented by Kjellén (2000). The framework is built on the energy model (Figure 5), where a victim absorbs the energy flow. An incident is defined as a loss of control of the energies in the system or of body movements. Development of loss occurs when the victim absorbs the energy flow. The incident is preceded by deviations at the workplace (e.g. faulty safety equipment). The basic causes are technical, organisational and social conditions and individual circumstances in the system.

Figure 7 ILCI model (from Kjellén, 2000)

The ILCI model (Figure 7) has had a large influence on SHE practice in many countries, and serves as the basis for categorisation of information on accidents in many accident and near-accident reporting systems in use by many companies (Kjellén, 2000). The much-used reporting system in industry and transportation in Norway, SYNERGI, is among the systems that use the ILCI model.

(Figure 6 elements: INPUT → PROCESS → OUTPUT; BASIC CAUSES → DEVIATIONS → INCIDENT → VICTIM ABSORBS ENERGY → LOSS (people, environment, property, reputation).)

(Figure 7 elements, the ILCI model: LACK OF CONTROL (inadequate program, inadequate program standard, inadequate compliance to standard) → BASIC CAUSES (personal factors, job factors) → IMMEDIATE CAUSES (substandard acts, substandard conditions) → INCIDENT (contact with energy or substance) → LOSS (people, property, environment, progress).)


Another accident model that has had a large influence on current thinking in industrial safety is Reason's (1997) TRIPOD model. The model presents causal sequences based on the same logical principles as the ILCI model. The advantage of the TRIPOD model is its modelling of how "erroneous" decisions at different management levels lead up to the circumstances of which the accident is a result (Kjellén, 2000).

Figure 8 The TRIPOD model (from Kjellén, 2000)

The TRIPOD model distinguishes between two classes of human failure:
- Tokens: specific failures made by operators at the work system level
- Types: classes of organisational and management failures. The failure types are further divided into function failure types (i.e. those made by line management, designers, planners, etc.) and source failure types (i.e. top management decisions at the strategic level)

The arrows in the figure indicate "channels" for feedback of information on accident risks.

It has not been easy to find a model for incidents within information security. Models exist in the consulting business; however, these companies are not willing to let the public take a look at their models. In Figure 9 a model by Howard and Longstaff (1998) for computer and network incidents is presented. The model is a result of a project that developed a common language for computer security incidents, and is supposed to be used for classifying and understanding computer security incidents. The model is used by the CERT Coordination Center (CERT/CC). CERT/CC is a US centre that works on handling computer security incidents and vulnerabilities, publishing security alerts, researching long-term changes in networked systems, and developing information and training to help you improve security at your site. The centre has several similarities with the planned 'Senter for Informasjonssikring (SIS)' in Norway. As far as I know, SIS has planned to use the same model as CERT/CC for their planned incident database.

(Figure 8 elements, the TRIPOD model: SAFETY MANAGEMENT SYSTEM; MANAGEMENT level with source failure types and function failure types; WORKPLACE level with condition tokens (precursors) and unsafe act types; DEFENCES; ACCIDENTS AND INCIDENTS; feedback channels numbered 1 to 5.)


Figure 9 Model for computer and network incidents (Howard and Longstaff, 1998)

The model in Figure 9 has some similarities to, as well as some differences from, the models used in industrial safety presented earlier in the section. The energy model presented in Figure 5 can be recognised: the threat is represented in the block 'Attackers', vulnerability in barriers is found in 'Vulnerability' and the asset for protection is found in 'Target'. From the framework for accident analysis in Figure 6, losses can be recognised in 'Unauthorized result'. The differences between the models in industrial safety and information security are first and foremost that basic causes (organisational and human causes) are not taken into consideration at all in the model for computer and network incidents. Further, the information security model focuses only on deliberate incidents, and to a high degree on external threats. The information security model has a very technological focus. I think the model for computer and network incidents should be criticised for not taking organisational and human causes into consideration. The model should be criticised for not looking at insiders and unintended incidents as well. The model's focus on technology should be commented on as well. These critiques show that information security has a lot to learn from industrial safety regarding modelling of incidents. On the basis of this critique I think it should be asked whether the model planned to be used by SIS is adequate.
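To make the critique above concrete, the following Python example, added here and not part of the paper or of Howard and Longstaff's work, records incidents in the attack-centred chain and in an extended form that carries the basic-cause, intent and origin dimensions of the accident models in Figures 6 and 7 and of section 5.2. The seven chain elements (attackers, tool, vulnerability, action, target, unauthorized result, objectives) and the action/result vocabularies are taken from the published taxonomy as I recall it, not from this page; the extension fields, the function names and the four sample incidents are constructed.

```python
"""Incident records in the Howard and Longstaff chain, extended with the causal
fields the paper finds missing. Constructed example: the chain elements and
vocabularies are assumed from the published taxonomy, not from the paper; the
extension fields and the sample incidents are made up here."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Vocabularies of the published taxonomy (assumption: recalled from Howard and
# Longstaff, 1998; not quoted on this page).
ACTIONS = {"probe", "scan", "flood", "authenticate", "bypass", "spoof",
           "read", "copy", "steal", "modify", "delete"}
RESULTS = {"increased access", "disclosure of information",
           "corruption of information", "denial of service", "theft of resources"}
# Extension vocabulary borrowed from the accident models of Figures 6 and 7.
BASIC_CAUSES = {"technical", "organisational", "human"}


@dataclass(frozen=True)
class Incident:
    # Howard and Longstaff chain:
    # attackers -> tool -> vulnerability -> action -> target -> unauthorized result -> objectives
    attacker: Optional[str]   # None when nobody attacked (an unintended event)
    tool: str
    vulnerability: str
    action: str
    target: str
    result: str
    objective: Optional[str]  # None when there was no purpose behind the event
    # Extension (constructed): basic causes plus the intent/origin dimensions of section 5.2
    intent: str               # "deliberate" | "unintended"
    origin: str               # "external" | "insider"
    basic_causes: Tuple[str, ...]


def fits_howard_longstaff(inc: Incident) -> bool:
    """An incident is expressible in the original chain only if it has an attacker
    with an objective and uses the taxonomy's action/result vocabulary."""
    return (inc.attacker is not None and inc.objective is not None
            and inc.action in ACTIONS and inc.result in RESULTS)


def split_by_model(incidents: List[Incident]) -> Tuple[List[Incident], List[Incident]]:
    """Return (kept, dropped): what an attack-centred incident database keeps and loses."""
    kept = [i for i in incidents if fits_howard_longstaff(i)]
    dropped = [i for i in incidents if not fits_howard_longstaff(i)]
    return kept, dropped


def basic_cause_counts(incidents: List[Incident]) -> Dict[str, int]:
    """ILCI-style categorisation: incidents per basic cause (one incident may have several)."""
    counts: Counter = Counter()
    for inc in incidents:
        for cause in inc.basic_causes:
            if cause not in BASIC_CAUSES:
                raise ValueError(f"unknown basic cause {cause!r}")
            counts[cause] += 1
    return dict(counts)


# Constructed sample incidents (not real events).
SAMPLE: List[Incident] = [
    Incident("outside hacker", "exploit script", "unpatched web server", "copy",
             "customer database", "disclosure of information", "financial gain",
             intent="deliberate", origin="external", basic_causes=("technical", "organisational")),
    Incident("disgruntled employee", "own account", "excessive privileges", "delete",
             "order records", "corruption of information", "revenge",
             intent="deliberate", origin="insider", basic_causes=("organisational", "human")),
    Incident(None, "administration console", "no confirmation prompt", "delete",
             "nightly backups", "corruption of information", None,
             intent="unintended", origin="insider", basic_causes=("human", "organisational")),
    Incident(None, "mains power", "no uninterruptible supply", "power loss",
             "file server", "denial of service", None,
             intent="unintended", origin="external", basic_causes=("technical",)),
]
```

Running split_by_model over the sample, the two unintended incidents (the accidental backup deletion and the power loss) fall out of the attack-centred model because they have no attacker and no objective, while basic_cause_counts gives the ILCI-style breakdown an incident database needs in order to point at organisational and human countermeasures. That is the gap the paper points to: a database built only on the Figure 9 chain never sees these records.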


Checklists
According to Dhillon and Backhouse (2001), ‘one of the most prominent methods for addressing the security of technical systems has been checklists’. These checklists (e.g. the IBM 88-point security assessment questionnaire) are criticised for not taking the social nature of the problem into consideration; the focus is on technical aspects. In the light of the introduction of legislation on information security, IT audit has been created. These audits can be criticised for being normative and for their focus on measuring systems against a standard measure. In contrast to research and many other methods within information security, audits take care of some organisational aspects, although these aspects are limited to a structural and functional perspective and do not, for example, take culture and human behaviour into consideration. Examples of checklists used in industrial safety are SMORT, MORT and ISRS (Kjellén, 2000). Compared to the checklists used in information security, these checklists focus on human and organisational aspects to a much larger extent.

Risk assessments
The methods used for risk analysis in information security are qualitative risk assessments. The structure of an information security risk analysis is broadly built in the same manner as a coarse analysis. Information security risk analyses have been criticised for their focus on technological aspects, hardly looking at organisational and human contributions to risk. However, there has been a trend towards taking these aspects into consideration in recent years (Dhillon and Backhouse, 2001). Another weakness of these methods is their focus on intended incidents by humans to a much larger degree than unintended incidents. However, this is primarily about the focus, not the methods: the methods are absolutely useful for unintended incidents by humans as well. Qualitative assessments are also found in industrial safety. For example, the Job Safety Analysis is built on this approach. It should be mentioned that the EC Machinery directives require risk assessments to document that machinery meets the requirements in the directives. These risk assessments are of two types: a coarse analysis and a detailed assessment of the machinery as needed (Kjellén, 2000). Both of these assessments are qualitative methods. While the qualitative methods used in information security are broadly speaking carried out by IT experts, the qualitative methods within industrial safety are carried out by a group that represents a sample of the organisation, assisted by a leader who knows the risk analysis method well. In contrast to risk analysis in information security, the qualitative assessments within industrial safety take human and organisational aspects into consideration. Another difference from information security is that the methods tend to focus on unintended incidents rather than intended ones. Qualitative assessments in industrial safety take organisational, human and technical aspects into consideration.
There are quantitative assessments in industrial safety as well. Characteristic of the quantitative methods is the belief that risk can be represented by a number. In order to calculate this number, one has to model the problem and “calculate” the risk.


Modelling the problem is done by e.g. barrier diagrams and fault trees. The modelling leads to the calculation of risk, and the calculation needs input data. The input data are typically based on known accident and near-accident statistics for the object under analysis or for similar (or even dissimilar) objects, and/or on expert judgements. From my point of view it seems that an overwhelming part of the input data is based on expert judgements. The use of quantitative assessments and expert judgements demonstrates the belief in representing objective risk. This view on risk illustrates a realist or positivistic epistemological position in risk research. In a realist position, Lupton (19xx) says, risk is an objective hazard, threat or danger that exists and can be measured independently of the social and cultural framework of interpretation. Shrader-Frechette (1991), on her side, calls this perspective on risk naive positivism, which avoids value judgements in evaluating risk and presupposes that all risk can be measured objectively.
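As an added illustration of the point above (not part of the term paper), the following minimal fault-tree evaluator shows how the single risk number of a quantitative assessment depends on the basic-event probabilities fed into it. The tree, the event names and the probability ranges are constructed for this example; basic events are assumed independent, and expert-judged inputs are given as (low, high) intervals so the top-event probability can be reported as an interval instead of one figure.

```python
"""Fault-tree evaluation with expert-judgement input intervals (added example)."""
from dataclasses import dataclass
from typing import Tuple, Union


@dataclass(frozen=True)
class Basic:
    """A basic event with a probability interval [low, high].

    A statistically well-known event has low == high; an expert-judged
    event carries the spread of the judgement.
    """
    name: str
    low: float
    high: float


@dataclass(frozen=True)
class Gate:
    """AND / OR gate over sub-trees (basic events or other gates)."""
    kind: str
    inputs: Tuple["Node", ...]


Node = Union[Basic, Gate]


def prob(node: Node, bound: str) -> float:
    """Probability of `node` using every basic event's low or high value.

    With only AND/OR gates the top-event probability is monotone in each
    input, so all-low gives the lower bound and all-high the upper bound.
    Independence of basic events is assumed.
    """
    if isinstance(node, Basic):
        return node.low if bound == "low" else node.high
    ps = [prob(n, bound) for n in node.inputs]
    if node.kind == "AND":          # all inputs must occur
        result = 1.0
        for p in ps:
            result *= p
        return result
    if node.kind == "OR":           # at least one input occurs
        none_occur = 1.0
        for p in ps:
            none_occur *= 1.0 - p
        return 1.0 - none_occur
    raise ValueError(f"unknown gate kind: {node.kind}")


def top_event_interval(tree: Node) -> Tuple[float, float]:
    """Return (lower, upper) bound on the top-event probability."""
    return prob(tree, "low"), prob(tree, "high")


# Constructed sample tree (hypothetical plant): a release occurs if the
# relief valve fails AND the operator misses the alarm, OR a pipe ruptures.
RELEASE_TREE = Gate("OR", (
    Gate("AND", (
        Basic("relief valve fails (from statistics)", 0.01, 0.01),
        Basic("operator misses alarm (expert judgement)", 0.05, 0.30),
    )),
    Basic("pipe rupture (expert judgement)", 0.001, 0.002),
))

if __name__ == "__main__":
    low, high = top_event_interval(RELEASE_TREE)
    print(f"P(release) lies in [{low:.6f}, {high:.6f}] (ratio {high / low:.1f}x)")
```

The spread of the expert-judged inputs alone moves the "calculated" top-event probability by more than a factor of three, which a single point value would hide.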

Some critiques of risk assessments
Both in industrial safety and in information security assessments, experts have a central part. Shrader-Frechette (1991) and Perrow (1999) both criticise the use of experts in risk assessments. Both point out that there is a need to include lay people as well. Such an approach will bridge the gap between lay people’s risk perception and the experts’ perception. This interaction is denominated scientific proceduralism by Shrader-Frechette; it combines scientific prediction and explanation with discussion with the people exposed to the threat. Thus there is a need to create debate and dialogue about risk between experts and those involved in and interested in the hazard. Perrow (1999) criticises even more aspects of risk assessments. For example, he points out that the focus is mainly upon dollars and bodies, ignoring cultural and social criteria. Perrow also points out that mathematical models predominate in risk assessments, which will increase the gap between experts and lay people. Further, he discusses the problems that risk-benefit analyses and cost-benefit analyses represent for risk assessments (e.g. how much is a human life worth?). Ulrich Beck (1997) describes how demands for objective assessments undermine themselves, because they are built on a “house of cards” of speculative assumptions and because one must have taken a point of view on values. Furthermore, the uncertainty about threats and consequences in information security (see section 5.4) creates challenges for risk assessments. Thus it must be assumed that the results of risk assessments are rough estimates. As these critiques illustrate, there are criticisms of risk assessments no matter how they are performed. Quoting Perrow (1999): “…risk assessment is not as risky as the systems being assessed, but it has its unfortunate consequences for our society nevertheless”.


Summary of comparison

Similarities
The basic roots of industrial safety and information security are the same: both protect assets from hazards/threats, creating safe/secure conditions. Furthermore, the methods used are similar on the surface, although their content is somewhat different. Both information security and industrial safety are mainly associated with complex, interactive and tightly coupled systems.

Differences

Risk
While industrial safety protects human lives and health, the environment and material/production in connection with an industrial plant, information security preserves information’s confidentiality, integrity and availability. Information security is mainly concerned with deliberate incidents, and to a large extent with external threats. On the other hand, industrial safety is mainly protecting against unintended incidents. Based on Klinke and Renn’s risk classification factors, the most important differences in risk are:
- The uncertainty regarding threats and consequences is much higher in information security than for industrial safety.
- The damages within information security are more complex, geographically spread and unforeseen than for industrial safety.
- The reversibility is much lower in industrial safety, as it is more difficult to get back human lives and undo injuries than to restore and rebuild information.
- Dangers in industrial safety are more observable and proximate than dangers in information security.
- Knowledge of and proximity to hazards and consequences in industrial safety may lead to more attention and concern about industrial safety protection amongst lay people.

Uncertainty
The threats and consequences in information security incidents are associated with a higher degree of uncertainty than threats and consequences in industrial safety. Factors contributing to this uncertainty are the complexity of information technology systems, changes of technology, non-proximate threats, external threats, the difficulty of predicting deliberate threats, the broad range of threats, the need for knowledge to understand information technology, and unforeseen and unwanted interactions.

Research
There is a much higher focus on human and organisational aspects in industrial safety research. Industrial safety research is a more transdisciplinary field than information security research, with its narrow view of security as a technical problem.

Methods
The methods in information security and industrial safety are to a large extent the same on the surface, e.g. risk assessments, checklists, models, etc. However, the content of the methods is somewhat different.


First and foremost, methods used in information security do not take human and organisational aspects into consideration to a large extent; they tend to focus mainly on technological aspects. Methods in information security also tend to focus on deliberate incidents and ignore unintended incidents. The deliberate incidents considered are mainly external threats, which implies that the insider threat is not taken into consideration to a large extent. In contrast, methods in industrial safety focus on technical, human and organisational contributions, alone or in any combination. Methods in information security and industrial safety can both be criticised for their belief in objective risk, their reliance on expert contributions and their general use of risk assessments.

Conclusion
The comparison between industrial safety and information security has given two main results: the gap between industrial safety and information security regarding the focus on human and organisational aspects, and the high degree of uncertainty related to threats and consequences in information security. Several differences between industrial safety and information security have been illustrated. Most of these differences seem to be “negative differences” for information security, in the sense that industrial safety provides far better protection than information security. The potential for learning, and thus closing the gap, is high. Information security should especially learn from industrial safety regarding its view of human and organisational contributions integrated with technical aspects. Another learning potential is the focus on unintended incidents in industrial safety. While industrial safety is in the third age of safety (Hale and Hovden, 1998), information security is broadly speaking at the same level as the first age of safety. In the first age of safety, safety was characterised as a technical problem, and organisational or human aspects were not normally looked at.
As is shown throughout this term paper, information security today has many similarities with this first age of safety. Hopefully information security will move away from this age soon. One way of assuring this movement from the first age is to aim at a transdisciplinary approach in information security instead of today’s one-dimensional technical view. This approach is one of the factors contributing to Klinke and Renn’s (2001) precautionary management strategy, on which information security management should be based due to its high degree of uncertainty. As Klinke and Renn put it: "Technical expertise is a necessary but not sufficient condition in the context of precautionary approaches”. Precautionary information security management will help organisations deal with uncertain threats and consequences in a better way. The gap between industrial safety and information security regarding their focus on human and organisational aspects could be closed to some degree by information security learning from industrial safety. Methods in industrial safety, which focus on technical, human and organisational aspects, could very well be used in information security, though the methods should be carefully assessed and customised before being put into use.


References
Beck, U., Risiko og frihet. Translated by Eriksen, A. Fagbokforlaget, 1997. ISBN 82-7674-251-3
Cresson Wood, C. and Banks, W.W., Human error: an overlooked but significant security problem, Computers & Security, 1993, vol. 12
Dhillon, G. and Backhouse, J., Current directions in IS security research: towards socio-organisational perspectives, Information Systems Journal, April 2001, vol. 11, issue 2
Haddon, W. Jr., The basic strategies for reducing damage from hazards of all kinds, Hazard Prevention, September/October 1980
Hale, A. and Hovden, J., Management and culture: the third age of safety, in A.M. Feyer and A. Williamson (eds.), Occupational Injury: Risk, Prevention and Intervention, Taylor & Francis, London, 1998, pp. 129-166
Howard, J.D. and Longstaff, T.A., A Common Language for Computer Security Incidents, Sandia Report SAND98-8667, Sandia National Laboratories, Livermore, CA, USA, printed October 1998
Hovden, J., Sikkerhetsforskning. En utredning for NFR. Institutt for industriell økonomi og teknologiledelse, NTNU, Trondheim, 1998
ISO standard 17799, Code of Practice of Information Security Management
Kjellén, U., Kompendium i fag SIS [course number garbled] HMS: sikkerhetsstyring. Institutt for industriell økonomi og teknologiledelse, NTNU, 2000
Klinke, A. and Renn, O., Precautionary principle and discursive strategies: classifying and managing risks, Journal of Risk Research, 2001, vol. 4, no. 2
Lupton, D., Risk, Routledge, London, 1999. ISBN 0-415-18333-2
Magklaras, G.B. and Furnell, S.M., Insider threat prediction tool: evaluating the probability of IT misuse, Computers and Security, 2002, vol. 21, no. 1, pp. 62-73
NOU, Et sårbart samfunn. Utfordringer for sikkerhets- og beredskapsarbeidet i samfunnet. Norges offentlige utredninger, NOU 2000:24, Statens forvaltningstjeneste, Oslo, 2000
Pearsall, J. and Hanks, P. (eds.), The New Oxford Dictionary of English, Oxford University Press, Oxford, 2001. ISBN 0-19-860441-6
Perrow, C., Normal Accidents: Living with High-Risk Technologies, Princeton University Press, 1999. ISBN 0-691-00412-9
Rasmussen, J., Risk management in a dynamic society: a modelling problem, Safety Science, 1997, vol. 27, no. 2/3
Renn, O., Risk Classification and Risk Management Strategies, handout from seminar at Gardermoen, Oslo, November 2002
Reason, J., Managing the Risks of Organizational Accidents, Ashgate Publishing Limited, 1997, reprinted 1999
Shrader-Frechette, K.S., Risk and Rationality: Philosophical Foundations for Populist Reforms, University of California Press, 1991. ISBN 0-520-07289-8
Skavland Idsø, E. and Mejdell Jakobsen, Ø., Objekt- og informasjonssikkerhet. Metode for risiko- og sårbarhetsanalyse. Institutt for produksjons- og kvalitetsteknikk, NTNU, 2000