Actual and Perceived Information Systems Security

As the Internet becomes the major information infrastructure in most sectors, the importance of Information Systems (IS) security steadily increases. While reaching a certain level of actual IS security is vital for most businesses, this level must also be perceived as acceptable by stakeholders. Businesses have to maintain a certain level of security and be able to assess the level of other actors’ security. IS security is abstract and complex, however, and difficult to estimate and measure. This thesis uses epistemic and ontological frameworks to study the conceptual nature of IS security and separate the concepts of actual and perceived IS security. A well-known event is used to illustrate the conceptual discussion: the Sasser worm that was spread around the world in 2004. This study also includes a smaller case study from the City of Stockholm, where about 4,000 computers were infected by Sasser…

Contents

PART I: RESEARCH SCOPE AND APPROACH
1. INTRODUCTION
1.1 Security in the Information Age
1.1.1 Information Systems Security at a Glance
1.2 The Business Significance of IS Security
1.2.1 Example: The Companies Alpha and Beta
1.3 The Abstractness of IS Security
1.4 Problem Area
1.5 Research Questions
1.6 Aim and Contributions
1.6.1 Target Groups
1.6.2 Delimitations
1.7 Outline of the Thesis
1.7.1 Part I: Research Scope and Approach
1.7.2 Part II: Theoretical and Empirical Bases
1.7.3 Part III: Analysis
1.7.4 Part IV: Conclusion
2. RESEARCH APPROACH
2.1 Scientific and Practical Perspective
2.1.1 Qualitative and Interpretive Research
2.1.2 View of Empirical Sources
2.1.3 Personal Background
2.2 Research Strategy
2.3 Applied Research Methods
2.3.1 Literature Studies
2.3.2 Empirical Studies
2.3.3 The City of Stockholm and the Sasser Worm
2.3.4 Conceptual Modelling
2.4 On the Quality of the Study
2.4.1 The Relevance of the Study
2.4.2 The Rigour of the Study
PART II: THEORETICAL AND EMPIRICAL BASES
3. THE MEANING OF ACTUAL AND PERCEIVED
3.1 A Philosophical Presupposition
3.2 External Realism
3.2.1 Relations between ER and Representations of ER
3.2.2 Epistemology versus Ontology
3.2.3 Conceptual Relativity
3.3 Socio-Instrumental Pragmatism
3.3.1 Humans, Human Inner World and Human Actions
3.3.2 Symbolic Objects, Artefacts and Natural Environment
3.4 The Actual and the Perceived
3.4.1 The Ontological Level: The Material World
3.4.2 The Ontological Level: The Immaterial World
3.4.3 The Epistemic Level: Institutional Facts
3.4.4 The Epistemic Level: Inter-subjective Judgements
3.4.5 The Epistemic Level: Subjective Judgements
3.5 An Analysis Model for Actual and Perceived IS Security
3.5.1 Applications of the Analysis Model
4. AN INFORMATION SYSTEMS SECURITY PERSPECTIVE
4.1 Information Systems Research
4.1.1 The Scandinavian School
4.2 Information Systems Security Research
4.2.1 The Need of Contextual IS Security Research
4.2.2 The Contribution of The Scandinavian School
4.3 The Information Systems Security Concept
4.3.1 Computer Security and IT Security
4.3.2 Information Security and Information Systems Security
4.4 IS Security Community and Practice
4.4.1 IS Security Community
4.4.2 The Theory of Practice
4.4.3 Overview of the IS Security Practice Model
4.4.4 Prerequisites for the IS Security Practice
4.4.5 Activities in IS Security Practice
4.4.6 Results and Consequences
4.4.7 The IS Security Practice and External Relationships
5. FUNDAMENTAL IS SECURITY CONCEPTS
5.1 Information Assets
5.1.1 Information
5.1.2 Information Management Resources
5.2 Information Systems Security – the CIA Triad
5.3 Threats and Threat Objects
5.4 Incidents and Damage
5.5 Security Mechanisms
5.5.1 Vulnerability
5.6 Relations between the Concepts
5.6.1 Graphical Conceptualisation
5.6.2 Concepts Matrix
5.7 Risk
5.7.1 The Risk Concept in the IS Security Area
5.7.2 The Paradigm of Objectivism
5.7.3 The Paradigm of Constructivism
5.8 Trust
5.8.1 Social Trust
5.8.2 Technology Trust
5.8.3 IS Security Trust
6. THE SASSER WORM
6.1 Functionality
6.2 Origin and Impact
6.3 Sasser and the City of Stockholm
6.3.1 Underlying Causes
6.3.2 Measures and Lessons Learned
PART III: ANALYSIS
7. ANALYSIS OF FUNDAMENTAL IS SECURITY CONCEPTS
7.1 Actual and Perceived Information Assets
7.1.1 The Ontological Status of Information Assets
7.1.2 Values of Information Assets
7.1.3 Known, Unknown and Delusional Information Assets
7.1.4 Information Assets and the Sasser Worm
7.2 Actual and Perceived CIA Triad
7.2.1 The Ontological Status of the CIA triad
7.2.2 The CIA Triad and Values
7.2.3 Actual and Perceived CIA Triad
7.2.4 The CIA Triad and Time
7.2.5 The CIA Triad and the Sasser Worm
7.3 Actual and Perceived Incidents
7.3.1 The Ontological Status of Incidents
7.3.2 The Dimension of Undesirability
7.3.3 Known, Unknown and Delusional Incidents
7.3.4 Incidents and the Dimension of Time
7.3.5 Incidents and the Sasser Worm
7.4 Actual and Perceived Damage
7.4.1 The Ontological Status of Damage
7.4.2 Values of Damage
7.4.3 Damage and the Dimension of Time
7.4.4 Incidents and Damage
7.4.5 Damage and the Sasser Worm
7.5 Actual and Perceived Threat Objects
7.5.1 The Ontological Status of Threat Objects
7.5.2 The Threatening Dimension
7.5.3 Known, Unknown and Delusional Threat Objects
7.5.4 Threat Objects and the Sasser Worm
7.6 Actual and Perceived Threats
7.6.1 Threat Objects and Incidents
7.6.2 The Ontological Status of Threat
7.6.3 Threats and the Sasser Worm
7.7 Actual and Perceived Security Mechanisms
7.7.1 The Ontological Status of Security Mechanisms
7.7.2 Known, Unknown and Delusional Security Mechanisms
7.7.3 The Functionality of Security Mechanisms and Time
7.7.4 Vulnerability
7.7.5 Security Measures
7.7.6 Security Mechanisms and the Sasser Worm
7.8 Summary of Chapter 7
8. ACTUAL IS SECURITY
8.1 Constitutions of Actual IS Security
8.1.1 Actual IS Security Concepts
8.1.2 What is Actual IS Security?
8.1.3 Influences of Actual IS Security
8.2 Actual Constitutions of Risk
8.2.1 The Likelihood Factor
8.2.2 The Potential Damage Factor
8.2.3 Summary of Actual Constitutions of Risk
8.3 Actual Influences on IS Security
8.3.1 Information Assets’ Actual Influence
8.3.2 Threat Objects’ Actual Influence
8.3.3 Security Mechanisms’ Actual Influence
8.3.4 Influences on Actual IS Security – a Composed Picture
8.3.5 Actual Influences by the IS Security Practice
8.4 Actual IS Security and the Sasser Worm
9. PERCEIVED IS SECURITY
9.1 Constitutions of Perceived IS security
9.1.1 Actual Matters to be Perceived
9.1.2 Types of Perceptions
9.1.3 Perceptions of Present IS Security
9.1.4 Perceptions of Historical IS Security
9.1.5 Perceptions of Future IS Security
9.2 Perceptions of Risks and Threats
9.2.1 Perceived Threats
9.3 Perceptions and Roles
9.3.1 Roles related to the Core Business
9.3.2 Roles related to the IS Security Practice
9.4 Origins and Establishments of Perceptions
9.4.1 Access to IS Security Conditions
9.4.2 Spreading and Establishments of Perceptions
9.5 Perceived IS Security and Trust
9.6 Perceived IS Security and the Sasser Worm
10. RELATIONS BETWEEN ACTUAL AND PERCEIVED IS SECURITY
10.1 Actual IS Security’s Influence on Perceived IS Security
10.1.1 Assessments of IS security
10.1.2 Correspondence and Measurability
10.2 Perceived IS Security’s Influence on Actual IS Security
10.2.1 Actors’ Perceptions that Lead to Intervention
10.2.2 External Perceptions that Lead to Intervention
10.2.3 Perceptions as Part of Actual IS Security
10.3 Actual and Perceived IS Security over Time
10.3.1 Stability between Actual and Perceived IS security
10.3.2 Changes to Actual IS Security
10.3.3 Changes to Perceived IS security
10.3.4 Temporal Instability between Actual and Perceived IS Security
10.4 Relations between Actual and Perceived IS Security and the Sasser Worm
PART IV: CONCLUSION
11. CONTRIBUTIONS, REFLECTIONS AND FURTHER RESEARCH
11.1 Primary Contributions
11.1.1 Actual IS Security
11.1.2 Perceived IS Security
11.1.3 Relations between Actual and Perceived IS Security
11.1.4 IS Security Concepts
11.1.5 The Analysis Model for Actual and Perceived IS Security
11.2 Secondary Contributions
11.2.1 The IS Security Perspective
11.2.2 The Sasser Worm
11.2.3 General Security and Risk Contributions
11.3 Retrospective and Prospective Discussions
11.3.1 Reflections on the Research
11.3.2 Further Research
REFERENCES
APPENDIX A: INTERVIEW GUIDES
1. Conceptual Issues
2. Organisational Issues
3. The Sasser Worm

Author: Oscarson, Per

Source: Linköping University
