The Internet is an unsafe medium and, in fact, a dangerous place. In the euphoria about all the possibilities of global data exchange, the potential for abuse that they imply was recognized but for a long time not really considered relevant. Systems have been built on the assumption that nothing would ever happen or that any abuse would not be severe. That has proven to be a misjudgment, as we all know by now. Those who still believe that nothing will ever happen will have to learn the hard way – painfully.

Lost virtue

The Internet has lost its innocence, and a general mistrust is more than advisable. Certain media, such as email, are hit particularly hard. In fact, email is already so compromised that many institutions, such as banks, explicitly state that they do not send digital messages to their customers. Banks thereby spare their customers the uncertainty of having to judge whether an email they received really comes from the bank or is a scam. Such a decision to forgo email communication is tantamount to surrender. However, the problem of reliability and safety is not easy to solve.

The Internet has become too complex, and too many applications and systems are closely intertwined. The principle that uncertainty and the probability of error grow with increasing complexity applies to the Internet in particular. Errors may even have global implications, as the exploitation of vulnerabilities in client software has already demonstrated many times, with devastating consequences.

Secure and trustworthy by default

Guidelines for data protection can provide a useful basis for the security concepts of networks and applications and can be summarized as follows:

  1. Awareness: Participants should be aware of the need for security of information systems and networks and what they can do to enhance security.
  2. Responsibility: All participants are responsible for the security of information systems and networks.
  3. Response: Participants should act in a timely and co-operative manner to prevent, detect and respond to security incidents.
  4. Ethics: Participants should respect the legitimate interests of others.
  5. Democracy: The security of information systems and networks should be compatible with essential values of a democratic society.
  6. Risk assessment: Participants should conduct risk assessments.
  7. Security design and implementation: Participants should incorporate security as an essential element of information systems and networks.
  8. Security management: Participants should adopt a comprehensive approach to security management.
  9. Reassessment: Participants should review and reassess the security of information systems and networks, and make appropriate modifications to security policies, practices, measures and procedures.

IT Security Management

IT security is not just a matter of discovering vulnerabilities or defending against attacks. The protection of information systems usually requires a combination of measures, such as the simultaneous use of several protection mechanisms and a constant adaptation of those measures to changing circumstances. IT security is therefore not a static state but a process that strategically defines the security objectives of an enterprise and the relevant general framework, such as building a security infrastructure and risk management.

Based on a proper threat and vulnerability analysis, it is therefore essential to evaluate the available security measures for their contribution to the objectives, to then decide on their implementation, to carry it out at the operational level and to monitor its impact. This procedure corresponds to the usual quality-management approach PDCA (Plan-Do-Check-Act) and is used, for example, in the widely adopted standard ISO/IEC 27001 for information security management systems.

Besides, the economic evaluation of security measures is a key challenge. While the costs are usually easy to determine, the "value" is in general difficult to quantify. In practice, the profitability of investments in IT security is calculated with simple key figures, such as Return on Security Investment (ROSI), but these are of limited value only. Other approaches exist as well, but at a higher cost for data collection and calculation.
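To make the limited value of such a key figure concrete, the following added example (not code from the original article or its author) computes ROSI in the commonly used form ROSI = (ALE × mitigation ratio − annual cost of the measure) / annual cost, where the annual loss expectancy ALE is the single loss expectancy times the annualized rate of occurrence. The scenario, the loss figures and the mitigation ratio are constructed sample values, not data from the page; the `rosi_range` and `breakeven_aro` helpers are assumptions added here to show how strongly the result depends on the estimated incident rate.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Scenario:
    """A loss scenario as used in a simple quantitative risk assessment."""
    name: str
    sle: float  # single loss expectancy: estimated cost of one incident
    aro: float  # annualized rate of occurrence: expected incidents per year


def ale(scenario: Scenario) -> float:
    """Annual loss expectancy = SLE * ARO."""
    return scenario.sle * scenario.aro


def rosi(scenario: Scenario, mitigation_ratio: float, annual_cost: float) -> float:
    """ROSI = (ALE * mitigation_ratio - annual_cost) / annual_cost.

    mitigation_ratio is the fraction of the expected loss the measure is
    assumed to prevent; a result > 0 means the measure 'pays for itself'.
    """
    if annual_cost <= 0:
        raise ValueError("annual_cost must be positive")
    if not 0.0 <= mitigation_ratio <= 1.0:
        raise ValueError("mitigation_ratio must be between 0 and 1")
    avoided_loss = ale(scenario) * mitigation_ratio
    return (avoided_loss - annual_cost) / annual_cost


def rosi_range(scenario: Scenario, mitigation_ratio: float, annual_cost: float,
               aro_uncertainty: float) -> tuple[float, float]:
    """ROSI at the low and high end when the ARO is only known within +/- a factor.

    Shows the main weakness of the figure: the inputs are estimates, and a
    plausible error in the ARO alone can flip the sign of the result.
    """
    if not 0.0 <= aro_uncertainty < 1.0:
        raise ValueError("aro_uncertainty must be in [0, 1)")
    low = replace(scenario, aro=scenario.aro * (1.0 - aro_uncertainty))
    high = replace(scenario, aro=scenario.aro * (1.0 + aro_uncertainty))
    return rosi(low, mitigation_ratio, annual_cost), rosi(high, mitigation_ratio, annual_cost)


def breakeven_aro(scenario: Scenario, mitigation_ratio: float, annual_cost: float) -> float:
    """The ARO at which ROSI is exactly zero, i.e. the incident rate the
    measure needs to be justified at all: annual_cost / (SLE * mitigation_ratio)."""
    if mitigation_ratio <= 0:
        raise ValueError("mitigation_ratio must be positive for a break-even point")
    return annual_cost / (scenario.sle * mitigation_ratio)


# Constructed sample input (hypothetical numbers): credential theft via phishing
# costs about 50,000 per incident and is estimated to happen 0.4 times a year.
PHISHING = Scenario(name="credential theft via phishing", sle=50_000.0, aro=0.4)
MITIGATION_RATIO = 0.6     # assumed share of losses avoided by mail filtering + training
ANNUAL_COST = 10_000.0     # assumed yearly cost of the measure


if __name__ == "__main__":
    print(f"ALE:            {ale(PHISHING):>10.0f}")
    print(f"ROSI:           {rosi(PHISHING, MITIGATION_RATIO, ANNUAL_COST):>10.2f}")
    lo, hi = rosi_range(PHISHING, MITIGATION_RATIO, ANNUAL_COST, aro_uncertainty=0.5)
    print(f"ROSI (ARO +/-50%): {lo:>7.2f} .. {hi:.2f}")
    print(f"break-even ARO: {breakeven_aro(PHISHING, MITIGATION_RATIO, ANNUAL_COST):>10.3f}")
```

With these inputs the measure looks worthwhile (ROSI of 0.2), but if the estimated incident rate is off by half in either direction the figure ranges from -0.4 to 0.8, and the measure only breaks even above roughly one incident every three years. The decision therefore rests entirely on the quality of the ARO and SLE estimates, which is exactly why such simple figures should inform, not replace, the threat and vulnerability analysis.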

Information systems are currently developing towards service-oriented architectures, increased networking across enterprise-wide business processes, and the decentralization and virtualization of IT infrastructure. All of this will confront the management of IT security with new challenges. On the one hand, new security concepts are needed that provide not only access control but also usage control of information systems, to meet increasing demands such as "compliance" requirements. On the other hand, new methods for the evaluation of IT security measures are required that can take into account the increasingly complex and dynamically changing relationships between threats and their impact on a company's results. Thus, IT security is and will remain a key factor for the future of the information society and should gain more importance, both in theory and in practice.

By Daniela La Marca