How to Submit Proof Corrections Using Adobe Reader

Using Adobe Reader is the easiest way to submit your proposed amendments for your IGI Global proof. If you don’t have Adobe Reader, you can download it for free at http://get.adobe.com/reader/. The comment functionality makes it simple for you, the contributor, to mark up the PDF. It also makes it simple for the IGI Global staff to understand exactly what you are requesting, to ensure the most flawless end result possible. Please note, however, that at this point in the process the only things you should be checking for are: Spelling of Names and Affiliations, Accuracy of Chapter Titles and Subtitles, Figure/Table Accuracy, Minor Spelling Errors/Typos, and Equation Display. As chapters should have been professionally copy edited and submitted in their final form, please remember that no major changes to the text can be made at this stage. Here is a quick step-by-step guide on using the comment functionality in Adobe Reader to submit your changes.

1. Select the Comment bar at the top of the page to View or Add Comments. This will open the Annotations toolbar.

2. To note text that needs to be altered, like a subtitle or your affiliation, you may use the Highlight Text tool. Once the text is highlighted, right-click on the highlighted text and add your comment. Please be specific, and include what the text currently says and what you would like it to be changed to.

3. If you would like text inserted, like a missing comma or punctuation mark, please use the Insert Text at Cursor tool. Please make sure to include exactly what you want inserted in the comment box.

4. If you would like text removed, such as an erroneous duplicate word or punctuation mark, please use the Add Note to Replace Text tool and state specifically what you would like removed.

JCIT Editorial Board

Editor-in-Chief:
Mehdi Khosrow-Pour, Information Resources Management Association, USA

Associate Editors:
Norm Archer, McMaster U., Canada
Andrew Borchers, Kettering U., USA
George Ditsa, Tshwane U. of Technology, South Africa
Barbara Klein, U. of Michigan, USA
William Kuechler, U. of Nevada, USA
Lynda Louis, Dillard U., USA
Annette Mills, U. of Canterbury, New Zealand
Sorel Reisman, California State U. - Fullerton, USA
Juergen Seitz, Baden-Wuerttemberg Cooperative State U., Germany
Troy Strader, Drake U., USA
Vishanth Weerakkody, Brunel U., UK

International Editorial Review Board:
Gilbert Ahamer, Austrian Academy of Sciences, Austria
Nabeel Al-Qirim, UAE U., UAE
Shirley Ann Becker, Florida Institute of Technology, USA
Erik Beulen, Tilburg U., The Netherlands
Albert Boonstra, U. of Groningen, The Netherlands
Rochelle Brooks, Viterbo U., USA
Bongsug Chae, Kansas State U., USA
Abhijit Chaudhury, Bryant U., USA
Jen-Yao Chung, IBM T. J. Watson Research, USA
Jakov Crnkovic, U. at Albany, USA
Sagarmay Deb, U. of Ballarat, Australia
Waleed Farag, Indiana U. of Pennsylvania, USA
Liliana Favre, U. Nacional del Centro de la Pcia. De Buenos Aires, Argentina
Schubert Foo, Nanyang Technological U., Singapore
Tom Gross, U. of Bamberg, Germany
Steven Sheng-Uei Guan, Xi’an Jiaotong-Liverpool U., China
Jakob Iversen, U. of Wisconsin, USA
Abdul Samad Kazi, Technical Research Centre of Finland, Finland
Vincent Lai, The Chinese U. of Hong Kong, China
Rob Law, The Hong Kong Polytechnic U., Hong Kong
Yair Levy, Nova Southeastern U., USA
Nina McGarry, Marymount U., USA
Gregoris Mentzas, National Technical U. of Athens, Greece
Yousif Mustafa, Bay State College, USA
Jacob Nørbjerg, Copenhagen Business School, Denmark
Alan Peslak, Penn State U., USA
Pauline Ratnasingam, Central Missouri State U., USA
James Rodger, Indiana U. of Pennsylvania, USA
Anabela Mesquita Sarmento, ISCAP/IPP, Portugal
Nelly Todorova, U. of Canterbury, New Zealand
Chih-Hsiung Tu, Northern Arizona U., USA
Shouhong Wang, U. of Massachusetts, USA
Vincent Yen, Wright State U., USA

IGI Editorial:
Jamie M. Bufton, Managing Editor
Adam Bond, Editorial Assistant
Jeff Snyder, Assistant Copy Editor
Jennifer Yoder, Production Manager
Allyson Stengel, Editorial Assistant
Christina Barkanic, Production Assistant

Journal of Cases on Information Technology

July-September 2013, Vol. 15, No. 3

Table of Contents

Research Articles

1 Today’s Action is Better than Tomorrow’s Cure - Evaluating Information Security at a Premier Indian Business School
Saini Das, Indian Institute of Management, Indore, Madhya Pradesh, India
Arunabha Mukhopadhyay, Indian Institute of Management, Lucknow, Uttar Pradesh, India
Bharat Bhasker, Indian Institute of Management, Lucknow, Uttar Pradesh, India

23 Innovation Intermediation and Emerging Medical Devices - The Lead-User Method in Practice
Brian O’Flaherty, Department of Business Information Systems, University College Cork, Cork, Ireland
John O’Donoghue, Department of Business Information Systems, University College Cork, Cork, Ireland
Joe Bogue, Department of Food Business & Development, University College Cork, Cork, Ireland

37 Future Sustainability of the Florida Health Information Exchange
Alice M. Noblin, Department of Health Management & Informatics, University of Central Florida, Orlando, FL, USA
Kendall Cortelyou-Ward, Department of Health Management & Informatics, University of Central Florida, Orlando, FL, USA

46 Effect of Self-Directed Learning Readiness by Learner’s Interaction on Social Network Games
Hyungsung Park, Korea National University of Education, Suwon-si, South Korea

Book Review

60 Cases on Consumer-Centric Marketing Management
Chia-Wen Tsai, Department of Information Management, Ming Chuan University, Taipei, Taiwan
Pei-Di Shen, Teacher Education Center, Ming Chuan University, Taipei, Taiwan
Yi-Chun Chiang, Teacher Education Center, Ming Chuan University, Taipei, Taiwan

Copyright

The Journal of Cases on Information Technology (JCIT) (ISSN 1548-7717; eISSN 1548-7725), Copyright © 2013 IGI Global. All rights, including translation into other languages, reserved by the publisher. No part of this journal may be reproduced or used in any form or by any means without written permission from the publisher, except for noncommercial, educational use including classroom teaching purposes. Product or company names used in this journal are for identification purposes only. Inclusion of the names of the products or companies does not indicate a claim of ownership by IGI Global of the trademark or registered trademark. The views expressed in this journal are those of the authors but not necessarily of IGI Global.

The Journal of Cases on Information Technology is currently listed or indexed in: ABI/Inform; ACM Digital Library; Aluminium Industry Abstracts; Australian Business Deans Council (ABDC); Cabell’s Directories; Ceramic Abstracts; Compendex (Elsevier Engineering Index); Computer & Information Systems Abstracts; Corrosion Abstracts; CSA Civil Engineering Abstracts; CSA Illumina; CSA Mechanical & Transportation Engineering Abstracts; DBLP; DEST Register of Refereed Journals; Electronics & Communications Abstracts; Engineered Materials Abstracts; Gale Directory of Publications & Broadcast Media; GetCited; Google Scholar; Information Science Abstracts; INSPEC; JournalTOCs; KnowledgeBoard; Library & Information Science Abstracts (LISA); Materials Business File - Steels Alerts; MediaFinder; Norwegian Social Science Data Services (NSD); PubList.com; SCOPUS; Solid State & Superconductivity Abstracts; The Index of Information Systems Journals; The Informed Librarian Online; The Standard Periodical Directory; Ulrich’s Periodicals Directory

Journal of Cases on Information Technology, 15(3), 1-22, 2013

Today’s Action is Better than Tomorrow’s Cure - Evaluating Information Security at a Premier Indian Business School

Saini Das, Indian Institute of Management, Indore, Madhya Pradesh, India
Arunabha Mukhopadhyay, Indian Institute of Management, Lucknow, Uttar Pradesh, India
Bharat Bhasker, Indian Institute of Management, Lucknow, Uttar Pradesh, India

EXECUTIVE SUMMARY

Information security breaches today affect a large number of organizations globally, including universities. They pose an immense threat to the C-I-A (confidentiality, integrity and availability) of information. Hence, it is important to have a proper Information Security Management System (ISMS) designed in accordance with industry-adopted standards for risk management. The current case explores the IT infrastructure at a premier Indian business school where internet support is required round the clock. The entire ISMS framework of the organization, including security policy, security budget and network components, is described. Though the security infrastructure apparently seemed to be adequate, a spate of hacking attacks targeted at the SMTP server attempted to cripple the extremely crucial email services for the period of the attack by generating spam. The primary security challenges facing the organization, including the nature and appropriateness of the ISMS, the adequacy of the security policy, budget allocation for IT security, etc., are left open for discussion.

Mr. Rajesh Ghosh¹, the Chairman of the Computer Advisory Committee (CAC) at the ABC Institute of Management, Lucknow (AIML)¹, looked at the dark brown, wooden floor of his office, immersed in thought about the latest hacking attempts on the Institute’s network. There was a knock on his partially open office door. Mr. Deepak Jha, the Computer Centre (CC) manager, stood at the door with a pile of documents in his hand, smiled and said “It is not that bad after all. Our Computer Centre employees are trying their best to handle the attack and the situation will soon be under control.” Mr. Ghosh, however, was more worried than relieved. It was the computer centre’s responsibility to provide a safe and secure round-the-clock internet facility to the entire AIML community, and it had always lived up to expectations since its inception. However, of late there had been a few minor phishing attempts on the AIML network. Though all of them had been nipped in the bud, the current spate of hacking attacks on the AIML Simple Mail Transfer Protocol (SMTP) server had attempted to cripple the email services of the institute for a considerable period by generating spam. Mr. Ghosh wanted to ensure that the IT infrastructure at AIML was perfect and that there were no loopholes in the network. As he prepared for his meeting with the CAC members, he pondered over the challenges related to the CC operations and services.

Keywords: Confidentiality, Integrity and Availability (CIA) of Information, Information Security Management System (ISMS), Network Security Components, Security Policy, Simple Mail Transfer Protocol (SMTP)

DOI: 10.4018/jcit.2013070101 Copyright © 2013, IGI Global. Copying or distributing in print or electronic forms without written permission of IGI Global is prohibited.


ORGANIZATION BACKGROUND

The ABC Institute of Management, Lucknow (AIML) is one of the premier national-level management institutes, set up by the Indian government at Lucknow, Uttar Pradesh in 1984. The institute’s mission is to be a global, socially conscious and integrated school of management, contributing towards management development both in India and abroad. In order to fulfil its mission, the objective of the AIML community is to strive for excellence in management education, consultancy, research and training. It does so by inculcating human values and professional ethics in students so that they can make a difference in both the corporate and non-corporate sectors. The AIML campus, spread over 185 acres of land, is planned to ensure that nature is maintained at its splendid best in order to provide the perfect ambience for the community’s academic pursuits. AIML also has a campus in Noida, which is being developed as a centre of excellence in executive education. There are around 900 students studying at AIML at any given time, including those in the first and second years of their post-graduate programme. However, the intake of students has almost doubled over a short period of 4-5 years: it increased from around 250 students in 2008 to approximately 460 students in 2012. AIML has one of the most heterogeneous and gifted student communities in the country, who have often excelled over their counterparts in other management institutes of repute.

The Organization Chart

Figure 8 in the Appendix provides a detailed view of the organization chart at AIML. The Director heads all the affairs of the institute and is accountable to the board of governors. The three Deans, responsible for academic affairs, planning and development, and Noida campus affairs, report directly to him. The Chairman of CAC reports to the Dean (Academic Affairs). Figure 9 in the Appendix shows the organization chart of the Computer Centre. The CC manager in turn reports to the Chairman of CAC. The system analysts and the CMC helpdesk employees (many of the CC operations are outsourced to CMC Ltd.) report directly to the CC manager. The CC at the AIML campus is also responsible for maintaining the IT infrastructure of the Noida campus. For financial matters, the CC (Noida campus) has to report to the Accounts Manager at AIML.

IT Infrastructure at AIML

AIML has a large IT infrastructure distributed across the entire campus that caters to the needs of students, faculty, officers and staff of the institute. The CC caters to all the IT services of the institute 24x7. It is spread over an area of 15,000 sq. ft. at the centre of the campus and caters to all the academic as well as administrative activities of the institute. It employs one manager and 5 other system analysts who are involved in the maintenance of IT services in the institute. Initially all the CC activities were handled by AIML employees, but in 2002 the job of maintenance was outsourced to an external CMC Helpdesk team.

Hardware

The infrastructure at the AIML Computer Centre includes a fiber optic backbone based campus-wide network connecting machines on heterogeneous platforms with 11 high-end servers. The network provides 1300 nodes with access to each of these servers for sharing different hardware and software resources.

Software and Applications

The software applications running at AIML can be broadly classified as (i) Institutional initiatives and (ii) Student initiatives. They are discussed in the following section.

Institutional Initiatives

The software resources include Microsoft Office packages, programming language compilers and various statistical, modelling and Operations Research packages. There is also the online library portal that provides access to 34 online databases of repute. All students are provided with an email account and sufficient storage space. Since the students, faculty and staff communicate through email, it is one of the primary mission-critical internet services of the institute. All the key organizational processes like accounting, human resources, payroll, etc. are implemented using an Enterprise Resource Planning (ERP) system. The AIML website is another internet service that is viewed by prospective students, researchers, industry experts and scholars worldwide.

Student Initiatives

The Institute intranet, Blondie, is another service that the students access round the clock. This provides them access to all relevant details about the institute like the mess menu, city bus schedule, health centre timings, institute calendar, and links to the various committees like the alumni committee, placement committee, etc. There is also the students’ database, Etrigan, that contains the profile details of each student. An academic portal, Claroline, is also maintained that pertains to academic information that the faculty and students share.

Network

The network available at AIML can broadly be classified as (i) intranet and (ii) extranet. They are discussed in the following section.

Intranet

The hostels, faculty block, administrative block, academic block, library and computer centre are all connected by a Fast Ethernet switched network. In addition to this, several buildings are provided with Wi-Fi connections, as shown in Figure 6.

Extranet

The total bandwidth available to the institute is 90 Mbps, of which 70 Mbps is allotted to the Lucknow campus, 10 Mbps to the Noida campus and 10 Mbps is reserved for the wireless network. Apart from these, there is also a LAN based on Peer-to-Peer (P2P) technology that the students use to share communications, data files and processing power amongst themselves. Although a P2P framework can increase productivity by allowing file sharing, it can also introduce vulnerabilities into the network by enabling users to download executable code that can introduce rogue or untraceable “backdoor” applications on users’ machines and jeopardize the security of the entire network.

Brand Image of AIML

AIML is one of the top five institutes imparting MBA education in the country. The course curriculum is in line with the latest market requirements and global business schools. The research and consulting output produced by this business school is acclaimed globally, and corporations worldwide value the talent it produces. The laurels obtained by the students of the institute in both the national and international arena have been immensely facilitated by the world-class infrastructure provided by the computer centre, library and other administrative facilities at AIML. Hence, a cyber breach on the network of the institute would not only hamper the academic activities of the students, but also be detrimental to the brand image of the institute.

SETTING THE STAGE

Globally, security breach incidents are common. Corporations, including academic institutions, have faced the brunt of malicious attackers recently. We discuss some of the security breach events in the following sections.


Security Breach in Corporations

The corporate sector has been the primary target of cyber attacks for a long time. Figure 10 in the Appendix shows the trends of different cyber attacks from 1997-2010. All the attacks had a non-linear trend over the period of 14 years; hence, it is difficult to predict these attacks. Recent examples of cyber breaches include the massive data theft attack on Citibank, the third largest US bank by assets, in May-June 2011: over 360,000 customer names, account numbers and contact numbers were compromised. In May 2011, Sony was the victim of one of the biggest online data breaches to date. Personal information of over 100 million users of Sony’s PlayStation Network, Qriocity, and Sony Online Entertainment services was stolen (Levick, 2011). Sony incurred extensive financial losses of over $24 billion. These incidents suggest that it is very important for organizations which are electronically networked to ensure the confidentiality, integrity and availability (CIA) of information (NIST, 1995). But even the best efforts to prevent security breaches may not always succeed because of the novelty and uncertainty of the attack.

Security Breach in Academic Institutions

Apart from the corporate sector, the academic sector is another prime target of IS breaches. This is because of the “wide open” nature of university networks, where information is shared openly and network security components are limited (Bragg et al., 2004; Sridhar & Ahuja, 2009). There have been several incidents of hacking, phishing attacks, virus attacks and information theft attacks on university networks in the recent past. This can be attributed to the increase in online activity as well as the increasing volume of personal information and web-accessible files (such as online databases) stored online. For example, in April 2008, phishing e-mails purporting to be from Hancock Bank, asking the recipients to participate in a survey to win a $500 prize, flooded the mailboxes of Louisiana State University (SPAMfighter, 2008). In October 2010, personal information belonging to 107,000 current and prospective students of the University of North Florida was breached after a server containing the information was compromised by unknown intruders (Security Week, 2010). Several Indian universities have also been victims of cyber attacks in recent times. In May 2012, the official website of Utkal University and those of several other state-run educational institutions were hacked and defaced (The Times of India, 2012).

Figure 11 in the Appendix shows the impact of an Information Security (IS) breach on a university. An IS breach can compromise the IT assets and confidential information of a university. It can also congest the entire network and eventually bring it down. This affects (i) the productivity of the university (i.e., the operational performance of support facilities like the library; downtime; missed deadlines for submission of projects, assignments and competitions), (ii) intangibles (i.e., brand image and reputation) and finally (iii) financials (i.e., market capitalization, total assets). This is adopted from the risk-components model (Crockford, 1986).

AIML is also one of the many institutions that are frequently targeted by hackers and cyber attackers. The Noida campus is highly vulnerable to cyber attacks through its wireless network, as it is right in the heart of the city. People can easily exploit the wireless network using rogue access points. However, not many have been able to penetrate the network or cause much damage until the recent spate of hacking attempts on the e-mail server. The credit for this goes to the appropriate investment in network security infrastructure at AIML and constant monitoring by the dedicated CC staff. But each breach is unique, extremely uncertain and has its own novelty. Hence, even the strongest line of defence against a security breach might fail because a weak link in the organization’s network might get exploited by the breach. Therefore, in order to minimize the damage caused by cyber security breaches, a thorough implementation of an appropriate Information Security Management System (ISMS) is required, rather than ad-hoc investment in security technology, for identifying, evaluating and mitigating IS risks (Dhillon, 1997).

ISMS Framework

An ISMS comprises a set of government regulations/policies and industry standards that are used to manage IS. The general framework of ISMS followed in the IT industry is described in Figure 12 in the Appendix (ENISA, 2006).

Step 1: Security Policy Development – A security policy is developed in accordance with an industry standard like BS-7799 or ISO 27001 that takes care of the overall organizational security management in accordance with the mission of the organization and in compliance with external regulations. It covers all important areas like personnel, physical, technical and procedural planning, and its development is promoted/guided by the Organization of IS (OIS) (Mukund, 2011). A security policy generally consists of administrative safeguards like IS strategy, security management process, risk analysis, risk management, workforce security, access authorization, password policy, disaster recovery plan, etc. It also contains physical safeguards like access control and validation procedures, workstation use and security, data backup and storage, etc. Apart from these, it contains technical safeguards like access control, unique user identification, encryption and decryption, audit controls, email security, network security, remote access policy, etc. However, apart from formulating the security policy, a compliance audit is essential to ensure that the security policy is correct, adequate and being applied correctly (Sridhar, 2010).

Step 2: Definition of ISMS Scope – Describing the purview of the ISMS within the organization, including the functions and activities that the ISMS will cater to. Information and control flow from the OIS domain to all other domains of the ISO/IEC 27001 standard.

Step 3: Risk Management – This is the most crucial phase of the ISMS and consists of three phases: (i) risk identification, (ii) risk assessment and (iii) risk mitigation.

Step 4: Selection of Appropriate Network Security Components – Based on the outcome of the risk management process, the appropriate network security components are selected.

Step 5: Statement of Applicability – Complete documentation of the entire ISMS process, including the threats, vulnerabilities, risks and network security components deployed.

Focus on IS started in the early 90s with the development of the British Standard BS-7799. Since then many developments have taken place, and these early standards have been transformed into international standards published by ISO/IEC (Broderick, 2003). We briefly describe the most widely adopted ISMSs in organizations today.

Commonly Used ISMS Standards

In this section we discuss a few widely accepted ISMS standards, such as ISO 17799, COBIT and ISO 27001.

ISO 17799

BS-7799 was originally published in 1995 by the British Standards Institution (BSI) group. It was adopted by the ISO in 1998 as ISO 17799. The first part of BS-7799 was titled “Information Technology - Code of practice for IS management” and the second part “IS Management Systems - Specification with guidance for use”. Its modified version in 2002 introduced the Plan-Do-Check-Act (PDCA) cycle (Susanto et al., 2011). The PDCA cycle is used to continuously monitor and improve the ISMS of the organization (Broderick, 2003; Mukund, 2011). Figure 13 in the Appendix represents the PDCA cycle in the risk management model (Fung et al., 2003). The ten essential domains of ISO 17799 and one extra domain, IS Incident Management (ISIM), are shown in Table 2 in the Appendix (Mukund, 2011; Fung et al., 2003; Broderick, 2003).

COBIT

The Control Objectives for Information and related Technology (COBIT) is a framework for IT governance created by the Information Systems Audit and Control Association (ISACA) in 1996 (Susanto et al., 2011). COBIT aligns IT to an organization’s business goals, with IT in a supporting role. It presents the control model for IT governance. It was meant to address not only IS but also other risks that prevail in an IT environment. The COBIT framework covers four control domains, namely planning and organization, acquisition and implementation, delivery and support, and monitoring (Broderick, 2003).

ISO/IEC 27001

ISO/IEC 27001, first published in 2005, is an improvement over the original BS-7799. Keeping up with the IS needs of modern society, ISO/IEC 27001 has eleven control domains. Table 2 in the Appendix lists the eleven essential control domains covering the range of security issues managed by ISO/IEC 27001 and their objectives. ISO/IEC 27001 has 133 security controls compared to the 127 security controls present in the original BS-7799. This is due to the addition of the extra eleventh control domain, ISIM (Broderick, 2003). We also compare these ISMS standards in Table 3 in the Appendix. Since risk management is the most crucial phase of the ISMS, the success or failure of the ISMS depends largely on how an organization manages its IS risk in accordance with its security policy.

IS Risk Management

In light of the recent surge in cyber breaches globally, IS risk management for organizations is of utmost importance. IS risk management consists of three phases: (i) risk identification, (ii) risk assessment and (iii) risk mitigation (ENISA, 2006).

IS Risk Identification

This is an extremely critical phase of IS risk management. In this phase the most risky assets are identified by determining the existing vulnerabilities and potential IS threats to the assets.

IS Risk Assessment

In this phase the likelihood of a potential threat exploiting an existing vulnerability is determined, together with the impact of that event. Using the likelihood and impact information, the overall risk of the IT system is calculated through an appropriate risk management framework. There are various methods (qualitative, quantitative and hybrid) of IS risk assessment. The qualitative methods include widely used tools like Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) and the CCTA Risk Analysis and Management Method (CRAMM) for conducting security risk analysis. OCTAVE was developed at the CERT Coordination Center in 2003. People from within the organization lead the information security risk evaluation. The information-related assets most critical to the organization are identified along with their vulnerabilities and threats. The risks to these assets are evaluated in the operational context. Finally, a risk mitigation plan and a practice-based protection strategy are developed (Alberts et al., 2002). The CRAMM method of risk analysis is similar to OCTAVE. It includes asset identification and threat and vulnerability assessment. Then the risk for each asset group is calculated against the threats to which it is vulnerable. Finally, a set of countermeasures is devised for the system or the network based on the identified risks (Yazar, 2002). The quantitative methods include a variety of techniques such as financial methods (Wang, 2008) and artificial intelligence methods (Smith & Eloff, 2000; Rees et al., 2011; Chen et al., 2011). There are also hybrid techniques for evaluating information security risks. ISRAM is a hybrid technique based on obtaining public opinion on a security problem using surveys. Two separate surveys are conducted, one for the probability and one for the consequence of occurrence of a security breach. Managers, directors, technical personnel and ordinary computer users are interviewed for the surveys. An as-is analysis is made to assess the risk of an information security problem (Karabacak & Sogukpinar, 2003).

IS Risk Mitigation

This is another crucial phase in the IS risk management process. Once the overall IS risk of the organization is determined, various risk mitigation strategies are decided by the management of the organization depending on the risk. The various risk mitigation strategies generally practiced by organizations are listed in Table 4 in the Appendix.
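As an added example (not from the case or from any of the methods named above), the following Python risk register carries the identification and assessment phases through for assets named in this case: each asset/threat pair collects survey votes for likelihood and impact, in the spirit of ISRAM's two surveys, and the score is the likelihood-times-impact step on a 1-3 scale. The assets and the threat types (spam relayed through the SMTP server, rogue access points on the Noida Wi-Fi, backdoors via the P2P LAN) come from the case text; the vulnerability descriptions, the votes, the scale and the rating thresholds are constructed assumptions.

```python
"""Qualitative IS risk register for the AIML assets named in the case.

Added example, not the case's or any standard's tooling.  The 1-3 scale,
the survey votes, the vulnerability wording and the rating bands are
constructed assumptions (a simplification of the likelihood x impact step,
not the OCTAVE, CRAMM or ISRAM method itself).
"""
from dataclasses import dataclass
from statistics import mean

SCALE = {1: "low", 2: "medium", 3: "high"}   # constructed ordinal scale


@dataclass
class AssetRisk:
    asset: str
    threat: str
    vulnerability: str
    likelihood_votes: list   # one 1-3 vote per survey respondent
    impact_votes: list       # one 1-3 vote per survey respondent

    def __post_init__(self):
        # Edge case: an asset with no respondents or an out-of-scale vote
        # must fail loudly rather than silently rank as low risk.
        for votes in (self.likelihood_votes, self.impact_votes):
            if not votes or any(v not in SCALE for v in votes):
                raise ValueError(f"{self.asset}: votes must be non-empty and in 1..3")

    def likelihood(self) -> float:
        return mean(self.likelihood_votes)

    def impact(self) -> float:
        return mean(self.impact_votes)

    def score(self) -> float:
        # Risk = likelihood x impact, giving a 1..9 scale
        return round(self.likelihood() * self.impact(), 2)

    def rating(self) -> str:
        # Constructed bands: >= 6 high, >= 3 medium, otherwise low
        s = self.score()
        return "high" if s >= 6 else "medium" if s >= 3 else "low"


def build_register() -> list:
    """Risk identification: assets/threats from the case, votes constructed."""
    return [
        AssetRisk("SMTP server", "account abuse to relay spam",
                  "weak or reused mailbox passwords", [3, 3, 2], [3, 3, 3]),
        AssetRisk("Noida campus Wi-Fi", "rogue access point / man-in-the-middle",
                  "radio reachable from the city centre", [3, 2, 2], [2, 3, 2]),
        AssetRisk("student P2P LAN", "backdoor in shared executables",
                  "unvetted file sharing between hosts", [2, 2, 3], [2, 2, 2]),
        AssetRisk("Etrigan student database", "disclosure of personal records",
                  "shared application login", [1, 2, 1], [3, 3, 3]),
        AssetRisk("Blondie intranet", "website defacement",
                  "outdated web application", [1, 1, 2], [1, 2, 1]),
    ]


def rank(register: list) -> list:
    """Risk assessment: order assets by score, highest risk first."""
    return sorted(register, key=lambda r: r.score(), reverse=True)


def report(register: list) -> str:
    """Plain-text table of the ranked register."""
    lines = [f"{'asset':28} {'L':>4} {'I':>4} {'score':>5}  rating"]
    for r in rank(register):
        lines.append(f"{r.asset:28} {r.likelihood():4.2f} {r.impact():4.2f} "
                     f"{r.score():5.2f}  {r.rating()}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(build_register()))
```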

Network Security Components Used in Organizations

Organizations deploy various security components for wired and wireless networks. Figure 14 in the Appendix describes the technological architecture of a wired network security system. It is made up of preventive, deterrent and corrective or recovery controls (Straub, 1990). Other major security components are antivirus systems, VPNs, honeypots, etc. A description of these components is provided in Table 5 in the Appendix. In addition to these components, upgrades may be required for network components like routers and switches to incorporate changes or modifications in the network. Sometimes specialized software like log management software is used to maintain a log of connections in order to detect cyber threats. Table 6 in the Appendix provides an example of log data for analysing connections or intrusions.

A wireless network requires a secure Wireless Access Point (WAP) that allows wireless devices to connect to the internet using Wi-Fi or Bluetooth. A WAP can be secured using second and third generation encryption schemes like Wi-Fi Protected Access (WPA) and WPA2. Sometimes an external party can install a rogue access point on the secure university network without authorization, for malicious purposes like launching a man-in-the-middle attack. A wireless intrusion prevention system (WIPS) can be used to monitor the radio spectrum in order to detect such rogue access points. Apart from hardware and software network security components, a group of skilled personnel is required who can install, monitor and maintain the network. Thus, a dynamic, proactive defence mechanism for both the wired and wireless network is required for effective IS management. The network security components like firewalls (FW), IDS/IPS, antivirus systems, VPNs, encrypted WAPs, etc. should be maintained and upgraded as per the security policy. Patches should be applied on a periodic basis. Figure 15 in the Appendix shows the percentage of preventive and detective network security components, and Figure 16 in the Appendix shows the percentage of host-based and network-based security components used in organizations.

CASE DESCRIPTION

The Incident

There have been a few scattered incidents of phishing attacks targeted at AIML in the recent past. Most of them were eliminated with utmost perfection and finesse. However, in December 2012, there was a spate of hacking attempts on the SMTP server at AIML. This resulted in the generation of thousands of spam emails to various email ids over a period of two days. Most of the spam emails solicited proof of identification of the recipient. The email service slowed down and there was large scale dissatisfaction among the student, faculty and staff community, as email service was the lifeline of communication both within AIML as well as with the outside world. Mr. Ghosh immediately asked Mr. Jha to have the SMTP server disabled in order to temporarily stop the spam generation. Mr. Jha and his team of system analysts started a thorough inspection of the SMTP server log files. They added the identified IP addresses of the culprits to the firewall in order to block them. Five distinct IP addresses were identified and blocked. Though Mr. Jha was relieved, Mr. Ghosh was worried about the IS management practices followed at AIML and was keener on finding a permanent solution. The next morning, the CAC chaired by Mr. Ghosh started their meeting to come up with solutions and guidelines in order to be capable of handling future intrusions.

Framework for Information Security Management System at AIML

While discussing the Information Security Management System at AIML, Mr. Ghosh described, “The ISMS adopted at AIML is primarily reactive in nature. Vulnerability analysis or penetration testing in order to determine the points of vulnerability or weak links in the network is not undertaken a priori. The security policy is not entirely based on any specific industry standard but incorporates bits and pieces from several standards.” Figure 1 describes the framework for IS management at AIML. The existing security policy, network structure, organizational structure, possible types of attacks, possible users of the network and the budget available for CC operations serve as the input to the risk assessment process. Mr. Ghosh continued, “The risk assessment process followed is qualitative and similar to the OCTAVE risk assessment technique (Alberts et al., 2003). It includes asset identification, threat and vulnerability assessment. Then the risk for each asset group is calculated. Finally, a set of countermeasures is devised for the system or the network based on the identified risks. However, there are no standardized processes or guidelines in place for asset identification, grouping and ranking. Hence, the method is generally random and usually depends on the discretion of the committee performing the process. The risk mitigation process followed is crude and limited only to risk reduction or risk absorption. There are no provisions in place for risk transference. Currently, there are no business continuity planning (BCP) measures to ensure continued and uninterrupted operation in case the AIML network is crippled by cyber breaches. There is also no Computer Incident Response Team (CIRT) that is empowered to take necessary decisions or actions in case of a contingency such as an information security breach. We need to decide whether we should focus on proactive information security risk management practices in order to prevent information security breaches or continue with our reactive incident response mechanisms to handle a security breach once it strikes. As per my knowledge, prevention is always better than cure.” Figure 2 shows the risk assessment process followed at AIML. Mr. Ghosh described the risk management process followed at AIML: “The most critical assets are identified and their risk is determined as an outcome of the risk assessment process. Then, based on the budget, the existing security policy is updated and security infrastructure is selected to upgrade, install and configure components that are most vulnerable or recommended by the policy. The next step is the deployment of the components and full-time maintenance (periodic vulnerability tests, FW and IDS log analysis, patch management and updating, security report preparation). These fall under risk mitigation, recovery and corrective controls.” Table 1 shows the existing security policies at AIML, such as the acceptable use policy, e-mail and communication policies, anti-virus policy, identity policy and remote access policy.

Figure 1. ISMS employed at AIML

Percentage of IT Budget Invested in Security

As per the Computer Security Institute (CSI)/FBI Computer Crime and Security Survey, 2010-2011, though the overall IT expenditure was either constant or declined slightly from 2009 to 2010, the expenditure on security actually rose by a small margin. Figure 3 shows the percentage of IT budget spent on security by the respondents of the CSI/FBI survey for the years 2009 and 2010. It shows that there is a shift towards allocating more budget to IT security across organizations. Respondents saying that their percentage of IT budget spent on security is more than 10% increased from 12.8% in 2009 to 18.6% in 2010. In the CAC meeting, Professor Desai, Dean, Planning and Development, stated, “Over the last three years of my office, I’ve always been involved with the IT security budget formulation at AIML. In recent years, IT security expenditures are being considered as investments. AIML invested around 0.412 million USD in the IT infrastructure in 2011.” Figure 4 gives a rough estimate of the amount of money spent on different elements of IT infrastructure such as hardware, software and network. The expenses have been classified as either capital expenditure or revenue expenditure. Figure 5 shows the distribution of software expenditure as part of revenue expenditure. Professor Desai added, “0.09 million USD out of a total IT budget of 0.412 million USD has been allocated for security software. Security expenditure on license and lease renewals is 0.09 million USD out of a total of 0.135 million USD for revenue expenditure in software. Though compared to industry standards our investment in IT security seems to be more than adequate, we are still not sure whether we are doing justice to the investment.”

Figure 2. Risk assessment process at AIML

Figure 3. Percentage of IT budget spent on security. Source: CSI Computer Crime and Security Survey, 2010-2011. Number of respondents: 237

Table 1. Components of security policy at AIML

Parameters | Description | AIML specific
--- | --- | ---
Acceptable use policy | Specifies what types of network activities are allowed and which ones are prohibited. | All websites, except heavily downloaded unethical sites, are allowed.
E-mail and communications activities | Specifies what types of emails are acceptable; should restrict and filter incoming potential spam; may restrict outgoing/incoming e-mails based on topics or keywords; may not allow all incoming attachments and restrict the type of attachments to .pdf or .doc format only. | All types of mails are segregated at the firewall. Only genuine mails are allowed to enter the network; spam is stopped.
Anti-virus policy | Specifies which software should be used to help protect the network against threats like viruses, worms, Trojan horses, etc. | Individual laptops of all members of the AIML community are provided with separate anti-virus protection.
Identity policy | Specifies who are authorized and unauthorized users in order to help safeguard the network. | Only the registered users of the AIML domain can enter the network. The rest are blocked by Cisco Network Access Control (NAC).
Remote access policy | Helps employees who are working remotely to safely access the network with the least possibility of compromise of network data. | Only mail can be accessed remotely, through the webmail. However, the Noida campus staff can access the mail server from outside using a VPN.


Figure 4. Distribution of expenditure among the IT components

Figure 5. Distribution of software expenditure as part of revenue expenditure

Implementation of Information Security Architecture at AIML

Figure 6 demonstrates the distribution of the wired and wireless network across the entire campus. Mr. Jha, who was a core member of the team responsible for designing the IT infrastructure at AIML since its inception, described the existing information security architecture: “The computer center located at the centre of the campus houses the server room through which the wired network connects to the internet.” Figure 7 shows the existing information security architecture at AIML. Mr. Jha added, “The institute is connected to the internet through Videsh Sanchar Nigam Ltd. (VSNL) and Airtel links. The network is a combination of wired and wireless technology. The wired network security components currently include three firewalls placed in parallel with an embedded internal security policy. Several changes have been implemented in the configuration of the firewalls since 2009 in order to cope with the increase in student intake and number of user licenses. Prior to 2009, there were two firewalls placed in parallel, one active and the other passive. In late 2009, the passive firewall was also converted to an active one. But with increasing usage, even two firewalls were not enough. A third firewall was brought from the Noida campus in the latter half of 2010 and placed in parallel with the existing two. This arrangement worked fine till 2012, when the need was felt for something more, as the internet speed dropped drastically and students felt agitated. We started contemplating something new that would provide a foolproof solution to network security and speed. Cisco ironport was an option available that could handle more usage and would replace the firewall. It also uses some of the industry’s most advanced technology to stop spam, viruses and other anomalies. However, the management is in two minds about investing in yet another security technology. Though it costs approximately $2500, there could be several issues impeding its successful implementation, such as the reluctance of CC employees in adopting yet another new technology or the possibility of it becoming obsolete after a few years like its predecessors. We need to show them the clear benefits of making such an investment. But for that we need to be doubly sure ourselves.” Mr. Jha continued, “The wired network also has an Intrusion Prevention System (IPS) that proactively tries to detect and block attacks before they can enter the network, based on the security policy. The institute is connected to the Noida campus through a Multi Protocol Label Switching (MPLS) link, which directs and carries data from one network node to the next with the help of labels. There is a Cisco core switch that connects the various zones of the campus like the PGP block, the faculty block, the hostels, the faculty/staff residence etc., to the computer centre through 1 Gbps fiber cables. Then there are distribution switches at the end of the 1 Gbps cables which distribute traffic and data to the various units mentioned above. These switches are in turn connected to 100 Mbps fiber cables which distribute traffic to narrower zones like hostel wings. Finally, there are access switches linked to UTP cables that transmit data to the end users and also connect areas that are closely located, like the computer centre and the library. Apart from the wired network, there are Wi-fi hotspots at various locations on the campus like the library, the faculty block, the guest house, the students’ mess etc. There are two student hostels that are Wi-fi enabled. The rest have wired internet connectivity. The computer centre uses Microsoft® Software Update Services for managing and distributing critical Windows patches that resolve known security vulnerabilities and other stability issues in the Microsoft Windows 2000, Windows XP, and Windows Server 2003 operating systems. Another important network security component in use is the Network Access Control (NAC) provided by Cisco. When a user tries to log into the network using the username and password, the NAC determines whether he is an authentic user or not depending on the security policy, which defines pre-admission endpoint security policy checks and post-admission controls over where users and devices can go on a network and what they can do. An external user is blocked from entering the system by NAC. The security policy plays an important role at each component of the network and determines their function. The router, switch, IPS, NAC and firewall are all designed to function according to the guidelines laid down by the security policy.”

Figure 6. Existing distribution of wired and wireless network at AIML

Figure 7. Existing information security architecture at AIML

CURRENT CHALLENGES/PROBLEMS FACING THE ORGANIZATION

Though everything apparently seemed to be well managed and the security of the network infrastructure at AIML appeared to be strong enough to prevent any intrusion from succeeding, it only took a single weak link that could give in and be exploited by a threat to cause immense damage to the network. This is exactly what happened to the AIML network when a spate of hacking attacks targeted the SMTP server. While contemplating the outcome of the CAC meeting, Mr. Ghosh realized that despite the attack attempt the situation was under control and a few measures had to be adopted to ensure smooth functioning of the AIML network, both in light of the current attacks and in future. Only a few questions had to be answered and a few measures had to be implemented in response to meet the security challenges of the AIML network. The primary challenges that need to be addressed are:

• Should AIML focus on proactive information security risk management practices or continue with its existing reactive incident response mechanisms to handle a security breach once it strikes?
• Was the IS risk management framework adopted at AIML appropriate? If not, what alterations could be made?
• Were the network security components implemented adequate? If not, which vulnerabilities could be easily exploited by a cyber attack on the AIML network security infrastructure? What other network security technologies could be used?
• Was the current security policy adequate and up-to-date?
• Was the budget allocated for IT security sufficient, keeping in mind the increasing number of users of the system?
• Were the members at the CC adequately skilled to face any security related challenge that might emerge?
• Should the CAC request the management to procure the Cisco ironport?

ACKNOWLEDGMENT

This case is developed solely as the basis for class discussion and is entirely the author’s view. It is not intended to serve as an endorsement, a source of primary data, or an illustration of effective or ineffective management, or to deface or demean anyone.

REFERENCES

Alberts, C., Stevens, J., Woody, C., & Dorofee, A. (2003). Introduction to the OCTAVE approach. CERT Coordination Center.

Bragg, R., Rhodes-Ousley, M., & Strassberg, K. (2004). Network security: The complete reference. New Delhi, India: Tata McGraw-Hill.

Broderick, J. (2006). ISMS, security standards and security regulations. IS Technical Report, 11(1), 26–31.

Chen, X., Bose, I., Leung, A., & Guo, C. (2011). Assessing the severity of phishing attacks: A hybrid data mining approach. Decision Support Systems, 50(4), 662–672. doi:10.1016/j.dss.2010.08.020

Computer Security Institute. (n.d.). CSI computer crime and security survey. San Francisco, CA: Computer Security Institute Inc.

Crockford, N. (1986). An introduction to risk management. Cambridge, MA: Woodhead-Faulkner.

Darpa 98 dataset obtained from MIT Lincoln Laboratory (n.d.). Retrieved May 23, 2012, from http://www.ll.mit.edu/mission/communications/ist/corpora/ideval/data/index.html

Dhillon, G. (1997). Managing information systems security. New York, NY: Macmillan Education Ltd.

European Network and IS Agency (ENISA). (2006). Risk management: Implementation principles and inventories for risk management/risk assessment methods and tools. Deliverable at the ENISA Work Programme, 2006.

Fung, A., Farn, K., & Lin, A. (2003). Paper: A study on the certification of the IS management systems. Computer Standards & Interfaces, 25, 447–461. doi:10.1016/S0920-5489(03)00014-X

Karabacak, B., & Sogukpinar, I. (2005). ISRAM: Information security risk analysis method. Computers & Security, 24, 147–159. doi:10.1016/j.cose.2004.07.004

Levick, R. (2011). Sony’s cyberattack and how companies fail in data security. Retrieved May 23, 2012, from http://www.fastcompany.com/1751318/directors-are-disengaged-on-data-security

Mukund, B. (2011). ISO 17799 Papers: BS 7799. Retrieved May 24, 2012, from http://17799.denialinfo.com/biju.htm

Netland, L. (2008). Assessing and mitigating risks in computer systems. Doctoral Dissertation, University of Bergen, Norway.

NIST (National Institute of Technical Standards). (1995). An introduction to computer security: The NIST handbook. Special Publication 80-112.

Rees, L., Deane, J., Rakes, T., & Baker, W. (2011). Decision support for cybersecurity risk planning. Decision Support Systems, 51, 493–505. doi:10.1016/j.dss.2011.02.013

SecurityWeek. (2010). University of North Florida data breach. Retrieved April 8, 2013, from http://www.securityweek.com/university-north-floridadata-breach-106884-individuals-potentially-exposed-hackers

SPAMfighter. (2008). Phishing attack on the Louisiana State University. Retrieved May 8, 2013, from http://www.spamfighter.com/News-10212-Phishing-Attack-on-the-Louisiana-State-University.htm

Sridhar, V. (2010). Challenges of information security management in a research and development software services company: Case of WirelessComSoft. Journal of Cases on Information Technology, 12(2), 16–30. doi:10.4018/jcit.2010040102

Sridhar, V., & Ahuja, D. K. (2007). Challenges in managing IS in academic institutions: Case of MDI in India. Journal of Information System Security, 3(3), 52–79.

Sridhar, V., & Bhasker, B. (2003). Managing information security on a shoestring budget. Annals of Cases on Information Technology, 5, 151–167. doi:10.4018/978-1-59140-061-5.ch010

Stoneburner, G., Goguen, A., & Feringa, A. (2002). Risk management guide for information technology systems. NIST, National Institute of Technical Standards.

Straub, D. (1990). Effective IS security: An empirical study. Information Systems Research, 1(3), 255–276. doi:10.1287/isre.1.3.255

Susanto, H., Almunawar, M., & Tuan, Y. (2011). Information security management system standards: A comparative study of the big five. International Journal of Electrical & Computer Science, 11(5).

The Times of India. (2012). Utkal University website hacked. Retrieved 03/08/2013, from http://articles.timesofindia.indiatimes.com/2012-05-15/bhubaneswar/31710969_1_websites-defacedethical-hacker

Wang, J., Chaudhury, A., & Rao, H. (2008). A value-at-risk approach to information security investment. Information Systems Research, 19(1), 106–120. doi:10.1287/isre.1070.0143

Yazar, Z. (2002). A qualitative risk analysis and management tool. CRAMM. SANS Institute.

ENDNOTES

1. Names of organization and characters used in the case are hypothetical and have no resemblance to anyone living or dead. They are merely used to facilitate understanding of the case. The authors may have disguised certain names and other identifying information to protect confidentiality.

Saini Das is a faculty member in the Information Technology & Systems area at Indian Institute of Management, Indore, India. She completed her PhD from the Indian Institute of Management, Lucknow, India. Prior to joining IIM Lucknow, she worked with Infosys Technologies for three years as a software developer in the insurance domain. Her teaching interests include e-commerce, IT Governance, e-governance, Enterprise Risk Management, e-risk issues in business, and Management Information Systems. Her research interests include assessing information security risks in networks, e-governance, e-commerce, enterprise risk management, data security and privacy, business analytics and business intelligence, cyber risk insurance and digital piracy.

Arunabha Mukhopadhyay, Ph.D. is an Associate Professor of Information Technology & Systems Area at Indian Institute of Management Lucknow (IIM Lucknow). He has co-supervised 3 doctoral theses and published around 45 papers in various refereed journals and conferences including DSS, JIPS, IJISCM, Decision, IIMB Review, CSI-C, HICSS, AMCIS, Pre-ICIS workshops, GITMA, CISTM, ICEG etc. He is the recipient of the Best Teacher in Information Technology Management in 2013 and 2011, by Star-DNA group B-School Award and 19th Dewang Mehta Business School Award, in India respectively. He is a Member of IEEE, AIS, ISACA, DSI, ITS, IFIP WG 11.1 and a Life Member of Computer Society of India (CSI), Telemedicine Society of India (TSI), Indian Insurance Institute (III), Actuarial Society of India (ASI), All India Management Association (AIMA), System Dynamics Society of India (SDSI) and Operations Research Society of India (ORSI). He has obtained his Ph.D. and Post Graduate Diploma in Business Management (PGDBM) from the Indian Institute of Management Calcutta (IIM Calcutta), in the area of Management Information Systems. He was awarded the Infosys scholarship during his Ph.D.
Bharat Bhasker is a Professor in the area of Information Technology and Systems, at IIM Lucknow, India. He holds a Bachelor’s degree in Electronics and Communications Engineering from University of Roorkee, India; Master’s degree and Doctorate in Computer Science from Virginia Polytechnic Institute and State University, USA. Prior to joining IIM Lucknow, he was with MDL Information Systems and Sybase Inc., California, USA and was the architect of the massively parallel DBMS, Sybase MPP. He also served as a Visiting Professor of Information Systems, Business Management School, University of Maryland, University of California, and University of Texas, USA. His research interests include Distributed Database Management, Data Mining, Personal Recommendation Systems, and Agent based Electronic Shopping. He has also authored a book on Electronic Commerce.


APPENDIX

Figure 8. Organization chart

Figure 9. Computer centre organization chart


Figure 10. Year-wise trend of cyber attacks. Source: CSI Computer Crime and Security Survey, 1997-2010

Figure 11. Model demonstrating the impact of an IS breach on a university


Figure 12. General framework of ISMS

Figure 13. Application of ‘P-D-C-A’ cycle in the risk management model


Table 2. Eleven domains of ISO/IEC 27001

Domains | Objectives | Controls
--- | --- | ---
Security Policy | Management direction; Support for IS; Personnel Planning; Physical Planning; Technical Planning; Procedural Planning. | Organizational Controls
Organization of IS | Initiate, implement, control IS; Maintain IS with respect to third parties. | Organizational Controls
AM | Proper protection of assets; Identifying critical assets; Proper storage, copy, disposal. | Organizational Controls
ISIM | Communication of incidents; Effectively manage IS incidents. | Organizational Controls
Business Continuity Maintenance | Prevent interruptions to business; Protect critical Business Processes from IS failures; Ensure timely resumption of Business Processes. | Organizational Controls
Compliance | Complying with laws/contracts, standards; Maximize effectiveness of audits. | External Controls
HR Security | Proper personnel screening; Confidentiality agreements; IS awareness training & education; Proper terms & conditions; Orderly and controlled exit. | HR Controls
P&E Security | Prevent Unauthorized Access (UA) to secure areas and theft of equipment. | Physical & Environmental Controls
Access Control | Control access to information; Prevent UA to Information systems, network services, Operating Systems; Ensure IS in mobile computing. | IT Controls
ISADM | Ensure security in info system and dev/support; Protect CIA by cryptography; Vulnerability management; Correct processing in applications. | IT Controls
COM | Secure operational procedures; Security during Third Party service delivery; Minimize risk of system failure; Protection against malicious code; Back-up; Network security management; Ensure security of e-commerce; Effective monitoring & Proper media handling. | IT Controls

AM = Asset Management; ISIM = Information Security Incident Management; ISADM = Information systems acquisition, development & maintenance; COM = Communications & Operations Management.

Table 3. Comparison of ISO 17799, COBIT and ISO/IEC 27001

 | ISO 17799 | COBIT | ISO/IEC 27001
--- | --- | --- | ---
Year of Creation | 1995 | 1996 | 2005
Number of domains | Ten | Four | Eleven
Focus | Main focus on IT security controls and IS risk management | Overall business orientation and both IT as well as non-IT risks | Main focus on IT security controls and IS risk management
IT Governance | N | Y | N
Management commitment to IS | Y | N | Y
Organizational Training Plan | N | Y | N
IS Incident handling | N | N | Y


Table 4. Various risk mitigation strategies

Strategy | Description
--- | ---
Risk absorption | The risk calculated in the risk assessment phase is accepted by the organization without any mitigation or reduction.
Risk avoidance | The risk is avoided by the organization by either eliminating the source of the risk or shutting down a particular high risk business area.
Risk limitation | The risk is reduced to acceptable levels by implementing appropriate controls or by introducing newer and more efficient techniques.
Risk transfer | The risk is transferred to a third party (Netland, 2008).

Figure 14. General technological architecture of ISMS


Table 5. Network security components used

Preventive Controls

A firewall (FW) is a program/hardware device that protects a network or a computer system by filtering out unwanted traffic (Sridhar & Bhasker, 2003). The filtering decision is based on a set of rules predefined in the security policy. A FW can be ineffective if the rules and policies are not managed correctly. FWs can have proxies (application level) and packet filters (network level) to eliminate unauthorized traffic. Proxy FWs, with two independent TCP connections for each application, can be more secure than packet filters. Antivirus protection systems detect and prevent all types of malware including viruses, worms etc. New viruses and their variants are created almost daily, so it is imperative that the antivirus software is updated regularly to counteract new viruses. Patches are available to fix vulnerabilities in the network. Universities generally adopt a time-driven patch update policy. A Virtual Private Network (VPN) is another important security component required in institutions that have distributed sites in different geographical locations. VPN tunnelling is used to establish private connections through public networks like the Internet. It can be used to transfer data packets securely to a Local Area Network in a remote location using encryption.

Detective Controls

An IDS is used to identify security breaches arising both from outside the organization as well as within the organization and to raise an alert. IDSs use either signature-based or anomaly detection methods. A signature-based IDS compares the network packets against preconfigured and predetermined attack patterns known as signatures. The anomaly-detection method detects anomalous traffic which is “not normal” by checking parameters like bandwidth, the protocols and ports generally used, and which devices generally connect to each other. However, IDSs can give rise to a lot of false positive and false negative alarms. An IPS is an improvement over the IDS. Unlike an IDS, these are proactive defence mechanisms designed to detect malicious packets within normal network traffic and block offending traffic automatically before it does any damage. A Honeypot is a decoy in the network system that is used to attract and trap hackers. Honeypots, like IDSs, have multiple uses like prevention, detection or information gathering.

Table 6. Example of log data for analyzing cyber threats. Source: DARPA 98 dataset

Sl No | Date | Start Time | Duration | Service | Source Port | Dest Port | Source IP | Destination IP | Y/N | Attack Type
--- | --- | --- | --- | --- | --- | --- | --- | --- | --- | ---
1 | 6/2/1998 | 0:00:07 | 0:00:01 | http | 2127 | 80 | 172.016.114.207 | 152.163.214.011 | 0 | -
11 | 6/2/1998 | 0:00:07 | 0:00:01 | http | 2140 | 80 | 172.016.114.207 | 152.163.214.011 | 0 | -
21 | 6/2/1998 | 0:02:33 | 0:00:01 | http | 2376 | 80 | 172.016.114.207 | 152.163.214.011 | 1 | Smurf
1773 | 6/1/1998 | 8:05:07 | 0:03:06 | telnet | 1941 | 23 | 135.008.060.182 | 172.016.112.050 | 1 | format_clear
1782 | 6/1/1998 | 8:07:13 | 0:05:07 | telnet | 2064 | 23 | 135.008.060.182 | 172.016.112.050 | 1 | ffb_clear


Figure 15. Percentage of preventive and detective security technologies

Figure 16. Percentage of host-based and network-based security technologies

Table 7. Acronym definitions

Acronym | Definition
--- | ---
AVS | Anti-virus scanners
FW | Firewall
VPN | Virtual Private Network
ASS | Anti-spyware software
EDT | Encryption of data in transit
B | Biometrics
WF | Web / URL filtering
ALFW | Application-level firewalls
PKIS | Public Key Infrastructure systems
SC | Smart Cards
EDS | Encryption of data in storage
PM | Patch management tools
NAC | Network access control
Pwd | Static account / login passwords
DLP/CM | Data loss prevention / content monitoring
F | Forensics tools
IPS | Intrusion Prevention System
LMS | Log management software
IDS | Intrusion detection systems
SWSS | Specialized wireless security systems
SBACL | Server-based access control lists
