
Journal of Intelligent Manufacturing, Volume 25, Issue 2, pp 357–370

Information security strategies: towards an organizational multi-strategy perspective

  • Atif Ahmad
  • Sean B. Maynard
  • Sangseo Park

Abstract

There is considerable advice in both the research and the practice-oriented literature on the topic of information security. Most of the discussion in the literature focuses on how to prevent security attacks using technical countermeasures, even though there are a number of other viable strategies such as deterrence, deception, detection and response. This paper reports on a qualitative study, conducted in Korea, to determine how organizations implement security strategies to protect their information systems. The findings reveal a deeply entrenched preventive mindset, driven by the desire to ensure availability of technology and services, and a comparative ignorance of exposure to business security risks. Whilst there was some evidence of usage of other strategies, they were also deployed in a preventive capacity. The paper presents a research agenda that calls for research on enterprise-wide multiple-strategy deployment, with a focus on how to combine, balance and optimize strategies.

Keywords

Information security strategy; Deterrence; Prevention; Compartmentalization; Deception; Defense in depth



Copyright information

© Springer Science+Business Media, LLC 2012

Authors and Affiliations

  1. Department of Computing and Information Systems, Melbourne School of Engineering, The University of Melbourne, Parkville, Australia
