Information security strategies: towards an organizational multi-strategy perspective

Abstract

There is considerable advice in both research and practice oriented literature on the topic of information security. Most of the discussion in the literature focuses on how to prevent security attacks using technical countermeasures, even though there are a number of other viable strategies such as deterrence, deception, detection and response. This paper reports on a qualitative study, conducted in Korea, to determine how organizations implement security strategies to protect their information systems. The findings reveal a deeply entrenched preventive mindset, driven by the desire to ensure availability of technology and services, and a comparative ignorance of exposure to business security risks. Whilst there was some evidence of the use of other strategies, they too were deployed in a preventive capacity. The paper presents a research agenda that calls for research on enterprise-wide multiple-strategy deployment, with a focus on how to combine, balance and optimize strategies.




Corresponding author

Correspondence to Sangseo Park.


Cite this article

Ahmad, A., Maynard, S.B. & Park, S. Information security strategies: towards an organizational multi-strategy perspective. J Intell Manuf 25, 357–370 (2014). https://doi.org/10.1007/s10845-012-0683-0


Keywords

  • Information security strategy
  • Deterrence
  • Prevention
  • Compartmentalization
  • Deception
  • Defense in depth