Date post: 26-Dec-2015
Topic: Information Security Risk Management Framework: China Aerospace Systems Engineering Corporation (Case Study) Supervisor: Dr. Raymond Choo Student: Jing Zhang Minor Thesis Presentation
Transcript
Page 1

Topic: Information Security Risk Management Framework: China Aerospace Systems Engineering Corporation (Case Study)

Supervisor: Dr. Raymond Choo

Student: Jing Zhang

Minor Thesis Presentation

Page 2

Presentation outline

Background

Research question

Literature finding

Case study

• Threat landscape

• Risk framework (Case study company)

• Comparison and improvement

Conclusion

Page 3

Background

Cybercrime impact faced by companies

75 billion USD in financial losses each year in the United States

Targets: e-commerce, sensitive information

Attack types: e-mail spoofing, phishing, malware installation, etc.

Reasons: counterfeit software, employee security awareness, etc.

Page 4

Research questions

What is the (cyber) threat landscape, and what are the emerging trends and challenges that would have an impact on the China Aerospace Systems Engineering Corporation (Case Study Company)?

What are the limitations of existing information security risk management frameworks, and/or how can existing frameworks be adapted in the Case Study Company?

Page 5

Literature finding

Three international risk management frameworks:

NIST SP 800-30 (National Institute of Standards and Technology), USA

ISO 31000 (International Organization for Standardization), Australia

ENISA (European Network and Information Security Agency), European countries

Page 6

Literature finding (Cont’d)

Terminology and risk management phases

First phase
NIST SP 800-30: (none listed)
ISO 31000: Mandate and commitment; Design of framework for managing risk
ENISA: Corporate risk management strategy

Second phase
NIST SP 800-30: Risk assessment; Risk mitigation
ISO 31000: Implementing risk management
ENISA: Risk assessment; Risk treatment; Risk acceptance (optional)

Third phase
NIST SP 800-30: Evaluation and assessment
ISO 31000: Monitoring and review of the framework; Continual improvement of the framework
ENISA: Monitoring and review

Page 7

Literature finding (Cont’d)

NIST SP 800-30

Page 8

Literature finding (Cont’d)

ISO 31000

Page 9

Literature finding (Cont’d)

ENISA

Page 10

Case study

Threat landscape

• Phishing: online shopping, ticket selling, travel agencies, Internet banking

• Mobile device attacks: theft of e-mail accounts and mobile banking information, unauthorised charges (premium SMS)

• Advanced Persistent Threat (APT): enterprise-level attacks, more specific targets, sensitive information

Page 11

Case study (Cont’d)

Risk framework (Case study company)

Risk management process: risk identification, risk analysis, risk treatment, control implementation, risk monitoring and control improvement, communication

• Risk identification:

Information assets (system, software, hardware, employee and archived data)

Threats (non-human, human)

Vulnerabilities (technical, operational, management)

• Risk analysis:

Likelihood (attraction level of each information asset) and consequence (financial: both information value and recovery cost)

Page 12

Case study (Cont’d)

Risk framework (Case study company)

• Risk treatment:

Control methods: risk avoidance, risk transformation, risk minimisation, risk acceptance

Control categories: technical control, operational control, management control

Cost-benefit analysis: purchase cost, continuing cost, employee training cost

• Control implementation:

Implementation report: timeline, responsibility

• Risk monitoring and control improvement:

New risk treatment plan after review and monitoring

• Communication

Page 13

Case study (Cont’d)

Risk framework (Case study company)

Implementation plan: planning and preparation, deployment and implementation, monitoring and improvement

• Planning and preparation:

Obtain support from the senior management team and related departments (human, physical, financial and timing support)

Main process owners and responsibilities: information security team, IT group, human resources, financial department

Security control selection and implementation: economic factor, timing factor, technical factor, control implementation plan

Page 14

Case study (Cont’d)

Risk framework (Case study company)

• Deployment and implementation:

Security training: user training, manager training, security staff training

• Monitoring and improvement:

Mitigation plan: internal and external network data exchange policy, security auditing, access control, etc.

Page 15

Case study (Cont’d)

Comparison and improvement:

Features missing from the company framework:

• Context establishment (ISO 31000 and ENISA), system characterisation (NIST), risk criteria (ISO 31000)

• Motivation analysis (NIST); organisational processes, stakeholder concerns and expert decisions, organisational risk attitude and tolerance (ISO 31000, ENISA)

• Cost-benefit analysis (NIST): effect of implementing, effect of not implementing, implementation cost

• Positive risk (ENISA)

• Risk assessment and mitigation activities (NIST)

• Residual risk (all three frameworks)
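The company framework's risk analysis (likelihood from an asset's attraction level, consequence as information value plus recovery cost), its cost-benefit analysis of controls (purchase, continuing and training cost), and the residual-risk step the comparison above notes is missing can be put together in one small risk register. The following is an added example written for this page, not code from the thesis or from the case-study company; the attraction-to-probability table, the likelihood-times-consequence product, the control lifetime used to spread purchase cost, the risk tolerance, and every asset and control figure are assumptions chosen to make the calculation concrete.

```python
"""Risk-register calculation for the company framework described above.

Added example, not from the thesis. Assumptions, because the slides do not
specify them: likelihood is an annual probability looked up from a 1-5
'attraction level'; consequence = information value + recovery cost (USD);
exposure = likelihood x consequence (the NIST SP 800-30 likelihood x impact
product) as annual expected loss; a control removes a fixed fraction of the
likelihood; annual control cost = purchase cost spread over the control's
lifetime + continuing cost + training cost. All figures are constructed.
"""
from dataclasses import dataclass

# Assumed mapping from the framework's 'attraction level' to annual probability.
ATTRACTION_TO_PROBABILITY = {1: 0.05, 2: 0.10, 3: 0.25, 4: 0.50, 5: 0.80}


@dataclass
class Asset:
    name: str
    category: str          # system, software, hardware, employee, archived data
    attraction_level: int  # 1 (low) .. 5 (high)
    information_value: float
    recovery_cost: float

    @property
    def likelihood(self) -> float:
        return ATTRACTION_TO_PROBABILITY[self.attraction_level]

    @property
    def consequence(self) -> float:
        # Consequence is financial: information value plus recovery cost.
        return self.information_value + self.recovery_cost

    @property
    def exposure(self) -> float:
        # Inherent (pre-control) risk, as annual expected loss.
        return self.likelihood * self.consequence


@dataclass
class Control:
    name: str
    category: str                # technical, operational, management
    likelihood_reduction: float  # fraction of likelihood removed, 0..1
    purchase_cost: float         # one-off
    continuing_cost: float       # per year
    training_cost: float         # per year
    lifetime_years: int = 3      # assumed amortisation period

    @property
    def annual_cost(self) -> float:
        return (self.purchase_cost / self.lifetime_years
                + self.continuing_cost + self.training_cost)


def residual_exposure(asset: Asset, control: Control) -> float:
    """Risk remaining after the control: the residual-risk step that the
    comparison slide notes is absent from the company framework."""
    return asset.likelihood * (1 - control.likelihood_reduction) * asset.consequence


def net_benefit(asset: Asset, control: Control) -> float:
    """Cost-benefit: reduction in expected loss minus annual control cost."""
    return (asset.exposure - residual_exposure(asset, control)) - control.annual_cost


def recommend_treatment(asset, controls, tolerance):
    """Map the numbers onto the company's control methods: acceptance below
    tolerance, minimisation with the best-paying control, otherwise
    avoidance or transformation because no control is cost-effective."""
    if asset.exposure <= tolerance:
        return ("Risk acceptance", None, asset.exposure)
    viable = [c for c in controls if net_benefit(asset, c) > 0]
    if not viable:
        return ("Risk avoidance or risk transformation", None, asset.exposure)
    best = max(viable, key=lambda c: net_benefit(asset, c))
    residual = residual_exposure(asset, best)
    method = "Risk minimisation"
    if residual > tolerance:
        method += " (residual risk still above tolerance, review further controls)"
    return (method, best.name, residual)


# Constructed sample register (hypothetical assets and controls).
ASSETS = [
    Asset("Ticketing web application", "system", 4, 200_000, 50_000),
    Asset("Archived HR records", "archived data", 2, 40_000, 10_000),
    Asset("Legacy file server", "hardware", 3, 10_000, 30_000),
]
CONTROLS = [
    Control("Web application firewall", "technical", 0.6, 30_000, 5_000, 2_000),
    Control("Security awareness training", "management", 0.3, 0, 0, 8_000),
]
TOLERANCE = 8_000  # assumed annual expected-loss tolerance, USD


def build_register(assets=ASSETS, controls=CONTROLS, tolerance=TOLERANCE):
    return {a.name: recommend_treatment(a, controls, tolerance) for a in assets}


if __name__ == "__main__":
    for name, (method, control, residual) in build_register().items():
        print(f"{name}: {method}; control={control}; residual={residual:,.0f} USD")
```

With the sample data the three assets land on three different outcomes: the archived records fall under tolerance and are accepted, the web application is minimised with the firewall but its residual exposure still exceeds tolerance (so a second control or a tolerance review is needed), and the legacy server has no cost-effective control, which is where the company's avoidance and transformation methods apply. The residual column is what the comparison slide says the company framework lacks; without it the "minimise" decision cannot be checked against a risk tolerance.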

Page 16

Conclusion

• Different perspectives in some areas

• Still room for improvement

• Risk management is vital to organisational activity

Page 17

References

E. G. Amoroso, "Cyber attacks: awareness," Network Security, vol. 2011, pp. 10-16, 2011.

E. E. Anderson and J. Choobineh, "Enterprise information security strategies," Computers & Security, vol. 27, pp. 22-29, 2008.

K. K. R. Choo, "Cyber threat landscape faced by financial and insurance industry," Trends and Issues in Crime and Criminal Justice, no. 408, pp. 1-6, 2011.

B. Kakoli, P. Peter and K. M. Mykytyn, "A framework for integrated risk management in information technology," Management Decision, vol. 37, no. 5, pp. 437-445, 1999.

M. Burdon, B. Lane and P. von Nessen, "The mandatory notification of data breaches: Issues arising for Australian and EU legal developments," Computer Law & Security Review, vol. 26, pp. 115-129, 2010.

K. K. R. Choo, "The cyber threat landscape: Challenges and future research directions," Computers & Security, vol. 30, pp. 719-731, 2011.

G. Locke and P. D. Gallagher, "Guide for applying the risk management framework to federal information systems: a security life cycle approach," NIST Special Publication 800-37, 2010.

Standards Australia and Standards New Zealand, "Risk management," AS/NZS 4360:2004, 2004.

European Network and Information Security Agency (ENISA), "Risk Management: Implementation principles and inventories for risk management/risk assessment methods and tools," 2006.

G. Stoneburner, A. Goguen, et al., "Risk management guide for information technology systems," NIST Special Publication 800-30, 2002.

Page 18

Questions?